Black Friday is nigh, and with millions of credit card-wielding shoppers ready to pounce on arguably the best deals of the year, the shopping fest may turn out to be a bonanza for malicious hackers too.
Hackers have used Black Friday fests to defraud and rob millions of buyers over the years, and this year’s shopping fest will be no different.
The UK will, in all probability, witness sales in excess of £10bn on Black Friday, with shoppers using the fest to gift themselves and their loved ones new products that they usually plan on purchasing during discount seasons. However, a burst in online sales and millions of transactions are sure to attract the notice of cyber thieves who specialise in stealing and selling credit card details and other personal information of citizens.
The biggest threat to Black Friday shoppers this year are such hackers. According to threat intelligence firm RSA Security, malicious actors on the Dark Web will run their own shopping fest, selling stolen credentials at throwaway prices. Stolen credentials of UK residents will cost an average of £9.03, while those of German and French residents will cost £8.62 and £8.34 respectively.
An analysis by RSA Security revealed that those purchasing such stolen credentials on the Dark Web, use them to purchase products online and earn huge profits in the process. Such fraudsters spend an average of £189 per transaction in the UK with stolen credentials after purchasing them for just £9.03, thereby earning a profit of 95% on average.
As such, for those selling and purchasing stolen credentials on the Dark Web, Black Friday will offer a tremendous opportunity to get their hands on millions of credit card details which will be used by shoppers during the fest.
They will steal such credentials by either breaching e-commerce websites, hacking into point-of-sale machines at major retail stores, or by setting up fraudulent websites by impersonating major brands.
‘Major sales events like Black Friday have historically seen a huge number of compromised accounts being sold by hackers, used to make illegitimate purchases and siphon funds from virtual wallets,’ says Tim Ayling, EMEA Director of Fraud and Risk Intelligence at RSA Security.
‘In the past, there has even been a dialing-down of proactive fraud detection on big shopping days like these. Merchants and card issuers were so insistent on allowing their transactions to flow through, they would often choose to allow more risky transactions to continue.
‘This is slowly changing and anecdotal evidence suggests that both maturity in fraud prevention tools, as well as the scale of the fraud problem, are allowing the financial institutions to become more stringent on these days. However, shoppers must remain vigilant. Fraudsters are opportunists by their very nature, and many will see Black Friday as a golden opportunity, hiding amongst the spike in legitimate purchases,’ he adds.
RSA Security’s analysis further revealed that malicious actors are, at present, carrying out phishing attacks every 30 seconds that inflict losses of £805,000 every hour and earn £202,560 every hour by breaching, taking over or stealing payment information.
What shoppers must do to protect themselves from hackers
With malicious actors intent on getting their hands on every single credit card in your possession or to max out all your cards by stealing credentials online, it goes without saying that you need to be very,very vigilant about where you shop, and if the retailers you are dealing with online are genuine.
‘Stolen credentials continue to be one of the biggest reasons behind data loss and financial fraud, and it’s vital that everyone – even those not shopping on Black Friday – is monitoring for suspicious activity across their bank accounts between now and Christmas,’ says Rashmi Knowles, EMEA Field CTO at RSA Security.
‘Online shoppers should enable two-factor authentication on popular accounts such as Amazon, to ensure any attempts to login from an unknown device will be unsuccessful.
‘In general, users should never reuse a password or choose one that is so complex you can’t remember it, and take time to educate themselves through initiatives like ActonFraud, which offers a number of helpful tools to keep consumers safe,’ she adds.
According to threat intelligence firm Domain Tools, hackers will seek to fool millions of online shoppers on Black Friday by impersonating known brand names like Amazon, Tesco, John Lewis, Sainsbury’s, Debenhams, and Apple and then using their names on phishing e-mails. The firm has advised buyers to visit company websites directly to view product deals and offers rather than clicking on spam e-mails.
‘Phishing attacks prey on human habits such as pattern recognition and distraction. While emails sent from Nigerian princes are easy to spot, today you’re much more likely to receive a note purportedly from a www[.]amaz0n[.]com that tricks you into sharing personal or financial information, or into purchasing fake goods online,’ the firm added.
Hackers may also create fraudulent websites by utilising typos like Amazonsecure-shop[.]com, Amazn[.]com, Amazoncom[.]me or starbucks[.]com-latte[.]us to trick customers. To guard against such tactics, you should look closely at URLs for typos, look out for domains that have added affixes, visit company websites directly, and ensure your devices have malware detection tools to prevent potential malware infections.
A recent research by consumer rights group Which? revealed that Black Friday is nothing but a sham and a common retailer trick to coax people to spend all their money on once-a-year deals that really aren’t. The research tracked prices for 35 of the most popular tech, home and personal care products and found that 60% of them were either priced at the same rate or even cheaper during at other times of the year.
As such, it really not as if you won’t be able to buy your favourite tech toy for another year if you don’t spend this Black Friday. Nevertheless, shop as much as you wish to, but be very careful about where to shop and where to punch in your credit card number. It’s all about saving your hard-earned money after all!
Will retailers be impacted on Black Friday?
According to several security analysts, hackers will seek to target retailers with as much zeal as they target online shoppers during Black Friday. Some common modes of cyber-attacks that hackers will inflict on retailers will be attacks on point-of-sale machines, and Distributed Denial of Service (DDoS) attacks.
According to Matt Aldridge, Solutions Architect at Webroot, PoS machines usually have low level of security and are easily accessible because of their location. Hackers can thus infiltrate sophisticated malware into such machines which will then ‘scrape the details of every card that passes through the payment machine and can even record PIN numbers’.
As such, retailers need to ensure that their PoS devices are up-to-date with the latest software patches and that they are not left unattended so that malicious actors cannot access them physically as well.
As far as DDoS attacks are concerned, retailers will need to be on their toes and stay prepared for large targeted attacks that will seek to take their websites offline or shut them down for long periods.
David Kennerley, Director of Threat Research at Webroot, says that retailers with large online presence should be as pro-active as possible, as their approach towards DDoS attacks will make the difference between a success and failure with regards to their expected financial targets for the financial year.
‘Retailers need to do their part by ensuring that the best technology and robust processes are in place to protect their assets – and most importantly the customer data they hold.
‘After all, a large breach may not only impact a retailer financially, but also cause considerable damage to a brand which takes a lot longer to restore,’ he adds.