Happy Online Christmas Shopping
You may think online Christmas shopping is the easy option, but beware: there are many potential pitfalls for the unwary.
Guillaume Lovet, international cybercrime expert, researcher and author, has highlighted five fundamental pieces of advice on how to avoid the basic cybercrime tricks at Christmas and ensure you’re not the one facing identity theft and damaged bank balances in the New Year.
1) Do not follow links found in unsolicited emails you may receive. Even if some look like fantastic bargains, don’t get tempted. They’re not real shops, they’re scams. They’ll use your credentials to siphon your money, and you will never get the wrist-watch you ordered.
2) Do not assume, either, that an online shop is ‘real’ (as opposed to a scam) just because you reached it on your own initiative, through a search engine. Over the past two or three years cybercriminals have mastered the so-called ‘SEO attack’ techniques, which consist of fooling the search engines’ ranking algorithms in order to push their malicious websites into the first results returned for searches such as ‘Xmas gifts’. Of course, search engines’ anti-fraud teams struggle against this phenomenon, but it’s a cat and mouse game, so it’ll happen during certain time windows.
3) Do not assume that shopping on a website with an established reputation (as opposed to looking for one from Google) is safe. It might be, but it might not. Over the past two years, massive SQL injections have been rampant, and even reputed sites were not spared (Canadian Defense, the Superbowl site and MTV, for example). SQL-injected websites won’t send users to rogue shops, that’s true. But they’ll attempt to silently install Trojan horses, bots, keyloggers and rootkits onto the visitors’ systems, which in turn are designed to steal the banking or credit card credentials of victims. Have a solid and up-to-date AV solution running on your computer to prevent this in the first place. With thousands of compromised legitimate websites over the past year, you can no longer rely solely on your own sagacity to avoid malicious sites; that used to work, but it doesn’t anymore.
4) What to do if your PC is already loaded with Trojans? It doesn’t only happen to others. After all, over 3.5 million computers are part of the Zeus botnet, so why not yours? Zeus is a Trojan horse that specialises in intercepting banking credentials as they are typed by the infected user. And no, it displays no (easily) visible symptoms.
The good news is, there is a way to shop or bank online from your computer, while being 100 percent sure that kind of critter won’t intercept your credentials: boot up a Live CD (i.e. an operating system on a CD, such as Ubuntu Linux), and bank from there. Of course you’ll find the OS inconvenient (because you’re not used to it), but it’s no big deal: you only need the browser to bank, right? And it’s probably the same as on your Windows computer, provided you’re a Firefox user.
5) Last but not least, advice very specific to this year, with regard to current trends in social networking: do not blindly trust your friends. I mean, your social network friends. The prevalence of Facebook worms such as Koobface is such that, if you have a regular number of friends by social networking standards (300+), chances are high that at least some of them have had their accounts compromised over the past year. Those compromised accounts are used by cybercriminals to distribute Spam 2.0 (i.e. spam in the form of user comments or messages on social networking sites) and to seed more malware. So, if you receive a message that says something along the lines of “check this website out, it’s GREAT for Xmas gifts”, you may want to double-check with the friend who sent it.
Happy online Christmas shopping!







