Communications Daily is a service of Warren Communications News.
Fraudulent Branding

Cybersecurity Firms Warn of Online Shopping Threats Over Black Friday Weekend

As marketers from carmakers to fast-food restaurants blast consumers with Black Friday deal offers this week, cybersecurity companies' Black Friday messaging is about the dangers of online shopping.


Nearly 30 percent of Black Friday and Cyber Monday spending will be on mobile devices, said software-as-a-service company RiskIQ in a Monday report, putting shoppers at risk of encountering phishing pages, malicious apps and viruses that infect smartphones in search of financial information and other data. Fake apps can fool users into entering credit card numbers, steal personal information, encourage users to log in using Facebook or Gmail accounts or “lock the device until the user pays a ransom,” it said.

In researching where cybercriminals are targeting their efforts for holiday 2016, RiskIQ ran a keyword query on its mobile app database for instances where the brand names of five leading U.S.-based e-tailers appeared with the term “Black Friday.” One-tenth of the 5,315 mobile apps found in a “Black Friday” search of global app stores were unsafe to use, or “blacklisted” as malicious, RiskIQ said. Threat actors focused on the top five leading (but unnamed) brands in e-commerce with a combined total of more than a million blacklisted apps that contain the retailers' branded terms in the title or description, said the report. Two of the brands had more than 400,000 blacklisted apps each.

Most bad apps are hosted on third-party app stores that “few American consumers know of,” RiskIQ said, but even official stores for the most popular devices -- Apple Store and Google Play -- can host apps that are dangerous. Protection by most mobile app stores “is good, but not bulletproof,” it said. Apple and Google didn’t respond to questions.

Threat actors in the holiday shopping season “will try to capitalize by using the brand names of popular e-tailers to exploit user traffic looking for Black Friday deals and coupons,” said RiskIQ. That includes setting up fake mobile apps and landing pages, “often using fraudulent branding to fool consumers” into downloading malware or providing their login credentials and credit card information, it said.

RiskIQ offered consumers several ways to reduce risk when shopping online: download apps only from official app stores such as Apple Store or Google Play; be wary of apps that ask for suspicious permissions including access to contacts, text messages, administrative features, stored passwords or credit card information; verify the name of the app developer, including proper spelling; look for red flags including free email service contact information and poor grammar.

For shopping via the web, RiskIQ found more than 1,950 blacklisted URLs that contained branded terms associated with the top five e-commerce companies along with a reference to Black Friday. The URLs were linked to spam, malware or phishing. "It's easy for threat actors' infrastructure to hide in plain sight -- often using brand names in malicious URLs to fool people into visiting pages that phish for sensitive information, infect users with malware, or redirect traffic to other malicious or fraudulent pages," it said.

RiskIQ's advice for shopping via the web this weekend: check website addresses after following links on social media to be sure you end up on the true website of the retailer you’re trying to link to, and be sure an e-commerce site has the “s” in https in the URL to ensure a secure connection before giving credit card information.

PasswordWrench, meanwhile, is pitching its password manager system that helps users create and recall complex passwords, “making it nearly impossible for criminals to hack information.” The system is designed to protect individuals' and corporations' confidential information, said the company.

PasswordWrench generates a password card with random letters, symbols and numbers, and users are guided to recall the complex passwords without PasswordWrench storing the actual passwords online, said the company. Users don’t have to remember strings of random characters or upload passwords to third-party websites, it said, and they can also download a physical copy of a password card or access their cards online. The system is said to protect against weak passwords, keystroke logging, brute-force searching and hidden camera and insider threats.