The Safe Shopper’s Cyber Shopping Guide

Like lions lying in wait for the herd at the watering hole, cybercriminals are crouched and ready to spring on unwary shoppers queuing to buy online. This is not news to the cyber-savvy, but even they can fall victim to the ever-changing threat these criminals represent.

Sure, the litany of “don’t click links in an email, don’t download anything, and don’t give out personal information on social media sites or otherwise” still applies, but cybercriminals have evolved far beyond that piddling list of threats. If that litany is all you know about being safe online, perhaps you should review the lessons learned from the latest WikiLeaks fiasco: If the U.S. government can’t keep its secrets secret with the tools the CIA and NSA provide, then maybe the rest of us need to feel a little less smug about our anti-virus program and go bone up on our security skills too.

In an attempt to blow the cover on the latest cybercriminal activities, polled leading security companies and professionals on what is happening now. What follows are the latest, snakiest, trickiest tricks cybercriminals are using and what experts recommend you do to protect yourself against the assault.

Coupon Codes – Social networking-based scams abound but leading the list are “coupon codes” for popular stores and toys. Typically consumers pass on the coupon code to friends via tweets or Facebook posts thereby quickly increasing the number of people affected.

“Clicking on the link might send the shopper to a site before redirecting them to the real online store that contains drive-by malware or botnet installation,” said Nicholas Percoco, senior vice president and head of SpiderLabs, Trustwave’s advanced security team. Trustwave is a global provider of on-demand information security and payment card industry compliance management solutions to businesses and government entities.

“This type of activity could happen at any time — and it does — but around the holidays people are looking for the best deals and could become easy prey.”

Because it is exceedingly difficult to sort good coupon codes from bad ones, you’re usually better off not using a coupon code at all. Ask yourself, do you really want to risk identity theft and your bank account just to save a few dollars on a single purchase?

Website Forms – Cybercriminals exploit security holes in websites to entice consumers into providing their confidential information so they can be exploited. “For example, with a simple cross-site scripting vulnerability (XSS) exploit, a hacker can prompt an innocuous-looking form to the consumer asking to verify their user name and password information,” explained Mandeep Khera, CMO for Web security company Cenzic. “From that point on, they can do all kinds of damage including stealing credit card numbers, ordering items to be shipped to their address, etc.”

The best way to handle this situation is to “ignore any dialogue box that opens up, close the window and log in like you normally do. Then go into your account setting or profile to see if there’s a request to change anything there.”

Malware on Legitimate Shopping Websites – Many legitimate websites have been compromised to host malware, and these hacked sites are promoted on search engines by the distributors of the malware. This means that legitimate, but hacked and loaded, websites will appear high on the search engine results and thus look even more legit to unsuspecting shoppers. Once a shopper clicks on the link in the search engine list, the criminals can download malware to the shopper’s computer.

“Since these websites are legitimate websites that have been hacked, it’s very difficult to identify the malicious content in advance,” said Martin Lee, senior software engineer at Symantec Hosted Services. “If you don’t have Web filtering enabled to detect and remove malware before it hits your Web browser, the best defenses are to ensure that all computers are up-to-date with patches and have an up-to-date anti-virus detection system running. For extra protection, change the settings and password on your router to create an additional firewall to prevent Web intrusions.”

Offline and Online Coordinated Attacks – Financial services companies report seeing new forms of phishing all the time. Criminals are using a combination of phone calls, texts and emails to alert consumers about something urgent — including offers that seem too good to be true and problems with making deliveries.

“We advise consumers to be very suspicious of special offers from retailers that require you to submit account information electronically or over the phone,” said Anne Wallace, president of the Identity Theft Assistance Center (ITAC), a nonprofit that offers free victim assistance and shares victim data with law enforcement to help them investigate and prosecute identity crime. “Check with the retailer to make sure the offer is indeed real before you give out any information.”

“Smishing” – Smishing is Phishing 2.0. “Smishing is when you get a text message telling you to call a toll-free number, which is answered by a voice-response system that tries to fool you into providing your account number and password,” explained Kurt Roemer, Chief Security Strategist at Citrix Systems. “If you get a text alert about an account, don’t respond before you verify that it’s legitimate.”

Friend Phishing – Cybercriminals want to be your “friend” on social media sites like Facebook, Twitter, LinkedIn and Friendfeed. Don’t agree to be friends with people you don’t know and don’t automatically assume that an email, e-card, text, Facebook post or Tweet is actually from your friend even though your friend’s name is on it.

Criminals want to be your friend so they’ll know when you are away from home and when your birth date is so they can steal your identity. They will also hack your real friends’ accounts in order to send you malware through a “friendly” source. Stay on your guard. Protect yourself by staying educated on new and emerging threats and “be suspicious, buy from reputable companies and pass on any deal that just does not appear valid,” advised M86 Security’s Bradley Anstis, VP of Technology Strategy.

Fake Virus Notice Pop-ups – “If a dialogue box suddenly appears on your screen while surfing the Internet telling you that your computer is infected, and it wasn’t generated by your antivirus software, don’t fall for it because it will most likely be a rogue antivirus exploit,” warned Rich Baich, a principal in the Security and Privacy practice of Deloitte & Touche LLP.

Stolen Shopping Carts – Hackers are targeting online shopping carts. “While this happens throughout the year, during this time of the year, they’re not attempting to infect visitors to these online ecommerce sites like they normally would,” said Thomas Raef CEO and founder of “Instead, they install code in the checkout process that copies the credit card information before it goes to the gateway and then has their code email it to an address where they gather it and sell it.”

Raef said his company sees this happen on websites using Zen Cart, osCommerce and many other shopping cart systems. To reduce your risk of falling prey to this one, look to see if the site uses one of the many third-party security systems available, such as VeriSign. If it doesn’t show proof of extra security, go shop somewhere else.

Strippers (No, not that kind!) – Using a handheld device that is easily purchased online, thieves can swipe info from gift cards that are displayed on grocery and department store racks, allowing them to steal the value of the card. “Unsuspecting buyers purchase the worthless gift card and are left with a useless piece of plastic,” said Roemer. “Buy cards that are behind a customer-service desk. Have the clerk scan the card to make sure full value is on it.”

Merry Christmas (or, after reading this far, is it “Bah, Humbug?”)!

A prolific and versatile writer, Pam Baker’s published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).