Security pros warn of Black Friday threats

Annual shopping bonanza offers cybercriminals some great online deals

It's not just retailers who can cash in on consumers looking for cash-saving online Black Friday deals, cyber criminals are out to bag a bargain too.

According to the security community, both retailers and their customers face threats, albeit from different perspectives.

From the point of view of retailers, one of the biggest dangers is a database compromise, leading to customer data being leaked and reputations being ruined.

"This week Black Friday sales are expected to hit record levels, which, while good for the British economy, will raise concerns about the opportunities for scammers and cyber criminals," said Ross Brewer, vice president and managing director of EMEA at LogRhythm. "Indeed, all eyes will be on who and there will be some will fall victim to hackers' increasingly persistent and smart tactics. Retailers are prime targets because of the confidential data they hold whether it's bank details, email addresses or personal information.

"There's absolutely no doubt that cyber criminals will take advantage of this week's online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months."

There's also the danger of DDoS attacks disrupting their sites and forcing their customers to shop elsewhere.

"The run up to Black Friday and Cyber Monday is a trying time for those of us in cyber security," said Darren Anstee, CTO of Arbor Networks. "Cyber criminals are still up to old tricks, and will not miss an opportunity to deliberately target websites at a time of peak demand. Those unable to contain a DDoS attack risk losing their customers to competitors if they are unable to counter the attack, so it is essential that organisations expect cyber-attacks and know how to respond."

Of course, not all outages are down to a deliberate DDoS attack - with so many people looking for Black Friday Deals, websites can simply buckle under the weight of genuine traffic.

Indeed, this seems already to have happened to some sites on Black Friday eve, including Ted Baker, Game and Calvin Klein.

"Before Black Friday even got underway, a number of e-commerce sites had already gone down as they couldn't cope with traffic surges." said Simon Wharton, managing director at PushON. "Not long after 9pm, Ted Baker was struggling to meet demand with users temporarily unable to access the site. GAME was also down for about three hours ... and Calvin Klein had opted to pay for adverts on Google, yet when users clicked on the ads, they were led to a blank page"

"This just highlights that some retailers have not taken the necessary steps to prepare for Black Friday ... why haven't retailers like Debenhams and Ted Baker learnt from last year's mistakes and took the time to make sure their sites were crash-proof early on?"

For consumers looking for a bargain, there are other perils to be aware of, particularly phishing scams, fake websites and malvertising.

"It's highly likely that almost everyone with an email account has been sent a phishing email at some point. But phishing attacks are becoming increasingly sophisticated and much harder to spot," added John Shier, senior security Advisor at Sophos. "Though many [people] don't think that they have been phished, if phishing is done right you wouldn't know about it, so it's highly likely that the number of those who have been phished is actually a lot higher."

For both retailers and consumers, however, these potential threats don't stop once the Black Friday frenzy has cleared, as the run-up to Christmas and January sales also offer prime pickings for malicious actors thanks to the increase in transactions taking place.

How businesses can protect themselves

For businesses, dealing with Black Friday threats is a combination of ensuring standard security measures are up to scratch and having in place the sytems and means to deal with surges of traffic.

For standard security measures, this means ensuring sufficient network protections, such as firewalls and intrusion detection systems, are in place with the software up to date. Other prevention, detection and resolution measures are also important, such as machine learning-driven software that can bring attention to erratic behaviour which could indicate an attempted intrusion or existing infection.

All retailers should also be ensuring end-to-end encryption for financial transactions in particular, as well as encrypting sensitive data at rest on its systems, such as credit card numbers, customer addresses, emails, telephone numbers and so on.

For traffic surges, whether they're caused by a DDoS attack or a genuine increase in interest, there are plenty of cloud bursting and traffic management services out there that can offer one-off protection or ongoing contracts (which could help for other busy times of year or any "out of the blue" attacks, which could happen at any time).

How consumers can protect themselves

While there's not much consumers can do to protect their data once it's on a retailer's system, there are many things that can be done before their data ever gets to that point.

Phishing scams are among the most popular when it comes to Black Friday and there are many ways cyber criminals may try to tempt you to click on a link. However, offering incredibly - perhaps impossibly - good deals, such as 94% off an iPhone X should raise a red flag.

"The old adage, 'if it seems too good to be true, it probably is' stands true with most of the Black Friday cyber scams, but it is important for consumers to become conditioned to recognise the signs of fake deal," said Aaron Higbee, CTO of PhishMe.

Other tips include making sure the site really does have "https" in the url and not just "http", even if it's displaying the padlock icon in the address bar, watching out for "typo-squatting" (for example, "ebya" rather than "ebay", or "amazan" rather than "amazon"), and ensuring there are contact details available in case something goes wrong with the order, such as a working phone number or customer service emails address.

Finally, ensure you have security software installed that protects you while you are browsing online and also offers protection against malware downloads, no matter where they come from.

For trusted and genuine Black Friday Deals, you can head over to our sister site Alphr, which has a list of the best bargains on offer right now.

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

Recommended

Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Australia announces $1.35 billion investment in cyber security
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
CSA and ISSA form cyber security partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do I fix the Windows 10 Start Menu if it's frozen?
operating systems

How do I fix the Windows 10 Start Menu if it's frozen?

3 Aug 2020