Merry Riskmas
People of all ages look forward to Christmas holidays. Children think of the gifts they will receive from Santa, and those of us who are older savor the thought of spending the holidays in joyous company with friends and family. Christmas is considered by most, including myself, as the most wonderful time of year.
Cyber criminals feel the same way about the holidays. They exploit online shoppers’ longing for a good sale by slamming them with phishing scams laden with "special offers" and try to turn our beautiful Christmas to Riskmas.
We have talked about this subject in the past but constant repetition carries conviction.
We have talked about this subject in the past but constant repetition carries conviction.
The holiday season is retailers’ busiest time of year, with an estimated 20% of the year’s shopping taking place between November and December in the UK and over half of online retailers expecting to achieve 20% growth. During this time, retailers arguably face a more difficult problem with IT than other industries for many reasons. The holiday retail "freeze" is underway, which means that any security upgrades or technology additions for retailers are put on hold until after the busy holiday shopping season. For the next few weeks, only critical security patches will get installed. The concept of a holiday IT freeze is outdated in today’s world, and while many retailers implement such a "freeze", there should be exceptions when it comes to areas that support the business. Security should certainly be one of those exceptions.
The main challenge and priority is service availability to the customers, whether it is for online or in-store purchases. At executive level, service availability translates to transactions, which in turn relates to revenue growth. However, executives often neglect the wider collateral damage that can be caused by a data breach, not only in terms of brand damage but also in the resultant fall of consumer confidence and any remediation activities required (legal and operational) to mitigate those losses.
In December 2009, a hacker, then operating under the alias of “igigi,” succeeded in stealing the account credentials for all 32.6 million users after successfully penetrated RockYou, a company which develops games and advertisements for social media sites. All of the information had been stored in clear text, meaning that neither account holders’ usernames nor passwords had been encrypted. Company’s databases were infiltrated as a result of an SQL injection vulnerability, one of the most common security vulnerabilities with respect to web applications today.
Following the breach, the security firm Imperva analyzed the stolen information, portions of which were published online by the hacker. The study revealed that 40% of account holders had used a password consisting only of lowercase letters, 30% had chosen a password less than six characters in length, and nearly 1 in 100 had set their password to "123456".
Nevertheless, companies are not the sole targets of holiday breaches. The amount of unwanted traffic increases significantly before Christmas, and people need to be wary of viruses and other malware. Christmas, like other holidays, is a time of opportunity for junk mailers and information phishers. An ill-advised click can ruin your holiday, when an electronic Christmas card from a friend or business partner installs malware on your computer. People are in holiday spirits and behave more casually in the online environment. For example Christmas greetings sent by email can be disguised so that they look like they have been sent by someone you know. When the unsuspecting recipient opens a picture or link contained in the message, a virus is released.
Back in 2010, just two days before Christmas, attackers sent out an email that spoofed “seasons greetings” from The White House to a number of government employees and contractors. The text of the email was published on Brian Krebs’ website. It read:
“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.”
The card then prompted users to click on a link, which downloaded a variant of ZeuS malware.
A control server allegedly based in Belarus manually sent out the email to a small number of recipients, which made the attack undetectable by security traps and sensors. Ultimately, more than 2GB of government documents were stolen in the attack. However, no classified documents were compromised.
On December 2013, Symantec reported a spike in the number of NTP amplification attacks. NTP stands for Network Time Protocol. It was originally developed by a professor at the University of Delaware as a means syncing the clocks of multiple computers.
According to Symantec’s blog post on the topic, NTP attacks are similar to DNS amplification attacks in that they use a small packet to request the delivery of a large amount of data to a specific IP address. In this case, the attackers used the monlist command, a query found in older versions of NTP that sends requesters a list of the last 600 hosts who connected to the server, as part of a series of DDoS attacks against certain targets, including a number of gaming sites in late December. The evolution of NTP amplification attacks in part reflects the Internet’s development thus far.
To sum up, here are some additional tips you can use to avoid becoming a victim of cyber fraud:
- Enable 2-factor authentication in all your accounts. You can find a list of services that support this here.
- Do not respond to unsolicited (spam) e-mail.
- Do not click on links contained within an unsolicited e-mail. Ask yourself: "Why am I being asked to click here?" If you’re not sure, don’t click!
- Be cautious of e-mail claiming to contain pictures in attached files; the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible. Ask yourself: "Does this look authentic?"
- Avoid filling out forms contained in e-mail messages that ask for personal information.
- Always compare the link in the e-mail to the link you are actually directed to and determine if they match and will lead you to a legitimate site.
- Log on directly to the official website for the business identified in the e-mail instead of "linking" to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
- Contact the actual business that supposedly sent the e-mail to verify that the e-mail is genuine.
- If you are requested to act quickly or there is an emergency that requires your attention, it may be a scam. Fraudsters create a sense of urgency to get you to act quickly.
- Remember if it looks too good to be true, it probably is not.
- Ensure your staff are educated ahead of the Christmas period. Phishing presents as much danger to businesses as it does individuals.
- Get a penetration test now before the Christmas period to test the security of your networks and systems.