Shopping Season Threat Averted: AliExpress Patches a Vulnerability That Could Have Allowed Credit Card Phishing
In the week of Black Friday, security researchers publicly disclosed a vulnerability in AliExpress.com, a popular online retail service owned by Alibaba and used by over 100 million customers worldwide. The shopping portal had an open redirect vulnerability that could have allowed attackers to display a fake coupon designed to phish sensitive information from shoppers who viewed it. AliExpress fixed it within two days of being notified.
The security researchers who devised an exploit technique for the vulnerability noted that AliExpress relied on a single simple check to stop such attacks: inspecting the Referer header of the request. If the Referer was missing or did not match the expected value, the server denied the request. Referer is an HTTP request header that carries the URL of the page from which the request was made; because it is supplied by the client, it can be suppressed or set to an expected value, so it is not a reliable access control on its own.
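A Referer check of the kind described above only asks where the request appears to come from; it says nothing about where the redirect itself points. The following Python example is added here for illustration and is not AliExpress's code or the researchers' proof of concept. It contrasts that check with one that validates the redirect destination against an allowlist. The host names, the header dictionary and the sample targets are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical hosts for this example; not AliExpress's real configuration.
TRUSTED_HOSTS = {"shop.example.com", "www.shop.example.com"}
DEFAULT_TARGET = "/"


def referer_check_allows(headers: dict) -> bool:
    """The style of check the article describes: accept the request only if the
    Referer header names a trusted host. This is weak because the header is
    client-supplied and, more importantly, the redirect target is never inspected.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname in TRUSTED_HOSTS


def safe_redirect_target(target: str) -> str:
    """Validate the destination itself.

    Accepts a site-relative path (single leading "/") or an absolute http(s) URL
    whose host is allowlisted; everything else falls back to DEFAULT_TARGET.
    """
    if not target:
        return DEFAULT_TARGET
    # Drop tab/newline characters and fold backslashes to "/", since some browsers
    # treat "\\" as "/" and "/\\evil.example" would otherwise look like a path.
    candidate = "".join(ch for ch in target.strip() if ch not in "\t\r\n")
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    # Only http(s) may leave the page; this rejects javascript:, data:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET

    if parts.netloc:
        # Absolute or protocol-relative ("//evil.example") URL: the host must be
        # allowlisted. .hostname strips userinfo and the port, so
        # "https://shop.example.com@evil.example" yields "evil.example".
        host = parts.hostname
        if host is None or host.lower() not in TRUSTED_HOSTS:
            return DEFAULT_TARGET
        return candidate

    # No authority component: require exactly one leading slash. "///evil.example"
    # is rejected here because browsers collapse the extra slashes into an authority.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed request: the Referer check passes, yet the target is hostile.
    headers = {"Referer": "https://shop.example.com/deals"}
    phish = "https://evil.example/fake-coupon"
    print("referer check:", referer_check_allows(headers))      # True
    print("destination check:", safe_redirect_target(phish))    # "/"
```

The destination check is the control that actually prevents the open redirect; a Referer check can at most be a secondary signal, and it should never be the only one.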
Defending Against Phishing Attacks
As the shopping season rolls around, attackers are expected to roll out phishing campaigns to take advantage of the holiday rush. If you suspect that you have fallen victim to a phishing scam, immediately change the passwords and PINs on all of your accounts.
Here are other tips on how to spot and avoid phishing scams:
- Bookmark shopping sites. Avoid using search engines to find good deals. Limiting your search to trusted, secured shopping sites can reduce the chances of you landing on a spoofed site.
- Always check the hyperlinks. Hover over an embedded link to see where it really points before clicking it.
- Spoofed emails usually open with a generic greeting. A message that addresses you by your email address rather than your name is a red flag.
- Watch out for poor grammar or dodgy spelling. Legitimate emails do not contain glaring errors.
- Recognize sloppily-designed emails. Wrong or out-of-place logos and layouts are signs that a message isn’t from a trusted source.
- Beware of websites that ask for your password. Never give away passwords or sensitive information to untrusted or third party sites.
- Steer clear of emails or sites that demand urgent action. Some messages include desperate calls to action, such as clicking certain links or disclosing personal information right away.
- Be wary of too-good-to-be-true offers. There's a saying that goes, “if something seems too good to be true, it probably is,” and it applies to online shopping. Be wary of items offered at very low prices.
- Routinely check your card statements. Be on the lookout for unauthorized transactions.