Summary. The surge in online shopping on the Monday after Thanksgiving has been accepted as Cyber Monday by shoppers, by retailers, and by the criminals eager to steal from both. According to a recent article in Fortune, the “upcoming holiday season will be the largest online shopping affair yet, with expectations of 11% biggest growth year over year (YoY) and $91.6 billion in total holiday online sales.” Cyber Monday is expected to be the largest online shopping day in history. That volume is an opportunity for criminals experienced in credit card theft, scams, and other fraud to profit, and for others to use the day for hacktivist disruption or simply for mischief and amusement.
Analysis. Kaspersky’s 2016 Threat Overview for Black Friday and Cyber Monday specifically calls out phishing as the main tactic scammers use over the holiday weekend, with online stores and payment systems as the primary targets. Phishing has a low barrier to entry for most criminal groups, and many infrequent shoppers who would not otherwise buy online are easily fooled because they are unfamiliar with what a legitimate order confirmation or payment notice looks like. Businesses, meanwhile, must handle a spike in orders, invoices, and email that strains both networks and staff, making it easier for employees to make mistakes as they process invoices and other financial transactions. Hurried processes and overwhelmed staff are exactly the conditions that make business email compromise (BEC) scams more dangerous. Users and businesses also need to watch for malware, denial of service attacks, and spam, as attackers try to exploit customers’ interest in, and businesses’ distraction during, Cyber Monday.
Preparedness & Operational Considerations.
1. Planning. No amount of planning can fully prepare a business for the ever-expanding online holiday shopping season. However, while Thanksgiving through Cyber Monday brings tremendous online retail volume and a matching spike in threats, most of those threats are present year-round. Vigilance online is imperative, and businesses should build practical exercises and drills into their long-range training calendar, both to prepare for this busy period and to update and sustain awareness and preparedness throughout the year.
2. Training. Consider conducting frequent, short, and specific training around Thanksgiving and throughout the holiday period (and ideally as part of routine operations!) to remind employees of the common signs of scams and malware. They should be immediately suspicious of any email purporting to contain an invoice, a great shopping deal, banking information, or account details, and doubly so if it carries an attachment or hyperlinks.
3. Operations. Be prepared for malicious campaigns by monitoring advisories and other communications from organizations like US-CERT, the FTC, and Spamhaus. They typically provide up-to-date advice and considerations for internet users and organizations. US-CERT’s 2015 alert on holiday phishing and malware is a good example of the resources available.
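The red flags listed under Training (an invoice, deal, banking or account lure in the subject; an attachment; hyperlinks) can be turned into a first-pass triage check that a mail team can run over suspicious messages before they reach an overwhelmed accounts-payable desk. The script below is an added example, not code from the Torpedo Report or from Gate 15; it uses only the Python standard library, and the two sample messages, their addresses, and the reserved example domains are constructed for the demonstration. It goes slightly beyond the text with two indicators practitioners usually add: link text that names one host while the real target is another, and a Reply-To domain that differs from the From domain, both hallmarks of BEC lures.

```python
# Added example: phishing red-flag triage over raw RFC 5322 messages.
# Not code from the Torpedo Report or Gate 15; sample messages are constructed.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Lure words from the training item; "account" also matches "accounting",
# which is acceptable for a first-pass triage that errs toward review.
LURE_TERMS = ("invoice", "deal", "discount", "bank", "account", "payment", "order")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an address header value, lower-cased; '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host(url):
    """Host part of an http(s) URL, lower-cased; '' if the string is not a URL."""
    m = re.match(r"https?://([^/:?#\s]+)", url, re.I)
    return m.group(1).lower() if m else ""


def triage(raw: bytes) -> list[str]:
    """Return the red flags raised by one raw message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    subject = (msg["subject"] or "").lower()
    if any(term in subject for term in LURE_TERMS):
        flags.append("lure-subject")

    # iter_attachments() skips the candidate body parts and yields the rest.
    if any(part.get_filename() for part in msg.iter_attachments()):
        flags.append("attachment")

    body = msg.get_body(preferencelist=("html", "plain"))
    links = []
    if body is not None:
        content = body.get_content()
        if body.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(content)
            links = collector.links
        else:  # plain text: the visible text is the URL itself
            links = [(u, u) for u in re.findall(r"https?://\S+", content)]
    if links:
        flags.append("hyperlink")
    # Visible text names one host, the real target is another: the classic
    # "pay here" trick. Plain-text URLs can never trip this check.
    if any(_host(text) and _host(text) != _host(href) for href, text in links):
        flags.append("link-text-mismatch")

    from_domain = _domain(msg["from"] or "")
    reply_domain = _domain(msg["reply-to"] or "")
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages using reserved example domains.
PHISH = b"""\
From: "Billing" <billing@example-store.com>
Reply-To: collect@attacker.example
To: ap@example.com
Subject: Cyber Monday invoice #4471 past due
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Your invoice is attached. Pay here:
<a href="http://attacker.example/pay">http://example-store.com/pay</a></p>
--B1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice-4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--B1--
"""

BENIGN = b"""\
From: "Order Desk" <orders@example-store.com>
To: ap@example.com
Subject: Your shipment left our warehouse
Content-Type: text/plain; charset="utf-8"

Your package shipped today. No action is needed.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(f"{name}: {triage(raw) or 'no flags'}")
```

The flags are deliberately coarse: a legitimate order confirmation will often raise "hyperlink" on its own, so the useful signal is the combination, particularly "lure-subject" together with "attachment" or either of the two mismatch flags. Treat a match as a reason to route the message for a second look, not as a verdict.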
This article was originally published in The Torpedo Report, a weekly report produced by Gate 15. Torpedo is a modified acronym for Threat, Risk, Preparedness and Operations. The Torpedo Report is intended to provide an assessment of key notable threats highlighted over the previous week with operational context, risk analysis and actionable preparedness and operational recommendations leaders can consider to enhance their organizational security and resilience.