Threat Research

5 Tips to Ensure Safe Online Holiday Shopping

By Rick Popko | November 22, 2010

Don’t let today's cyber criminals spoil the holiday season

With the holiday shopping season just around the corner and more than 55% of Web users planning to do their holiday shopping online, now is a good time to reiterate a few important online shopping safety tips that could prevent your computer from becoming infected and/or your banking credentials from being stolen.

1. **Unsolicited emails: **Spammers and scammers love the holidays, because they know a large number of people on the Web during that time have their wallet open and are looking for bargains. And while it may be really tempting to click on an email link that says, “Great Deal on iPads… 50% off!” Be careful! By clicking on that link, you could be taken to a compromised Website that downloads malware onto your computer. That malware can then be used to capture your computer key strokes, download additional malware, such as fake antivirus applications, or simply turn your computer into a spam generator.

**What to do: **If the deal looks too good to be true, it probably is. But if you’re still tempted to click on that link, place your cursor over the link (without clicking on it) and check the URL where you would be directed had you clicked on it. If you don’t recognize the URL, stay far away.

2. ** ****Nefarious search engine results: **Search Engine Optimization (SEO) attacks typically occur during major events, such as the Super Bowl, World Cup, World Series and the holiday shopping season. SEO attacks occur when cybercriminals game a search engine’s ranking algorithm in order to push their malicious Websites to the top of key word search lists. They might use search terms such as “Holiday Sale,” “Christmas bargains,” or “Year End Specials.” When a user clicks on the malicious link, they could be taken to a Website where their computer can be immediately compromised.

**What to do: **As with the tip above, before you click on a link, place your cursor over it to make sure it’s not redirecting you to a different site than the one advertised. Look at the context of the search result link before clicking. Often SEO attacked sites contain content that might not make sense relevant to your search words. For example, there may be lots of keywords globbed together on a page and not in a properly formed sentence.

**3. Unknown online retailers: **If you discover an online store that’s offering unbelievable specials on holiday merchandise, do some digging to make sure it’s a legitimate store and not a false front that will disappear later that day along with your credit card information. And even if they are legitimate, you’ll want to make sure their site hasn’t been unknowingly compromised by SQL injection or other server attacks. Compromised websites won’t always redirect you to a malicious site, but often will phish or try to surreptitiously install other forms of malware on your computer, such as Trojans, bots, keyloggers and rootkits, which are designed to harm systems and steal personal information.

**What to do: **Make sure your antivirus client is up-to-date, as well as intrusion prevention to help guard against exploits that often are hosted on compromised sites. Exploits will transparently infect your system through a “drive-by” attack through software security holes. If you are hit by such an attack without proper mitigation, you will likely not even know you are infected.

**4. Beware of friends bearing unsolicited links: **Malicious links don’t always come from spam emails. They could come from your closest friend whose machine has been unknowingly compromised. The infected machine may have a botnet that’s been programmed to comb through email address books and send malicious links to everyone in them. The message might say, “Hey, check out the holiday sale going on here!” or “This place is have a 50% off Christmas sale!” By clicking on the link you could be taken to a malicious Website that installs malware on your system or phishes for your credit card credentials.

**What to do: **Use some common sense. Does your friend normally update you on when sales and/or bargains abound? If not, then a simple reply (preferably using a different communication medium) asking, “Did you mean to send me this?” is all it will take. When they say “no,” you can safely delete the email and inform your friend that they may want to run a system scan of their computer, because it could be compromised.

**5. Beware of unsecured Wi-Fi hotspots: **If you’re a holiday shopper who likes to augment online shopping with actual store browsing and like toting your notebook along for the ride so you can do quick price comparisons, do not connect to an unknown unsecure hotspot. An unsecure hotspot allows hackers to capture any and all data that’s flowing to and from the hotspot, enabling them to intercept logins and passwords, email messages, attached documents and other personal and confidential information.

**What to do: **If you feel the urge to jump online while you’re up and about town, go to familiar locations that offer secure wired or Wi-Fi connections. Remember that phishing attacks can happen cross-platform, whether you’re on your laptop or smart phone; so be sure to take all of the precautions outlined in the above steps.

Special thanks to Fortiguard threat researchers Guillaume Lovet and Derek Manky for contributing to this story.

Join the Discussion