
“Ho, Ho, Ho, Merry Phishing!” – Part 2

posted by: Blog Author date: Dec 21, 2016 category: All, Phishing comments: 0

Mobile Shoppers, Beware of Mobile Treats!

Today, our society is more Internet-connected than ever before: millions of sales are now made from a smartphone or tablet, and this is especially true for holiday shopping. The amount of mobile shopping and transactions increases every year, with active buyers turning to their smartphones for their day-to-day shopping. Anyone travelling on public transport around this time of year will notice that a large number of commuters have their heads down, scrolling through pages and pages of gift ideas from different websites or apps. Consumers are extremely fond of convenient “one-stop-shops” where they can purchase everything they need on a single website: efficiency is the key for online shoppers.

The e-commerce sector is booming thanks to the growing number of mobile users, and also to the increase in time spent on smartphones compared to laptops/PCs. Naturally, hackers follow that trend and target this highly connected crowd, where each individual is a potential victim.

Two of the major cyber-threats that mobile holiday shoppers should be concerned about are fake e-commerce websites and apps, along with malicious Wi-Fi hotspots.

Fake websites and apps: hackers are tech savvy and design applications from scratch, using a brand’s reputation and logo to trick victims into downloading their malicious version. Cyber-criminals name their apps so that they attract gullible and naïve consumers, with names such as “Apple Rewards”, “McDonalds Free Treats” and so on. Some of these malicious apps can host Trojans, which spread through the victims’ contact lists by SMS, sending fake vouchers and links to phishing websites. Recently, over 1,000 Black Friday-related apps were identified as malicious, containing malware or phishing tools that cause victims to unknowingly disclose their log-in credentials or credit card details to hackers. Most fake apps can be downloaded from the numerous third-party app stores, which have lower security parameters and weak app reviews, allowing malicious apps to proliferate on these platforms.

Malicious Wi-Fi hotspots: another insidious threat to keep in mind, designed to drain personal information from Internet-connected devices. Shoppers are now used to turning to their smartphones while they are in a store, to compare prices and read reviews for the items they are interested in; often, they are doing so while being connected to a public Wi-Fi network. Every free Wi-Fi network can represent a risk to the integrity of a user’s critical details, especially those found in shopping centres or other public areas.

When involved in Wi-Fi scams, cyber-criminals reach their victim’s sensitive personal details by setting up malicious hotspots, or exploiting poorly secured legitimate Wi-Fi hotspots to monitor consumer communications – sometimes using the man-in-the-middle technique.

Hackers often entice their victims to connect to their malicious hotspots by using the word “Free”: naming them “FreePublicWiFi”, “FREE_Wifi”, “Free_Internet” and the like. Research indicates that around 10% of networks using the word “Free” in their names were used for malicious purposes. Even a brief connection to a fraudulent network is enough for crooks to drain necessary data from their victim’s device: a door to their victim’s banking details or social media accounts which they can sneak into later on.

No matter where online shoppers are (in a shop, using public transport, at work or in a mall), they need to be aware that their communications and browsing can be spied on if they are not careful.

Our Tips, Do’s & Don’ts

FraudWatch International’s experts strongly recommend that online and mobile shoppers remain aware of potential threats, and avoid all types of insecure behaviour online this season. (Note: the holidays are a high time for scams and fraud, as are all times of major events, like tax season, the Super Bowl, the Olympics, etc. Our tips apply all year long!)

In order to stay safe from fake, insecure and/or malicious apps, we recommend the following:

  • Only download apps from official app stores (Google Play for Android apps and Apple Store for iPhone apps)
  • When downloading an app, don’t be too quick to trust reviews: just because there are thousands of reviews doesn’t necessarily mean they are all legitimate (hackers can generate a whole lot of fake ones)
  • If possible, do a quick Google search on the app developer; it will make it easier to determine if the app is genuine or not
  • Check the app description for grammatical and/or spelling errors, and look out for poor language
  • Be cautious about which access permissions you give to apps; malicious apps may ask for access to your contact list, text messages or other previously downloaded apps (especially banking ones) – if your phone displays a warning, do not continue with the app installation
  • Always keep your phone updated with the latest operating system.

To stay safe from fake, insecure and/or malicious Wi-Fi, we recommend the following:

  • Avoid public Wi-Fi hotspots as much as possible, especially the ones using “Free” in their names
  • Never connect to a Wi-Fi hotspot using a famous store name if that store is nowhere to be seen (practice good judgement)
  • While connected to a public network, disconnect without delay if you notice that your phone starts operating unusually – such as unexpected crashes, warning notices or text/email failure notifications for correspondence you didn’t initiate.

 

At any time of the year, no matter which device you use or what you are doing (work or leisure), remember to always practice good cyber-hygiene. Always:

  • Shop online from trustworthy websites only
  • Monitor your bank account for any suspicious activities or unauthorised transfers
  • Use strong passwords and two-factor authentication (when possible)
  • Use a search engine to find and visit a website. Never, ever, ever click on a link you received in an email (no matter who the sender is)
  • Double-check when you receive an email attachment. Before opening it, call, text or email the sender to make sure they originated the message. Never, ever, ever open an attachment received from an unknown sender
  • Ignore emails and pop-up messages asking for any type of credentials (usernames, passwords, credit card numbers, telephone numbers, email addresses, and so on)
  • Secure all of your devices (from desktops to smartphones to tablets) by systematically downloading the latest operating system, anti-virus software, firewalls, etc.
  • Use good judgment. To avoid being scammed, the most important thing to remember is: if it looks too good to be true, it probably is!
