
November 19, 2019 | Paul Mazzucco

2019 Holiday Shopping Security: Threats and Tips

With Black Friday and the holiday season rapidly approaching, businesses need to be more cyber-vigilant than ever. No matter what cybersecurity policies you set, it’s highly likely that malicious hackers are looking to find and exploit your vulnerabilities. In this blog post, we look at some of the major holiday shopping security threats in 2019, and explain how to protect your employees, business, and customers from cybercriminals.

Top cybersecurity threats to look out for this holiday shopping season

Phishing attempts via email

Phishing, the sending of an email under false pretenses designed to get the recipient to do something such as open an attachment or click on a file, should be top of mind for security experts. It’s one of the primary ways cybercriminals carry out their schemes, from malware injections, to stealing credentials, to DDoS attacks.

According to Symantec’s 2019 Internet Security Threat Report, almost one in every 400 emails is malicious. The average office worker may receive a hundred or more emails a day. So, chances are good that every single one of your employees will receive at least one malicious email sometime this week. If they’ve been visiting shopping sites more than usual (even on their personal devices connected to your network), perhaps even providing their work email address to receive a coupon or get a deal, that rate is only going to go up.

To stress how important it is to control this attack vector, bear in mind that as much as 92.4% of malware is distributed via email. (Verizon) That’s because it works. A 2018 research project which simulated phishing attempts found that 62% of campaigns captured at least one set of credentials. Unfortunately, this level of success wasn’t because of a single uninformed employee skewing the results. Almost a quarter of recipients clicked on the phishing links, and half of them entered credentials into a fake web site. (Duo)

Fake emails that include ransomware too

According to one recent study, 75% of verified phishing emails involved credential phishing schemes. (Cofense) But perhaps more worrisome this year is the potential for ransomware attacks.

In a ransomware/phishing attack, the recipient either opens an infected attachment or visits an infected website. Once the malware is on their system, its first goal is to spread throughout the network. Once in, it encrypts the organization’s data. These two actions don’t always happen in rapid succession. Ransomware code can stay dormant until triggered by the attackers or a specific event.

The attackers promise to turn over the encryption key once the company pays the ransom. ZDNet reports that about 96% of the time, this works, so it’s no surprise that so many companies take this route despite the FBI’s warning that it just encourages more ransomware attacks.

Ransomware attackers also know to attack organizations with the most to lose. Right now, their two favorite targets seem to be healthcare organizations and government entities, especially city governments. But, as the holiday shopping season comes closer, they’ll have their pick of desperate targets, e.g., the small manufacturer, distributor, or retailer that does most of their business from November through December.

In Q1 2019, the average ransom was just over $12K, so it’s easy to understand why so many businesses pay. That’s a drop in the bucket compared to the cost of losing access to systems for days, if not weeks. But, as previously mentioned, successful attacks simply breed more attacks. Cybersecurity Ventures predicts that there will be a ransomware attack on businesses every 14 seconds by the end of 2019 and every 11 seconds by 2021. (Cybercrime Magazine)

One of the trends that has cybersecurity experts most concerned is the availability of ransomware for hire. Using these services, a disgruntled customer, employee, or just someone with an axe to grind can carry out a ransomware attack with no technical knowledge. Some illegal operations are so sophisticated they even offer help desk support for their customers.

DDoS attacks on eCommerce sites & critical systems

Like ransomware, a Distributed Denial of Service (DDoS) attack cripples the business with the intent of extorting money. Cybercriminals are now combining the two into a type of attack called a Ransom Distributed Denial of Service attack (RDDoS). In an RDDoS, attackers use bots to flood a company’s website or servers with more traffic than they are designed to handle, crippling the organization’s website or systems. Then, they demand a ransom to call off the attack.

This year, 56% of shoppers expect to do at least some of their holiday shopping online. (National Retail Federation) This includes shopping at local retailers. In the same NRF study, 48% said they would buy online and pick up in store. Many local and regional retailers rely on the business their ecommerce site brings in over the holidays, making them more likely to pay a small ransom than risk losing sales.

Site sabotage

In another variation on the DDoS attack, some cybercriminals are using bots to sabotage retail sites. These bots fill carts and lock up inventory – all with the purpose of sabotaging their competition and stifling that brand’s ecommerce sales during the attack. The ecommerce site appears to have no inventory remaining, allowing the competition to charge higher prices and appear more appealing to search engines and shoppers.

Bot traffic to ecommerce sites continues to rise, and bad bot traffic is rising faster than good bot traffic. (A good bot might be simply comparing prices, whereas a bad bot has malicious intent.) In 2017, bad bots accounted for 21.8 percent of all website traffic, a 9.5 percent increase over the previous year. (Retail Insider) As with ransomware, non-technical users can launch DDoS, RDDoS, and Site Sabotage attacks by hiring bot services on the dark web.
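
The cart-filling pattern described above leaves a recognizable trace in cart logs: sessions that hold a large share of an item's stock for a long time and never check out. The following detection sketch is an added example, not code from the original post; the event format, SKU and session names, and both thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real site): units in stock per SKU
# and cart events as (timestamp, session, action, sku, qty).
STOCK = {"TOY-1": 40, "MUG-7": 200}
EVENTS = [
    ("2019-11-29T09:00:00", "s-alice", "add", "MUG-7", 2),
    ("2019-11-29T09:01:00", "s-bot1", "add", "TOY-1", 15),
    ("2019-11-29T09:01:05", "s-bot2", "add", "TOY-1", 20),
    ("2019-11-29T09:04:00", "s-alice", "checkout", None, 0),
    ("2019-11-29T09:20:00", "s-bob", "add", "TOY-1", 1),
]
NOW = datetime.fromisoformat("2019-11-29T10:00:00")


def find_cart_hoarders(events, stock, now, max_share=0.25,
                       min_hold=timedelta(minutes=30)):
    """Return {session: {sku: share_of_stock}} for carts that have held at
    least max_share of a SKU's stock for min_hold without checking out."""
    held = defaultdict(lambda: defaultdict(int))  # session -> sku -> units
    first_add = {}                                # (session, sku) -> time
    checked_out = set()
    for ts, session, action, sku, qty in sorted(events, key=lambda e: e[0]):
        if action == "add":
            held[session][sku] += qty
            first_add.setdefault((session, sku), datetime.fromisoformat(ts))
        elif action == "remove":
            held[session][sku] = max(0, held[session][sku] - qty)
        elif action == "checkout":
            checked_out.add(session)

    flagged = {}
    for session, cart in held.items():
        if session in checked_out:
            continue  # a converting shopper, however large the cart
        for sku, units in cart.items():
            share = units / stock[sku]
            if share >= max_share and now - first_add[(session, sku)] >= min_hold:
                flagged.setdefault(session, {})[sku] = share
    return flagged


def locked_share(flagged, sku):
    """Fraction of a SKU's stock tied up by flagged carts."""
    return sum(cart.get(sku, 0.0) for cart in flagged.values())


if __name__ == "__main__":
    hoarders = find_cart_hoarders(EVENTS, STOCK, NOW)
    print(hoarders, locked_share(hoarders, "TOY-1"))
```

Flagged sessions are candidates for having their cart reservations released or for review against the bot controls in your WAF; tune both thresholds to your own inventory and checkout times.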

4 ways to curb cybercrime during the Holiday shopping season

Recovery from a cyberattack is never simple. For example, even if paying the ransom nets the encryption key, a ransomware incident still puts an incredible strain on the business. At the very least, there’s always going to be some downtime as the organization decides how to respond and then puts that plan into action. And while ransomware isn’t data theft per se, there’s always the chance that data can be destroyed by the attack.

To prevent ransomware or other cyberattacks from ruining your holiday season, here are four actions you should take right away:

1. Educate your employees

More than half of all security breaches are the result of human error. (Disaster Recovery Journal) If you haven’t conducted a recent refresher on cybersecurity protocols for employees, schedule one ASAP. They need to understand the dangers and how to spot a suspected phishing scheme. (No, that isn’t the CEO asking you to buy 20 Google Play gift cards on his behalf.)

2. Install email security filters

In 2018, one in every 3207 emails was a phishing attack, and 7.8% of URLs included in emails were malicious. Email attachments also remain a popular attack vector, with Microsoft Office files accounting for 48% of malicious attachments. (Symantec) With this sort of onslaught, educating employees can only get you so far. From spam to malware, email security filters can prevent malicious emails from getting through to your employees.

3. Review your WAF implementation

With so many attacks on websites and ecommerce sites this holiday season, all businesses need a WAF, or Web Application Firewall. A WAF stands between the internet and your internal systems, detecting and quarantining potentially malicious traffic. Unfortunately, only 57% of businesses say they’ve deployed a WAF. (NGINX)

If you already have a WAF, it’s equally important to review your implementation regularly to ensure it is up to date and providing the coverage you need. For example, since DDoS, RDDoS, and Site Sabotage attacks are executed by malicious bots, you need the good bots found in mitigation tools to mount a proper defense. Like watchdogs for your systems, these tools sniff out incoming traffic and filter out anything that looks suspicious. WAF vendors continue to enhance their bot technology to address the latest threats.

4. Create a security plan

A comprehensive security plan includes three main components.

  • A security policy outlines the organization’s IT security threats and objectives and provides guidance to employees on expectations.
  • A security framework specifies how systems will be kept secure. Many organizations leverage the NIST Special Publication 800 Series when creating their framework. Designed to support the security and privacy requirements of the U.S. federal government, this framework provides a comprehensive foundation for businesses across industries.
  • An incident response plan will help everyone (IT professionals as well as those in non-IT-related roles) know what to do in the event of a cyberattack, speeding time-to-remediation and lessening the damage to your systems, reputation, and bottom line. Unfortunately, a 2018 study found that only 23% of organizations have a cybersecurity incident response plan that is consistently applied across the enterprise. (Ponemon/IBM)

Finally, remember that every aspect of your security plan should be documented and tested regularly to ensure that it works as designed in the event of an actual attack.

Don’t Let Your Holiday Season Become a Total Disaster

Knowing how you’ll recover your systems and data is a vital part of any incident response plan. Even if you have a disaster recovery plan in place already, it’s important to revisit it every year. Perhaps there’s no better time than right before your busiest time of year. Read: 10 Steps to Write a Better Disaster Recovery Plan.

One aspect to consider is whether your recovery objectives still meet your needs. Perhaps you first put the plan together during the slow summer months when the business could handle a few extra minutes of downtime. However, now that your busy season is fast approaching, you’ve realized that every minute could cost you tens of thousands of dollars.

Cloud-based disaster recovery is one way to address the variability in needs. Depending on the needs of the workload, you might set up a temporary failover site in AWS or Azure. One of the greatest advantages to this approach is cost. You’re not paying for duplicate resources you never use, and it’s easy to spin down resources you no longer need.

Cloud-based disaster recovery is also relatively quick to set up, especially if you know what you’re doing. We’ve helped hundreds of customers strengthen their resiliency with disaster recovery solutions.

Cybersecurity solutions to help you protect your business

As an IT security services provider, we specialize in the development, implementation and management of comprehensive IT security strategies. Contact us today to learn more and see how we can help you.
