Ho ho oh no: How malware hijacks holiday shopping

Android malware imitating banking apps

Online shoppers this holiday season may be getting more than they bargained for: Alongside gadgets, clothes and stocking stuffers, many are picking up invasive computer viruses.

Malware infections spiked by almost 124 percent from Black Friday through Cyber Monday, according to data from Clearwater, Florida-based Enigma Software, which sells SpyHunter antimalware software. That's on top of a doubling of infections during the same period last year. The cities with the biggest spikes were Charlotte, Detroit, New York and Salt Lake City.

Scammers are moving opportunistically to profit from a period during which consumers are particularly vulnerable: An influx of novice online shoppers starts scouring for deals, online shopping hits its annual peak and retailers aim to make it as easy as possible for customers to close the deal.

The scam artists deliver their malicious payload by tricking consumers into clicking links -- many of them delivered via emails disguised as shipping notifications, special offers and spoofed messages in which a retailer purportedly gives you a chance to reverse a transaction you never actually made.

Security experts find serious flaws in Amazon Key

"Anytime there are more people who are online engaging in any activity, there's a greater chance there are going to be more infections," said Ryan Gerding, a spokesman for Enigma, which has 250 global employees. "There's more people. There's more traffic. There's more opportunity."

In 2016, the volume of cyberattacks spiked about 20 percent during the November to December period, correlating with the annual bump in online shopping, and attacks are on a similar pace for 2017, according to Carbon Black, a cybersecurity firm with 3,000 global customers. The culprits range from spoofed holiday greeting messages to online gift cards and bogus shipping notifications.

"We've seen a number of massive hacks and data breaches this year, and cybersecurity has never been more top of mind than it is today," said Carbon Black CEO Patrick Morley, in an email to MoneyWatch. "Despite this notion, there's still room for improved education and awareness for the general public around proper security hygiene. Black Friday and Cyber Monday bring great deals and convenience to online shoppers, but also provide hackers an opportunity to prey on unsuspecting consumers."

Many of the potentially dangerous messages that are designed to spoof legit customer emails are flagged by authentication firms and intercepted in email spam folders. One such firm, ValiMail, which has clients including Yelp and Uber, reported a huge spike in "fraudulent email attempts" over the Thanksgiving weekend: up 38 percent on Thanksgiving Day, 23 percent on Black Friday and about 54 percent on the following Saturday.

Pretty much anyone can be a target -- 89 percent of consumers are likely to purchase a gift online this holiday season, and 69 percent expect to do all or most of their shopping online (up from 54 percent last year), according to a survey by the computer-security powerhouse McAfee.

Of those surveyed, 18 percent said they believe it's unnecessary to use security software. On the bright side, more consumers (53 percent, versus 46 percent last year) are taking precautions to secure their devices.

Holiday shopping season off to a strong start online

At the same time, retailers are hesitant to do anything that could slow sales during such a critical period for their bottom lines, said Ryan Wilk, a vice president at Mastercard-owned NuData Security.

"Bad actors know that retailers are much more cautious about creating any type of friction this time of year as sales generated over Black Friday, Cyber Monday and the general run-up to Christmas can make or break a retailer's year," he said in an email.

Retailers also have to deal with attacks on their own infrastructure, added Alex Heid, chief research officer at New York-based SecurityScorecard. "The effort/reward ratio is in favor of the attacker this time of year, as each major e-commerce platform is busy processing large amounts of orders and activity."

More shoppers than ever are buying online using mobile phones, which introduces a host of additional concerns about fraud. In fact, the 2017 Black Friday shopping week was the first time smartphones were more commonly used (41 percent) than desktop computers (38 percent) and laptops (34 percent), according to a survey by the Consumer Technology Association.

Phone shoppers should watch for fake mobile-retail apps in the App Store and Google Play markets, said Corey Nachreiner, chief technology officer at Seattle-based WatchGuard Technologies. The apps can be used for ad fraud, to steal your credit card or even install spyware on your phone, Nachreiner said. Bad grammar and misspellings can sometimes tip you off to a bogus app.

Another sneaky way scammers exploit mobile phones is by spoofing apps designed as companions for toys or games. For instance, a fake "helper" app that promised to improve users' scores on Pokemon Go was actually spying on those who downloaded it and possibly selling information to other parties, said John Michelsen, chief technology officer at Dallas-based mobile security firm Zimperium.

"Hackers need something to intercept, latch on to or piggyback on to spoof you," he said in an email. "The holiday season is an excellent opportunity with all of the changes people will make to their phones."

Other ways to avoid scams include updating your operating system, running regular scans and updates, avoiding clicking on links in "suspicious or unsolicited" emails and also being cautious of links found in social-media messages, including on Twitter, that seem to be coming from a friend, Enigma advises.

Adds Accenture Security: Do your online shopping at home to avoid public Wi-Fi, vary usernames and passwords for each online retailer and enable credit-card alerts for large purchases charged to your account.