Stay Cyber Safe This Holiday Season

While online shopping has gained popularity over the years, this year may result in the largest online shopping holiday season as the country continues to live through the COVID-19 pandemic. Though overall gains in retail sales compared to last year is anticipated to be modest, e-commerce sales are expected to rise by 25 to 35 percent as shoppers head to their computers and smartphones instead of brick-and-mortar stores. Cybercriminals, inspired by this assumption, will likely aim efforts to target online shoppers and e-commerce marketplaces for financial gain; therefore, it is vital to maintain awareness of the many cyber threats posed by these individuals. Threat actors may target victims through a variety of methods, including compromised or spoofed websites, phishing emails, social media ads and messages, or unsecured Wi-Fi networks. Reviewing the following list of common attack vectors, along with tips and best practices, will help to combat the threats posed by cybercriminals this holiday season.

Magecart and Other Online Skimming Attacks

Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Magecart attacks are conducted by many threat actors and are not specific to one group. Once payment card data is stolen, it can be used by the threat actors to make fraudulent purchases or sold in dark web or other marketplaces. With the anticipated rise in online shopping this holiday season, cybercriminals are likely to increase their targeting of online marketplaces this year. To help protect online shoppers, they are encouraged to use credit cards over debit cards when shopping online as they often have better consumer fraud protections, and consider enabling charge notifications for every card transaction, where available. Enabling these notifications may make it easier for a customer to identify a fraudulent transaction as soon as it occurs. If a customer discovers fraudulent activity on their account, lock the affected card where this option is available, notify the banking institution immediately, and request a new payment card.

Be Wary of Links and Attachments in Unsolicited Emails

Around the holidays, users are likely to receive emails from known retailers regarding sales and coupons, order confirmations, and shipping notices. Cybercriminals can create spoofed emails by stealing retailer branding to make fraudulent emails appear legitimate, and may contain links or attachments that install malware or lead recipients to spoofed websites that steal user credentials. These emails may attempt to convey a sense of urgency - "Limited Time Offer!" - to prevent users from thoroughly inspecting the email for red flags. Recently, the NJCCIC has observed Amazon, PayPal, and FedEx phishing emails attempting to deliver to New Jersey state employees in order to steal users' credentials. Users are advised to navigate directly to retailer websites by typing the legitimate URL into their browser instead of clicking on links in emails, and refrain from entering login credentials on websites visited via links delivered in emails.

Take Caution with Social Media Ads

Users are often faced with ads as they scroll social media platforms. While many of these ads link to known, legitimate vendor websites, users may also be confronted with ads that link to malicious or otherwise suspicious sites that could be used to install malware, steal credentials, or sell counterfeit goods. URL shortening can be employed by cybercriminals to trick users on social media sites and other outlets by hiding the true destination of a link. Users are advised to use a URL expander to reveal the true destination of shortened URLs prior to visiting websites and verify websites are the legitimate vendor prior to making any purchases.

Look Out for Holiday-Themed eCards and Messages Meant to Install Malware

In the past, users reported being targeted with various Thanksgiving Day-related scams. In some cases, spoofed emails were sent appearing to originate from legitimate organizations and contained the subject line “Thanksgiving eCard.” Additionally, an Emotet banking trojan campaign was observed using Thanksgiving lures, such as the subject lines “Happy Thanksgiving Day Greeting Message” and “Thanksgiving Day Card.” As malicious actors commonly leverage public interest and current events to conduct financial fraud and disseminate malware, users are reminded to exercise caution with unexpected or unsolicited emails, especially those with a holiday theme.

Do Your Online Shopping at Home

Avoid using public computers, such as those at a library or hotel, or public Wi-Fi connections to log in to personal accounts or conduct online shopping. Public computers could be infected with malware designed to steal your information and hackers can intercept network traffic traveling over unencrypted Wi-Fi signals. If you must connect to public Wi-Fi, use a virtual private network (VPN) to secure information transmitted between your device and the internet. Additionally, users are advised to refrain from using work computers to make online purchases as cyber threats could endanger company and/or customer information. For information on how to secure your home network, review the NJCCIC guide "Configuring & Secureing a Home Wi-Fi Router."

Enable Multi-Factor Authentication on All Accounts

Be sure to enable multi-factor authentication (MFA) - authentication by combining at least two of the following: something you know, something you have, and something you are - on every account that offers it, as this will greatly reduce the risk of account compromise via credential theft. Even if a cybercriminal obtains a user’s username and password, they will be unable to access that user’s account without their second factor. The NJCCIC encourages users to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM-swapping, though using any form of MFA is beneficial. The website TwoFactorAuth.org maintains a comprehensive list of websites that offer MFA.

Avoid Connecting Devices to Public Charging Stations

Public charging stations supplied with power cables or USB ports located in stores, airports, libraries, and schools may seem like a convenient way to charge your mobile devices on-the-go, but can you be sure that your device and data will be safe if you connect? These kiosks can contain concealed computers that attempt to extract data such as contact information, photos, and videos from connected devices, unbeknownst to the users. Additionally, malicious or compromised charging stations can expose devices to the risk of a malware infection. Even if the charging station is not malicious, the manufacturer or owner of the kiosk may require users to input their email addresses or phone numbers in order to charge their devices, potentially exposing them to unwanted marketing campaigns, phishing emails, and scam calls.

Verify Charities Before Donating

It is common around the holidays to donate to charities, particularly those that provide goods and/or services to those individuals in need. Users may be prompted to donate via solicitations received through email or social media; however, these may be promoting fake charities or impersonating legitimate charities. Prior to donating, visit the FTC site to verify a charity’s legitimacy and ensure you are visiting the charity’s legitimate website to donate. The FTC offers guidance in their ‘How to Donate Wisely and Avoid Charity Scams’ post.

We hope everyone has a happy and healthy holiday season!

If you experience a cyber-related incident, you may report it to the NJCCIC via the Cyber Incident Report form. All other scams can be reported to the Federal Trade Commission via their website.