Security pros warn of Black Friday threats
Annual shopping bonanza offers cybercriminals some great online deals
It's not just retailers who can cash in on consumers looking for cash-saving online Black Friday deals, cyber criminals are out to bag a bargain too.
According to the security community, both retailers and their customers face threats, albeit from different perspectives.
From the point of view of retailers, one of the biggest dangers is a database compromise, leading to customer data being leaked and reputations being ruined.
"This week Black Friday sales are expected to hit record levels, which, while good for the British economy, will raise concerns about the opportunities for scammers and cyber criminals," said Ross Brewer, vice president and managing director of EMEA at LogRhythm. "Indeed, all eyes will be on who and there will be some will fall victim to hackers' increasingly persistent and smart tactics. Retailers are prime targets because of the confidential data they hold whether it's bank details, email addresses or personal information.
"There's absolutely no doubt that cyber criminals will take advantage of this week's online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months."
There's also the danger of DDoS attacks disrupting their sites and forcing their customers to shop elsewhere.
"The run up to Black Friday and Cyber Monday is a trying time for those of us in cyber security," said Darren Anstee, CTO of Arbor Networks. "Cyber criminals are still up to old tricks, and will not miss an opportunity to deliberately target websites at a time of peak demand. Those unable to contain a DDoS attack risk losing their customers to competitors if they are unable to counter the attack, so it is essential that organisations expect cyber-attacks and know how to respond."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Of course, not all outages are down to a deliberate DDoS attack - with so many people looking for Black Friday Deals, websites can simply buckle under the weight of genuine traffic.
Indeed, this seems already to have happened to some sites on Black Friday eve, including Ted Baker, Game and Calvin Klein.
"Before Black Friday even got underway, a number of e-commerce sites had already gone down as they couldn't cope with traffic surges." said Simon Wharton, managing director at PushON. "Not long after 9pm, Ted Baker was struggling to meet demand with users temporarily unable to access the site. GAME was also down for about three hours ... and Calvin Klein had opted to pay for adverts on Google, yet when users clicked on the ads, they were led to a blank page"
"This just highlights that some retailers have not taken the necessary steps to prepare for Black Friday ... why haven't retailers like Debenhams and Ted Baker learnt from last year's mistakes and took the time to make sure their sites were crash-proof early on?"
For consumers looking for a bargain, there are other perils to be aware of, particularly phishing scams, fake websites and malvertising.
"It's highly likely that almost everyone with an email account has been sent a phishing email at some point. But phishing attacks are becoming increasingly sophisticated and much harder to spot," added John Shier, senior security Advisor at Sophos. "Though many [people] don't think that they have been phished, if phishing is done right you wouldn't know about it, so it's highly likely that the number of those who have been phished is actually a lot higher."
For both retailers and consumers, however, these potential threats don't stop once the Black Friday frenzy has cleared, as the run-up to Christmas and January sales also offer prime pickings for malicious actors thanks to the increase in transactions taking place.
How businesses can protect themselves
For businesses, dealing with Black Friday threats is a combination of ensuring standard security measures are up to scratch and having in place the sytems and means to deal with surges of traffic.
For standard security measures, this means ensuring sufficient network protections, such as firewalls and intrusion detection systems, are in place with the software up to date. Other prevention, detection and resolution measures are also important, such as machine learning-driven software that can bring attention to erratic behaviour which could indicate an attempted intrusion or existing infection.
All retailers should also be ensuring end-to-end encryption for financial transactions in particular, as well as encrypting sensitive data at rest on its systems, such as credit card numbers, customer addresses, emails, telephone numbers and so on.
For traffic surges, whether they're caused by a DDoS attack or a genuine increase in interest, there are plenty of cloud bursting and traffic management services out there that can offer one-off protection or ongoing contracts (which could help for other busy times of year or any "out of the blue" attacks, which could happen at any time).
How consumers can protect themselves
While there's not much consumers can do to protect their data once it's on a retailer's system, there are many things that can be done before their data ever gets to that point.
Phishing scams are among the most popular when it comes to Black Friday and there are many ways cyber criminals may try to tempt you to click on a link. However, offering incredibly - perhaps impossibly - good deals, such as 94% off an iPhone X should raise a red flag.
"The old adage, 'if it seems too good to be true, it probably is' stands true with most of the Black Friday cyber scams, but it is important for consumers to become conditioned to recognise the signs of fake deal," said Aaron Higbee, CTO of PhishMe.
Other tips include making sure the site really does have "https" in the url and not just "http", even if it's displaying the padlock icon in the address bar, watching out for "typo-squatting" (for example, "ebya" rather than "ebay", or "amazan" rather than "amazon"), and ensuring there are contact details available in case something goes wrong with the order, such as a working phone number or customer service emails address.
Finally, ensure you have security software installed that protects you while you are browsing online and also offers protection against malware downloads, no matter where they come from.
For trusted and genuine Black Friday Deals, you can head over to our sister site Alphr, which has a list of the best bargains on offer right now.
Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.