With the worldwide economy still mired in a semi-historic slump, some savvy cyber-attackers are departing from the usual raft of Santa Claus e-cards and reindeer-in-the-living-room themed multimedia codec attacks in favor of threats engineered to suck in those people desperate for a few extra bucks to add to their holiday budgets.
More people than ever are likely to be wondering how they’re going to shell out for holiday cheer this year and predictably attackers are launching a wave of attacks aimed at work-at-home moms and paycheck-starved students in hopes of lining their own pockets for the year-end consumer crusade.
And those on the other side looking to embrace the spirit of giving are also being targeted, as usual.
As McAfee AVERT Labs researcher Sam Masiello highlights in a blog post on the topic, with U.S. unemployment over 10 percent and the mortgage crisis still lingering over the national economic scene the arrival of the holiday buying season is already creating an atmosphere where scammers may find more people than ever who are ripe for the picking.
The expert points out that in this regard, by adapting their threats to align with current social issues like unemployment at the holidays, many cyber-criminals have become master marketers.
Through campaigns launched by more traditional means such as e-mail and via more enterprising tactics including postings on Twitter, attackers are hitting up end users with ploys that promise a quick way to make a buck or share some good tidings before the holidays have already arrived.
Most of the attacks are either phishing oriented or seek to trick people into clicking on their embedded links to load malware attacks onto endpoint machines, Masiello said.
“Fears of not being able to pay the monthly mortgage, car payments, backed up bills, and providing for your children for the holidays have put many people into situations that they never thought they would find themselves in,” the expert notes. “This has caused many to become desperate and vulnerable as the try to make ends meet. Cyber criminals are always looking to take advantage of vulnerable situations as a way to dupe people into giving up your sensitive information.”
To help users navigate the landscape of threats and avoid being duped for the holidays McAfee has published a special “12 Scams of Christmas” report that highlights the many different types of attacks that people need to be most aware of.
Among the sources of virtual stocking coal highlighted by the company are:
-Phony charitable phishing scams, many of which are designed to look as if they come from real charities. -Fake delivery invoices, again made to look like they really originated at legitimate overnight carriers. -Poisoned social networking friend requests, particularly those themed to come from long lost relations. -Holiday e-cards, though why anyone opens e-cards of any kind anymore is beyond me. -Discount luxury jewelry sales pitches, just in case you want to give someone a fake designer watch. -Malware-ridden Christmas carol lyrics sites, which is actually a pretty darn devious angle. -Job search scams, as undoubtedly new employment would be the biggest gift of all for many, sadly. -Auction site fraud, because everyone is looking for a sweet deal on something this year. -Password stealing scams, since so many people are coming online to do shopping in Q4. –E-banking attacks, as we’re all keeping an even closer eye on that balance until after Jan. 1. -Ransomware, as nothing says home for the holidays like a hijacked desktop.
Obviously none of these tactics are new or wildly sophisticated, but the truth is that end users are really more vulnerable over the holidays, driven either by financial desperation or feel-good charitable generosity.
Welcome to the holidays circa 2009.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.