Wed, Dec 31, 2008
AsiaOne
Don't let cyber criminals spoil your holidays

By Eric Chong

As Singaporeans go about celebrating the festivities, we typically let our guard down amidst the shopping and partying. Cyber criminals take advantage of the holiday season by using different social engineering techniques to lure victims into performing activities that they would not normally do, such as clicking links in spammed messages, downloading files, or filling out forms with confidential personal information.

These usually translate to profit for the cyber criminals, who are expected to try to exploit the holiday season as more Internet users are expected to be online this year - to search, shop, and purchase items on the Web.

Don't let cyber criminals turn the holiday cheers into jeers. Here's a countdown of ten notable social engineering techniques which we should always be on the lookout for on the Internet.

10. Bargain-Hunter Scams: Cyber criminals use bogus discounts and promos to lure victims into clicking malicious links, or entering confidential information into fake sites. The products typically used for these types of schemes are popular and hot retail items, which may make them irresistible to users. This year, Trend Micro saw the Trojan TROJ_AYFONE.A take advantage of the release of the Apple iPhone. The malware displayed fake advertisements as well as a fake website of an online store where the product could be bought.

9. Fake Charity Sites: The holiday season is also a time when most users are in a 'generous & giving mood', making the holidays the perfect time for cyber criminals to attempt to carry out their schemes. Generous users who respond to scam email messages or Web sites unfortunately end up not helping anyone in need, but are instead robbed of their money or confidential information.

8. Greeting Cards - Bringing Bad Tidings: Electronic cards are often used by cyber criminals as a lure to get victims to click malicious links in spammed messages, and possibly 'self-compromise' their PCs. This type of attack usually takes advantage of holiday seasons, when users are likely to send out e-cards and expect to receive them from friends or relatives.

7. Malvertisements (Malicious Advertisements): Cyber criminals also use malicious advertisements and promos to distribute malware, relying on the inclination of online shoppers to investigate bargains. Advertisements placed on high-traffic websites are used as triggers for malware downloads. Popular sites such as Expedia.com and MySpace have unwittingly harbored malicious banner ads in the past, which when clicked downloaded malware onto users' systems.

6. Poisoned Christmas Shopping Search Results: Query results for certain strings are rigged with malicious scripts that could lead to various payloads - malware, phishing sites, dangerous URLs. Malware authors usually bank on different seasons in choosing which strings will yield the malicious results. In 2007, searches for the phrase 'Christmas gift shopping' were found to yield malicious results leading to a wide variety of malware.

5. Compromised High-Traffic Websites: Compromised websites are major threats to online users since the point of infection is a website that is supposedly safe and trusted. As the holiday season draws near, shoppers are likely to flood online stores and auction sites to do their online shopping. Cyber criminals could then infect more victims by compromising popular, high-traffic websites.

4. Mining Personal Data - Bogus Gift Card Promos: Users in search of freebies on the Web place themselves at a higher risk as seemingly harmless surveys are used to harvest personal data. Promises of retailer rewards, gift cards or even cash are used to trick victims into participating in bogus surveys. What they don't know is that the survey page is actually a phishing site and part of a plot to steal confidential information.

3. e-Commerce Phishing: eBay ranked as the most popular online retailer in 2007, having more than 124 million unique users. As Singaporeans search for deals on brands unavailable locally, they need to be aware that eBay also topped the list of the most phished websites. From identity theft to ratings manipulation, cyber criminals continuously weave sophisticated schemes to extort user information for financial gain.

2. Bogus Courier Receipts Delivering Trojans: Messages that appear to come from popular couriers, alerting recipients of an undelivered package that needs to be retrieved - together with a file that is supposedly an invoice - are spammed to users to trick them into installing Trojans. Online shoppers waiting for their purchased items to be delivered by couriers for the holidays should be wary.

1. Shopping Invoices for Ghost Transactions: Potential victims receive an email message telling them to open and print a 'receipt' sent as an attachment to the message. The attached file, however, is not a real receipt but a Trojan. Frequent online shoppers who are used to receiving such receipts are the targets of this threat. Users who are not online shoppers and did not make an online purchase may get curious and open the attachment as well.

The volume and sophistication of Web threats make it imperative that multilayered, real-time protection be used if online shoppers are to transact safely and successfully online.

The writer is the Regional Marketing Director of Trend Micro APAC.

 

 