10 Easy-to-Keep Resolutions for Safe Online Shopping

This article by Pat Ciavolella, Head of Malware Desk and Analytics at The Media Trust, was originally published in Fraud & Identity Today on December 18, 2017.

Read article

Let’s admit it; online shopping can sometimes feel like junk food – it’s really good when you “virtual window-shop” but there is some element of guilt when you finally decide to splurge. Unfortunately, just like junk food binges can harm your health, online shopping can hurt you, too—malware and stolen card details are just the tip of the iceberg!

There is proof in the pudding: 2017 bore witness to several unsettling examples of ecommerce website attacks. In the Spring, at least 25 reputable, mid-tier ecommerce sites were compromised to steal customer payment card details. Then, six months later it was revealed that some of the world’s popular websites—a list that includes several brand-name retailers—were found recording your every keystroke.

Experiencing the effects of a digital compromise is a likely prospect for the average online shopper; it’s no longer something that only occurs during high-volume shopping periods or on dodgy websites. According to Adobe Analytics, online sales hit a record-breaking $6.59 billion on Cyber Monday, up 16.8 percent from 2016. How much of these record-breaking online sales were safe for you as a consumer? Good question. But, in preparation for 2018, everyone can resolve to be more vigilant.

A good first step is following these 10 easy-to-keep resolutions to protect your online shopping adventures:

 1. Judge loyalty programs: treat as guilty until proven innocent!

Read the fine print when signing up for loyalty programs that enable you to take advantage of additional discounts. Many retailers share your personal information with industry partners to promote seemingly complementary products, but the security of your personal data is not guaranteed.

2. Be a grammar guru: make sure URLs are spelled correctly

Domain spoofing is a widespread issue. It is easy to get enticed by a deal for a new gadget only to end up shopping on a completely fake website that has purposely been setup to entice and trick users, e.g., greatsales.com vs. gratesales.com. Also, pay close attention to grammar and spelling on various pages of the website, too. It’s easy to accidentally navigate off a legitimate site to a spoofed site.

3. Do a little detective work: check brand legitimacy

While shopping online, chances are, you are looking at multiple brands of goods. Before hitting the buy button, verify if the brand has a legitimate website, physical address and customer reviews before you splurge. Again, it doesn’t hurt to continuously keep an eye out for spelling errors on the url/domain and also general website text grammar. It’s unlikely a reputable brand would accidentally have these types of errors.

4. Build a routine: change passwords, often

This basic security practice is one that many consumers need to adopt. Changing passwords often, possibly a weekly or monthly basis, and creating strong passwords is important. And, no, your birthday isn’t a good password.

5. Seek trouble: with the payment page

Did you see an error message popup on the payment page? Or, did an error message flash just after you hit submit on your order? Chances are, there is something amiss and threat actors are trying to steal your payment card information. For the most part, the payment page should look “clean”, mimic other pages and contain minimal text – it shouldn’t have too many images, ads or other offers.

6. Confirm credibility: check for security certificates

Review the website’s security certificates, especially those on the payment page. While there is no guarantee that these certificates protect against a website attack, you at least want the ecommerce platform to meet industry security best practices around online payments, e.g., comply with PCI DSS standards.

7. Be perceptive: watch out for abnormal website behavior

Redirects, ad overload, ads that auto-refresh continuously, videos or images that take too long to load could signal some kind of trouble, possibly a compromise. Leave the site immediately by closing the tab and/or browser; you may even want to power off your device.

8. Work on reflexes: steer clear of fake updates and surveys

If the webpage displays a survey promising more discounts on completion or prompts you to update a plugin/ software, close the page down as quickly as possible. These are typical ploys to facilitate phishing or exploit kit drops. Don’t fall for it; some of these “you’ve won” scenarios ask an endless stream of user-identifying questions with a promise of a reward at the end. The reward never appears. Exit the browser right away!

9. Don’t walk and shop: mobile isn’t always safe

You might think you are better off shopping on your mobile phone, but carried-targeted malware is on the rise. This malware is only triggered if a person is visiting an infected website through a mobile device using data, i.e., the malware will not drop if you are on a secure Wi-Fi network.

10. Develop reading habits: start with privacy policies

Learn a little bit more about how cookies are used, how information about you is either shared or protected.

 

High Court Ruling That Could Reverberate Around the World

U.K. and EU flags

This article first appeared in Corporate Compliance Insights on December 18, 2017

Read Article

In a precedent-setting move, the High Court in the United Kingdom (U.K.) ruled that a company is liable for data breaches caused by employees, shedding insight into the future of data privacy regulatory enforcement. The speed and flexibility of today’s digital world require the adoption of risk strategies that address not only employee behavior but also the vendors executing on enterprise websites and mobile apps. The changing regulatory environment mandates better control of these digital assets and the role they play in collecting, storing and sharing consumer data.

CPO: US Federal Websites in Urgent Need of Web Security Upgrade

Article originally published in CPO Magazine on December 8, 2017

CPO Mag - US-federal-websites-2017-1208

Read article

The U.S. Federal Government is a behemoth that touches every aspect of American life – and today the touchpoints for services and information that each U.S. citizen requires to comply with federal rules and regulations are increasingly found on the Internet. However, the latest report on the state of federal websites indicates that they fail on some key indicators regarding web security.

The problem with federal – and many enterprise – websites is that no one individual is in charge of the entire website operation.

Continue reading

 

CSO Blog: Web-based Malware Not up to Code

Article first published to CSO Blog via IDG Contributor network on November 20, 2017

Cyber security concept shieldRead article

Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance.

Recent website attacks shattered the misconception that only disreputable or typically blacklisted websites such as gambling, or porn suffered from poor security, but this isn’t true. Throughout 2017, the media reported security incidents occurring on numerous well-known, highly-trafficked websites like Equifax, State of Ohio, hundreds of U.S. public school systems and numerous embassies and government entities around Washington, DC

Continue reading

 

MarTech Today: Companies are afraid of everyone’s website but their own

iStock_000001511231_Small

Article appeared in MarTech Today, Nov. 16, 2017

Read article

The Media Trust CEO: Most of what happens on your web site is not controlled by you

And this third-party code, says Chris Olson, results in dozens of cookies for each user, security vulnerabilities and performance hits.

 

PODCAST: How do we fix the internet?

Check out Charles Tendell’s interview of Chris Olson, CEO of The Media Trust, about the challenges of website security and the risk contributed by third-party code.

Listen here.

The world is a digital economy; however, there is a general lack of awareness for how to secure the highly-dynamic digital environment which requires a continuous security approach. The onus is on mobile app developers & website operators to ensure their assets are safe. The key to managing risk requires:

  • Knowing your digital vendors/partners
  • Identifying & authorizing their activity
  • Communicating your policy & establishing responsibility
  • Evaluating vendor compliance with your policy

 

This podcast was recorded on October 24, 2017

Parked Domains, pantry moths, and you

Authored by Patrick Ciavolella, Head, Malware Desk and Analytics, The Media Trust

Enterprise digital ecosystems are ripe for compromise via long-forgotten domains.

Parked domains have little security

In a span of just 30 days, Equifax morphed from a reputable credit bureau to the latest victim of cybercrime. Sadly, Equifax is just one in a slew of recent website compromises. In fact, the past 12 months bore witness to the malicious use of consumer-facing websites belonging to embassies, national banks, popular brands, premium digital publications, and government organizations. Comparing these incidents with The Media Trust’s historic malware attack data reveals an uncanny commonality – parked domains.

Parked domains are pests

Pantry moths are like parked domainsYes, parked domains are a security problem. Let’s take the real-world example of pantry moths as an analogy. Imagine hoarding supplies in your kitchen pantry due to forecasts like historical storms, end of the world, etc. Alas, the event turns out to be not so epic and life moves on unaffected. Except now, you have a cartload of forgotten excess supplies sitting in your pantry, attracting pantry moths, their larvae (gross), and other pests. Translate this to the digital world: companies buy domains for various purposes such as marketing campaigns, testing advertising code, domain squatting prevention, or holding for future use. Unfortunately, life happens; companies do not renew domain ownership, forget to manage them, campaigns end, or the company may go out of business. This leaves these domains ripe for compromise, as it’s the perfect opportunity for a bad actor to either buy a legitimate-looking link or stealthily infect it to load malicious code.

“We detect parked domains in more than 10% of web-based incidents and have recorded a steady increase in parked domains in the consumer internet,” stated Patrick Ciavolella, Head Malware Desk and Analytics, The Media Trust. “Saying parked domains are a cause for concern, is an understatement. Malicious parked domains in a large corporation’s digital ecosystem can not only damage an enterprise’s reputation but can inflict widespread harm on consumers.”

By putting Equifax’s second website compromise under the scanner, we can better understand how parked domains are exploited by bad actors. 

Equifax Case File

The user experience: When users visited certain credit reporting service page(s) on Equifax’s website, they were automatically redirected to a malicious domain or page. This landing page falsely alerted users to an outdated program (Adobe Flash) and prompted a download of an update, which when clicked, would eventually deliver a malicious exploit kit to user devices. Sounds like a typical and simple website-level malware attack, but what happened behind the screens points to an interesting revelation about parked domains.
Parked domains are dangerous

Behind the screens: After entering the credit report discounts assistance page, there were at least five rapid auto-redirects (no user interaction required) that delivered users to the malicious domain (Centerbluray.info), which hosted the Fake Flash Update alert. This fake online asset appeared legitimate and even used Adobe’s logo to trick users. Once the user clicked on this fake prompt, malicious toolbars or exploit kits were delivered to the devices.

Culprit: Centerbluray.info was the domain hosting malicious code, but the multiple redirect links that navigated to this malicious page were all parked domains. “Our Malware Desk blacklisted Centerbluray.info well before the Equifax incident and detected it in at least six different web-based malware incidents. In every case, parked domains were used to navigate to the final malicious domain,” added Patrick.

Parked Domains FAQs:
Parked Domains FAQs

  1. Wait, so a parked domain via a third-party vendor running code on my website can affect my website?
    Yes. Today’s websites and mobile apps are inundated with unmonitored third-party vendors that contribute code (content management systems, video hosting, data management platforms, marketing analytics, social media widgets, and more) to the rendering of digital content. Often, these third-parties will bring fourth and fifth party code into the mix, increasing the probability of a parked domain’s presence in your enterprise digital ecosystem.
  2. Can my own parked domain be compromised?
    Yes. The Karmic forces of the internet are strong. Without caution and care, your own parked domains are vulnerable to compromise. Let’s not forget that parked domains are still affiliated with your digital assets. Now would be a good time to ask your teams—marketing, sales, product, operations—about all the domains your company has ever purchased.
  3. Can my current website security solution detect these parked domains?
    Sigh, if only! For the most part, website appsec only monitors owned and operated code, which is an increasingly small part of today’s website and mobile app code. Also, most website security solutions do not comprehensively monitor outside the firewall, which is exactly where your users are! Without real-time monitoring of executing code, you would not know if your website has been compromised unless users complain or, even worse, you read about it in the paper.
  4. So what can I do?
    Based on the incidents detected in the broader digital ecosystem and managed by The Media Trust, here’s what Patrick recommends:
    “When it comes to your own domains, renew them or cancel the ones that are not in use; please cancel through the appropriate channels. Once canceled, the domain code needs to be completely removed from your website and mobile app codebase. Where it makes sense, sign up for an auto-renewing domain. Remember, when it comes to third-party parked domains, the only way to detect and manage them is through continuous, real-time monitoring of code rendering on user devices.
  5. Ok, since you brought up pantry moths – how does one get rid of those annoying pests?
    Ah! Clean out your pantry. Get rid of the old dry supplies as they are probably infested by moths and larvae (gross). When you eventually do buy fresh supplies, freeze it first before transferring to storage containers and use the supplies as quickly as you can.