Security pros warn of Black Friday threats

Annual shopping bonanza offers cybercriminals some great online deals

It's not just retailers who can cash in on consumers looking for cash-saving online Black Friday deals, cyber criminals are out to bag a bargain too.

According to the security community, both retailers and their customers face threats, albeit from different perspectives.

From the point of view of retailers, one of the biggest dangers is a database compromise, leading to customer data being leaked and reputations being ruined.

Advertisement - Article continues below

"This week Black Friday sales are expected to hit record levels, which, while good for the British economy, will raise concerns about the opportunities for scammers and cyber criminals," said Ross Brewer, vice president and managing director of EMEA at LogRhythm. "Indeed, all eyes will be on who and there will be some will fall victim to hackers' increasingly persistent and smart tactics. Retailers are prime targets because of the confidential data they hold whether it's bank details, email addresses or personal information.

"There's absolutely no doubt that cyber criminals will take advantage of this week's online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months."

There's also the danger of DDoS attacks disrupting their sites and forcing their customers to shop elsewhere.

Advertisement
Advertisement - Article continues below

"The run up to Black Friday and Cyber Monday is a trying time for those of us in cyber security," said Darren Anstee, CTO of Arbor Networks. "Cyber criminals are still up to old tricks, and will not miss an opportunity to deliberately target websites at a time of peak demand. Those unable to contain a DDoS attack risk losing their customers to competitors if they are unable to counter the attack, so it is essential that organisations expect cyber-attacks and know how to respond."

Advertisement - Article continues below

Of course, not all outages are down to a deliberate DDoS attack - with so many people looking for Black Friday Deals, websites can simply buckle under the weight of genuine traffic.

Indeed, this seems already to have happened to some sites on Black Friday eve, including Ted Baker, Game and Calvin Klein.

"Before Black Friday even got underway, a number of e-commerce sites had already gone down as they couldn't cope with traffic surges." said Simon Wharton, managing director at PushON. "Not long after 9pm, Ted Baker was struggling to meet demand with users temporarily unable to access the site. GAME was also down for about three hours ... and Calvin Klein had opted to pay for adverts on Google, yet when users clicked on the ads, they were led to a blank page"

"This just highlights that some retailers have not taken the necessary steps to prepare for Black Friday ... why haven't retailers like Debenhams and Ted Baker learnt from last year's mistakes and took the time to make sure their sites were crash-proof early on?"

Advertisement - Article continues below

For consumers looking for a bargain, there are other perils to be aware of, particularly phishing scams, fake websites and malvertising.

"It's highly likely that almost everyone with an email account has been sent a phishing email at some point. But phishing attacks are becoming increasingly sophisticated and much harder to spot," added John Shier, senior security Advisor at Sophos. "Though many [people] don't think that they have been phished, if phishing is done right you wouldn't know about it, so it's highly likely that the number of those who have been phished is actually a lot higher."

Advertisement
Advertisement - Article continues below

For both retailers and consumers, however, these potential threats don't stop once the Black Friday frenzy has cleared, as the run-up to Christmas and January sales also offer prime pickings for malicious actors thanks to the increase in transactions taking place.

How businesses can protect themselves

For businesses, dealing with Black Friday threats is a combination of ensuring standard security measures are up to scratch and having in place the sytems and means to deal with surges of traffic.

Advertisement - Article continues below

For standard security measures, this means ensuring sufficient network protections, such as firewalls and intrusion detection systems, are in place with the software up to date. Other prevention, detection and resolution measures are also important, such as machine learning-driven software that can bring attention to erratic behaviour which could indicate an attempted intrusion or existing infection.

All retailers should also be ensuring end-to-end encryption for financial transactions in particular, as well as encrypting sensitive data at rest on its systems, such as credit card numbers, customer addresses, emails, telephone numbers and so on.

For traffic surges, whether they're caused by a DDoS attack or a genuine increase in interest, there are plenty of cloud bursting and traffic management services out there that can offer one-off protection or ongoing contracts (which could help for other busy times of year or any "out of the blue" attacks, which could happen at any time).

How consumers can protect themselves

While there's not much consumers can do to protect their data once it's on a retailer's system, there are many things that can be done before their data ever gets to that point.

Advertisement - Article continues below

Phishing scams are among the most popular when it comes to Black Friday and there are many ways cyber criminals may try to tempt you to click on a link. However, offering incredibly - perhaps impossibly - good deals, such as 94% off an iPhone X should raise a red flag.

"The old adage, 'if it seems too good to be true, it probably is' stands true with most of the Black Friday cyber scams, but it is important for consumers to become conditioned to recognise the signs of fake deal," said Aaron Higbee, CTO of PhishMe.

Other tips include making sure the site really does have "https" in the url and not just "http", even if it's displaying the padlock icon in the address bar, watching out for "typo-squatting" (for example, "ebya" rather than "ebay", or "amazan" rather than "amazon"), and ensuring there are contact details available in case something goes wrong with the order, such as a working phone number or customer service emails address.

Advertisement - Article continues below

Finally, ensure you have security software installed that protects you while you are browsing online and also offers protection against malware downloads, no matter where they come from.

For trusted and genuine Black Friday Deals, you can head over to our sister site Alphr, which has a list of the best bargains on offer right now.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/infrastructure/server-storage/355785/dell-emc-poweredge-r7525-review-an-epyc-core-density-to-make
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020