Risk Management: Employees’ Online Shopping Jeopardizes Your Corporate Data

Despite predictions of a gloomy holiday shopping season, Internet bargains, gas saving and easy price comparison spur online shopping. Millions are planning to do their shopping online from work to save both time and money. But this might be opening the door to a whole other group of shoppers: cyber-criminals trolling for data and using malicious code to steal valuable information from corporate networks.

The number of people shopping online from work is increasing, according to a recent report released by Shop.org, which indicates that 55.8 percent of employees with Internet access at work, or roughly 72.8 million people, will shop for holiday gifts from work this year. This is up from 44.7 percent in 2005. Forrester Research is also projecting that U.S. consumers will spend an estimated $44 billion online during November and December 2008, up 12 percent from the same period last year.

This online shopping surge is likely to become a cybercrime haven. Today’s cybercriminals are infecting legitimate websites with their malicious code, gaining significant Web traffic volume without having to send out spam to promote infected websites. At the same time these attacks evade traditional protection solutions, as these security measures are more effectively blocking websites correlated to links in mass spam. However, recent industry statistics show that 75 percent to 90 percent of malware on the Web originates from infected legitimate websites.

Cybercriminals are especially keen to get data collected from employees shopping online from work. Although stolen credit card numbers are still appealing to cyber-criminals, the abundance of such stolen information has commoditized in such a way that credit card numbers can only be traded for $10-$20. Sensitive and confidential corporate data such as FTP or Citrix credentials on the other hand, are ‘premium’ data that can be traded at a much higher price. Once an employee’s PC at the workplace is infected, a crimeware Trojan will stealthily send out valuable information to the cybercriminals ‘drop zone’. Such information includes both personal credentials as well as corporate sensitive information. Finjan’s Malicious Code Research Center finds more and more corporate information including FTP, Exchange and Citrix credentials and even e-mail correspondence stored on crime-severs.

It might come as a surprise, but the chance of getting infected by a data-stealing Trojan is scarily high. An employee only needs to visit an infected shopping website to automatically get his PC compromised. Today’s malware is especially tailored to exploit multiple vulnerabilities in the browser, operating system, media player and other script-enabled applications. Malicious code is almost always obfuscated or hidden in such a way that makes it ‘invisible’ to antivirus and signature based security solutions. An estimated 80 percent of today’s malware is obfuscated, as found by the Finjan Malicious Code Research Center. Once the malware neutralizes protection measures of the infected application, it downloads a malicious ‘payload’, usually an advanced data-stealing Trojan. These Trojans are often highly sophisticated allowing cybercriminals to control the compromised PCs from a remote command and control center.

A specific strain of ‘Phishing Trojans’ is capable of remaining latent, silently listening to the browser communication and ‘waking up’ only when the user visits a specific target website. The Trojan then takes control of the browser and a carefully crafted webpage with tailored text boxes overlays the original webpage and sends the sensitive credentials to its masters. During this time, the browser maintains its connection with the original website, so even when a secure SSL session is in place and the familiar SSL sign appears, there is no guarantee that information can’t be grabbed by a stealthy Trojan.

Cy bercriminals are also keeping up with the latest consumer trends to employ the most effective social engineering techniques. As today’s online shoppers are spending more time hunting for discounts and special offers, cybercriminal s are taking advantage of this trend by drawing more victims to their infected web pages. They do so by infecting websites that advertise discounted products or that advertise special offers with the malicious ad compromising the visitor’s PC. Another way to draw visitors is through spam linked to malicious pages promoting popular shopping list items at special discounts. More sophisticated cybercriminals use search engine optimization (SEO) techniques to craft infected webpages that are ranked high when shoppers search for popular items or for special offers. These webpages may be hosted on compromised legitimate websites, Web 2.0 sites or dedicated malware sites.

Several precautions are recommended to protect employee and corporate data:

• Awareness is the first factor—employees need to be made aware of the way cybercriminals think and be on alert when shopping for discounted or popular items.
• They should be especially careful when entering their credentials, regardless of the reputation of the website or the shown SSL sign.
• Downloadable browser plug-in tools can be used to alert consumers what websites might be infected with malware by giving a designation.
• Corporate IT staff needs to make sure all known vulnerabilities are patched and web security measures are in place, ideally by deploying a secure web gateway that utilizes active real-time code inspection.

With the online holiday shopping season just gearing up, businesses need to make sure they are well protected against today’s cybercriminals so they don’t enter the New Year as victims of data theft.

Ophir Shalitin is the marketing director at Finjan, a global provider of web security solutions for the enterprise market. Finjan’s Malicious Code Research Center (MCRC) is dedicated to the research and detection of security vulnerabilities in Internet applications, as well as other popular programs.