Despite predictions of a gloomy holiday shopping season, Internet bargains, gas savings and easy price comparison
spur online shopping. Millions are planning to do their shopping online from work to
save both time and money. But this might be opening the door to a whole other group
of shoppers: cyber-criminals trolling
for data and using malicious code to steal valuable information from corporate
The number of people shopping online from work is increasing, according to a
recent report released by Shop.org, which indicates that 55.8 percent of employees with
Internet access at work, or roughly 72.8 million people, will shop for holiday gifts
from work this year. This is up from 44.7 percent in 2005. Forrester Research is
also projecting that U.S. consumers will spend an estimated $44 billion online
during November and December 2008, up 12 percent from the same period last year.
This online shopping surge is likely to become a cybercrime haven. Today’s
cybercriminals are infecting legitimate websites with their malicious code, gaining
significant Web traffic volume without having to send out spam to promote infected
websites. At the same time these attacks evade traditional protection solutions, as
these security measures are more effective at blocking websites correlated with links
in mass spam. However, recent industry statistics show that 75 percent to 90 percent
of malware on the Web originates from infected legitimate websites.
Cybercriminals are especially keen to get data collected from employees shopping
online from work. Although stolen credit card numbers are still appealing to
cyber-criminals, the abundance of such stolen information has commoditized it to
the point that credit card numbers can only be traded for $10-$20. Sensitive and
confidential corporate data such as FTP or Citrix credentials, on the other hand, are
‘premium’ data that can be traded at a much higher price. Once an employee’s PC at
the workplace is infected, a crimeware Trojan will stealthily send out valuable
information to the cybercriminals’ ‘drop zone’. Such information includes both
personal credentials and sensitive corporate information. Finjan’s Malicious Code Research Center
finds more and more corporate information, including FTP, Exchange and Citrix
credentials and even e-mail correspondence, stored on crime-servers.
It might come as a surprise, but the chance of getting infected by a
data-stealing Trojan is scarily high. An employee only needs to visit an infected
shopping website to automatically get his PC compromised. Today’s malware is
especially tailored to exploit multiple vulnerabilities in the browser, operating
system, media player and other script-enabled applications. Malicious code is almost
always obfuscated or hidden in a way that makes it ‘invisible’ to antivirus and
signature-based security solutions. An estimated 80 percent of today’s malware is
obfuscated, as found by the Finjan Malicious Code Research Center. Once the malware
neutralizes protection measures of the infected application, it downloads a
malicious ‘payload’, usually an advanced data-stealing Trojan. These Trojans are
often highly sophisticated, allowing cybercriminals to control the compromised PCs
from a remote command and control center.
A specific strain of ‘Phishing Trojans’ is capable of remaining latent, silently
listening to the browser communication and ‘waking up’ only when the user visits a
specific target website. The Trojan then takes control of the browser and a
carefully crafted webpage with tailored text boxes overlays the original webpage and
sends the sensitive credentials to its masters. During this time, the browser
maintains its connection with the original website, so even when a secure SSL
session is in place and the familiar SSL sign appears, there is no guarantee that
information can’t be grabbed by a stealthy Trojan.
Cybercriminals are also keeping up with the latest consumer trends to employ the most
effective social engineering techniques. As today’s online shoppers are spending
more time hunting for discounts and special offers, cybercriminals
are taking advantage of this trend by drawing more victims to their infected
web pages. They do so by infecting websites that advertise discounted products or
special offers, with the malicious ad compromising the visitor’s PC.
Another way to draw visitors is through spam linked to malicious pages promoting
popular shopping list items at special discounts. More sophisticated cybercriminals
use search engine optimization (SEO) techniques to craft infected webpages that are
ranked high when shoppers search for popular items or for special offers. These
webpages may be hosted on compromised legitimate websites, Web 2.0 sites or
dedicated malware sites.
Several precautions are recommended to protect employee and corporate data:
- Awareness is the first factor—employees need to be made aware of the
way cybercriminals think and be on alert when shopping for discounted or popular
- They should be especially careful when entering their credentials, regardless of
the reputation of the website or the shown SSL sign.
- Downloadable browser plug-in tools can be used to alert consumers to websites that
might be infected with malware by giving them a designation.
- Corporate IT staff needs to make sure all known vulnerabilities are patched and
web security measures are in place, ideally by deploying a secure web gateway that
utilizes active real-time code inspection.
With the online holiday shopping season just gearing up, businesses need to make
sure they are well protected against today’s cybercriminals so they don’t enter the
New Year as victims of data theft.
Ophir Shalitin is the marketing director at Finjan, a global provider of web security solutions
for the enterprise market. Finjan’s Malicious Code Research Center (MCRC) is dedicated to the research and detection of security vulnerabilities in Internet applications, as well as other popular