Security firms said shoppers should be on the lookout for a variety of threats, including well-crafted phishing emails and other online scams, insecure websites and companies that do not properly disclose their privacy policies.
"It's just a recipe for disaster," Derek Manky, security research engineer at Fortinet, told SCMagazineUS.com. "You have more and more volume. A lot of end-users are joining and not a lot of them are savvy. Meanwhile, the cybercriminals are getting better at targeting these fresh bait."
Online retailers are pulling out all the stops to attract shoppers this year. On so-called Cyber Monday, the day on which workers return to their desks following the extended Thanksgiving holiday, many internet merchants are offering promotions and sales. Their hope is that shoppers will continue to purchase gifts online throughout the season.
This year, some 54.5 percent of office workers with internet access, or 68.5 million people, are expected to shop online – a jump from 50.7 percent last year, according to a BIGresearch survey conducted for Shop.org, a retail association.
But with this increasing customer base, holiday fraudsters also will be drawn to the web, experts said.
Manky said he expects the gang behind the Storm Worm to be out in full force on Monday – and throughout the holiday season – to launch attacks that either try to infect users with malware or seek to expand the Storm botnet.
"They're getting to be masters at the social engineering practice," he said. "This is something to be definitely concerned about this year. They have a wide audience, as far as zombie PCs go, to launch any attack they wish."
Laura Yecies, general manager of Check Point Software Technologies' consumer division, told SCMagazineUS.com that aside from the traditional holiday scams, users should brace for an uptick in well-trafficked websites hosting malware.
"You may have a legitimate site, but it's serving ads and typically the ad server is nothing they can control," Yecies said, adding that these malicious ads could permit drive-by downloads of trojans that do not require any user interaction to install.
Sophos recommends that consumers buy only from reputable merchants and never follow links from unsolicited email. Users should also ensure they are using computers whose patches and security software are up to date and enabled.
During the holiday season, businesses should make it a weekly priority to remind their users about the risks of the internet, Manky said.
"A corporation can have so many lines of defenses, but when it comes to social engineering, all it takes is one person to visit a compromised site and give away sensitive information," he said.
Online retailers, meanwhile, should be using encryption technology and monitoring their event logs for suspicious activity, according to Sophos.
Mary Landesman, senior security researcher at ScanSafe, said many websites – even the most trusted – are susceptible to exploits, such as cross-site scripting and SQL injection, due to their dynamic makeup.
"Shopping sites rely heavily on AJAX and other Web 2.0 technologies, which offer a more interactive shopping experience," she said. "The downside is that these technologies are more vulnerable."
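The two flaws Landesman names are concrete enough to show side by side. The following is an added illustration written for this page, not code from ScanSafe or any of the vendors quoted: a small product-search handler for a fictional shop, built on an in-memory SQLite table (constructed sample data), first in the form that is open to SQL injection and reflected cross-site scripting, then in the form that closes both holes with a parameterised query and HTML escaping. The table layout, product names and function names are all assumptions made for the example.

```python
import sqlite3
import html


def make_db():
    """Build a constructed in-memory catalogue standing in for a shop's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Scarf", 19.99), (2, "Gloves", 24.50), (3, "Hat", 14.00)],
    )
    return conn


def search_vulnerable(conn, term):
    """Search by concatenating the user's term into the SQL text.

    Because the term becomes part of the statement, a term containing
    quote characters can change the query's logic (SQL injection).
    """
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Search with a parameterised query: the driver passes the term as data,
    so it can never alter the statement's structure."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    ]


def render_vulnerable(term, names):
    """Reflect the search term into the page unescaped: a cross-site scripting sink."""
    items = "".join("<li>%s</li>" % n for n in names)
    return "<p>Results for " + term + ":</p><ul>" + items + "</ul>"


def render_safe(term, names):
    """Escape every untrusted value before it is placed into HTML, so angle
    brackets and quotes render as text rather than markup."""
    items = "".join("<li>%s</li>" % html.escape(n) for n in names)
    return "<p>Results for " + html.escape(term) + ":</p><ul>" + items + "</ul>"


if __name__ == "__main__":
    db = make_db()
    # Constructed malicious inputs used only to demonstrate the difference.
    odd_term = "x' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, odd_term))  # returns every product
    print("safe:      ", search_safe(db, odd_term))        # returns nothing
    print(render_safe("<script>alert(1)</script>", search_safe(db, "Hat")))
```

The defensive pattern is the same in any language or framework: keep untrusted input out of the code (SQL text, HTML markup) and pass it only as data, through bound parameters on the database side and context-appropriate escaping on the output side.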
Online shopping season promises cybercrooks
By Dan Kaplan on Nov 22, 2007 10:11AM