This Black Friday and into next week, shoppers will inevitably be lured to fake websites by fraudulent campaigns offering '60% off iPhone X' or a 'last in stock' super deal. The lure mostly arrives via phishing emails, and increasingly via expertly crafted login pages that make you think you are logging into a valid site.
If you fail to notice that the web login page is fake, hackers typically receive your login details and/or credit card information. Your stolen login details, including username and password, together with your personal information, are then used to carry out fraudulent activities. Simple phishing campaigns can use an almost identical copy of a login page for social media platforms, e.g. Facebook, or search engines, e.g. Google, plus a variety of popular retailers, banks, etc. They often use typos in domain names, whilst still using a secure certificate, with a malicious PHP script to send home the details captured.
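A defender-side check for the typo-domain trick described above, as an added example that is not part of the original article: it flags hostnames that are one edit, a digit swap or a misleading subdomain away from a trusted domain. The `TRUSTED` list, the sample URLs and the function names are constructed for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: domains the user really shops or logs in with.
TRUSTED = {"facebook.com", "google.com", "example-shop.co.uk"}
# Digit-for-letter swaps folded away before comparing (faceb00k -> facebook).
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain)."""
    # The scheme is ignored on purpose: a fake site can still present a
    # valid certificate, so "https" says nothing about who owns the name.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for good in sorted(TRUSTED):
        if host == good or host.endswith("." + good):
            return "trusted", good
    labels = host.split(".")
    for good in sorted(TRUSTED):
        # Compare the same number of right-hand labels as the trusted name.
        candidate = ".".join(labels[-len(good.split(".")):])
        if edit_distance(candidate.translate(FOLD), good.translate(FOLD)) <= 1:
            return "lookalike", good
        # Trusted name used as a subdomain of somebody else's domain.
        if good + "." in host:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for sample in ("https://www.facebook.com/login",       # constructed samples
                   "https://faceb00k.com/login.php",
                   "https://googel.com/",
                   "https://facebook.com.account-check.example/login"):
        print(sample, "->", classify(sample))
```

An 'unknown' result only means the name does not resemble anything on the list; it is not a verdict that the site is safe.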
However, at this time of year the sophisticated, 'long game' players in organised cyber-crime will have pre-planned a deeper trap, often embedded within the file structure of a website. Black Friday to Cyber Monday is a promotion lasting at least a week. Quite apart from the credit card skimming malware injected at the checkout to steal your credit card details, they take advantage of website extensions, having embedded malware, e.g. a backdoor alongside a key logger, many months ago to bridge access and exfiltrate data at will. Successful campaigns and sources are tweaked in terms of the messaging and left in play throughout the forthcoming holiday season. This is big business every year.
Owners of compromised websites will see a performance impact, and under normal circumstances this would raise alarms. In the midst of high-volume Black Friday transactions, it could be missed. In fact, 'unwanted software' installed on websites by nefarious means has been an issue for years, with Google publishing the typical characteristics for website owners to look out for.
If you believe you have been a victim of a phishing campaign, here are some tips for you:
- Change your passwords
- Adopt multi-factor authentication
- Regularly review your bank account for unusual transactions
- Block the cards used for online transactions
- Contact the site where the phishing page originated
There is an old adage, "if it looks too good to be true, it always is", even on Black Friday!
Visit qa.com/cyber for more information on how they can help solve the Cyber Security skills gap.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. Richard sits on a number of security advisory panels and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI).
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security, providing a unique perspective on the world of cyber security to teachers and encouraging young people to consider a career in cyber security.