Beware of Holiday-Themed Multi-component Online Threats
The holidays historically usher in a significant number of threats, as cybercriminals consistently look out for more lucrative opportunities and as the holidays present the perfect venue for launching themed attacks. Cybercriminals often leverage holiday activities to launch attacks targeting unsuspecting users.
Sending Holiday Greetings
Sending e-cards is a practical and easy way of sending love and cheer to loved ones. However, instead of sending love and cheer, some e-cards send out malware. Worse still, these email greetings may be used to steal information.
Online shopping is also fast becoming the preferred means to buy goods during the holidays. Studies show that 83% of consumers opt to shop online for Thanksgiving. The U.S. online shopper volume is also expected to increase to 78% of the overall shopper volume by 2014.
Reports also revealed that mobile shopping is on the rise, as 43% of U.S. consumers continue to use their smartphones to conduct research on goods they wish to buy online. Moreover, 26% of the consumers in the Asia/Pacific region use their mobile devices to do research on products while 40% of U.K. consumers use their mobile devices to purchase goods online. With these numbers, it is not surprising that cybercriminals target online shoppers using different tactics.
Looking for Deals and Promos
Since it is the season for shopping, consumers are also most likely to take advantage of promotions and deals. Cybercriminals respond by churning out fake promos and deals, all to steal information and to spread malware.
For more information on holiday-themed threats, take a look at the following blog entries and articles:
- Black Friday Spammed Message Offers Bogus Discounts
- Christmas Spam in February?
- 'Tis the Season to Be Wary
What holiday threats can users come across?
Cybercriminals are well aware that Internet use spikes during the holidays. Users deliberately take time out to send holiday greetings to friends and loved ones via email and social networking sites. It is thus only logical that cybercriminals leverage these to lure in victims.
How do these threats get into users' systems?
Holiday-themed threats can get into users' systems in several ways. For starters, spamming has seemingly become a holiday cybercriminal tradition. Typical holiday spam includes fake e-cards, advertisement spam, and spam with malware attachments.
Figure 1. Fake Christmas e-card
Blackhat SEO has likewise been rampantly used in the past, as this enabled cybercriminals to increase the page ranking of malicious sites in search engine results pages. Users keying in holiday-related keywords are more likely to fall prey to poisoned search results.
Some threats like survey scams are now spreading via social networking sites. For instance, a scam made use of Tweets about gift vouchers, which eventually led users to spam sites.
Another survey scam used Facebook to trick users into thinking they were getting free Starbucks coffee. The said scam redirected users several times before they finally landed on a survey scam site. Like other survey scams, users were asked to give out their mobile phone numbers, after which they were subscribed to premium paid services without their knowledge.
A similar tactic was used by a fake Starbucks promo page that pointed to a survey scam site. These same tactics may be used to launch similar cybercriminal attacks during the holidays. For more information on similar threats, take a look at our e-book, "Spam, Scams, and Other Social Media Threats."
Trend Micro researchers also warn users of letters supposedly from Santa Claus. This particular spam urged users to write letters and send these via email to family members and friends. Those who were tricked into doing so ended up divulging personal information like email addresses and paying certain amounts for the delivery of the said letters.
Figure 2. Personalized letter supposedly from Santa Claus
Cybercriminals also take advantage of the popularity of social networking sites to spread various threats. For instance, one scam made use of tweets promising gift vouchers, which eventually led users to spam sites.
Another survey scam used Facebook and Twitter to trick users into thinking they were getting free cups of Starbucks coffee. The scam redirected users several times before they finally landed on a survey scam site. Users were asked to give out their mobile phone numbers, after which they were subscribed to premium paid services without their knowledge.
Figure 3. Screenshot of the survey scam site that asks users to give out their mobile phone numbers
Online shopping likewise gives cybercriminals an opportunity to spread holiday mischief, as more and more people spend more time hunting for great bargains and huge discounts.
What other holiday-related threats should users watch out for?
Aside from the previously mentioned threats, cybercriminals may also use the holiday season in other schemes. Cybercriminals used to frequently launch blackhat search engine optimization (SEO) attacks against unsuspecting users. Session hijacking can cause users’ credentials and personal information to land in cybercriminals’ laps for use in malicious deeds like impersonation. Mass compromises, as in osCommerce’s case, can put users at great risk of system infection and data (e.g., credit card information) theft.
What holiday-themed threats should mobile users watch out for?
Like desktop PC users, mobile users should watch out for spam campaigns and phishing attacks. Some phishing sites are well-designed, making it hard for users to differentiate between them and legitimate sites. Well-executed designs, coupled with mobile phones’ smaller screens, can make it harder for users to closely scrutinize a web page’s veracity.
Users should also be wary of Trojanized apps when downloading from official or third-party app stores. They can check the legitimacy of these apps by looking for other users’ ratings and reviews.
How do holiday-themed threats affect users?
Apart from effectively dampening the holiday spirit, threats pose various risks to users. Spam may seem like more of an annoyance than a threat but it can pose serious risks. Spam with malicious links that took advantage of Black Friday, for instance, led users to malicious sites. Those who ended up on these pages may unwittingly engage in dubious transactions while availing of supposed offers. They may also automatically download malware onto their systems.
Users who fall prey to various scams are in danger of handing over personal information by filling out fake forms. Survey scam victims, in particular, may end up paying for premium mobile service subscriptions they did not even want to avail of.
Mass compromises may also have dire consequences for enterprises and consumers alike. These may, for one, disrupt business operations, which may translate to profit loss. Affected users, on the other hand, are at risk of data or financial theft.
What types of information do cybercriminals steal from users?
Cybercriminals launch a plethora of holiday-themed attacks to obtain user information like credit card credentials, online banking PINs, and other personal data. The stolen data may lead to the launch of more damaging attacks or may be sold underground.
Are Trend Micro product users protected from holiday-themed threats?
Yes, Trend Micro product users are protected from all kinds of holiday-themed threats. Powered by the Trend Micro™ Smart Protection Network™, Trend Micro products' email reputation technology blocks spam from even reaching users' inboxes. Web reputation technology, meanwhile, blocks user access to malicious sites that either host malware or serve spam. Finally, file reputation technology prevents the execution of and deletes all known malicious files from users' systems.
Apart from using security software, what can users do to prevent holiday-themed threats from affecting them?
To avoid becoming a cybercrime victim during the holidays, keep the following best practices in mind.
Best Practices When Opening Email
- Immediately delete dubious email, especially those that come from unknown senders.
- To avoid becoming a phishing victim, make it a habit to mouse over embedded links or images in dubious email in order to check the legitimacy of the URL that appears in the lower left-hand corner of the browser window.
- Avoid downloading file attachments and clicking links embedded in spam and dubious email.
- Scrutinize online promotions, especially those that come from questionable sources.
- Remember that offers that are too good to be true usually are.
- Conduct your own research to verify seemingly legitimate email offers.
- Install security software that immediately deletes spam from your inboxes and that verifies the legitimacy of the sites you visit.
Best Practices When Surfing the Web
- Bookmark frequently visited sites. When visiting a site for the first time, directly type in its URL in your browser’s address bar in order to avoid stumbling upon bad sites.
- Do not click suspicious-looking URLs even if these appear as top search engine results. Consider a link suspicious if any or some of its components are made up of random characters.
- Read the overview of a search result (i.e., the set of text that appears right after the page title in bold). Search results whose overview does not provide sensible, brief site descriptions are usually malicious in nature. A sure sign of blackhat-SEO-related sites is the presence of randomly stuffed keywords in the overview.
- Make it a habit to keep online transaction records in order to avoid becoming scam and/or fraud victims.
- Check the page rating of a site listed on a search engine results page before clicking its link.
- Keep in mind that the best things in life are hardly ever free. In fact, most sites that advertise free stuff usually just give you free malware.
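The mouse-over check from the email list and the random-character rule from the web list can be run automatically over an HTML message body. The following is an added example, not Trend Micro code: the `looks_random` thresholds, the plain host comparison (no public-suffix list) and the sample message are assumptions, and only host labels are tested for randomness.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body; every domain uses the reserved .example TLD.
SAMPLE = """
<p>Your e-card: <a href="http://x7qk2vz9p4wd.example/card">www.greetings.example/card</a></p>
<p>Order status: <a href="https://shop.example/orders">shop.example/orders</a></p>
<p><a href="http://promo.example/free">Claim your free coffee</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host without a leading 'www.'; accepts scheme-less text."""
    if "//" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def looks_random(label):
    """Assumed heuristic: long label with almost no vowels or many letter/digit switches."""
    letters = [c for c in label if c.isalpha()]
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(label, label[1:]))
    few_vowels = len(letters) >= 8 and sum(c in "aeiou" for c in letters) / len(letters) < 0.15
    return len(label) >= 8 and (few_vowels or switches >= 3)

def review_links(html):
    """Return {href: [reasons]} for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons, target = [], host_of(href)
        # The displayed text claims a destination only if it looks like a URL or domain.
        if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", text):
            shown = host_of(text)
            if target != shown and not target.endswith("." + shown):
                reasons.append(f"text shows {shown} but link goes to {target}")
        if any(looks_random(label) for label in target.split(".")):
            reasons.append(f"random-looking host label in {target}")
        if reasons:
            findings[href] = reasons
    return findings
```

Calling `review_links(SAMPLE)` flags only the e-card link, for both reasons; a link whose visible text is a slogan rather than a URL is judged on its host alone.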
FROM THE FIELD: EXPERT INSIGHTS
"The festive holiday season is a consistent cybercrime favorite because of the sheer number of shoppers that flood online shops at this time. Every year, as the number of holiday shoppers increases, so does the number and sophistication of cybercrime attacks." -- Nino Penoliar, Anti-Spam Research Engineer
"The Internet is a dangerous place, especially during this season. Customers should stick to what they know, such as familiar websites, in order to avoid online threats." -- Ivan Macalintal, Senior Threat Research Manager