Cyber Grinches Could Disrupt Holidays’ Biggest Shopping Weekend
Recent high-profile distributed denial of service attacks on the Internet’s infrastructure and an investigative journalist’s website have spiked concerns over possible disruptions of traffic during the biggest online shopping weekend of the year.
Online spending last year exceeded US$5.8 billion on Black Friday and Cyber Monday, according to Adobe, and that figure is expected to be even higher this year.
“If you want to mess with the economy, that’s the most disruptive time to do that,” said John Wu, CEO of Gryphon.
“A lot of retail sales have shifted from brick and mortar to online these days,” he told TechNewsWorld. “Cyber Monday is a huge day for a lot of retailers.”
Easy Target for Bot Herders
If hackers want to disrupt shopping during the Black Friday-Cyber Monday weekend, they’ll likely use a botnet composed of devices connected to the Internet of Things to do it. Such botnets recently attacked DNS provider Dyn, disrupting Internet service in the United States.
Attackers also used them to launch one of the largest DDoS attacks ever on the website of security blogger Brian Krebs.
“The reason IoT devices are being used now is because they’re so easily attacked,” Wu said. “They also have enough processing power on them to carry out these kinds of attacks.”
What’s more, devices like routers and DVRs are always on, so they’re always available for enlistment in an assault on a website.
“You can have a huge effect because you can control lots of the devices — in some cases hundreds of thousands — and flood a server,” Wu said, “and it’s very difficult to prevent these attacks, because they’re coming from IP addresses around the world. You can’t scale your bandwidth fast enough to prevent it.”
During Black Friday-Cyber Monday weekend, the situation will be exacerbated by a legitimate surge in traffic.
“Some sites went down last year because they couldn’t handle the spike in traffic to them,” Wu explained. “You could compound that effect with a denial of service attack.”
10 Million Logins an Hour
Botnets can do more than disrupt shopping traffic during Black Friday-Cyber Monday weekend. They can crack into user accounts at e-commerce sites, using the millions of username and password pairs available on the Internet from hundreds of recent data breaches.
“Because human beings reuse their passwords, that attacker is going to be successful when he uses a password stolen from another website,” said Omri Iluz, CEO of PerimeterX.
“On average, a person uses six passwords for all their online activity,” he noted.
“These attacks are very successful,” Iluz told TechNewsWorld. “With 10,000 bots, thousands of accounts can be compromised in a matter of hours.”
Automation is crucial to those kinds of attacks, however, he said. “It’s only meaningful if they can run 10 million or more login attempts in an hour to get the success rate they need.”
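The pattern Iluz describes, a botnet replaying leaked username/password pairs at high volume, leaves a distinctive trace in authentication logs: a burst of failed logins spread across many different usernames and many source addresses, unlike a brute-force attack that hammers one account. The following detector is an added example written for this article; it is not code from PerimeterX, Gryphon or any other vendor quoted here. It assumes a constructed log format of the form `<timestamp> login ip=<addr> user=<name> result=<OK|FAIL>`, and the thresholds and sample addresses (from the 203.0.113.0/24 documentation range) are illustrative choices, not published figures.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example, not from the article or any vendor it quotes. The log
format, thresholds and sample data are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO-8601 UTC ts> login ip=<addr> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window (UTC)."""
    size = int(window.total_seconds())
    floored = int(ts.timestamp()) // size * size
    return datetime.fromtimestamp(floored, tz=timezone.utc)


def detect_credential_stuffing(lines, window=timedelta(minutes=1),
                               min_failures=20, min_user_ratio=0.8):
    """Return one alert per window that looks like credential stuffing.

    A window is flagged when it has at least `min_failures` failed logins
    AND the share of distinct usernames among those failures is at least
    `min_user_ratio`. Stuffing tries each leaked pair roughly once, so the
    ratio sits near 1.0; a brute force on a single account sits near 0.
    """
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            buckets[bucket_start(ev["ts"], window)].append(ev)

    alerts = []
    for start in sorted(buckets):
        events = buckets[start]
        fails = [e for e in events if e["result"] == "FAIL"]
        if len(fails) < min_failures:
            continue
        users = {e["user"] for e in fails}
        ratio = len(users) / len(fails)
        if ratio >= min_user_ratio:
            alerts.append({
                "window_start": start.isoformat(),
                "failures": len(fails),
                "distinct_users": len(users),
                "distinct_ips": len({e["ip"] for e in fails}),
                "user_ratio": round(ratio, 2),
                # successes in the same window are the accounts the attacker got into
                "successes": sum(1 for e in events if e["result"] == "OK"),
            })
    return alerts


def build_sample_log():
    """Constructed sample: a stuffing burst at 10:00 and ordinary activity at 10:05."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    base = datetime(2016, 11, 25, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 30 failures in one minute, each against a different username, from 25 addresses
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f"{ts} login ip=203.0.113.{i % 25 + 1} user=user{i:03d} result=FAIL")
    # two reused passwords work: the payoff the attacker is after
    ts = (base + timedelta(seconds=59)).strftime(fmt)
    lines.append(f"{ts} login ip=203.0.113.7 user=user107 result=OK")
    lines.append(f"{ts} login ip=203.0.113.19 user=user119 result=OK")
    # a legitimate user mistyping a password three times, then succeeding
    quiet = base + timedelta(minutes=5)
    for i in range(3):
        ts = (quiet + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{ts} login ip=198.51.100.4 user=bob result=FAIL")
    lines.append(f"{(quiet + timedelta(seconds=40)).strftime(fmt)} login ip=198.51.100.4 user=bob result=OK")
    lines.append("this line is not a login record")  # ignored by the parser
    return lines


if __name__ == "__main__":
    for alert in detect_credential_stuffing(build_sample_log()):
        print(alert)
```

The distinct-user ratio is what separates this from an ordinary failed-login spike: a site under real load sees many failures but against a broad mix of repeated usernames and a low ratio of distinct users per failure, while a stuffing run against 10 million pairs an hour pushes the ratio toward 1.0 even when each bot keeps its own rate modest. In production the same counters would feed a rate-limit or step-up authentication decision rather than a print.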
Gift Card Scams on Steroids
Digital desperadoes also have brought the power of bots to another holiday scam: compromising gift cards. After figuring out how gift card numbers are generated for a retailer, an attacker can write a script for the botnet to run that checks whether a given card carries a balance.
A hacker could check tens or hundreds of millions of combinations in that way and then register and sell cards discovered to have a balance.
Unsafe mobile apps also might victimize Black Friday-Cyber Monday shoppers.
Researchers found 5,198 Black Friday apps in global app stores for a recent RiskIQ study. Of those, one in 10 already had been tagged as malicious and unsafe to use.
Online bandits also are exploiting the reputation of some of the largest e-commerce sites on the Web to prey on consumers.
The top five brands leading in e-commerce have had a combined total of more than 1,950 blacklisted URLs that contain their branded terms as well as “Black Friday” and are linked to spam, malware or phishing, the RiskIQ report notes.
The same is true of apps from those brands. More than 1 million blacklisted apps reference one of the leading e-commerce brands in either their title or description, according to the study.
While consumers can’t do anything about a DDoS attack on one of their favorite shopping sites, they can protect themselves from attacks aimed directly at them.
“Consumers need to be paranoid about what kinds of things people might do to lure them into scams,” said Venkat Rajaji, senior vice president for marketing at Core Security.
“You’ve got to keep your guard up during the holiday season. Don’t click on any link in a consumer email unless it’s a highly, highly trusted source,” he told TechNewsWorld.
“You’ve got to be paranoid,” Rajaji added. “You’ve got to assume the worst when you’re shopping.”