David Harley: "My colleague Urban Schrott, from ESET Ireland, wrote a nice feature article for our monthly ThreatSense report (which is now available on the Threat Center page) on seasonal scams. As the scam season is starting to get into full swing, we thought it might be good to give it a wider audience here. Beam us up, Schrottie: maybe start us off with a riddle from a Christmas Cracker? ;-)"
Why is Christmas one of the jolliest seasons for cybercriminals? Because this is the time when the most money is spent online in the shortest time, and there are many opportunities for them to make themselves a hefty Christmas bonus as a reward for the other malicious activities they've been busy with throughout the year. And they are actually immoral enough to steal even from Santa!
There are many jobs cybercriminals go to work on in the holiday season, but most involve either getting hold of online shoppers’ money without their knowledge, or conning them into handing it over voluntarily. The first category would mainly include stealing online shopping credentials (such as passwords to PayPal, Amazon and others) or credit and other payment card details. This is mainly achieved either through spyware installed on infected computers or through fake websites used instead of legitimate ones to con users into typing in their log in credentials. It may also be done by setting up a website for holiday shopping that simply doesn't deliver the goods users were charged for, or which delivers something of no real value.
Another popular scam is Black Hat Search Engine Optimisation (BHSEO) which redirects searches on shopping-related keywords to malicious websites that try to infect the users with rogue antivirus and other malware. Just recently we have encountered malicious SEO regarding the Royal Family and the Korean conflict, while scams related to Christmas-shopping are becoming more sophisticated every year. Once any of these data fall into the hands of cybercriminals, they can be used to purchase real or bogus items, and generate a nice little profit. A spring survey in Ireland revealed that 76% of Irish consumers have been targeted by scams and the frequency of their engagement is expected to intensify during the Christmas season.
Then there is the lowest form of life in the cybercriminal fraternity, the charity abusers. As criminals are all too aware that many people like to make charitable donations when the Christmas spirit is at its most infectious, many fake online charities appear around this time. These are known to surface around any disasters that occurred, so we had many fake Haiti earthquake and Asian tsunami charity scams, and Chilean miner scams were also reported. The global economic crisis is likely to spawn other fake charities in various countries, pretending to appeal for help for impoverished families. While we certainly don't wish to discourage charitable donations, we do appeal to people to choose known and trusted organisations, or to do a proper check up on any others they wish to donate to: for instance, check the charity checklist by The U.S. Federal Trade Commission.
What else can computer users do to protect themselves?
- When searching for a gift online, check what websites you're being directed to. It is always safer to type in the address of the shopping site you wish to access, than to click any link you’re offered, as it may lead you somewhere you definitely wouldn’t want to go.
- Key words such as the names of popular items, brand names, computer games, sales, deals, could all lead to fake websites where search engines have been poisoned.
- Look for secure “https” connections on the sites where you shop.
- Check your PayPal and card balances regularly for any unusual expenses, and stop credit card payments immediately if you see something suspicious.
- Be careful about emails claiming to be “shipping information“ or “sales invoices“ for items you didn't order, as they could have an infected file or link attached.
- Use different passwords for any sites you use that require an authenticated log-in, so that even if cybercriminals intercept one of your passwords, they won't be able to get to all your sites.
- Overall, use common sense, and do browse for news on the latest scams occasionally, so that you know what you're up against.
Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland
David Harley, ESET Senior Research Fellow