The Dark Underbelly of Holiday Shopping: Christmas, Cyber Monday, & Black Friday Cyber Attacks

The end of the year is approaching and preparations are in full swing. Guest lists, meal menus, gifts. And to get ready for it all, what better way than to look for bargains online during Black Friday, Cyber Monday, or the Christmas sales?

The last two months of the year see online transactions explode. According to a study published by Fevad, in the last quarter of 2020, “the number of online shoppers rose to almost 42 million, an increase of 1.5 million online shoppers in just 1 year.” Of course, these astronomical numbers attract the attention of malicious people who, if you’re not careful, could invite themselves to the Christmas dinner table and take all the gifts as a bonus. 

Consumers aren’t the only ones looking to take advantage of Black Friday and Cyber Monday. Cybercriminals are increasingly exploiting the holiday season to conduct spear-phishing campaigns and spread malware.

Security researchers at Carbon Black warn that individuals and businesses should expect an increase in holiday cyber attacks, as the number of incidents has increased in recent years.

And there’s no reason to doubt that cybercriminals won’t continue their efforts to exploit the holidays to their advantage this year.

“Based on existing precedent, we expect the same trend to continue, if not increase, during the holiday shopping season,” said Tom Kellermann, head of cybersecurity at Carbon Black.

Black Friday: connected objects open the door to hackers

Black Friday marks the start of the holiday shopping season. According to CNBC in 2020, online sales rose 22% to a record $9 billion. 

“Black Friday and Cyber Monday are great days to get deals by shopping online, but it’s also a time when hackers become more active,” said Russ Schrader, executive director of the National Cybersecurity Alliance.

Hacking into connected objects

Credit card data theft is well known, but with the advent of IoT and connected objects, hackers have a new playground. Beware of offers that sound too good to be true. It’s tempting to buy a cell phone or the latest surveillance camera on the cheap. But these prices often hide significant cybersecurity shortcomings. These connected devices are an open door for hackers to hack into your accounts and retrieve your information and passwords. And according to Which?, 1,800 products sold on Amazon, Ebay and AliExpress, including doorbells, wireless cameras and tablets, could pose a security risk. 

If criminals manage to misuse them, home automation can prove to be disastrous, making burglary without breaking and entering possible, as well as car theft through copying ignition keys.

The public’s fascination with Internet-connected objects has led to the emergence of new forms of crime: from ransomware to crypto-currency creation to burglary without breaking and entering, scams are on the rise. “These objects, which are part of our daily lives, have few updates and will create vulnerabilities.” Lt. Col. Fabienne Lopez, head of the Center for the Fight against Digital Crimes (C3N) in Pontoise (Val d’Oise – France), concludes, “Criminals will be able to access your data through them.”

In rare cases, hacking attacks on connected objects target a single person, but luckily this is not the case in the majority of attacks. In other cases, hacking connected objects allows hackers to build an army of “zombie machines.” This involves using the object’s computing power to conduct other cyber attacks, including denial-of-service attacks (DDOS). In other words, your dog food dispenser or connected refrigerator can be used to hack a website halfway around the world. According to the experts, “zombie machines” are sold on the dark web for a few dollars.

Cyber Monday: Protecting your websites

It’s tempting to target shoppers and steal their data, but attacking a business can be more lucrative for hackers. Indeed, especially during this busy time of year, targeting a popular business or even any business that is planning a sale can be a good way to extort large amounts of money. 

Such a mishap can be very, very costly. One small French company learned this fact the hard way last year. After a ransomware attack, the boss lost everything and had to close his company. The attack came with a message that appeared on all the screens of the affected computers in which the hacker demanded the payment of 3,800 euros in virtual bitcoin currency: a sum to be paid for each day of blocking. What’s worse, the ransom increased every day that the victim chose not to pay. 

Attacks on small and medium-sized businesses often go unnoticed in the media landscape and are very difficult for small businesses, which often lack insurance and struggle to recover from such problems. A cybersecurity report from Hiscox notes that 23% of small businesses experienced a cyber attack in the year 2020. And the costs can be devastating. The report states that “the average financial cost of cyber attacks to a US small business over 12 months is high at $25,612.”

Magecart, an assault on banking data

Another phenomenon has been rocking the eCommerce world for the past two years and is seriously hurting small businesses and consumers. It is the Magecart attacks. These high-profile incidents have brought the threat of online card skimming back to the forefront of security conversations. 

In the week leading up to Black Friday 2021, the Magecart threat hit the United Kingdom, and the National Cyber Security Center (NCSC) warned over 4,000 small and medium-sized businesses that their online stores had been hacked by Magecart attacks.  These attacks allow “skimmers” to harvest and steal payment and/or personal information submitted by customers.

“On Black Friday and Cyber Monday, hackers will be looking to steal shoppers’ money and damage businesses’ reputations by turning their websites into cyber traps,” said Steve Barclay, chancellor of the Duchy of Lancaster. 

Christmas: silent night or silent threat?

With Black Friday and Cyber Monday behind you, it’s easy to think you’d seen everything that could spoil your end of year. But what if we told you that Christmas is the best time for hackers? 

Yes, Christmas is now a peak time for hackers to show off their skills and try to extort money from vulnerable businesses.

Five years ago, an incident disrupted the Christmas of millions of gamers who, after getting a Playstation or Xbox, planned to spend the day going through the levels one by one. But that wasn’t the plan hackers had in mind. They sent a denial-of-service attack, DDoS, which involves sending a large stream of fake traffic to the servers so that they saturate and crash. Within minutes, both PlayStation Network and Xbox LIVE succumbed to these attacks with greater damage on Sony’s side as the service simply went down, while Xbox LIVE saw its access limited.

It was a group of hackers called Lizard Squad that chose December 24, 2014 to launch an attack on the computer networks of both gaming systems, and managed to take the networks offline for much of the next two days – temporarily rendering the highly anticipated Christmas gift unusable.

Patrick Sullivan, senior director of security at Akamai Technologies, referred to this kind of attack as one that The Grinch might plan. “Everyone gets this gift and can’t wait to play it, and they’re deprived of that opportunity,” Sullivan went on to say.

The idea of ruining Christmas morning by taking down a company or government computer network is so tempting to some hackers that there may be no other day on the calendar that compares, except perhaps Black Friday.

Don’t let hackers ruin your holiday

As you can see, the holiday season brings its share of good surprises, but now we must contend with the darker side of every special occasion – an unfortunate side effect of living in a fully digital world. The online security of many websites and stores could be compromised by unscrupulous hackers looking for data and money. You will need to be extremely vigilant when shopping online to make sure that your data and money are safe. 

And if you have a small business, you should take every precaution necessary to protect your customers and safeguard your operations. Start by investing in SSL/TLS certificates for your ecommerce shop and read our other blogs to get more tips for securing your site.