Online shoppers are seemingly unaware of credit-card skimming threats & malicious shopping apps as they head from this year’s Black Friday to today’s Cyber Monday event.
Despite being concerned about the security risks behind online shopping, consumers lack knowledge about some of the biggest retail risks, with over half unaware of digital credit-card skimming threats posed by the Magecart group.
In a new report last week, RiskIQ found that 64% of those polled are unaware of Magecart threats.
Despite this fact, shoppers are concerned overall about security as they turn to online shopping preceding this holiday season.
According to the research, 85% are at least ‘mildly concerned’ about their personal information being compromised when shopping through a website or browser; whilst 88% of shoppers are at least ‘mildly concerned’ about the safety of mobile apps for retail use.
“RiskIQ has found that the average length of a Magecart breach is 22 days,” observed RiskIQ researchers in the report this week, entitled Consumer Holiday Shopping Sentiment & Outlook 2020. “If you are to purchase on a compromised site during such a period of the breach, you will likely become a victim of credit-card theft.”
Magecart – Lack of Awareness
Magecart is an umbrella term encompassing several different threat groups who all use the same methods.
They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages, stealing unsuspecting customers’ payment-card details & other information entered into the fields on the page.
Researchers recently reported an increase in the number of e-commerce sites being attacked by Magecart & related groups, along with new tactics. Earlier, in Sept., Magecart was seen using the secure messaging service Telegram as a data-exfiltration mechanism.
“The data also indicates a general lack of knowledge of the prevalence of online card-skimming by Magecart actors,” explained researchers.
“The best way to avoid being victimised by Magecart is to avoid entering any payment information into any website. Instead, use 3rd-party payment platforms like Amazon Pay & PayPal that have your credit-card details already saved.”
In addition to avoiding manual entry of their payment details online, shoppers should also be alert to deceptive domains, commented researchers.
“Hackers will engage in domain infringement, including but not limited to deceptively-spelled ‘look-alikes’ or using a ‘.org’ when the real site uses ‘.com’ to con you into providing your sensitive information,” they observed. “They may use this tactic in combination with other hacker go-tos like spear-phishing email campaigns.”
Researchers also outlined that 72% of respondents said they would download a shopping-related app, if it offered a big discount. Also, 58% of consumers revealed that they do not check who the developer is before downloading an app.
“This leaves an easy way for hackers to siphon your data, as all they have to do is offer a discount to lure a customer in,” stated researchers.
They warned further that consumers should always avoid downloading apps with ‘uncertain origins’, e.g. ones not from official app stores like Google Play or the Apple App Store.
Also, consumers should “ensure that an app developer or website has a ‘good reputation’ before downloading or visiting a domain—your data could be at stake,” cautioned researchers.
Experts anticipate holiday shopping during the 2020 Black Friday & Cyber Monday season to be largely carried out online, because the COVID-19 pandemic is keeping many in their homes this year. Health concerns related to the pandemic, & convenience, were reported as respondents’ 2 main reasons for online shopping.
According to RiskIQ’s report, more than half (58%) of respondents plan to do 75% or more of their holiday shopping online this year. Of those who plan to shop online, 70% plan to mainly use a mobile phone.
Researchers & security agencies are warning consumers to beware of scams, phishing attacks & other cyber-security threats ahead of shopping days like Black Friday & Cyber Monday, with the US Cybersecurity & Infrastructure Security Agency (CISA) cautioning US shoppers in an advisory last week.
“With more commerce occurring online this year, & with the holiday season upon us, CISA reminds shoppers to remain vigilant,” according to the alert. “Be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, & unencrypted financial transactions.”