Vulnerabilities / Threats
11/26/2008
01:21 PM
Connect Directly
RSS
E-Mail
50%
50%

Nightmare Before Christmas: Researchers Warn Of Holiday Shopping Threats

Increases in malware, enterprise vulnerabilities, laptop theft expected

Move over, Ebenezer -- there's a whole new class of holiday gloom in town.

During the past several weeks, security vendors and researchers have been predicting a wide range of attacks and threats for the holiday shopping season that begins Friday. This year's warnings include malware, phishing, insider threats, lost laptops, and a partridge wearing a surveillance camera in a pear tree. (OK, kidding about that last one.)

As a service to our readers and shoppers everywhere, Dark Reading presents this year's list of holiday threats. If you still want to go shopping online after this, better check your eggnog -- it might be spiked.

  • Eighty-four percent of retailers expect online fraud to increase this season as a result of the economic downturn. In a survey of attendees at the recent Merchant Risk Council conference, researchers from 41st Parameter found that 67 percent of retailers are most concerned about increased fraud ring activity and botnets. Thirty percent said their biggest challenge is a lack of funding to purchase better fraud-fighting technology.

  • IBM's ISS X-Force security research team last week issued a series of warnings, including a new wave of "parasitic" malcode-carrying spam, an increase in phishing attacks disguised as banks or online shopping portals, new launches of malware hidden on legitimate Websites, and even the infection of electronic toys and gadgets as a means of reaching corporate networks.

  • Security vendor Cyveillance this week issued a warning for online retailers and consumers to prepare for a significant increase in phishing attacks during the Thanksgiving weekend. Last year, Cyveillance saw a 300 percent increase in phishing attacks on Thanksgiving Day alone. With the current economic downturn -- and with phishing attacks peaking at more than 13,200 during recent months -- Cyveillance analysts expect phishing attacks to hit record highs this weekend.

  • Webroot is warning enterprises that it saw an 87 percent jump in malicious URLs between October and December of last year, and this year's holiday shopping season could be even worse. These sites are typically used to trick shoppers into giving their debit or credit card numbers, or to download malware, the security vendor says.

  • According to a report released by Shop.org this week, 55.8 percent of employees with Internet access at work -- roughly 72.8 million people -- will shop for holiday gifts from work. This figure is up from 44.7 percent in 2005. Web security firm Finjan believes there could be a near-term surge in infected corporate computers resulting from employees shopping from work.

  • Similarly, a new survey of 200 individuals who use computers at work indicates that 36 percent expect to do some online shopping from their desks this holiday shopping season, up 1 percent from last year. The study, conducted by Web filtering tool vendor St. Bernard Software, states that 79 percent of respondents plan to spend two work hours per week doing online shopping, and 14 percent may use up to four hours. Enterprises should consider developing "acceptable use" policies that guide employees as to how and when they may use the corporate network for shopping, St. Bernard says.

  • In a survey of IT professionals published last week, ISACA -- an association of IT professionals -- found that nearly half (46 percent) believe that their companies will lose an average of $3,000 or more in productivity per employee from online holiday shopping at work. More than half (55 percent) also reported that their company permits workers to shop online, but has no strategy for educating them about the risks.

  • A recent survey by RSA Security indicates that 10 percent of all laptop computer users have lost their machines at some point. Mozy, which offers an online data backup service, is encouraging users to back up their data before they take their laptops over the river and through the woods.

  • Absolute Software echoed Mozy's warnings, citing a study by the Ponemon Insitute that indicates a laptop goes missing every 50 seconds at U.S. airports.

    Virtually all of the studies predicted an increase in online holiday shopping this season, even though overall sales are expected to drop as a result of the economic downturn. The researchers all suggested that IT departments take the time to educate end users about the dangers of online shopping, as well as threats posed to laptops and other portable devices.

    Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    White Papers
    Cartoon
    Current Issue
    Dark Reading Must Reads - September 25, 2014
    Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
    Flash Poll
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2012-5485
    Published: 2014-09-30
    registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

    CVE-2012-5486
    Published: 2014-09-30
    ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

    CVE-2012-5487
    Published: 2014-09-30
    The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

    CVE-2012-5488
    Published: 2014-09-30
    python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

    CVE-2012-5489
    Published: 2014-09-30
    The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

    Best of the Web
    Dark Reading Radio
    Archived Dark Reading Radio
    In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.