E-commerce: The new battleground in Black Friday security

Nov. 21, 2017
From bogus apps to phishing schemes, cyber criminals are upping the ante to steal retailers' holiday profits

For retail security professionals, Black Friday has become synonymous with long lines and short tempers as shoppers converge on brick-and-mortar stores looking for the best deals. But while the annual day after Thanksgiving shopping bonanza remains a significant challenge from a physical security perspective, it appears that many fraudsters have shifted their focus from in-store schemes to online scams as consumers increasingly turn to e-commerce as a way to save both time and money during the busy holiday season.

According to Adobe Digital Index, more than $5 billion was spent online by the end of Black Friday in 2016, a nearly 18 percent year-over-year increase. And, according to a recent survey conducted by RetailMeNot, consumer spending over the Black Friday/Cyber Monday weekend is expected to increase by 47 percent in 2017 from the same time period in 2016. However, just as shoppers stand poised to increase their online spend this year, criminals are also ramping up their cyber efforts, spoofing the websites and apps of well-known retailers as well as launching cleverly disguised phishing attacks to trick consumers into unwittingly handing over credit card numbers and other personal information.

Research conducted by digital threat management firm RiskIQ recently found that 1 in 25 Black Friday-themed apps are fake and that 32,000 blacklisted apps overall misuse the branding of the top five e-tailers. In addition, at least 15 blacklisted apps for each of these brands contained both branded terms and “Black Friday” in the title or description, which signals a clear intent on the part of scammers to leverage the holiday shopping period to their advantage.

“Savvy threat actors will use convincing branding, language, and URLs to make their apps and landing pages more realistic and more difficult for users to quickly authenticate. However, many of the schemes that leverage popular brands during the Black Friday season depend on user indiscretion. These blacklisted apps and landing pages are often meant to mimic legitimate ones, but if scrutinized, tell-tale signs become apparent,” explains Lou Manousos, CEO of RiskIQ. “There are often misspellings in the title or description of the app and/or the branding is slightly off. Also, if the app asks for excessive permissions that have nothing to do with the apparent function of the app, there’s likely something fishy happening. Developers of blacklisted apps will also often use free email services such as Google and Yahoo! rather than domains associated with the brand for which they portend to be making apps.”
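The tell-tale signs Manousos lists (brand term plus “Black Friday” in the listing, a brand name spelled slightly wrong, excessive permissions, and a developer contact on a free webmail service rather than the brand's own domain) can be turned into a simple triage rule set for app-store listings. The script below is an added illustration written for this article, not RiskIQ's product or anything the article describes; the brand list, brand domains, free-mail domains, permission set and the three sample listings are all constructed for the example. A retailer's own listing is recognised by its publisher domain and is not flagged, so the rules only fire on third-party listings that borrow the brand.

```python
import re
from dataclasses import dataclass

# Brands being monitored and the domain their official developer accounts use.
# Constructed for this example; a retailer would supply its own list.
MONITORED_BRANDS = {"amazon": "amazon.com", "walmart": "walmart.com", "kohls": "kohls.com"}

# Free webmail domains (the "Google and Yahoo!" point in the quote, extended; assumption).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Permissions a shopping app has no apparent reason to request (assumption for the example).
EXCESSIVE_PERMISSIONS = {"READ_SMS", "RECEIVE_SMS", "READ_CONTACTS", "READ_CALL_LOG",
                         "CALL_PHONE", "SYSTEM_ALERT_WINDOW", "BIND_ACCESSIBILITY_SERVICE"}


@dataclass(frozen=True)
class Listing:
    title: str
    description: str
    developer_email: str
    permissions: frozenset


def _words(text):
    # Lower-case, drop straight and curly apostrophes so "Kohl's" matches "kohls",
    # then keep only alphabetic runs.
    return re.findall(r"[a-z]+", text.lower().replace("'", "").replace("\u2019", ""))


def _edit_distance(a, b):
    # Plain Levenshtein distance; used to catch near-miss brand spellings.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def referenced_brands(listing):
    """Return (exact brand mentions, {(misspelled word, brand)}) for a listing."""
    words = set(_words(listing.title + " " + listing.description))
    exact = {b for b in MONITORED_BRANDS if b in words}
    near = {(w, b) for w in words for b in MONITORED_BRANDS
            if w != b and len(w) >= 5 and _edit_distance(w, b) == 1}
    return exact, near


def triage(listing):
    """Return a list of human-readable reasons the listing deserves review."""
    reasons = []
    exact, near = referenced_brands(listing)
    brands = exact | {b for _, b in near}
    text = (listing.title + " " + listing.description).lower()
    domain = listing.developer_email.rpartition("@")[2].lower()
    # The brand's own app is published from the brand's domain; everything else is third party.
    from_brand_domain = any(domain == MONITORED_BRANDS[b] or domain.endswith("." + MONITORED_BRANDS[b])
                            for b in brands)

    for word, brand in sorted(near):
        reasons.append(f"brand name misspelled: '{word}' looks like '{brand}'")
    if brands and not from_brand_domain and "black friday" in text:
        reasons.append("brand term combined with 'Black Friday' in title/description")
    if brands and not from_brand_domain and domain in FREE_MAIL_DOMAINS:
        reasons.append(f"developer contact on free email service ({domain}) rather than a brand domain")
    excess = sorted(listing.permissions & EXCESSIVE_PERMISSIONS)
    if excess:
        reasons.append("excessive permissions: " + ", ".join(excess))
    return reasons


# Constructed sample listings: the retailer's own app, a legitimate third-party
# coupon app, and a look-alike that shows every sign from the quote.
LEGIT = Listing("Walmart - Shopping & Grocery", "Shop Black Friday deals from Walmart.",
                "mobile-apps@walmart.com", frozenset({"INTERNET", "CAMERA", "ACCESS_COARSE_LOCATION"}))
THIRD_PARTY = Listing("Holiday Coupons", "Save on Walmart and Kohl's this season",
                      "dev@example-coupons.com", frozenset({"INTERNET"}))
FAKE = Listing("Amazn Black Friday Deals 2017", "Official Amazon Black Friday coupons and gift cards!",
               "amazondeals2017@gmail.com", frozenset({"INTERNET", "READ_SMS", "READ_CONTACTS"}))

if __name__ == "__main__":
    for name, listing in (("LEGIT", LEGIT), ("THIRD_PARTY", THIRD_PARTY), ("FAKE", FAKE)):
        print(name, triage(listing) or "no findings")
```

The output is a list of reasons rather than a verdict: a listing with several findings goes to a human for a takedown request to the store, while a single weak signal (a third-party coupon app mentioning a brand) is left alone. Deeper checks on the app package itself, such as scanning for embedded logos or malicious code, are out of scope for this metadata-only pass.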

Another threat report published by Barracuda Networks on Tuesday echoes Manousos’ sentiments and warns against mass phishing attacks that impersonate popular retail brands to trick consumers into divulging personal information. According to the firm, the three most popular methods cyber criminals are using to entice shoppers are:

  • Hijacking e-commerce brands like Amazon with gift card scam emails;
  • Impersonating brick and mortar stores including Walmart and Kohl’s;
  • And, hijacking brands of well-known consumer products such as Ray-Ban and Michael Kors.

Research has also found that shoppers are increasingly concerned about protecting their personal data online. A survey conducted by Netsparker Ltd., a developer of security solutions for web applications, found that 44 percent of Americans fear that their credit card information will be stolen from a website where they have saved it. In addition, 80 percent of the more than 2,000 adults surveyed say they make most of their purchases online each year between Black Friday and Christmas and 85 percent said they planned to do at least some holiday shopping online this year.

How Retailers Should Fight Back

These fraudulent schemes not only harm consumers and divert potential profits for retailers into the coffers of criminals but they can also cause irreparable harm to the reputation of e-commerce sites, causing consumers to potentially think twice about doing business with that store or brand ever again. Manousos says that retailers must bear the burden of protecting their name online.

“The onus is now on brands to protect their customers and prospects by making sure that their brand is not being abused across the web and mobile space,” he says. “It’s crucial that retailers monitor and police the distribution and use of apps and websites using their branding, awareness that requires internet-scale visibility into how their brand is being used across the web and mobile app ecosystem.”

Although the prominent app stores, such as Apple’s App Store for iOS devices and Google Play for Android users, have stringent security controls in place and are the safest places to buy an app, Manousos says some malicious programs still make their way through. As such, he says retailers need to be able to detect these apps and work with both Apple and Google to take them down.

“The main stores are far and away the safest places to purchase apps, but some bad ones do get through. This may be a result of an app changing or becoming compromised after already being in the store,” he adds. “In fact, there’s an astonishingly small portion of apps fully under the control of their lawful owners. Updates and fixes to the app may not occur because the registration or download details were never transmitted to the retailer. This app could become the means for a cyber attacker to compromise a user’s device and conduct a data breach - or worse.”

While bogus applications masquerading as the official apps of brand name retailers on the App Store and Google Play are concerning, Manousos says there are also hundreds of other app stores around the world that companies need to be concerned about.

“Regardless of the store, they need to be able to uncover rogue mobile apps and discern legitimate apps from modified versions, unauthorized fakes, and look-a-likes,” he says. “They must also be able to dive beyond just the title and description, to analyze all app content and code to discover logos, brand references, and malicious code hidden within app files.”

Aside from making sure there are no blacklisted apps and sites misusing their name, Manousos urges retailers to also publicize known threat campaigns that are leveraging their brands as a way of raising public awareness. Failure to meet these online schemes head-on could have much bigger consequences down the road for those retailers that depend on e-commerce to turn a healthy profit.

“If a consumer is ripped off by a threat actor pretending to be a brand, the targeted brand will often refund that consumer, so there is a monetary loss. However, after associating the brand with an instance of fraud or malicious activity, there is a good chance the consumer will use that brand less, or stop shopping with that brand altogether,” Manousos says. “That consumer turns into a detractor, not a promoter.”

About the Author: 

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].