It should come as no surprise that while online shopping spikes during the holiday season, there is also a marked increase in cyber attacks capitalizing on holiday-themed offers and promotions.
Zscaler ThreatLabz has been observing web threats for many years. While the attacks have evolved over time, they share a few commonalities that enable us to recommend how online shoppers (users) can protect themselves and how security teams can safeguard corporate data.
This blog examines recurring attack trends during the holiday season and provides key recommendations to protect sensitive information. In addition, this blog explains how Zscaler Advanced Threat Protection mitigates web-based threats like phishing and web skimming.
Over the years, phishing scams have become more sophisticated, making them harder to detect and block. By leveraging phishing kits and AI tools, even non-technical malicious actors can plan and execute highly targeted phishing campaigns, compromising organizations to access sensitive data for exfiltration and/or extortion.
The Zscaler ThreatLabz 2023 Phishing Report indicates that phishing attackers exploit certain consumer trends by impersonating popular brands to deceive consumers. Malicious e-commerce sites and emails are popular phishing tactics during the holiday season because of the heavy online shopping and spending that occurs during this period.
A widely employed method of phishing involves using trusted domains to exploit unsuspecting consumers, redirecting them to phishing websites. Malicious actors abuse popular online shopping platforms such as Walmart and Amazon in an attempt to collect login credentials. Attackers send free gift cards via email, post ads, or send fake customer service alerts in an attempt to manipulate victims into clicking on phishing links.
In addition to popular online shopping websites, banking and personal finance sites become frequent targets during the holiday season. Some attacks are served over non-secure connections using HTTP and are easy to spot. However, they can also be more elaborate and sophisticated, served over an HTTPS connection with an interface that seems like a legitimate banking and finance website. In 2019, PayPal phishing scams were executed widely by malicious actors. A blog by the Zscaler ThreatLabz team drills into how the threat actors executed the attacks successfully.
In recent years, attackers have also engaged in smishing, i.e., using text messages (SMS communications) to deliver scams, typically with malicious URL links. The message sender appears to be a known e-commerce brand or famous online shopping website. A text message with a tracking link might divert a user to a malicious site that looks legitimate. In the past, Zscaler ThreatLabz has observed these seemingly innocuous websites luring unsuspecting users with polls and surveys that promise monetary rewards.
Web Skimming Attacks
Historically, the e-commerce industry sector has faced the brunt of skimming attacks, which focus on capturing sensitive data such as online shoppers’ credit card information. In recent years, web skimming attacks have become increasingly popular among malicious actors, given that they are easy to execute and hard to detect. What makes it even harder to detect these types of attacks is that web skimming attacks are commonly launched over encrypted (SSL) channels and many organizations don’t inspect encrypted traffic.
Card skimmer groups are active throughout the year, but given the increased online shopping activity during the holiday season, there usually is a spike in such attacks around this time. Last year, ThreatLabz identified four emerging skimming attacks to watch, with little to no prior documentation in the public domain. The ThreatLabz research team discovered that Magento and Presta-based e-commerce stores in the US, UK, Australia, and Canada were primarily targeted, with attackers managing to keep their malicious activities under the radar for several months.
Guidelines for Users Shopping on Corporate Devices
Users engaging in online shopping should follow the basic guidelines outlined below to protect their personal information and corporate data:
- Avoid holiday shopping on any corporate device; this keeps holiday-themed web threats away from corporate endpoints and data.
- If an advertised deal seems too good to be true, it probably is. Be particularly wary of these offers and pay close attention to any associated web pages and links.
- Download apps from large official app stores, such as Google or Apple, as they generally have stronger governance.
- Verify the authenticity of the URL or website before accessing it. Be wary of links with typos.
- When visiting shopping, e-commerce, or financial websites, check for HTTPS/secure connections. All legitimate vendors, retailers, and payment portals use HTTPS connections for their transactions.
- Enable two-factor authentication, or “2FA,” to provide an additional layer of security, especially for sensitive financial accounts.
- As a rule, don’t click links or open documents from unknown parties who promise exciting offers and opportunities.
- Always ensure that your operating system and web browser are up-to-date and have the latest security patches installed.
- Use a browser add-on, such as Adblock Plus, to block malvertising (compromised/malicious websites bombard visitors with pop-up ads).
- Avoid using public or unsecured Wi-Fi connections for shopping.
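As an added example (not Zscaler's code), the following Python applies the link checks from the guidelines above, the HTTPS requirement and wariness of typos or brand names hidden in unrelated domains, against the brands the post names as impersonation targets. The brand list and all sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Brand domains the post names as impersonation targets (constructed list);
# a real deployment would load the organisation's own allowlist instead.
TRUSTED_BRANDS = ("walmart.com", "amazon.com", "paypal.com")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels of the hostname (sufficient for .com brands; no public-suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_link(url: str) -> str:
    """Return 'trusted', 'insecure', 'lookalike', 'brand-in-other-domain' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg = registrable(host)
    if reg in TRUSTED_BRANDS:
        # Genuine retailer domain, but legitimate vendors always serve transactions over HTTPS.
        return "trusted" if parts.scheme == "https" else "insecure"
    sld = reg.split(".")[0]
    for brand in TRUSTED_BRANDS:
        brand_sld = brand.split(".")[0]
        # e.g. paypa1.com: the registrable label is a typo away from the real brand
        if 0 < levenshtein(sld, brand_sld) <= 2:
            return "lookalike"
        # e.g. amazon.com.example.test: the brand name appears only as a subdomain
        # or inside a label, while the registrable domain belongs to someone else
        if brand_sld in host and reg != brand:
            return "brand-in-other-domain"
    return "unknown"
```

Anything other than "trusted" is a reason to stop and type the retailer's address by hand instead of following the link.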
Recommendations for Enterprise Security Teams
- Given the spikes in cyber attacks during the holiday season, it is important to raise user awareness. Leverage the above section on "guidelines for users" to educate your user base.
- Utilize web policies that restrict access to unknown, miscellaneous, newly registered, and newly active domains. If there are legitimate business use cases for these websites, leverage browser isolation to enable safe access.
- Turn on SSL/TLS traffic inspection to gain visibility and the ability to apply advanced security controls, such as phishing detection, IPS, and inline sandboxing, to all traffic.
- If you are an e-commerce company, ensure that your own infrastructure is not exploited by keeping all systems patched and up-to-date, utilizing secure passwords and MFA, and following PCI compliance guidelines.
While the above recommendations are critical, especially during the holiday season, improving and maintaining your security posture is important throughout the year, not just during the holiday season.
Zscaler Advanced Threat Protection Helps Safeguard Data During the Holidays
Traditional threat protection comes with its own downsides. Inspecting traffic from start to finish is challenging; appliance-based and VM approaches cannot perform 100% SSL/TLS decryption; traditional sandboxing solutions don't operate inline, which means they can only detect malware after it has compromised your systems; and the minute your users drop off the network or VPN, you lose the ability to enforce policies. This is why we recommend Zscaler Advanced Threat Protection.
When it comes to phishing attacks, Zscaler Advanced Threat Protection utilizes its cloud-native proxy to inspect web traffic comprehensively. It leverages advanced threat intelligence and behavioral analysis to identify and block malicious websites attempting to deceive users.
For combating web skimming, Zscaler Advanced Threat Protection’s approach involves thorough inspection of web content and transactions. By scrutinizing every packet of data, it can detect and block attempts by malicious actors to inject code into legitimate websites. Zscaler’s focus on encrypted traffic means its unlimited SSL inspection capacity allows it to uncover hidden threats within encrypted communication, a common tactic employed by web skimmers.
Take a look at how VF Corporation, which includes brands like Timberland, The North Face, and Vans, went through a zero trust journey powered by Zscaler, enabling it to improve threat protection with threat insights from the world's largest security cloud.