Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Nightmare Before Christmas: Researchers Warn Of Holiday Shopping Threats

Increases in malware, enterprise vulnerabilities, laptop theft expected

Move over, Ebenezer -- there's a whole new class of holiday gloom in town.

During the past several weeks, security vendors and researchers have been predicting a wide range of attacks and threats for the holiday shopping season that begins Friday. This year's warnings include malware, phishing, insider threats, lost laptops, and a partridge wearing a surveillance camera in a pear tree. (OK, kidding about that last one.)

As a service to our readers and shoppers everywhere, Dark Reading presents this year's list of holiday threats. If you still want to go shopping online after this, better check your eggnog -- it might be spiked.

  • Eighty-four percent of retailers expect online fraud to increase this season as a result of the economic downturn. In a survey of attendees at the recent Merchant Risk Council conference, researchers from 41st Parameter found that 67 percent of retailers are most concerned about increased fraud ring activity and botnets. Thirty percent said their biggest challenge is a lack of funding to purchase better fraud-fighting technology.

  • IBM's ISS X-Force security research team last week issued a series of warnings, including a new wave of "parasitic" malcode-carrying spam, an increase in phishing attacks disguised as banks or online shopping portals, new launches of malware hidden on legitimate Websites, and even the infection of electronic toys and gadgets as a means of reaching corporate networks.

  • Security vendor Cyveillance this week issued a warning for online retailers and consumers to prepare for a significant increase in phishing attacks during the Thanksgiving weekend. Last year, Cyveillance saw a 300 percent increase in phishing attacks on Thanksgiving Day alone. With the current economic downturn -- and with phishing attacks peaking at more than 13,200 during recent months -- Cyveillance analysts expect phishing attacks to hit record highs this weekend.

  • Webroot is warning enterprises that it saw an 87 percent jump in malicious URLs between October and December of last year, and this year's holiday shopping season could be even worse. These sites are typically used to trick shoppers into giving their debit or credit card numbers, or to download malware, the security vendor says.

  • According to a report released by Shop.org this week, 55.8 percent of employees with Internet access at work -- roughly 72.8 million people -- will shop for holiday gifts from work. This figure is up from 44.7 percent in 2005. Web security firm Finjan believes there could be a near-term surge in infected corporate computers resulting from employees shopping from work.

  • Similarly, a new survey of 200 individuals who use computers at work indicates that 36 percent expect to do some online shopping from their desks this holiday shopping season, up 1 percent from last year. The study, conducted by Web filtering tool vendor St. Bernard Software, states that 79 percent of respondents plan to spend two work hours per week doing online shopping, and 14 percent may use up to four hours. Enterprises should consider developing "acceptable use" policies that guide employees as to how and when they may use the corporate network for shopping, St. Bernard says.

  • In a survey of IT professionals published last week, ISACA -- an association of IT professionals -- found that nearly half (46 percent) believe that their companies will lose an average of $3,000 or more in productivity per employee from online holiday shopping at work. More than half (55 percent) also reported that their company permits workers to shop online, but has no strategy for educating them about the risks.

  • A recent survey by RSA Security indicates that 10 percent of all laptop computer users have lost their machines at some point. Mozy, which offers an online data backup service, is encouraging users to back up their data before they take their laptops over the river and through the woods.

  • Absolute Software echoed Mozy's warnings, citing a study by the Ponemon Insitute that indicates a laptop goes missing every 50 seconds at U.S. airports.

    Virtually all of the studies predicted an increase in online holiday shopping this season, even though overall sales are expected to drop as a result of the economic downturn. The researchers all suggested that IT departments take the time to educate end users about the dangers of online shopping, as well as threats posed to laptops and other portable devices.

    Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    RDP Bug Takes New Approach to Host Compromise
    Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
    The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
    Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Building and Managing an IT Security Operations Program
    As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-12162
    PUBLISHED: 2019-07-23
    Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
    CVE-2018-18669
    PUBLISHED: 2019-07-23
    GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board title contents" parameter, aka the adm/board_form_update.php bo_subject parameter.
    CVE-2019-10101
    PUBLISHED: 2019-07-23
    Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function Jsi_ValueArrayIndex (jsiValue.c:366). The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3.
    CVE-2019-9815
    PUBLISHED: 2019-07-23
    If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thre...
    CVE-2019-9816
    PUBLISHED: 2019-07-23
    A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supp...