SEATTLE — 'Tis the season for cyberscams — and it's stacking up to be one of unprecedented plunder for cybergrinches.
Crooks go where the money is, and cybercriminals are concentrating their cleverness this year on mobile devices and social media.
With Black Friday and Cyber Monday just around the corner, cybercriminals have begun to flood e-mail, social media postings and search results with tainted web links, offers for worthless products and pitches for all varieties of scams.
"All these things have something in common: social engineering and greed," says Sorin Mustaca, security analyst at anti-malware firm Avira.
The crooks count on one in 10 recipients of holiday-themed phishing lures to click on a poisoned link, or fill out a bogus form.
The bad guys have been planning all year for this. Messaging security firm Proofpoint says e-mail carrying faked delivery confirmations and order notices purporting to be from FedEx, UPS, DHL, Amazon, eBay, WalMart, Target and ToysRus has already begun to swell. Clicking on the enclosed links turns over control of your computer to the attacker.
"We're human; we're compelled to click," says David Knight, Proofpoint executive vice president. "And we're even more human during the holiday season."
Phishing attacks – faked e-mail carrying tainted web links – are expected to spike in coming weeks, purporting to come from shipping companies, says Bob Pratt, vice president of product management at anti-phishing company Agari.
Agari's analysis of billions of e-mail messages shows faked shipping company e-mails increased 62% in the third quarter, versus the second quarter. Based on historical patterns, the volume of faked shipping company e-mail messages can be expected to double in the final months of 2013, compared to the third quarter, because "there's a lot more cover for bad guys to take advantage," Pratt says.
Holiday shopping has come to mean fielding recommendations from our Facebook friends and Twitter followers, and using our smartphones and touch tablets to hunt for bargains and make purchases. That all translates into a gift-wrapped bonanza for the bad guys.
"We tend to trust our mobile devices because nobody else can touch it," says Daniel Cohen, RSA cybersecurity strategist. "But our hyper-connectivity, together with a small screen, make it easier for fraudsters to come at us."
And the cyberscammers are coming, drawn like zombies to live flesh. Identity verification firm Signifyd dissected 10 million transactions made on computing devices in the past six months and found 25% of retail traffic coming from mobile devices. Of that grouping, 10% originated from tablets, 14% from smartphones.
At the moment, smartphones are the least secure purchasing platform. Signifyd discovered that 1.3% of e-commerce sales on phones are fraudulent, compared with just 0.8% for sales via desktops and 0.5% from tablets.
"Companies are trying to get the mobile experience to be as frictionless as possible, so they're putting less checks at the point of checkout to give the customer that terrific experience," says Rajesh Ramanand, Signifyd's chief executive. "Fraudsters are finding ways to exploit this hole."
Consumers should use robust passwords, pay close attention to where sensitive information gets stored and patronize only trusted Web properties. And a healthy dose of holiday skepticism also is in order.
"It's OK to be a little paranoid," says Ronnie Flathers, of security consultancy Neohapsis. "Modern phishing techniques are subtle and dangerous. It's OK to mistrust e-mail and links. If something seems phishy, exit out."
It's also a good time to think about privacy. The voracious tracking systems deployed by Google, Facebook, LinkedIn, Microsoft and others, which correlate your online behaviors for advertisers, also inform the NSA's surveillance programs, as we now know thanks to Edward Snowden.
On Monday, privacy solutions vendor Abine released version 3.0 of its acclaimed DoNotTrackMe browser tool, used by some 2 million people to block hidden tracking mechanisms. This free service, and others like it, such as AVG's PrivacyFix and Virtual World Computing's Cocoon, are powerful, though they require you to give up a sliver of convenience.
"Consumers can control who knows where they shop, who can charge them, and, importantly, have complete peace of mind if a site where they shopped ever loses their information or has it stolen by a hacker," says Abine co-founder Rob Shavell, referring to DoNotTrackMe.
Also worth checking out are Hotspot Shield and TunnelBear, two free virtual private networks that establish a secure tunnel between your computing device and the Internet. Your information remains inside this tunnel, which also protects your computer or mobile device from malware and phishing scams.