DC Anderson

Cyber Security Tips for Holiday Shopping



The 2019 holiday shopping season is in full swing, with both retail and online stores bracing for impact. This is also the single hottest time of the year for cyber criminals to ramp up attacks targeting retail and online stores. In this article, I want to walk through some of the ways cyber criminals attack everyday people, both online and in physical storefronts, so you can be better prepared to protect yourself and keep the holidays a cheerful time.


Before we begin....


Before I start describing these attack vectors, I want to take a brief moment to make clear that this post is not in any way designed to incite panic. Can these methods be used for nefarious purposes? Absolutely. Just this week, my wife's coworker had a malicious attacker attempt to purchase over $1,200 worth of merchandise fraudulently. Fortunately, her bank did its due diligence and snuffed out the transaction. The goal here is awareness and knowledge, not fear mongering.


Online Attack Vectors


In 2019, there will be about as many online shoppers as retail shoppers. With the rise in online shopping, cyber criminals have several very effective means of attack during the holiday season. The first one I want to talk about is phishing. Phishing is a way for criminals to obtain data, or access to data, by fraudulently impersonating a corporation or organization. For the better part of the last 20 years this has been done using email as the primary attack vector, but as you will learn in this post, cyber criminals have more options available now than ever before. Let's start with email phishing, as that is the vector most folks are familiar with.


E-Mail Phishing


There are a variety of scams criminals use via email to try to steal information or gain access to your financial accounts. Some of these are not holiday-shopping specific while others very much are, but I do want to take some time to illustrate several kinds of phishing emails and how you can identify them. In some cases they are very easy to detect; in others it can be a bit more difficult.


The SINGLE MOST IMPORTANT LESSON FROM THIS ENTIRE SECTION IS:


DO NOT CLICK LINKS IN EMAILS.


Even if you think it's 100% safe, it takes seconds to retype a link into a browser. This is the most common way bad guys hack you. Don't do it. You'll thank me later.


Let's start with something that isn't exactly holiday shopping related but can't be ignored when it comes to phishing.


Nigerian Prince Nonsense


This is one of the oldest scams on the internet today. It has been around for at least 10 years and shockingly still works in 2019: https://www.cnbc.com/2019/04/18/nigerian-prince-scams-still-rake-in-over-700000-dollars-a-year.html


Here is an example of one of these emails:



There are a multitude of red flags in this kind of email. The first is the very nonspecific greeting ("Dear Friend"). Then there are the volumes of grammatical errors, awkward sentence structure and downright random nonsense this email references (I know no one in Nigeria and have no Nigerian partners). But the primary reason this is so obviously garbage is that it is 100% illogical. Someone who intends to send you millions of dollars wouldn't likely send you an email about it. Transferring this kind of money requires bank and accountant involvement for taxes and use of the SWIFT banking network. And at a minimum, they should know who they intend to send millions of dollars to instead of "Friend".


If you are still tempted to believe that some far-off country has a windfall for you, you can at least check the source of the email. In some cases you can just click the sender and it will show you the source email address, though this can be spoofed. In this case, the fraudulent actors didn't even bother to spoof it:



In this case, Mr. Kingsley Mogahalu, our courageous Nigerian Director of Money Transfers is sending his message to us from an email address in China (sales@vovision.com.cn). Seems legit......


TL;DR: No one in any country is likely to send you massive sums of money for no reason. If they do, they certainly won't contact you in this manner. Don't click on any links they give you or do anything they ask. Delete this crap and forget it exists.


Shipping Mishap Phishing


The next option is very specific to the holiday shopping season, as this is the best time of year for an email like this to get hits. It is super common, particularly this time of year, for packages to be shipping all over the world. In this phishing effort, the bad guys are hoping to get you panicked over a critical package not making it to its destination:



In this scam, the bad guys are hoping you are expecting a package and are trying to get you to click that "Get Shipment Label" link. In some ways this looks kind of legitimate. It provides a generic Shipment ID and a marginal copy of the FedEx branding. But what is the single most important lesson in this article?


DON'T CLICK ON LINKS IN EMAILS


This pretty box asking you to get a label is not your friend:



What I have done here is inspected this object within the email. To do that:


1. Right Click within the body of the email and choose "Inspect Page"

2. Scroll and browse the code until you find what you are looking for.


In this case, that pretty FedEx link goes to a malicious website serving some encrypted-looking PHP code. This won't give you a shipment label. It is much more likely to give you ransomware.


And once again, these folks didn't do a very good job of spoofing the email source:




I don't know about you, but an email claiming to be from FedEx with a source address in Spain seems a bit suspect to me.


TL;DR: If you are expecting a package and you are notified it was delayed or undelivered, go to the shipping company's website yourself. DON'T CLICK LINKS IN EMAILS.



Online Bank Account Phishing


Another very effective phishing email that we see more of during the holiday season is online bank account issue phishing. Malicious actors attempt to get you to believe your online bank account has a problem and get you to fill out a form that collects every piece of information this person could ever need to set up new accounts in your name, drain your current bank account, set up credit card accounts, and so on. This one is a little better crafted than some of the others, as we see in the example below:




These types of emails are all very similar. The entire email is designed to panic you into action without thinking it through. First, they tell you someone has tried to get into your account from different computers with bad passwords (Scare Tactic #1). Then they give you a solution to the problem, which is to click that malicious HTML form they attached. Then they create a dire sense of urgency. Take a look at the date this was sent (6/4/2014), and then take a look at the date they want you to respond by (6/7/2014). Based on this email, they give you three days to fill this out or they "will be forced to suspend your account indefinitely" (Scare Tactic #2). They double down on this in the next sentence by saying that this is a mandatory measure and failure to verify will lead to permanent service suspension (Scare Tactic #3). This particular email is a better effort by the bad guys, as they spoofed the source well in this one:




In this example, I viewed the source of the email to see where it was really coming from and found the answer there. To do this in Outlook.com:


1. Go to the "More Options" icon in the upper right corner of the outlook.com website (it looks like three horizontal dots)

2. Choose the "View Message Source" option in the drop down menu

3. Find the "Received From" option in the text below.




The thing to take away from emails such as this is that a legitimate bank will never send an email with this kind of tone. Banks will notify you through a phone call or a message directly in their banking application, and they will not ask for personal data over these channels. Another way to identify fraud is that there is no data in this email that identifies you or your account. It is very nonspecific, as most phishing emails are. The design is for hundreds of thousands of people to get this email in the hope that a certain percentage fall for it. As such, these emails are constructed very generically.
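The two manual checks described above (inspecting where a link really points, and reading the message source to find where the email actually came from) can be scripted. The following is an added example, not code from the original post: it parses a constructed sample message (all hosts, IPs and addresses are made up; the fedex.com From: address is the spoofed claim being tested) and reports the same red flags, a From: domain that does not match the originating mail server in the lowest "Received:" line, and links whose real destination differs from the domain shown or claimed.

```python
"""Flag the phishing red flags discussed above in a raw e-mail message."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a FedEx-branded shipping notice.
RAW_MAIL = b"""Received: from mx.example-mail.test (mx.example-mail.test [203.0.113.9])
 by inbound.mailhost.test with ESMTP; Mon, 2 Dec 2019 10:00:00 +0000
Received: from webmail-srv.example-hosting.test ([198.51.100.7])
 by mx.example-mail.test with SMTP; Mon, 2 Dec 2019 09:59:00 +0000
From: "FedEx Shipping" <notice@fedex.com>
To: victim@example.org
Subject: Your package could not be delivered
Content-Type: text/html

<html><body><p>Shipment ID 7731-XX-0042 is waiting for you.</p>
<a href="http://example-hosting.test/track/label.php?id=7731">http://www.fedex.com/label</a>
</body></html>
"""

HOP_RE = re.compile(r"from\s+([^\s(\[]+)", re.I)          # host after "Received: from"
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Received: headers are prepended by each hop, so the last one is the origin.
    hops = [m.group(1).lower() for m in map(HOP_RE.search, msg.get_all("Received", [])) if m]
    origin = hops[-1] if hops else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    mismatched = []
    for href, text in LINK_RE.findall(html):
        real = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower()
        # Flag a link whose real host is outside the sender's domain or
        # differs from the host the anchor text displays to the reader.
        if not same_org(real, from_domain) or (shown and shown != real):
            mismatched.append((text.strip(), real))
    flags = []
    if origin and not same_org(origin, from_domain):
        flags.append(f"origin server {origin} is not in claimed domain {from_domain}")
    if mismatched:
        flags.append(f"{len(mismatched)} link(s) point outside {from_domain}")
    return {"from_domain": from_domain, "origin_host": origin,
            "mismatched_links": mismatched, "flags": flags}
```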



Search Engine Phishing


Something relatively new to the world of phishing is search engine phishing. This is when a malicious attacker pays for an ad, or creates a website and then uses some paid search engine optimization, to get it ranked at the top of a Google search query. This is something a malicious attacker could easily do for the holidays. For example, they may target a hot toy name or a popular online vendor. They may promise a hard-to-get item at a massive discount or offer free items with a purchase. The goal of this attack vector is to get people to click on a bad website that comes up as part of a search engine query and then leverage that website for criminal activity. Here is an example of search engine phishing:





In this example, the first website is a paid advertisement that takes you to a malicious phishing site. The site below it is the actual legitimate website. In some cases, like the one above, the first one is clearly marked as an ad. If you have a choice between a site that shows up as an ad and one that does not, and they look the same, it is recommended to avoid the ad. This can be difficult to decipher in some cases, as attackers will sometimes push a malicious site up the organic search rankings rather than investing in paid ads. The key here is to read the websites that come up as search results very carefully, as fraudulent pages do exist in these types of queries and Google and other search engines do not always have the means to filter them out.


Smishing


The last phishing type I want to briefly mention is what is known as smishing, which is SMS (Short Message Service) phishing. This is better known as text message phishing. During the holidays, it is not uncommon for malicious attackers to send out text messages that mimic banking sites or Apple IDs. The bad guys choose these frequently because many people have iPhones and as such have Apple IDs. There are also many folks buying gifts, and a text message saying your account is frozen might scare some of them into clicking links or calling the numbers these messages provide. Here is a good example of a banking-related smishing message:




In this example, the malicious actors are trying to get people to call a bad call center whose whole purpose is to steal information to drain bank accounts. If you do get a message from your bank that there is a problem, always call the number on the back of your actual card and never follow these directions. Again, these types of messages are scare tactics and designed to get you to make a fast impulse driven decision based on fear rather than logic.



Retail Store Hacking Options


Online store fronts are not the only place for criminals to take action. Retail stores also have things to watch for as a consumer this holiday season. Here are two means that a cyber criminal can attack you while at the retail store.


The Bad USB Parking Lot Sweepstakes


Criminals have used this tactic for many years, but the holidays make it even more lucrative and more effective. The tactic involves dropping bad USB drives all over the parking lot of a retail storefront in the hope that someone, be it a kid or a curious adult, will take that USB drive home and attempt to view its contents. Once that USB drive is inserted into a home computer, the drive can immediately install malware or ransomware, or quietly disable antivirus and install a keylogger. This allows a cyber criminal to record all keystrokes on your keyboard, including passwords for your social accounts and even banking or credit card information. The golden rule with USB drives: treat them like gum. If you see gum on the road, it's not a good idea to pick it up and chew it. The same applies to USB drives. If it's on the ground, think of it the same way.


TL;DR: Don't access USB drives that you find randomly on the ground. It is very possibly a malicious item.


Stealing your Banking Pins with a Cell Phone


It is all too common to see people browsing their phone while they stand in line at the retail stores. But you may want to be a bit careful as to what the person behind you is actually doing with their phone. Smart phones can do some amazing things in this day and age with cameras that rival commercially available ones. And what some malicious attackers can do with that phone might surprise you.


Several companies online make a device that you can attach to your smart phone that allows the camera to see in the infrared spectrum. If you don't know what that is, I want to reference you to the 1987 Arnold Schwarzenegger movie Predator:




What this does is provide you an image that shows varying degrees of heat throughout a target. On a smartphone, this is super useful for contractors to find insulation issues, electrical problems and signs of water damage. Unfortunately, this is also super useful in stealing banking pins.


What cyber criminals will do is hold their phone normally while standing in line at a store. They record the surrounding area with the camera in an effort to capture the numbers of a credit or debit card on video or in a photo, and then, after the transaction is complete, they flip on the infrared camera attachment and hover it over the PIN pad as shown below:





The darker colors here show warmer keys, so this tells an attacker that the orange and yellow keys were likely pressed last and the lighter green keys were pressed first. We can tell reasonably quickly that this PIN is 1 2 3 4 5. This then gives them full access to credit or debit cards with very little actual technical hacking skill. The challenge with this attack vector is twofold. First, it is very, very difficult to notice. It will just appear as someone with a phone in a store, which makes it harder to detect. Second, even after a minute goes by, the attacker can still get a thermal signature from the keypad and have a reasonable chance of successfully obtaining your PIN. These camera attachments cost about $200-300 and work for both Android and iPhone models. There are other applications for this attack vector as well, including cars with push-button access systems and doors on storage units with PIN-based locks. But there are some ways to mitigate this attack as a whole.


First, metal keys don't retain a thermal image well, as the heat disperses too quickly for it to register. So metal-keyed PIN pads, like the ones we typically see on gas station pumps and ATMs, aren't as vulnerable to this. Another way to mitigate it is to rest your fingers on all the keys of a plastic or rubber keypad while you punch in your PIN. This prevents a useful thermal signature while taking very little effort on your part.


The key takeaway here: always rest your hand over all the numbers on those plastic or rubber PIN pads just to be safe, and always be mindful of the person behind you at Walmart or Target who appears to be watching the viral cat meme this season; he might just be up to something a bit more nefarious:




What are your primary concerns regarding cyber security this holiday season? Do you have any tales of being hacked in the past during the holidays? Let me know if this article was helpful to you and share any stories or concerns in the comments below!
