During the holiday season it's not unusual for both UPS and FedEx to show up at the Bradley household on an almost daily basis. We receive order confirmation and shipping notification emails for each delivery, and that's just what cybercriminals are counting on. It's just one of the many ways they exploit the holiday season to target more victims.
Brian Krebs, a respected authority on security and all-things-cybercrime, wrote a cautionary post earlier this week. "If you receive an email this holiday season asking you to 'confirm' an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities."
The trick with any phishing campaign is to make the message or website appear legitimate. Poorly designed scams are often easy to spot, but cybercriminals are getting much better at crafting believable fakes.
"Scammers have become incredibly good at making fraudulent emails look legitimate to the untrained eye," agrees Craig Young, security researcher with Tripwire. "Attackers will commonly flood the web with spam mail claiming you have a package waiting to be picked up, an order awaiting confirmation, and a plethora of other emails designed to get users to click links."
The strategy and tactics aren't any different from the rest of the year, really. Phishing scams typically leverage trending news or current events to capture attention and increase the odds of compromising victims.
What makes the holiday shopping season different is volume. The unusually high number of legitimate order confirmation and shipping notification emails makes it that much easier to inject fake malicious messages and trick victims into sharing sensitive data or inadvertently downloading malware.
Ken Westin, security analyst with Tripwire, explains, "Phishing continues to be a successful attack vector, especially around the holidays because the attackers are able to take advantage of people's impulsive nature more easily during this time of year."
The Krebs On Security post cites information from Malcovery regarding the current phishing spam campaign. Malcovery claims the recent surge in fake order confirmation messages began around Thanksgiving, and that it uses a combination of malicious links and malicious file attachments to try to infect victim PCs with the Asprox spam botnet.
Young stresses, "The key thing for consumers to remember is that unsolicited emails are always a big red flag," adding "It may sound like a broken record but the fact of the matter is users must not blindly trust links from emails."
As with most security concerns, standard best practices and a little common sense are all you need to protect yourself. It is understandable that you might be expecting order confirmation emails and shipping notifications this time of year, but exercise caution when you receive them. Legitimate businesses shouldn't be asking you to click links or open file attachments.
If you do receive a message about a problem with an order or shipment, don't click any links or open any files. If it appears legitimate, open a new browser window and visit the vendor's website yourself to check on order status, or just pick up the phone to clarify any potential issues without risking a compromise of your PC.