Security pros warn of Black Friday threats

Annual shopping bonanza offers cybercriminals some great online deals

It's not just retailers who can cash in on consumers looking for cash-saving online Black Friday deals, cyber criminals are out to bag a bargain too.

According to the security community, both retailers and their customers face threats, albeit from different perspectives.

From the point of view of retailers, one of the biggest dangers is a database compromise, leading to customer data being leaked and reputations being ruined.

"This week Black Friday sales are expected to hit record levels, which, while good for the British economy, will raise concerns about the opportunities for scammers and cyber criminals," said Ross Brewer, vice president and managing director of EMEA at LogRhythm. "Indeed, all eyes will be on who and there will be some will fall victim to hackers' increasingly persistent and smart tactics. Retailers are prime targets because of the confidential data they hold whether it's bank details, email addresses or personal information.

"There's absolutely no doubt that cyber criminals will take advantage of this week's online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months."

There's also the danger of DDoS attacks disrupting their sites and forcing their customers to shop elsewhere.

"The run up to Black Friday and Cyber Monday is a trying time for those of us in cyber security," said Darren Anstee, CTO of Arbor Networks. "Cyber criminals are still up to old tricks, and will not miss an opportunity to deliberately target websites at a time of peak demand. Those unable to contain a DDoS attack risk losing their customers to competitors if they are unable to counter the attack, so it is essential that organisations expect cyber-attacks and know how to respond."

Of course, not all outages are down to a deliberate DDoS attack - with so many people looking for Black Friday Deals, websites can simply buckle under the weight of genuine traffic.

Indeed, this seems already to have happened to some sites on Black Friday eve, including Ted Baker, Game and Calvin Klein.

"Before Black Friday even got underway, a number of e-commerce sites had already gone down as they couldn't cope with traffic surges." said Simon Wharton, managing director at PushON. "Not long after 9pm, Ted Baker was struggling to meet demand with users temporarily unable to access the site. GAME was also down for about three hours ... and Calvin Klein had opted to pay for adverts on Google, yet when users clicked on the ads, they were led to a blank page"

"This just highlights that some retailers have not taken the necessary steps to prepare for Black Friday ... why haven't retailers like Debenhams and Ted Baker learnt from last year's mistakes and took the time to make sure their sites were crash-proof early on?"

For consumers looking for a bargain, there are other perils to be aware of, particularly phishing scams, fake websites and malvertising.

"It's highly likely that almost everyone with an email account has been sent a phishing email at some point. But phishing attacks are becoming increasingly sophisticated and much harder to spot," added John Shier, senior security Advisor at Sophos. "Though many [people] don't think that they have been phished, if phishing is done right you wouldn't know about it, so it's highly likely that the number of those who have been phished is actually a lot higher."

For both retailers and consumers, however, these potential threats don't stop once the Black Friday frenzy has cleared, as the run-up to Christmas and January sales also offer prime pickings for malicious actors thanks to the increase in transactions taking place.

How businesses can protect themselves

For businesses, dealing with Black Friday threats is a combination of ensuring standard security measures are up to scratch and having in place the sytems and means to deal with surges of traffic.

For standard security measures, this means ensuring sufficient network protections, such as firewalls and intrusion detection systems, are in place with the software up to date. Other prevention, detection and resolution measures are also important, such as machine learning-driven software that can bring attention to erratic behaviour which could indicate an attempted intrusion or existing infection.

All retailers should also be ensuring end-to-end encryption for financial transactions in particular, as well as encrypting sensitive data at rest on its systems, such as credit card numbers, customer addresses, emails, telephone numbers and so on.

For traffic surges, whether they're caused by a DDoS attack or a genuine increase in interest, there are plenty of cloud bursting and traffic management services out there that can offer one-off protection or ongoing contracts (which could help for other busy times of year or any "out of the blue" attacks, which could happen at any time).

How consumers can protect themselves

While there's not much consumers can do to protect their data once it's on a retailer's system, there are many things that can be done before their data ever gets to that point.

Phishing scams are among the most popular when it comes to Black Friday and there are many ways cyber criminals may try to tempt you to click on a link. However, offering incredibly - perhaps impossibly - good deals, such as 94% off an iPhone X should raise a red flag.

"The old adage, 'if it seems too good to be true, it probably is' stands true with most of the Black Friday cyber scams, but it is important for consumers to become conditioned to recognise the signs of fake deal," said Aaron Higbee, CTO of PhishMe.

Other tips include making sure the site really does have "https" in the url and not just "http", even if it's displaying the padlock icon in the address bar, watching out for "typo-squatting" (for example, "ebya" rather than "ebay", or "amazan" rather than "amazon"), and ensuring there are contact details available in case something goes wrong with the order, such as a working phone number or customer service emails address.

Finally, ensure you have security software installed that protects you while you are browsing online and also offers protection against malware downloads, no matter where they come from.

For trusted and genuine Black Friday Deals, you can head over to our sister site Alphr, which has a list of the best bargains on offer right now.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

What is DevSecOps and why is it important?
Security

What is DevSecOps and why is it important?

30 Oct 2020
Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle
Security

Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

30 Oct 2020
Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020
REvil hacking group says it has made more than $100m in a year
Security

REvil hacking group says it has made more than $100m in a year

29 Oct 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020