Vulnerabilities / Threats
11/26/2008
01:21 PM
Nightmare Before Christmas: Researchers Warn Of Holiday Shopping Threats

Increases in malware, enterprise vulnerabilities, laptop theft expected

Move over, Ebenezer -- there's a whole new class of holiday gloom in town.

During the past several weeks, security vendors and researchers have been predicting a wide range of attacks and threats for the holiday shopping season that begins Friday. This year's warnings include malware, phishing, insider threats, lost laptops, and a partridge wearing a surveillance camera in a pear tree. (OK, kidding about that last one.)

As a service to our readers and shoppers everywhere, Dark Reading presents this year's list of holiday threats. If you still want to go shopping online after this, better check your eggnog -- it might be spiked.

  • Eighty-four percent of retailers expect online fraud to increase this season as a result of the economic downturn. In a survey of attendees at the recent Merchant Risk Council conference, researchers from 41st Parameter found that 67 percent of retailers are most concerned about increased fraud ring activity and botnets. Thirty percent said their biggest challenge is a lack of funding to purchase better fraud-fighting technology.

  • IBM's ISS X-Force security research team last week issued a series of warnings, including a new wave of "parasitic" malcode-carrying spam, an increase in phishing attacks disguised as banks or online shopping portals, new launches of malware hidden on legitimate Websites, and even the infection of electronic toys and gadgets as a means of reaching corporate networks.

  • Security vendor Cyveillance this week issued a warning for online retailers and consumers to prepare for a significant increase in phishing attacks during the Thanksgiving weekend. Last year, Cyveillance saw a 300 percent increase in phishing attacks on Thanksgiving Day alone. With the current economic downturn -- and with phishing attacks peaking at more than 13,200 during recent months -- Cyveillance analysts expect phishing attacks to hit record highs this weekend.

  • Webroot is warning enterprises that it saw an 87 percent jump in malicious URLs between October and December of last year, and this year's holiday shopping season could be even worse. These sites are typically used to trick shoppers into giving their debit or credit card numbers, or to download malware, the security vendor says.

  • According to a report released by Shop.org this week, 55.8 percent of employees with Internet access at work -- roughly 72.8 million people -- will shop for holiday gifts from work. This figure is up from 44.7 percent in 2005. Web security firm Finjan believes there could be a near-term surge in infected corporate computers resulting from employees shopping from work.

  • Similarly, a new survey of 200 individuals who use computers at work indicates that 36 percent expect to do some online shopping from their desks this holiday shopping season, up 1 percent from last year. The study, conducted by Web filtering tool vendor St. Bernard Software, states that 79 percent of respondents plan to spend two work hours per week doing online shopping, and 14 percent may use up to four hours. Enterprises should consider developing "acceptable use" policies that guide employees as to how and when they may use the corporate network for shopping, St. Bernard says.

  • In a survey of IT professionals published last week, ISACA -- an association of IT professionals -- found that nearly half (46 percent) believe that their companies will lose an average of $3,000 or more in productivity per employee from online holiday shopping at work. More than half (55 percent) also reported that their company permits workers to shop online, but has no strategy for educating them about the risks.

  • A recent survey by RSA Security indicates that 10 percent of all laptop computer users have lost their machines at some point. Mozy, which offers an online data backup service, is encouraging users to back up their data before they take their laptops over the river and through the woods.

  • Absolute Software echoed Mozy's warnings, citing a study by the Ponemon Institute that indicates a laptop goes missing every 50 seconds at U.S. airports.

Virtually all of the studies predicted an increase in online holiday shopping this season, even though overall sales are expected to drop as a result of the economic downturn. The researchers all suggested that IT departments take the time to educate end users about the dangers of online shopping, as well as threats posed to laptops and other portable devices.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
