Attackers Gearing Up for Cyber Monday With Scams, Deals

Criminals and scammers are targeting online shoppers looking for deals with too-good-to-be-true offers for Cyber Monday.

Holiday shoppers planning to search for that perfect gift are gearing up for online deals on Monday after Thanksgiving. Security experts warned that scammers are also ramping up their efforts for the biggest online shopping day of the season.

With close to $1 billion in online sales, last year's Cyber Monday surpassed Black Friday as the highest-volume day for holiday shopping. This year's Cyber Monday is shaping up to be even bigger, with shoppers expected to do more than a third of their holiday shopping online, to the tune of $1.2 billion, according to the National Retail Federation.

"Even more holiday shopping will happen online this year than last, and that means more scammers will be looking to do some shopping of their own-possibly at your expense," said Stephen Cobb, a security evangelist for ESET.

The search term "Cyber Monday Deals" has seen a 400 percent increase in the month of November, according to search statistics available from Google. Cyber-criminals created fake Websites targeting keywords such as "tech," "jewelry" and "toys" that poison search and appear high on results pages. When users land on these optimized pages, they are redirected to other malicious sites that download malware onto their computers or trick them into divulging personal information.

Enterprises are also at great risk on Cyber Monday, since a significant chunk of the online shopping will occur while people are at work. In fact, almost 60 percent of the nearly $900 million in online purchases two years ago on Cyber Monday were made from the workplace, McAfee said. While shopping, consumers will be "putting their organizations at risk for malware, spam, phishing scams" and other threats, the company said.

Scammers are also pushing out malicious emails pretending to have special Cyber Monday deals. Users should "beware of everything and everybody," Michael Sutton, vice-president of security research at Zscaler ThreatLabZ, told eWEEK. Users need to be "cautious, vigilant and wary about everything," including search results, what links to click on, what information is provided online, who sends a message on social networks and what emails arrive in the in-box, according to Sutton. Users should not click on links to avail themselves of deals-since if it sounds too good to be true, it probably is.

Zscaler and McAfee recommended that organizations remind employees to be aware of social engineering tricks and offer examples of common scams, such as fake e-cards and offers of free expensive gadgets or deals.

For example, the research team at German security company "eleven" warned about emails promising a $50 iTunes gift certificate. The messages come with the subject line "iTunes Gift Certificate" and have a Zip file attached, which allegedly contains the special shopping code to use on the site. When the Zip file is opened, it actually executes the Trojan that installs itself and phones home to a remote server for additional instructions, eleven said.

Employees should make sure their operating system has the latest patches and that all software, Web browser and security tools are up-to-date. Users need to exercise caution when going online, regardless of the device being used, whether it's a laptop or desktop, a mobile device or a Web-enabled device.

McAfee even recommended monitoring user activity or locking down Internet access to cut down the probability of malicious activity within the organization. Since employees are just as likely to use their devices when shopping instead of using the company-issued system, Staples recommended segmenting the network, such as creating a "guest network," to separate network traffic generated by personal devices from corporate resources.

Users should also shop from major retailers and reputable sellers known for delivering what they offer. The online merchant should have invested in basic security measures, such as having a valid Secure Sockets Layer (SSL) Web server certificate from a reputable provider, Mark Bower, a vice president at Voltage Security, told eWEEK. All transactions, regardless of the device being used, should be done over a secure connection because, otherwise, a third party can intercept the information.