For one day a year (23rd November this year), retailers take advantage of consumers’ appetite to spend by offering “loss leader” deals, which they advertise broadly on email and social media. The purpose of these offers is to entice shoppers to retailers’ sites and stores and convince them to buy more than the too-good-to-be-true TV for R500. And cybercriminals know and take advantage of this.
There’s good news and bad news for Black Friday shoppers this year. The bad news is that cybercriminals are using new tactics that make it harder to spot fake deals. The good news is that with robust cybersecurity awareness training, an understanding of the new attack methods and sophisticated email security systems, consumers can protect their money and personal information, and businesses can better protect their sensitive data and systems.
Old dogs, new tricks
Black Friday is like Christmas for hackers. While you’re shopping for bargains, they’re shopping for your credentials, which they use to log into your Internet banking and other online accounts to steal your money. If cybercriminals have your login details, they can access your profile even on sites implementing good security practices. Criminals are hitting various online services with credentials in the hopes of a password and username being accepted as legitimate.
Black Friday grows every year in South Africa. Last year, sales increased by 2571% over 2016 as more retailers jumped on the bandwagon. This year will be even bigger, which means gullible and uninformed consumers – many of whom work for enterprises – are ripe for the picking. And chances are they aren’t aware of the new tactics being used against them.
Forget everything you know about cyber security
Ok, maybe not everything. But a lot of what we know about cybersecurity, and the tips and tricks that protected us in the past, no longer apply to some phishing attacks.
As we’ve already learnt, we’re often told to be suspicious of ridiculously cheap deals, but on Black Friday, ridiculously cheap is expected, so we’re not likely to question R500 TVs.
Another thing we’re told is to look for the green or black padlock on a website, or for the all-important ‘s’ in ‘https’ of the site’s URL. But we can’t even trust this anymore. That’s because cybercriminals can create or buy a real security certificate for their fake website in minutes. One site issued over 14,000 SSL certificates to “PayPal” sites – 99% of these were used for phishing fraud. So, while a fake website looks secure, it really isn’t.
So, what security advice is still valid?
- Look out for spelling errors in emails. While the days of phishing emails with dozens of grammatical errors are gone, many cybercriminals still deliberately include a few to filter out smart people and target those who are not paying attention
- Don’t click on links within emails. Enter the site’s address directly into your browser. If you can’t find the deal that was advertised in the email, warning bells should be ringing.
- Check the sender’s address. Takealot won’t send you an email from a Gmail account, they will use their domain.
- Be password smart. Don’t re-use passwords across multiple services
- Use two-factor authentication (2FA) wherever possible: This makes it harder (but not impossible) for criminals to use your username and password against you if your credentials have previously been stolen.
New and evolving attack methods
Cybercriminals increasingly use various forms of domain similarity– when they subtly change characters and words in URLs and email addresses to match a trusted organisation. These types of attacks often bypass certain email security systems because the sites and email senders aren’t known to be malicious.
To create lookalike domains, attackers often use non-Western character sets to display letters that look identical to the naked eye. Mimecast.com, for example, looks like мімесаѕт.com in Cyrillic. You might think we’re getting fancy with our font. We’re not. Combined with a legitimate certificate, it becomes much harder to spot a fake website.
This creates prime conditions for a successful phishing attacks: nearly half of all South African firms in a recent Vanson Bourne and Mimecast research report saw an increase in targeted spear phishing attacks using malicious links over the past year.
Quick tip: Check the URL carefully. A very long URL might be a sign that the website is fake. However, these are difficult to spot when browsing on a mobile phone, unless you scroll all the way. Rather check on your computer to be sure.
Stay safe in the wild
Consumers and businesses can stay safe this Black Friday.
- Be suspicious by default. Don’t trust any email and go straight to the retailer’s website instead of clicking on links.
- Create a separate email address when signing up for Black Friday alerts. Don’t use your work or personal email.
- Use a separate credit card for online purchases to limit your losses if you are attacked.
- Conduct regular security awareness training to ensure all employees have the awareness to spot potential cyber threats. Human beings are an organisation’s greatest cyber risk and its best defence against cybercrime. During high-risk periods such as Black Friday, unaware users could expose the organisation and their families to unwanted cyber risk. Focus on implementing effective, modern training techniques and create a human firewall around sensitive company data.
The threat landscape has evolved yet again. We can never let our guard down and we have to assume that we’re never completely safe – even if we have robust security systems in place. Apple CEO Tim Cook said recently that cyber resilience is like running on a treadmill. You can’t just stop. If you do, you’ll fall off and will probably get hurt.
Think of Black Friday emails as you would Black Friday crowds outside Checkers. When you’re distracted by the pushing and shoving, you’re not likely to notice the pickpocket until he’s made off with your wallet.
Stay alert. Stay safe. And happy shopping.
Password managers don’t protect you from hackers
Using a password manager to protect yourself online? Research reveals serious weaknesses…
Top password manager products have fundamental flaws that expose the data they are designed to protect, rendering them no more secure than saving passwords in a text file, according to a new study by researchers at Independent Security Evaluators (ISE).
“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” says ISE CEO Stephen Bono. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
In the new report titled “Under the Hood of Secrets Management,” ISE researchers revealed serious weaknesses with top password managers: 1Password, Dashlane, KeePass and LastPass. ISE examined the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked. More than 60 million individuals 93,000 businesses worldwide rely on password managers. Click here for a copy of the report.
Password managers are marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead ISE found just the opposite.
Click here to read the findings from the report.
MWC: Next generation of inflight connectivity to be unveiled
Next week at Mobile World Congress, the Seamless Air Alliance will reveal progress on its mission towards enabling the next generation of inflight connectivity. This follows a significant start for the Alliance, which has seen membership increase five-fold since the first meeting in June of last year. The Alliance has a new research laboratory setup and continues progress through its three working groups, writing specifications for the technology, requirements, and operations.
These developments represent a huge leap towards the goal of making connectivity as easy and enjoyable in the skies as it is on the ground. Appearing as part of the Airbus stand (Hall 6, stand 6G34), the Seamless Air Alliance will reveal specification topics that have been completed and published to its membership.
“The passenger experience with inflight connectivity remains one of the great technology challenges. From Day One we have been determined to deliver on our mission to bring industries and technologies together to make the inflight internet experience simple to access and a delight to use,” said the Alliance’s Chief Executive Officer, Jack Mandala.
“I have been tremendously encouraged by the enthusiastic and committed response we have seen and the widening areas of expertise we can call upon as more and more companies and organisations continue to join us,” he added.
Announced during MWC 2018, the Seamless Air Alliance has since grown to twenty-three membercompanies with more than one-hundred key personnel from across the membership participating in its three working groups, with numbers continuing to increase.
The Seamless Air Alliance was created by founding members Airbus, Airtel, Delta Air Lines, OneWeb and Sprint, and quickly joined by Air France KLM, Aeromexico, and GOL Linhas Aereas Inteligentes and global technology leaders including Astronics, Collins Aerospace, Comtech, Cyient, iDirect, Inmarsat, Intelsat, Latecoere, Nokia, and Panasonic.
Today, the Alliance is pleased to announce five additional new members: Adaptive Channel, Etihad Airways, GlobalReach Technology, Safran, and SITAONAIR.
“We are extremely pleased to have these companies join and be a part of the companies driving the next generation of connectivity.” said Mr Mandala.
The Seamless Air Alliance will enable travelers boarding any flight, on any airline, anywhere in the world, to use their own devices to automatically connect to the Internet with no complicated login process nor paywall to scramble over.
The Alliance is also announcing the release of a new research study on the economic benefit of standardization on the inflight connectivity market at Mobile World Congress. This report is available for download at https://www.seamlessalliance.com/publications/
The Alliance is moving rapidly towards an expected demonstration of the technology later in 2019 and anticipates massive interest in Barcelona from the whole communications eco-system.