Holiday Shopping and Phishing Attacks
By Francesca Spidalieri, Fellow for Cyber Leadership
Hackers Devise New Simplified Phishing Method | Dark Reading
Just in time for the holidays, scammers and hackers are preparing a torrent of fake emails that seem too good not to click on, and are devising more efficient ways to lure unwary shoppers into divulging their personal data and financial information. In a classic phishing scenario, for example, attackers clone a legitimate website by capturing, copying, and modifying its code, and then host the malicious copy on their own bogus site, so the would-be victims have no idea they are actually on a malicious page. A new phishing technique—dubbed Operation Huyao—reduces the time and effort needed for attackers to mount a phishing campaign while simultaneously making such attacks more difficult to trace. The new technique allows phishers to skip the steps of the classic scenario by inserting a proxy program between a would-be victim and the target website, which makes it easier and faster to lure end users to a malicious site. Once the victim prepares a purchase, the proxy program serves up a modified page that walks the user through a checkout process designed to extract personal information and payment card or bank account information. In short, the attacker needs only to create a copy of those pages that receive data of interest, a technique that has proven hard to detect.
While cybersecurity experts are still working to find possible solutions against this latest phishing technique, here are some tips on how to protect yourself from online scams:
- Be wary of emails and pop-up messages that ask you to enter your account username, password, credit card number, or personal information—No established business would ask consumers to disclose such information via email or pop-up. Do not reply or click on the links in these messages as they may take you to copycat malicious websites. Instead, look at the specific email address and domain name of the sites first to make sure it’s really from the retailer and not a close derivative, and then contact the legitimate organization directly to verify the request.
- Use stronger passwords and use a different one for each site that stores important information—Various password management programs—1Password, KeePass, or LastPass—exist to help you manage your various passwords so that you are not overwhelmed. These programs are safe and secure, and they can generate hard-to-crack passwords for you.
- Be skeptical of deals that sound too good to be true—If you are offered a gift card with a significantly discounted face value or other offers with ridiculously low prices, it could be too good to be true.
- Do not send cash or wire money for payment—Pay by credit or charge card. The best option would be to keep a separate credit card account with a low spending limit only for online purchases.
- Check your card activity daily—If you notice any unauthorized charges, immediately contact your bank.
- When you look at card activity, keep an eye out for “microcharges”—Hackers often test cards to see if they are valid by charging small amounts of $1 or $2. If those cards are found to be valid, they can then sell them to other crooks for a premium. Bottom line: don’t overlook small, unauthorized charges!
- Keep your antivirus software up to date—It will monitor all online activities and protect your computer from viruses, worms, Trojan horses, and other types of malicious programs.
- Use your smartphone wisely—Mobile devices offer convenient consumer resources but may also provide cyber criminals with your personal and account information.
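The first tip above (look at the sender's address and the link's domain and make sure it is really the retailer and not a close derivative) is the same check that defeats a proxy-style page, since the proxy still has to live on a domain the retailer does not own. The script below is an added example written for this page, not code from the original post or from Dark Reading. The retailer domain example-retailer.com, the sender address and the email body are constructed for illustration, and the rule that a registrable domain is the last two labels of a hostname is an assumption (country-code suffixes such as .co.uk would need a public-suffix list).

```python
"""Classify the sender address and every link in a promotional email as
'legitimate', 'lookalike' or 'unrelated' with respect to one retailer domain.

Added example, not code from the original post. All sample data is constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'shop.example.com' -> 'example.com'.

    Assumption: two-label registrable domains only; .co.uk-style suffixes are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, legit_domain: str, max_distance: int = 2) -> str:
    """Compare one hostname (from a URL or an email address) against the real retailer domain."""
    host = host.lower().rstrip(".")
    legit_domain = legit_domain.lower()
    if host == legit_domain or host.endswith("." + legit_domain):
        return "legitimate"          # the retailer's own domain or a subdomain of it
    name = legit_domain.split(".")[0]
    if edit_distance(registrable_domain(host), legit_domain) <= max_distance:
        return "lookalike"           # typo-squat such as examp1e-retailer.com
    if name in host:
        return "lookalike"           # real name buried in someone else's domain
    return "unrelated"


def classify_link(url: str, legit_domain: str) -> str:
    """Classify a full URL; the hostname, not the visible text, is what matters."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    if parsed.username:
        return "lookalike"           # 'retailer.com@other-host' puts the real name in userinfo
    host = parsed.hostname or ""
    if not host:
        return "unrelated"
    return classify_host(host, legit_domain)


def check_email(sender: str, body: str, legit_domain: str) -> dict:
    """Check the sender's domain and every link found in the body."""
    sender_domain = sender.rsplit("@", 1)[-1].strip(">").lower()
    return {
        "sender": classify_host(sender_domain, legit_domain),
        "links": {url: classify_link(url, legit_domain) for url in URL_RE.findall(body)},
    }


# Constructed sample message: a typo-squatted sender and one deceptive link.
SAMPLE_SENDER = "deals@examp1e-retailer.com"
SAMPLE_BODY = """Holiday blowout! 90% off gift cards.
Claim now: http://example-retailer.com.secure-checkout.net/login
Our real store: https://www.example-retailer.com/deals
"""

if __name__ == "__main__":
    verdict = check_email(SAMPLE_SENDER, SAMPLE_BODY, "example-retailer.com")
    print("sender:", verdict["sender"])
    for url, label in verdict["links"].items():
        print(f"{label:>10}  {url}")
```

Running the script flags the sender as a lookalike and the "Claim now" link as a lookalike while recognising the real store link, which is exactly the manual check the tip asks the shopper to make before clicking.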
Follow Francesca on Twitter @Francesca_cyber.