by Byron Acohido, USA TODAY
SEATTLE - Bad guys are poised to plunder online holiday shoppers.
On Black Friday, Cyber Monday and throughout the 2012 holiday shopping blitz, cybergangs are expected to unleash a variety of old and new Internet-based scams to steal identities and hijack online accounts.
"This is prime time for cybercriminals," says Brendan Ziolo, vice president at security firm Kindsight.
Crooks' incentive: Some 41% of consumers plan to use their PCs, tablets and smartphones to shop online, up from 37% last year, according to PriceGrabber.
That means millions of people will be using computers at home and work to shop for gifts. What's more, roughly half of them use Web browsers lacking the latest security patches, making them prime targets for computer infections that saturate the Web.
"Users of all major browsers are using outdated software containing known vulnerabilities," says Wolfgang Kandek, chief technical officer at patch management firm Qualys.
Qualys recently analyzed more than 1 million Internet-connected Microsoft Windows PCs and Macs. It found 56% of users of Microsoft's Internet Explorer surfed the Internet using an older version of the popular Web browser carrying widely known security flaws. Hackers are expert at tapping into such flaws to seed infections.
Some 49.2% of users of Mozilla's Firefox, 47.5% of Google's Chrome and 37.4% of Apple's Safari also used browser versions lacking the latest security updates. Using an outdated browser - and clicking on a Web page booby-trapped with a hidden virus - can turn control of your computer over to an intruder.
Last month, antivirus firm Avast identified more than 52,000 American Web domains containing at least one infected Web page; that was up from 50,000 infected domains in September and 46,000 in August. "Sometimes it could be several infected pages on each domain," says Avast researcher Milos Korenko. "Not only porn sites and other dodgy sites, many were perfectly legitimate websites."
Professional cybergangs in Russia and Eastern Europe are steering victims to these booby-trapped Web pages via:
• Social networking. Free Web mail services, Facebook, Twitter and Pinterest are littered with lures to click on tainted Web links. These come disguised as bogus coupons, gift cards, package-delivery notices and charity solicitations. "Social-media scams are spreading like wildfire," says Catalin Cosoi, chief researcher at antivirus firm Bitdefender.
Cybercriminals take full advantage of the lax attitude toward privacy fostered by social networks, says Mark Patton, manager of the security business unit at GFI Software. This time of year, tainted Web links proliferate on Facebook wall postings, get embedded in Tweets and show up associated with YouTube videos.
"You could easily foresee a scenario where a holiday-decorating tutorial on YouTube could play host to nasty embedded links," Patton says.
• Search queries. Search Engine Optimization, or SEO, refers to techniques used by media companies and advertisers to get their Web links ranked highly in response to specific search queries. Crime gangs have become expert at using SEO tactics to boost the rankings of "poisoned" search results directing victims to tainted Web pages.
Analysis of Web traffic from over 75 million users on home and corporate networks conducted by Blue Coat Security Labs found criminals are poisoning Google and Bing search results four times as often as sending out viral e-mail.
Criminals are certain to aim poisoned results at shopping-related queries. "By getting high rankings for pages that are actually infected, they increase the likelihood of leading victims to their infected pages," says Proofpoint security blogger Keith Crosley.
• Mobile devices. Online transactions conducted via iPhones have increased 11% so far in November compared with the same period a year ago; for Windows smartphones transactions are up 53% and for Android 7%, according to analysis of 40 million mobile devices by security firm ThreatMetrix.
Cybergangs have identified these new mobile device-enabled services as the source of valuable personal data, particularly logons to banking and shopping accounts, says Alisdair Faulkner, ThreatMetrix chief products officer. "The uptick in mobile usage has increased the risk of fraud," Faulkner says.
Android smartphone users should be especially wary of free apps and unsolicited text messages, says Bitdefender's Cosoi. One, called ZitMo, intercepts text messages and e-mails containing bank authentication tokens and is designed to help thieves gain control over online bank accounts, he says.
So what can online holiday shoppers do? Shop on reputable sites, use strong passwords and avoid using a debit card, says cybersecurity expert Bob Bunge, information sciences professor at DeVry University.
Using a debit card is unwise, he says, because it can give thieves direct access to your personal checking account. One other piece of advice: "Think before you click," Bunge cautions. "If it seems too good to be true, it probably is."