Phishing is a perennial favourite. Attackers don’t have to worry about hacking through a firewall, finding a zero-day exploit, deciphering encryption, or rappelling down an elevator shaft with a set of lockpicks in their teeth.
Hyperactive online activity and potentially compromised purchasing, promotion and sales behaviours during the seasonal ecommerce shopping frenzy are like a red rag to a bull for enterprising cybercriminals, according to an official at F5 Networks.
David Warburton, Principal Threat Evangelist at F5 Networks, said that from denial of service (DoS) attacks shutting down retailers in their revenue-generating prime to ransomware campaigns extorting your hard-earned spending money, there’s a world of banana skins out there.
Formjacking is one of this year’s most notable threats and is, according to F5 Labs’ 2019 Application Protection Report, now one of the most common web attack tactics in play. It was responsible for 71% of F5 Labs-analysed, web-related data breaches in 2018.
“As more web applications connect to critical components such as shopping carts, card payments, advertising and analytics, vendors become an outsized target. Code can be delivered from a wide range of sources – almost all of which are beyond the boundaries of usual enterprise security controls. Since many websites make use of the same third-party resources, attackers know that they just need to compromise a single component to skim data from a huge pool of potential victims,” Warburton said.
“Phishing is also a perennial favourite. Attackers don’t have to worry about hacking through a firewall, finding a zero-day exploit, deciphering encryption, or rappelling down an elevator shaft with a set of lockpicks in their teeth. It is far easier to trick someone to hand over their credentials. The hardest part is coming up with a convincing email pitch to get people to click on, and a fake site to land on,” he added.
Interestingly, F5 Labs suggests that phishing is no longer as seasonally specific or predictable. Last year, the F5 Security Operations Centre (SOC) reported a 50% phishing attack spike between October and January. That is changing, driven in part by social media making personal data freely available at any time. While that is another story in and of itself, phishing will invariably figure prominently for the next few months.
Judgement can go out the window when all those eye-popping discounts hit, even for the most cyber-savvy consumer. Top tips to avoid getting hoodwinked include:
Don’t be lured into a false sense of security though. The F5 Labs 2019 Phishing and Fraud Report found that phishers continue to push for deceptive credibility, with as many as 71% of phishing sites using HTTPS to appear more legitimate. The most impersonated brands and services are Facebook, Microsoft Office Exchange, and Apple.
The challenge for retailers
Retailers need to protect both operations and customers. The costs of slipping up are significant. IBM’s 2019 Cost of a Data Breach Report revealed that the global average, per-record cost of a retail breach is $119 (up 1,7% year-on-year).
Recommended security must-haves include:
“It is going to get noisy out there. Bargains will be had. Retail records will fall. Data will be stolen, and reputations will be dented. Distractions are everywhere. We all need to do our bit to pre-empt and snuff out cybercriminals’ inevitable seasonal buoyancy,” Warburton said.