The end of Thanksgiving means the beginning of holiday shopping season, and as usual, a great deal of that shopping will be done online. But while online shopping is easy and convenient, it’s also fraught with dangers.
Sure, it’s easy to search the Web for the best price on that laptop or video gaming console you want to get, but some of the results that pop up contain malicious links or malware.
It’s easy for online shoppers to get taken to fake websites where they can have their personal and financial information stolen.
And if they are shopping online from their places of work, they might introduce malware into the corporate IT system.
For many shoppers, simply refusing to buy anything at all online isn’t practical, so what can they do to keep themselves safe and avoid infecting their corporate IT systems? And what are the most dangerous holiday gifts for shoppers to buy online?
Online Purchases Grow
Online shoppers spent just over US$9 billion in the first 21 days of November, according to ComScore. That’s 13 percent more than during the same period in 2009.
ComScore predicts that online retail spending for the November-December period will hit $32.4 billion. This is 11 percent more than in the same period last year.
“We conducted a survey of about 2,500 consumers in the last two months and found that more people are coming online,” Jeff Horne, director of threat research at Webroot, told TechNewsWorld. “It’s more than users just checking email or doing online search; they’re using social networking sites or buying things online.”
Dangers of Purchasing Online
One of the most appealing things about shopping online is that it’s easy to hunt for bargains. There are any number of price aggregators, such as Pricewatch and MacPrices.net, that help consumers find the best deals for products they want to buy.
“We found that 55 percent of people use search engines as a trusted site to get onto commercial sites for online shopping,” Horne said.
However, an online search can turn up unexpected results.
Cybercriminals use SEO techniques to get their sites to the top of the list of responses to online queries, Horne warned.
Black-hat SEO, or search engine optimization, consists of techniques that are used to artificially generate higher search rankings in response to online queries. It’s also known as “spamdexing.” Black-hat SEO uses gambits like link farms, keyword stuffing and article spinning.
“People who use black-hat SEO are gaming the system — they automatically query Google’s trending topics feature every minute with PHP scripts to find out the most popular topics,” Sean-Paul Correll, a threat researcher at PandaLabs who specializes in black-hat SEO, told TechNewsWorld.
Once they find out the leading topics, cybercriminals query Google for search material related to those keywords and use that to get top ranking in response to online searches. They use techniques that hide their sites’ links to malware so Google’s GoogleBot Web crawler doesn’t see these, Correll said.
The Instant Preview Google introduced recently adds to the danger for consumers because cybercriminals can game it to show fake ads for legitimate companies, thus sucking consumers in, Correll warned.
The Death List
The more popular a gift is, the more likely it is to be used by cybercriminals as a come-on, F-Secure warns.
The company has come up with a list of the top 10 targets for cybercriminals this holiday season.
These include Kinect for Xbox, “Call of Duty: Black Ops,” the Amazon Kindle, the iPad, “Toy Story 3,” and jewelry.
However, online shoppers don’t just have to watch out for cybercriminals; they also have to keep an eye peeled for scammers who will try to sell them older products.
One possible way consumers can ensure they’re getting new products might be to go to the Black Friday Resource Center set up by Retrevo. This lets shoppers sort through deals from major retailers quickly.
“Consumer electronics are high on the priority lists for Black Friday shoppers, and with so many retailers offering so many deals on a wide variety of gadgets, it’s near impossible for shoppers to sort out the deals from the duds,” Manu Sachdeva, Retrevo’s director of e-commerce, told TechNewsWorld.
The Newbie’s Guide to Staying Safe
There are a number of things consumers can do to protect themselves while shopping online.
Don’t use search engines to look for special deals, PandaLabs warned. Instead, go directly to reputable sites you’re familiar with. Don’t click on embedded links in ads you get through email; go directly to the retailer’s website instead.
Install all the latest patches for your operating system and apps, especially Adobe Flash, Adobe Reader, and Java software, the company said.
Look for an icon of a lock on the webpage you log onto, or for your browser’s address bar or status bar to turn green, Webroot’s Horne suggested. The lock indicates the site is using SSL, while the green color indicates it’s using an extended validation (EV) certificate from VeriSign.
Don’t click on links emailed to you by friends from social networking sites such as Facebook, Horne warned. People have more trust in such links than they otherwise would, and cybercriminals are aware of this and exploit it, he said.
Use your credit card or a gift card to make purchases online. You get more protection from banks if you use credit cards than if you use debit cards, Horne stated.
Safeguarding the Enterprise
Some consumers may make purchases or conduct searches online from their office computers, and this might expose the enterprise IT system to worms, hacks and other security problems.
“Most companies expect people will be online and doing things from work, so often they allow it as long as it doesn’t interfere with their work,” Adam Chernichaw, a partner in White & Case’s privacy practice, told TechNewsWorld.
He recommends educating employees and keeping the enterprise IT system up-to-date with system and application patches.
“Taking a strong position with employees on going online at work could be a double-edged sword,” Chernichaw warned. “You may prevent them from accessing files on personal business, but then there’s little incentive for them to report if they’ve downloaded a suspect file. It’s all about communicating with employees and encouraging them to communicate back.”