SPOTLIGHT ON SECURITY

Cyber Grinches Could Disrupt Holidays’ Biggest Shopping Weekend

Recent high-profile distributed denial of service attacks on the Internet’s infrastructure and an investigative journalist’s website have spiked concerns over possible disruptions of traffic during the biggest online shopping weekend of the year.

Online spending last year exceeded US$5.8 billion on Black Friday and Cyber Monday, according to Adobe, and that figure is expected to be even higher this year.

“If you want to mess with the economy, that’s the most disruptive time to do that,” said John Wu, CEO of Gryphon.

“A lot of retail sales have shifted from brick and mortar to online these days,” he told TechNewsWorld. “Cyber Monday is a huge day for a lot of retailers.”

Easy Target for Bot Herders

If hackers want to disrupt shopping during the Black Friday-Cyber Monday weekend, they’ll likely use a botnet composed of devices connected to the Internet of Things to do it. Such botnets recently attacked DNS server provider Dyn, disrupting Internet service in the United States.

Attackers also used them to launch one of the largest DDoS attacks ever on the website of security blogger Brian Krebs.

“The reason IoT devices are being used now is because they’re so easily attacked,” Wu said. “They also have enough processing power on them to carry out these kinds of attacks.”

What’s more, devices like routers and DVRs are always on, so they’re always available for enlistment in an assault on a website.

“You can have a huge effect because you can control lots of the devices — in some cases hundreds of thousands — and flood a server,” Wu said, “and it’s very difficult to prevent these attacks, because they’re coming from IP addresses around the world. You can’t scale your bandwidth fast enough to prevent it.”

During Black Friday-Cyber Monday weekend, the situation will be exacerbated by a legitimate surge in traffic.

“Some sites went down last year because they couldn’t handle the spike in traffic to them,” Wu explained. “You could compound that effect with a denial of service attack.”

10 Million Logins an Hour

Botnets can do more than disrupt shopping traffic during Black Friday-Cyber Monday weekend. They can crack into user accounts at e-commerce sites, using the millions of username and password pairs available on the Internet from hundreds of recent data breaches.

“Because human beings reuse their passwords, that attacker is going to be successful when he uses a password stolen from another website,” said Omri Iluz, CEO of PerimeterX.

“On average, a person uses six passwords for all their online activity,” he noted.

“These attacks are very successful,” Iluz told TechNewsWorld. “With 10,000 bots, thousands of accounts can be compromised in a matter of hours.”

Automation is crucial to those kinds of attacks, however, he said. “It’s only meaningful if they can run 10 million or more login attempts in an hour to get the success rate they need.”

Gift Card Scams on Steroids

Digital desperadoes also have brought the power of bots to another holiday scam: compromising gift cards. After figuring out how a retailer generates its gift card numbers, an attacker can write a script for the botnet to execute that checks whether each candidate number carries a balance.

A hacker could check tens or hundreds of millions of combinations in that way and then register and sell cards discovered to have a balance.
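Both abuse patterns described above, credential stuffing against login forms and high-volume gift-card balance checks, leave a distinctive footprint in a retailer's web logs: one source address touching many different accounts or card numbers in a short time, with most attempts failing. The following Python script is an added example, not code from the article or from any of the vendors quoted in it, showing how a defender could flag those sources. The log format, the client IP addresses, the account names, the card numbers and the detection thresholds are all constructed for the example and would need tuning against a real site's traffic baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed log format for this example (assumption, not any product's real format):
# <ISO timestamp> <client ip> <path> <status> <key=value subject>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<subject>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Illustrative thresholds (assumptions). Real values come from a traffic baseline.
MIN_LOGIN_ATTEMPTS = 5          # ignore sources with too little data to judge
MIN_DISTINCT_USERS = 5          # one IP trying many accounts is the stuffing signature
FAILURE_RATIO_THRESHOLD = 0.75  # reused credentials mostly fail on a site they were not taken from
MIN_CARD_CHECKS = 5
MIN_DISTINCT_CARDS = 5
CHECKS_PER_SECOND_THRESHOLD = 1.0  # a shopper does not query a new card every second

# Constructed sample log: one stuffing source, one enumeration source, two benign clients.
SAMPLE_LOG = """\
2016-11-25T10:00:00Z 203.0.113.7 /login 401 user=alice
2016-11-25T10:00:01Z 203.0.113.7 /login 401 user=bob
2016-11-25T10:00:01Z 203.0.113.7 /login 401 user=carol
2016-11-25T10:00:02Z 203.0.113.7 /login 401 user=dave
2016-11-25T10:00:02Z 203.0.113.7 /login 200 user=erin
2016-11-25T10:00:03Z 203.0.113.7 /login 401 user=frank
2016-11-25T10:00:03Z 203.0.113.7 /login 401 user=grace
2016-11-25T10:00:04Z 203.0.113.7 /login 401 user=heidi
2016-11-25T10:01:10Z 198.51.100.20 /login 401 user=bob
2016-11-25T10:01:25Z 198.51.100.20 /login 401 user=bob
2016-11-25T10:01:40Z 198.51.100.20 /login 200 user=bob
2016-11-25T10:02:00Z 203.0.113.9 /giftcard/balance 404 card=GC-1000
2016-11-25T10:02:00Z 203.0.113.9 /giftcard/balance 404 card=GC-1001
2016-11-25T10:02:01Z 203.0.113.9 /giftcard/balance 200 card=GC-1002
2016-11-25T10:02:01Z 203.0.113.9 /giftcard/balance 404 card=GC-1003
2016-11-25T10:02:02Z 203.0.113.9 /giftcard/balance 404 card=GC-1004
2016-11-25T10:02:02Z 203.0.113.9 /giftcard/balance 404 card=GC-1005
2016-11-25T10:03:00Z 198.51.100.21 /giftcard/balance 200 card=GC-2000
"""


@dataclass
class SourceStats:
    """Per-client-IP counters accumulated over the log."""
    login_attempts: int = 0
    login_failures: int = 0
    users: set = field(default_factory=set)
    card_checks: int = 0
    cards: set = field(default_factory=set)
    first_ts: Optional[datetime] = None
    last_ts: Optional[datetime] = None

    def observe(self, ts: datetime) -> None:
        """Track the time window in which this source was active."""
        if self.first_ts is None or ts < self.first_ts:
            self.first_ts = ts
        if self.last_ts is None or ts > self.last_ts:
            self.last_ts = ts

    def span_seconds(self) -> float:
        """Active window length, floored at one second to avoid division by zero."""
        return max(1.0, (self.last_ts - self.first_ts).total_seconds())


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["subject_key"], _, rec["subject_value"] = rec["subject"].partition("=")
    return rec


def aggregate(log_text: str) -> dict:
    """Fold every parsable line into per-source counters; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.observe(rec["ts"])
        if rec["path"] == "/login":
            s.login_attempts += 1
            s.users.add(rec["subject_value"])
            if rec["status"] != 200:
                s.login_failures += 1
        elif rec["path"] == "/giftcard/balance":
            s.card_checks += 1
            s.cards.add(rec["subject_value"])
    return dict(stats)


def flag_sources(stats: dict) -> dict:
    """Return {ip: [reasons]} for sources whose pattern looks automated."""
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if (s.login_attempts >= MIN_LOGIN_ATTEMPTS
                and len(s.users) >= MIN_DISTINCT_USERS
                and s.login_failures / s.login_attempts >= FAILURE_RATIO_THRESHOLD):
            reasons.append("credential_stuffing")
        if (s.card_checks >= MIN_CARD_CHECKS
                and len(s.cards) >= MIN_DISTINCT_CARDS
                and s.card_checks / s.span_seconds() >= CHECKS_PER_SECOND_THRESHOLD):
            reasons.append("card_enumeration")
        if reasons:
            findings[ip] = reasons
    return findings


def analyze(log_text: str) -> dict:
    """Convenience wrapper: parse, aggregate and flag in one call."""
    return flag_sources(aggregate(log_text))


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The legitimate shopper who mistypes a password twice (198.51.100.20) and the single balance lookup (198.51.100.21) fall below the thresholds, while the two automated sources are flagged. In production the same counters would be kept in a sliding window rather than over a whole file, and an attacker spreading attempts across a botnet would show up only when the keys are widened from a single IP to, for example, a subnet, an ASN or a device fingerprint, which is exactly why the article's sources describe these campaigns as hard to stop at the edge.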

Unsafe mobile apps also might victimize Black Friday-Cyber Monday shoppers.

A recent RiskIQ study found 5,198 Black Friday apps in global app stores. Of those, one in 10 already had been tagged as malicious and unsafe to use.

Be Paranoid

Online bandits also are exploiting the reputation of some of the largest e-commerce sites on the Web to prey on consumers.

The top five brands leading in e-commerce have had a combined total of more than 1,950 blacklisted URLs that contain their branded terms as well as “Black Friday” and are linked to spam, malware or phishing, the RiskIQ report notes.

The same is true of apps from those brands. More than 1 million blacklisted apps reference one of the leading e-commerce brands in either their title or description, according to the study.

While consumers can’t do anything about a DDoS attack on one of their favorite shopping sites, they can protect themselves from attacks aimed directly at them.

“Consumers need to be paranoid about what kinds of things people might do to lure them into scams,” said Venkat Rajaji, senior vice president for marketing at Core Security.

“You’ve got to keep your guard up during the holiday season. Don’t click on any link in a consumer email unless it’s a highly, highly trusted source,” he told TechNewsWorld.

“You’ve got to be paranoid,” Rajaji added. “You’ve got to assume the worst when you’re shopping.”

Breach Diary

  • Nov. 14. Data breach at Friend Finder Network places at risk personal information in more than 412 million accounts.
  • Nov. 14. Adobe agrees to pay $1 million to 15 states to settle case stemming from 2013 data breach at the company, which resulted in unauthorized access to accounts of some 552,000 people.
  • Nov. 15. Seventeen-year-old boy pleads guilty in UK to data breach last year at telecommunications provider TalkTalk, which resulted in unauthorized access to personal data of nearly 160,000 people.
  • Nov. 15. TalkTalk reports profits more than doubled to $75 million from $31 million during the 12 months following a data breach at the telecommunications provider.
  • Nov. 15. Kryptowire discovers several models of Android mobile devices sold through major U.S.-based online retailers, which contain firmware that collects sensitive personal information without the owner’s knowledge or consent, and sends it to third-party servers.
  • Nov. 16. Workers at Indian security firm AI Solutions discovered selling phone records of Australians from call centers of Optus, Telstra and Vodafone.
  • Nov. 16. Database configuration error exposes to public Internet personal information of nearly 25,000 members of Sheet Metal Workers Local Union No. 104 in California.
  • Nov. 16. Protenus reports month-to-month decline in healthcare data breaches to 35 in October from 37 in September, although the number of patient records compromised increased to 776,533 from 246,876.
  • Nov. 16. Personal records of more than 34 million residents of the Indian state of Kerala were posted to Facebook by a hacker disenchanted with the security of the state’s computer systems, GulfNews reports.
  • Nov. 17. Chicago Public Schools notifies families of some 30,000 students that confidential information about them was shared improperly with a charter school operator for use in a mail advertising campaign.
  • Nov. 18. The Three mobile network in the UK reports personal information of more than 130,000 customers was compromised by data breach made public earlier in the week and for which three men were arrested on Wednesday.
  • Nov. 18. Michigan State University announces it will notify some 400,000 current and former students and staff of data breach that has compromised their personal information.
  • Nov. 19. Russian telecom watchdog Roskomnadzor discovers data breaches at 55 websites that contain personal information of children who have written to “Father Frost,” the Russian Santa Claus.

Upcoming Security Events

  • Nov. 28-30. FireEye Cyber Defense Summit 2016. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: through Sept. 30, general admission, $495; government and academic, $295; Oct. 1- Nov. 21, $995/$595; Nov. 22-30, $1,500/$1,500.
  • Nov. 29. Secure Your Enterprise to Maintain Quality of Care. 5 a.m. ET. Webinar by Alto Networks. Free with registration.
  • Nov. 29-Dec. 1. Gartner Identity & Access Management Summit. Caesars Palace, 3570 Las Vegas Blvd. South, Las Vegas, Nevada. Registration: $2,850; public sector, $2,350.
  • Nov. 30. Smart Cities & Critical Infrastructure Cyber Attack Vulnerabilities. 9 a.m. ET. Webinar by Cyber Education Centre. Free with registration.
  • Nov. 30. How is Data Analytics Reducing Payments Fraud? 10 a.m. ET. Webinar by BrightTalk and Fiserv. Free with registration.
  • Nov. 30. Cyber Attackers and the Law – Threats, Challenges & Regulations. 11 a.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Nov. 30. Threat Hunting for Command and Control Activity. 2 p.m. ET. Webinar by Sqrrl. Free with registration.
  • Nov. 30. Securing the Cloud: Trends in Cloud, Collaboration & Security. 2 p.m. ET. Webinar by Dropbox. Free with registration.
  • Nov. 30. Cyber-Intelligence: Protecting Yourself Against Your Own Worst Enemy. 2 p.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Nov. 30. Intelligence: The Planners Strategic Edge. 3 p.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Nov. 30. Cyber Supply Chains: Risks & Protection. 4 p.m. ET. Webinar by U.S. Cyber Defence Advisor to NATO. Free with registration.
  • Nov. 30. How Artificial Intelligence Supports Security Science in Security Operations. 5 p.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Nov. 30. Best Practices for Preparing for Breaches. 1 p.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Dec. 1. The Big Challenge of Big Data: Untangling the Security Conundrum. 11 a.m. ET. Webinar by Gemalto. Free with registration.
  • Dec. 2-3. B-Sides Philadelphia. Drexel University, 3141 Chestnut St., Philadelphia, Pennsylvania. Free.
  • Dec. 6. The 2017 Threatscape. 9 a.m. ET. Webinar by ISF Ltd. Free with registration.
  • Dec. 6. Storm on the Horizon — 2017 Threats Both Foreign and Familiar. 2 p.m. Webinar by OCD Tech. Free with registration.
  • Dec. 7. Insider Threats and Critical Infrastructure: Vulnerabilities and Protections. 10 a.m. ET. Webinar by @LKCyber. Free with registration.
  • Dec. 7. Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing. Webinar by ZeroFOX. Free with registration.
  • Dec. 7. Quantum Threats: The Next Undefended Frontier of Cybersecurity. 1 p.m. ET. Webinar by Isara Corporation. Free with registration.
  • Dec. 7. Trends in Email Fraud, and How to Prevent Enterprise-Facing Email Attacks. 2 p.m. ET. Webinar by Agari. Free with registration.
  • Dec. 8. Cybersecurity Trends — Security Analytics Is the Game Changer. 1 p.m. ET. Webinar by Interset. Free with registration.
  • Dec. 8. I Heart Security: Developing Enterprise Security Programs for Millennials. 5 p.m. ET. Webinar by NCC Group. Free with registration.
  • Dec. 12. How Cybersecurity, Technology and Risk Is Maturing the Role of the Modern CISO. 5 p.m. ET. Webinar by City of San Diego, California. Free with registration.
  • Dec. 13. You CAN Measure Your Cyber Security After All. 1 p.m. ET. Webinar by Allure Security Technology. Free with registration.
  • Jan. 12. FTC PrivacyCon. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
  • Jan. 16. You CAN Measure Your Cyber Security After All. 1 p.m. ET. Webinar by Allure Security Technology. Free with registration.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.