Shoppers heading to the stores for Black Friday shopping this week should be vigilant when using mobile devices as scammers and criminals will be gunning for them, security experts warned.
Mobile appears to be king on this year's Black Friday, traditionally the biggest holiday shopping day of the year. Many shoppers will use their mobile devices to compare prices and research products while in stores to make sure they are getting more for their money.
A recent study from Webroot found that nearly half of the respondents planned to use a smartphone or tablet to purchase holiday gifts this year and that Android and iOS users prefer using a mobile app rather than the mobile Web browser when shopping online.
Many online retailers plan to offer mobile-only deals on Friday after Thanksgiving to lure customers away from brick-and-mortar stores. Amazon.com is offering shoppers the PriceCheck app to compare deals they are seeing in the store with what is available on the online retail giant's site.
Retailers that offer their own shopping apps also plan to offer exclusive sales offers to customers who have these apps installed on their mobile devices to encourage them to come to their stores. Apps such as ShopSavvy compare prices across several stores for the consumer. There are also apps available that allow users to use alternative payment methods with their phones.
All these apps designed to save money and make shopping easier mean users have to be careful where they are downloading these apps from, warned antivirus software producer McAfee. Holiday shopping is not the time to be downloading from unofficial app stores or trying out new payment apps from unknown companies as many examples of mobile malware masquerade as legitimate-looking apps.
Shoppers should also steer clear of using public wireless networks while shopping. It's very easy for criminals to set up fake hotspots and intercept login credentials and other sensitive information from connected users on their mobile devices, Alex Horan, senior product manager at Core Security, told eWEEK. While that's a good piece of advice to follow year-round, normally security-conscious users may succumb to the "irresistible" urge to compare the latest deals available in the store with online retailers or check their banking balance, according to Kaspersky Lab. Using mobile carriers' 3G networks for mobile browsing is always safer, since criminals have not yet managed to compromise them.
The Webroot study also found that shoppers are using their phones to scan barcodes and Quick Response (QR) codes to find out more about products. There has been an increase in malicious QR codes, where users scan them using their smartphones thinking they will find good deals or more information. Instead they get sent to a phishing page. Other malicious QR codes direct users to a page hosting malicious files that can be downloaded onto the user's Android phone, according to Kaspersky Lab researcher Denis Maslennikov.
Shoppers are also susceptible to clicking on links, especially if they think the link is for a coupon or a deal from sites like Living Social and Groupon, which encourage friends to spread the link through their social networks. "Attackers know that users will click on just about anything to save a buck, and during the holiday season they'll click twice," warned Adam Powers, CTO of Lancope, a producer of network traffic monitoring technology. Powers also noted that many malicious links may appear on Facebook. Shortened links to bad sites may also be sent through email and Twitter.
Shoppers also have to secure their devices so that if lost, the devices can't be used to access their personal accounts or steal sensitive information. Credant Technologies recently surveyed the top 15 shopping malls in the United States and learned that shoppers had lost 2,200 tablets, smartphones and USB drives in these very public spaces. The majority of the devices were found in the food court while the rest were found in restrooms. Half were never reclaimed, according to Credant Technologies. If those devices didn't at least have a passcode or PIN assigned, it would be child's play for anyone to access online accounts.