Post-lockdown eCommerce boost increases security concerns

News by Chandu Gopalakrishnan

Orders up 23 percent year-on-year in UK; scamsters target card details and user info as more and more stay online

Independent online retailers in the UK saw orders rise by an average of 23 percent this March compared with 2019, according to data from e-commerce ancillary services company James and James Fulfilment. Cyber-criminals are making the most of this information avalanche, as more and more users stay online and share valuable data about their finances, activities and whereabouts.

Essentials such as health supplements and store cupboard ingredients saw triple-digit growth in orders between the last week of February and the third week of March. Demand for home entertainment and fitness products, such as board games, journals and yoga mats, has also gone up as more and more families self-isolate at home. The incidence of card data theft has subsequently increased too.

Household brand Tupperware and its associated websites faced a cyber-attack, SC Media UK reported last week. Attempts to alert Tupperware went unanswered, wrote Jérôme Segura, director of threat intelligence at Tupperware. Such data has improved the accuracy of social engineering schemes, said KnowBe4, disclosing the latest Covid-themed phishing scam.

The scam warns people that they’ve come into contact with a friend/colleague/family member who has been infected with the Coronavirus.

"This email is simple, succinct, and alarming. Moreover, it spoofs a hospital, lending additional credibility to this particular social engineering scheme designed to elicit a panicked response from readers and override any form of rational, measured thought," wrote Stu Sjouwerman, founder and CEO of KnowBe4.

The email instructs them to fill out a spreadsheet, which is actually a macro-laden Office document that serves as a trojan downloader and is currently only detected by a handful of anti-virus applications. 

“This is a new type of malware that we’re seeing, as it was reported for the first time just a few days ago,” commented Eric Howes, principal lab researcher at KnowBe4. 

“For the bad guys, this is a target-rich environment that preys on end-users’ fears and heightened emotions during this pandemic. Employees need to be extra cautious when it comes to any emails related to Covid-19 and they need to be trained and educated to expect them, accurately identify them and handle them safely.”

In the case of Tupperware, malicious code was hidden within an image file that activated a fraudulent payment form during the checkout process. This form collected customer payment data through a digital credit card skimmer and passed it on to the cyber-criminals.

“Online credit card skimming differs from the physical skimming practices most people have heard about in that there isn’t an obvious way the average person will be able to identify if or when a website has been compromised,” noted Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center).

There are ways to identify websites that use online card skimmers, he said.

“The primary potential tell-tale sign might be that the website itself doesn’t quite look right, though more sophisticated attacks can make even differentiating between a fake site and a legitimate one challenging.”

According to him, consumers staying online and using their cards for e-shopping should take these steps to stay safe during this period of crisis: 

  1. Do not store credit card information on any website:
    If the website could be hacked to install skimming software, it can probably be hacked to collect credit card information in other ways.

  2. Restrict the use of third-party one-time-use payment methods such as Apple Pay, Google Wallet or PayPal:
    Users should confirm that the prompt from the web page presented by their chosen payment method looks and behaves normally. That’s because if the website could be hacked to install skimmers, then it likely can be hacked to redirect users to a fake payment portal.

  3. Enable purchase alerts on all credit cards:
    This allows for immediate monitoring of purchases and helps shorten the length of time malicious actors can use a stolen card. This would be an effective alert method if a Tupperware-like scenario happens.

  4. Disable international purchases for all credit cards:
    This not only limits the ability of malicious actors to profit from the card, but also enables law enforcement to better prosecute perpetrators.

  5. Use only your home/cellular provider’s network for e-shopping:
    While open and free WiFi locations are convenient, they carry the risk that someone has poisoned the DNS settings and can divert users to fake sites.
