This article by Pat Ciavollela originally appeared in TMCnet.com on December 17, 2017.
Let’s admit it; online shopping can sometimes feel like junk food – it’s really good when you “virtual window-shop” but there is some element of guilt when you finally decide to splurge. Unfortunately, just like junk food binges can harm your health, online shopping can hurt you, too—malware and stolen card details are just the tip of the iceberg!
There is proof in the pudding: 2017 bore witness to several unsettling examples of ecommerce website attacks. In the Spring, at least 25 reputable, mid-tier ecommerce sites were compromised to steal customer payment card details. Then, six months later it was revealed that some of the world’s popular websites—a list that includes several brand-name retailers—were found recording your every keystroke.
Experiencing the effects of a digital compromise is a likely prospect for the average online shopper; it’s no longer something that only occurs during high-volume shopping periods or on dodgy websites. According to Adobe Analytics, online sales hit a record-breaking $6.59 billion on Cyber Monday (News – Alert), up 16.8 percent from 2016. How much of these record-breaking online sales were safe for you as a consumer? Good question. But, in preparation for 2018, everyone can resolve to be more vigilant.
A good first step is following these 10 easy-to-keep resolutions to protect your online shopping adventures:
1. Judge loyalty programs: treat as guilty until proven innocent!
Read the fine print when signing up for loyalty programs that enable you to take advantage of additional discounts. Many retailers share your personal information with industry partners to promote seemingly complementary products, but the security of your personal data is not guaranteed.
2. Be a grammar guru: make sure URLs are spelled correctly
Domain spoofing is a widespread issue. It is easy to get enticed by a deal for a new gadget only to end up shopping on a completely fake website that has purposely been setup to entice and trick users, e.g., greatsales.com vs. gratesales.com. Also, pay close attention to grammar and spelling on various pages of the website, too. It’s easy to accidentally navigate off a legitimate site to a spoofed site.
3. Do a little detective work: check brand legitimacy
While shopping online, chances are, you are looking at multiple brands of goods. Before hitting the buy button, verify if the brand has a legitimate website, physical address and customer reviews before you splurge. Again, it doesn’t hurt to continuously keep an eye out for spelling errors on the url/domain and also general website text grammar. It’s unlikely a reputable brand would accidentally have these types of errors.
4. Build a routine: change passwords, often
This basic security practice is one that many consumers need to adopt. Changing passwords often, possibly a weekly or monthly basis, and creating strong passwords is important. And, no, your birthday isn’t a good password.
5. Seek trouble: with the payment page
Did you see an error message popup on the payment page? Or, did an error message flash just after you hit submit on your order? Chances are, there is something amiss and threat actors are trying to steal your payment card information. For the most part, the payment page should look “clean”, mimic other pages and contain minimal text – it shouldn’t have too many images, ads or other offers.
6. Confirm credibility: check for security certificates
Review the website’s security certificates, especially those on the payment page. While there is no guarantee that these certificates protect against a website attack, you at least want the ecommerce platform to meet industry security best practices around online payments, e.g., comply with PCI (News – Alert) DSS standards.
7. Be perceptive: watch out for abnormal website behavior
Redirects, ad overload, ads that auto-refresh continuously, videos or images that take too long to load could signal some kind of trouble, possibly a compromise. Leave the site immediately by closing the tab and/or browser; you may even want to power off your device.
8. Work on reflexes: steer clear of fake updates and surveys
If the webpage displays a survey promising more discounts on completion or prompts you to update a plugin/ software, close the page down as quickly as possible. These are typical ploys to facilitate phishing or exploit kit drops. Don’t fall for it; some of these “you’ve won” scenarios ask an endless stream of user-identifying questions with a promise of a reward at the end. The reward never appears. Exit the browser right away!
9. Don’t walk and shop: mobile isn’t always safe
You might think you are better off shopping on your mobile phone, but carried-targeted malware is on the rise. This malware is only triggered if a person is visiting an infected website through a mobile device using data, i.e., the malware will not drop if you are on a secure Wi-Fi network.
10. Develop reading habits: start with privacy policies
Learn a little bit more about how cookies are used, how information about you is either shared or protected.
About The Author: Patrick Ciavolella is a seasoned malware researcher and manages The Media Trust’s Malware Desk, the team responsible for protecting clients’ digital ecosystems from the ever-evolving threat landscape. Since 2006, he has led efforts identifying and analyzing malware delivery and code obfuscation techniques and resolving incidents targeting the world’s largest, most highly-trafficked websites.
