Security pros warn of Black Friday threats

Annual shopping bonanza offers cybercriminals some great online deals

It's not just retailers who can cash in on consumers looking for cash-saving online Black Friday deals; cyber criminals are out to bag a bargain too.

According to the security community, both retailers and their customers face threats, albeit from different perspectives.

From the point of view of retailers, one of the biggest dangers is a database compromise, leading to customer data being leaked and reputations being ruined.


"This week Black Friday sales are expected to hit record levels, which, while good for the British economy, will raise concerns about the opportunities for scammers and cyber criminals," said Ross Brewer, vice president and managing director of EMEA at LogRhythm. "Indeed, all eyes will be on who and there will be some will fall victim to hackers' increasingly persistent and smart tactics. Retailers are prime targets because of the confidential data they hold whether it's bank details, email addresses or personal information.

"There's absolutely no doubt that cyber criminals will take advantage of this week's online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months."

There's also the danger of DDoS attacks disrupting their sites and forcing their customers to shop elsewhere.


"The run up to Black Friday and Cyber Monday is a trying time for those of us in cyber security," said Darren Anstee, CTO of Arbor Networks. "Cyber criminals are still up to old tricks, and will not miss an opportunity to deliberately target websites at a time of peak demand. Those unable to contain a DDoS attack risk losing their customers to competitors if they are unable to counter the attack, so it is essential that organisations expect cyber-attacks and know how to respond."


Of course, not all outages are down to a deliberate DDoS attack - with so many people looking for Black Friday deals, websites can simply buckle under the weight of genuine traffic.

Indeed, this seems already to have happened to some sites on Black Friday eve, including Ted Baker, Game and Calvin Klein.

"Before Black Friday even got underway, a number of e-commerce sites had already gone down as they couldn't cope with traffic surges," said Simon Wharton, managing director at PushON. "Not long after 9pm, Ted Baker was struggling to meet demand with users temporarily unable to access the site. GAME was also down for about three hours ... and Calvin Klein had opted to pay for adverts on Google, yet when users clicked on the ads, they were led to a blank page.

"This just highlights that some retailers have not taken the necessary steps to prepare for Black Friday ... why haven't retailers like Debenhams and Ted Baker learnt from last year's mistakes and took the time to make sure their sites were crash-proof early on?"


For consumers looking for a bargain, there are other perils to be aware of, particularly phishing scams, fake websites and malvertising.

"It's highly likely that almost everyone with an email account has been sent a phishing email at some point. But phishing attacks are becoming increasingly sophisticated and much harder to spot," added John Shier, senior security advisor at Sophos. "Though many [people] don't think that they have been phished, if phishing is done right you wouldn't know about it, so it's highly likely that the number of those who have been phished is actually a lot higher."


For both retailers and consumers, however, these potential threats don't stop once the Black Friday frenzy has cleared, as the run-up to Christmas and January sales also offer prime pickings for malicious actors thanks to the increase in transactions taking place.

How businesses can protect themselves

For businesses, dealing with Black Friday threats is a combination of ensuring standard security measures are up to scratch and having in place the systems and means to deal with surges of traffic.


For standard security measures, this means ensuring sufficient network protections, such as firewalls and intrusion detection systems, are in place with the software up to date. Other prevention, detection and resolution measures are also important, such as machine learning-driven software that can bring attention to erratic behaviour which could indicate an attempted intrusion or existing infection.

All retailers should also ensure end-to-end encryption for financial transactions in particular, and encrypt sensitive data at rest on their systems, such as credit card numbers, customer addresses, emails, telephone numbers and so on.

For traffic surges, whether they're caused by a DDoS attack or a genuine increase in interest, there are plenty of cloud bursting and traffic management services out there that can offer one-off protection or ongoing contracts (which could help for other busy times of year or any "out of the blue" attacks, which could happen at any time).

How consumers can protect themselves

While there's not much consumers can do to protect their data once it's on a retailer's system, there are many things that can be done before their data ever gets to that point.


Phishing scams are among the most popular when it comes to Black Friday and there are many ways cyber criminals may try to tempt you to click on a link. However, offers of incredibly - perhaps impossibly - good deals, such as 94% off an iPhone X, should raise a red flag.

"The old adage, 'if it seems too good to be true, it probably is' stands true with most of the Black Friday cyber scams, but it is important for consumers to become conditioned to recognise the signs of a fake deal," said Aaron Higbee, CTO of PhishMe.

Other tips include making sure the site really does have "https" in the URL and not just "http", even if it's displaying the padlock icon in the address bar; watching out for "typo-squatting" (for example, "ebya" rather than "ebay", or "amazan" rather than "amazon"); and ensuring there are contact details available in case something goes wrong with the order, such as a working phone number or customer service email address.
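The https and typo-squatting checks described above can be automated. The sketch below is an added example, not part of the original article: it flags links that are not https or whose hostname contains a label one edit (including a swap of two adjacent letters, as in "ebya") away from a known brand. The `KNOWN_BRANDS` allowlist and the `.example` hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of brand names the shopper really uses (illustrative only).
KNOWN_BRANDS = ("ebay", "amazon")

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "ya" typed for "ay".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def check_link(url, max_distance=1):
    """Return a list of warnings for a link; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    # Compare every hostname label with every brand. An exact match is not
    # flagged here, so a brand used as a subdomain of another site is out of
    # scope for this check.
    for label in host.split("."):
        for brand in KNOWN_BRANDS:
            dist = osa_distance(label, brand)
            if 0 < dist <= max_distance:
                warnings.append(f"'{label}' resembles '{brand}'")
    return warnings

# Constructed sample links (not real sites).
SAMPLES = [
    "https://www.ebya.example/deals",
    "http://amazan.example/iphone-94-off",
    "https://www.ebay.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_link(url) or "no flags")
```

A clean result only means these two checks passed; an https lookalike domain with a larger spelling change would not be caught at the default distance of 1.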


Finally, ensure you have security software installed that protects you while you are browsing online and also offers protection against malware downloads, no matter where they come from.

For trusted and genuine Black Friday Deals, you can head over to our sister site Alphr, which has a list of the best bargains on offer right now.
