
Beware of Spear Phishing

For malicious parties hoping to capitalize on the frantic frenzy of online purchasing, both the prevalence of email marketing and the popularity of mobile purchasing offer significant openings, and they pose corresponding threats to shoppers.


The promise of incredible deals via email marketing campaigns presents the perfect attack vector for malicious parties to prey on unsuspecting shoppers.


Spear Phishing Attacks

This holiday season, if the deals that pop up on your social media feed or land in your inbox seem too good to be true, they probably are. Simply clicking on an unassuming malicious phishing link could lead to disastrous consequences, depending on the situation.

Source: Verizon 2016 DBIR

According to Verizon’s 2016 Data Breach Investigations Report (DBIR), phishing attacks are on the rise, with 30% of phishing emails opened and 12% of the recipients clicking through to either a risky link or an attachment.


ScamWatch, an initiative maintained by the Australian government, indicates that last month, during October 2016, of the 361 online shopping scams reported, 44.2% resulted in financial losses and 40% of these scams were launched from either email or social networking links.

Spear Phishing Threats

In the early days of internet email scams, phishing attempts would simply send mass emails without any personalization. The recent trend, however, is spear phishing, which zeroes in on particular people or groups in order to increase the chance that the scam succeeds. Spear phishing greatly increases the apparent “legitimacy” of the fraudulent communication, as our guard tends to drop when our own personal details are included.


Sophisticated email phishing operations can also exploit cross-site scripting (XSS) flaws on legitimate e-commerce vendors’ sites, and these become even harder to identify and stop: the links used to lure users genuinely appear legitimate, yet they take the user to a malicious URL that looks like the trusted entity, such as, despite being an entirely different URL.
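The lure described above (a link that looks like the trusted vendor but carries the visitor somewhere else) can be screened for on the receiving side. The following is an added example, not code from the original post or from Checkmarx: it parses the links out of an HTML email body and flags three tell-tale patterns (visible text naming one host while the href goes to another, a script payload embedded in the URL, and a query parameter that forwards the visitor to a different host). The email body and the shop.example.com, deals-example.net and evil.example.org hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl, unquote
# Constructed sample email body (not from the original post); all hosts are placeholders.
SAMPLE_EMAIL = """
<p>Your order: <a href="https://shop.example.com/orders/42">https://shop.example.com/orders/42</a></p>
<p>Claim your deal: <a href="http://deals-example.net/x">https://shop.example.com/deals</a></p>
<p>Verify: <a href="https://shop.example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E">shop.example.com</a></p>
<p>Track parcel: <a href="https://shop.example.com/go?next=https://evil.example.org/login">Track</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def host_of(text):
    """Host named in a URL-like string, lower-cased ('' if none)."""
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
def flag_link(href, text):
    """Reasons this link looks like a lure; an empty list means nothing was found."""
    reasons, href_host = [], host_of(href)
    # 1. Visible text names one site while the href actually goes elsewhere.
    text_host = host_of(text) if "." in text and " " not in text else ""
    if text_host and text_host != href_host:
        reasons.append(f"text shows {text_host} but link goes to {href_host}")
    # 2. Script payload carried in a URL on an otherwise trusted host (XSS lure).
    decoded = unquote(href).lower()
    if "<script" in decoded or "javascript:" in decoded:
        reasons.append("script payload in URL (possible XSS lure)")
    # 3. Query parameter that forwards the visitor to a different host.
    for _, value in parse_qsl(urlparse(href).query):
        if "://" in value and host_of(value) != href_host:
            reasons.append(f"parameter redirects to {host_of(value)}")
    return reasons

def scan_email(body):
    """Map each suspicious href in an HTML email body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(body)
    return {h: r for h, t in collector.links if (r := flag_link(h, t))}
```

Running `scan_email(SAMPLE_EMAIL)` flags the last three links and leaves the first (text and href both on shop.example.com, no payload, no redirect) untouched.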


With the sensitive data of over half a billion Yahoo user accounts leaked earlier this year, and over 400 million sets of user details leaked in the Adult Friend Finder breach, cyber criminals are even more empowered and focused when it comes to any phishing attacks that they could be planning for this holiday season.


Armed with the user data from the massive Yahoo leak, and from the countless other leaks that have occurred over the course of 2016, attackers are able to upgrade plain email scams to spear phishing attacks that appear even more legitimate, since these phishing emails may contain user names, telephone numbers, dates of birth and, in extreme cases, security questions and answers.



Are Spear Phishers Armed with your Login Details?

How to check if your login details have been released in a major data dump

What if your data has been leaked? That’s a question tackled by Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security, blogger at, international speaker on web security and the author of many top-rated security courses for web developers on Pluralsight.

A quick search of the author’s email address on

His popular website was built after the massive breach of Adobe customer accounts in order to help educate and inform the public about both the scale and frequency of large data breaches.

Top breaches and leaks. Source:

All of the data comes from breaches where the data is publicly available; however, passwords are not stored within the site itself. By entering your email address, a quick search will show whether your account data has been compromised. Users are also able to set up alerts in case their user info is compromised in future leaks.


If your information has been leaked or compromised, it’s critical that you change your password for that platform and ensure that you are not reusing that password anywhere else on the internet, as a reused password gives hackers, spammers and spear phishers a quicker attack vector.




Watch Troy Hunt discuss employing automation to streamline secure coding practices in our “Meet the Experts” webinar Software Security & Early Prevention of Vulnerable Code here.
