Cyber-Crimes Likely to Surface During Holidays: 10 Common Scenarios

by Chris Preimesberger

It is probably the most common type of cyber-attack: A retailer is targeted by a botnet, and this results in a DDoS attack that brings down the retailer’s website or sites.

A cyber-criminal masquerades as a merchant and a buyer, and manipulates the open platform of an app store/marketplace for financial gain. The fraudster cashes in on rebates and earns points from credit card incentive programs.

An online merchant looks to expand through mobile platforms and allows customers to access its Websites through smartphones and tablets. Customers are exposed to data-stealing malware that infiltrates their mobile devices and captures account access credentials, which criminals then use or sell.

An online retailer hires an agency to conduct an online advertising campaign. The agency is paid on a “per-click” basis. However, an outsider with the agency’s access enters multiple thousands of clicks that turn out not to be the paid clicks from interested consumers.

A cyber-criminal steals hundreds of credit card numbers and uses a merchant’s credit or debit payment function to validate active credit cards.

A fraudster does an end-run around an online retailer’s pricing policy. He selects a heavily discounted item, places it in the shopping cart, and then delays the check-out. He comes back to the cart later after obtaining an e-coupon and applies the discount to the final purchase price, thus obtaining the item well below the retailer’s cost.

A successful spear-phishing scam results in a cyber-criminal obtaining the usernames and passwords of a merchant’s customers. Customer account information was compromised because the retailer’s employees were duped by what appeared to be a legitimate internal company email communication. The cyber-criminal launched the campaign by obtaining key employee email addresses directly from the retailer’s Website.

A merchant expands customer payment options to include Internet payment methods such as PayPal, Google Wallet, Amazon Checkout and others. A criminal looking for Websites that have recently added Internet payment processes identifies this site and exploits any lack of fully implemented security controls.

A cyber-criminal creates a fake Website that imitates a legitimate company’s Website. Loyal and prospective customers are lured to this bogus Website, where they are asked to provide personal information to register for a promotion or offer. This leads to the theft of sensitive information such as credit-card numbers and addresses.

To combat attacks during the holiday shopping season, prepare your site by ensuring that you have visibility into attack types such as DDoS at both the network and application layers to maximize your return-on-investment on your Web application. Also, a mixture of navigation and network security is required to properly mitigate these costly attack vectors. Merchants should also monitor the use of all entry points to their site, especially at times of high volume.