Despite being concerned about the security risks behind online shopping, consumers lack knowledge about some of the biggest retail risks – with more than half unaware of digital credit-card skimming threats posed by the Magecart group.
In a new report this week, RiskIQ found that a full 64 percent of respondents are not aware of Magecart threats.
Despite this statistic, shoppers are concerned overall about security as they turn to online shopping during this holiday season. According to the research, 85 percent are at least mildly concerned about their personal information being compromised when shopping through a website or browser; while 88 percent of shoppers are at least mildly concerned about the safety of mobile apps for retail purposes.
“RiskIQ has found that the average length of a Magecart breach is 22 days,” said RiskIQ researchers in the report this week, entitled Consumer Holiday Shopping Sentiment and Outlook 2020. “If you are to purchase on a compromised site during such a period of the breach, you will likely become a victim of credit-card theft.”
Magecart: Lack of Awareness
Magecart is an umbrella term encompassing several different threat groups who all use the same modus operandi: They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages, stealing unsuspecting customers’ payment-card details and other information entered into the fields on the page.
Researchers recently reported that they have seen an uptick in the number of e-commerce sites that are being attacked by Magecart and related groups, dovetailing with new tactics. Earlier in September, Magecart was seen using the secure messaging service Telegram as a data-exfiltration mechanism.
“The data also indicates a general lack of knowledge of the prevalence of online card-skimming by Magecart actors,” said researchers. “The best way to avoid being victimized by Magecart is to avoid entering any payment information into any website. Instead, use third-party payment platforms like Amazon Pay and PayPal that have your credit-card details already saved.”
In addition to avoiding manually entering their payment details online, shoppers should also be alert to deceptive domains, said researchers.
“Hackers will engage in domain infringement, including but not limited to deceptively-spelled look-alikes or using a ‘.org’ when the real site uses ‘.com’ to con you into providing your sensitive information,” they said. “They may use this tactic in combination with other hacker go-tos like spear-phishing email campaigns.”
Researchers also said that 72 percent of respondents said they would download a shopping-related app if it offered a steep discount. In addition, 58 percent of consumers said they do not check who the developer is before downloading an app.
“This leaves an easy way for hackers to siphon your data, as all they have to do is offer a discount to lure a customer in,” said researchers.
They warned that consumers should always avoid downloading apps with ambiguous origins – such as ones not from official app stores like Google Play or the Apple App Store.
Also, consumers should “ensure that an app developer or website has a strong reputation before downloading or visiting a domain—your data could be at stake,” said researchers.
Overall, experts anticipate holiday shopping during the 2020 Black Friday and Cyber Monday season to be largely carried out online, particularly with the COVID-19 pandemic this year keeping many in their homes. In fact, health concerns related to the pandemic, and convenience, were respondents’ two primary reasons for online shopping in the report.
According to RiskIQ’s report, more than half (58 percent) of respondents plan to do 75 percent or more of their holiday shopping online this year. Of those who plan to shop online, 70 percent plan to primarily use a mobile phone.
Various researchers and security agencies are warning consumers to beware of scams, phishing attacks and other cybersecurity threats ahead of shopping bonanzas like Black Friday and Cyber Monday, with the Cybersecurity and Infrastructure Security Agency (CISA) cautioning shoppers in an advisory this week.
“With more commerce occurring online this year, and with the holiday season upon us, CISA reminds shoppers to remain vigilant,” according to the Tuesday alert. “Be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions.”
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.