Don’t Get Charcoal in Your Stocking: Tips for the Holiday Cyberattack Season

November 23, 2018 • Andrew Scott

On December 23, 2013, a man wearing a Santa Claus suit and brandishing a fake bomb robbed a South Florida bank and made away with the cash. As silly as this may sound — after all, it is actually the premise for at least one Hollywood movie — the risks around doing business during a busy holiday season are very real. In an effort to help spread the holiday cheer, here are some cybersecurity tips to help you avoid receiving the dreaded email at night when spending time with your family: “Come into the office. Emergency situation. All hands on call.”

The Risks of Cyber Monday and Online Sales

As the holiday season gets going in full swing and inboxes fill up with every sale and offer conceivable — likely including phishing campaigns impersonating legitimate sales and websites — information security professionals must double down on awareness and vigilance when protecting their organizations from would-be attackers.

Here’s a quick list of common risks faced around this time of year, and some things you can do about them:

  • Public Wi-Fi: Wi-Fi found in public places usually has no password, and anybody can connect to it, right? That means using your devices on public Wi-Fi to, for example, shop on the go, can open up your data to risk. This can be especially risky if you have a single device for both your personal and business uses.
  • Payment Processing Risks: The holiday season is a time of gift giving, so of course, a significant number of purchases are made in the final months of the year. It’s important, therefore, to be mindful of payment processing risks. You can build a query in Recorded Future (shown below) to identify any known malware targeting point-of-sale technologies or payment processing services you may employ.
  • Social Engineering: Varying from creative phishing campaigns to scammers calling about “suspect activity on your bank card,” social engineering efforts also see an uptick this time of year. Educate yourself, your employees, and your customers about what social engineering tricks to watch out for and encourage smart, safe holiday purchasing habits. Additionally, using Recorded Future to identify ongoing or potential phishing campaigns and associated typosquatting domains can support your organization’s security posture. Many shoppers will seize the chance to take advantage of great deals and sales, and most will be oblivious to the cyber risks presented to them. Ensuring you are both shopping on and hosting secure payment sites for purchases is a good first step.

[Figure: Recorded Future query to identify any known malware targeting POS technologies you use.]

It’s Not Me, It’s You: Knowing Your Third-Party Exposure

As with many attacks, your organization may be fairly secure — but are the third-party providers and partners with whom your organization does business? Developing a list of known third-party providers and business partners can be extremely valuable, especially those organizations that support retail, e-commerce, point of sale, or hosting services that your organization may rely upon. Further, monitoring for cyberattacks or threat actors targeting these providers in Recorded Future allows your organization to have advanced awareness of threats outside the four walls of your building.

Another major concern is the prevalence of malicious mobile apps for smartphones. Using Recorded Future to monitor both your and your business partners’ mobile applications is a good way to reduce exposure and get ahead of a possible emergency.

Understanding your approved applications on both personal and business devices is important as well. As families call each other on video chat applications like Skype on the company laptop, so come the phony Skype messages and phishing emails asking if your profile picture is actually you. The elderly aunt you haven’t seen in 10 years would love to see your actual face on video, and will likely not send you an email at 3:30 AM asking if the photo she found is in fact you — it’s probably a scam.

[Figure: 12 Scams of Christmas. It can’t be this simple — but it is. (Source: BBB)]

But We Provide a Service, Not a Product! Why Does This Matter?

Your organization doesn’t operate in the retail or e-commerce industries, so you must be safe this holiday season, right? Wrong. While much of the holiday frenzy is focused around whatever hot new smartphone, TV, action figure, or wearable technology is on the market, customers in the aviation, tourism, hospitality, and banking industries are also targeted this time of year.

Imagine the millions of people traveling globally on airlines to visit family or take destination vacations, the sharp increase in travelers and customers at hotels, and the volume of credit cards used. Recognizing the value of your customers’ personally identifiable information (PII) and other data is a great wake-up call to be vigilant this holiday season. The diagram below shows the approximate value that a threat actor will pay to acquire a single user credential for various services and providers.

[Figure: Value (USD) of customer credentials by industry and type. (Source: RSA)]

Using Recorded Future to Support Your Organization

This holiday season, make sure that the only things getting sent in the mail are gifts and greeting cards, not your customers’ credit card data. This is a great time of year to identify your known and unknown vulnerabilities — and Recorded Future is here to help. Using and updating your domain, tech stack, methods, and attacker watchlists is a great way to maintain situational awareness and amp up your alerting rules from Recorded Future.

For example, using Recorded Future to guide emergency patching of vulnerabilities that are being mentioned or exploited is a best practice, regardless of the time of year. Another example is monitoring the legitimate domains you hold for potential typosquatting that may target your customers through phishing attacks or by passing malware along to unsuspecting visitors.
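To make the typosquatting check concrete, here is an added example (not Recorded Future functionality and not code from the original post) that compares a feed of newly observed domains against a domain watchlist and flags lookalikes. The watchlist, the observed domains and all function names are constructed for illustration, and the TLD handling is deliberately naive.

```python
# Added example: flag newly observed domains that imitate a watchlist domain.
# WATCHLIST and OBSERVED are constructed sample data, not real indicators.
WATCHLIST = ["example.com"]
OBSERVED = ["examp1e.com", "exmaple.com", "example.net",
            "example-login.com", "shop.example.com", "weather.org"]
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def name_label(domain):
    """Label left of the TLD. Assumes a single-label TLD (no 'co.uk' handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def fold(label):
    """Collapse common visual substitutions so lookalikes compare equal."""
    return label.translate(DIGIT_LOOKALIKES).replace("rn", "m").replace("-", "")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(candidate, watchlist):
    """Return (watchlist_domain, reason) for a suspected typosquat, else None."""
    cand = candidate.lower().rstrip(".")
    if any(cand == w or cand.endswith("." + w) for w in watchlist):
        return None  # the domain itself or one of its own subdomains
    label = name_label(cand)
    for w in watchlist:
        brand = name_label(w)
        if label == brand:
            return (w, "same name, other TLD")
        if fold(label) == fold(brand):
            return (w, "lookalike characters")
        if len(brand) >= 5 and brand in label:  # length floor limits false hits
            return (w, "brand inside longer name")
        if len(brand) >= 5 and osa_distance(label, brand) == 1:
            return (w, "one edit away")
    return None

def scan(observed, watchlist):
    """Map each suspicious observed domain to its (watchlist_domain, reason)."""
    return {d: hit for d in observed if (hit := classify(d, watchlist))}
```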

Here are a few industry-specific notes for best practices this time of year:

  • Retail: Monitor point-of-sale attack vectors and your payment card industry (PCI) compliance and vulnerability risk, and research ongoing and potential threat actor operations and methods that may target your company.
  • Aviation: A single system outage at an airport can cause millions in lost revenue. Researching mentions of and threats to your IP space, brand, major hubs, and proprietary information will go a long way toward keeping you from drowning in emergencies.
  • Banking and Finance: Use Recorded Future to research current trends in exploits, targets, or social engineering, such as the ever-annoying “vishing” scams (scammers attempting to gain your personal details through convincing phone calls or voicemails): “Hi, we’ve noticed suspicious activity on your credit card and we need your bank information to validate this.”
  • Tourism and Hospitality: Monitoring for phony or “too good to be true” vacation deals is a good way to protect your customers.

Final Thoughts

Using security best practices is advised year round, but the holiday season can be a great time to get ahead on your cybersecurity New Year’s resolutions. Being mindful of the risks facing the retail, e-commerce, aviation, tourism, banking, and finance industries during this holiday season will help you find more peace as the year ends and let you rest easier while you spend time with family and friends. Being vigilant, setting up additional safeguards with your Recorded Future intelligence services consultant, and practicing safe online behavior can all help at this time of year.

No one wants to be the Grinch who has to work on Christmas due to a breach. So enjoy the eggnog, family time, and roaring fire stress free with help from Recorded Future!

Andrew Scott

Andrew Scott is an intelligence services consultant at Recorded Future.