10 Easy-to-Keep Resolutions for Safe Online Shopping

This article by Pat Ciavolella, Head of Malware Desk and Analytics at The Media Trust, was originally published in Fraud & Identity Today on December 18, 2017.

Read article

Let’s admit it; online shopping can sometimes feel like junk food – it’s really good when you “virtual window-shop” but there is some element of guilt when you finally decide to splurge. Unfortunately, just like junk food binges can harm your health, online shopping can hurt you, too—malware and stolen card details are just the tip of the iceberg!

There is proof in the pudding: 2017 bore witness to several unsettling examples of ecommerce website attacks. In the Spring, at least 25 reputable, mid-tier ecommerce sites were compromised to steal customer payment card details. Then, six months later it was revealed that some of the world’s popular websites—a list that includes several brand-name retailers—were found recording your every keystroke.

Experiencing the effects of a digital compromise is a likely prospect for the average online shopper; it’s no longer something that only occurs during high-volume shopping periods or on dodgy websites. According to Adobe Analytics, online sales hit a record-breaking $6.59 billion on Cyber Monday, up 16.8 percent from 2016. How much of these record-breaking online sales were safe for you as a consumer? Good question. But, in preparation for 2018, everyone can resolve to be more vigilant.

A good first step is following these 10 easy-to-keep resolutions to protect your online shopping adventures:

 1. Judge loyalty programs: treat as guilty until proven innocent!

Read the fine print when signing up for loyalty programs that enable you to take advantage of additional discounts. Many retailers share your personal information with industry partners to promote seemingly complementary products, but the security of your personal data is not guaranteed.

2. Be a grammar guru: make sure URLs are spelled correctly

Domain spoofing is a widespread issue. It is easy to get enticed by a deal for a new gadget only to end up shopping on a completely fake website that has purposely been setup to entice and trick users, e.g., greatsales.com vs. gratesales.com. Also, pay close attention to grammar and spelling on various pages of the website, too. It’s easy to accidentally navigate off a legitimate site to a spoofed site.

3. Do a little detective work: check brand legitimacy

While shopping online, chances are, you are looking at multiple brands of goods. Before hitting the buy button, verify if the brand has a legitimate website, physical address and customer reviews before you splurge. Again, it doesn’t hurt to continuously keep an eye out for spelling errors on the url/domain and also general website text grammar. It’s unlikely a reputable brand would accidentally have these types of errors.

4. Build a routine: change passwords, often

This basic security practice is one that many consumers need to adopt. Changing passwords often, possibly a weekly or monthly basis, and creating strong passwords is important. And, no, your birthday isn’t a good password.

5. Seek trouble: with the payment page

Did you see an error message popup on the payment page? Or, did an error message flash just after you hit submit on your order? Chances are, there is something amiss and threat actors are trying to steal your payment card information. For the most part, the payment page should look “clean”, mimic other pages and contain minimal text – it shouldn’t have too many images, ads or other offers.

6. Confirm credibility: check for security certificates

Review the website’s security certificates, especially those on the payment page. While there is no guarantee that these certificates protect against a website attack, you at least want the ecommerce platform to meet industry security best practices around online payments, e.g., comply with PCI DSS standards.

7. Be perceptive: watch out for abnormal website behavior

Redirects, ad overload, ads that auto-refresh continuously, videos or images that take too long to load could signal some kind of trouble, possibly a compromise. Leave the site immediately by closing the tab and/or browser; you may even want to power off your device.

8. Work on reflexes: steer clear of fake updates and surveys

If the webpage displays a survey promising more discounts on completion or prompts you to update a plugin/ software, close the page down as quickly as possible. These are typical ploys to facilitate phishing or exploit kit drops. Don’t fall for it; some of these “you’ve won” scenarios ask an endless stream of user-identifying questions with a promise of a reward at the end. The reward never appears. Exit the browser right away!

9. Don’t walk and shop: mobile isn’t always safe

You might think you are better off shopping on your mobile phone, but carried-targeted malware is on the rise. This malware is only triggered if a person is visiting an infected website through a mobile device using data, i.e., the malware will not drop if you are on a secure Wi-Fi network.

10. Develop reading habits: start with privacy policies

Learn a little bit more about how cookies are used, how information about you is either shared or protected.


CPO: US Federal Websites in Urgent Need of Web Security Upgrade

Article originally published in CPO Magazine on December 8, 2017

CPO Mag - US-federal-websites-2017-1208

Read article

The U.S. Federal Government is a behemoth that touches every aspect of American life – and today the touchpoints for services and information that each U.S. citizen requires to comply with federal rules and regulations are increasingly found on the Internet. However, the latest report on the state of federal websites indicates that they fail on some key indicators regarding web security.

The problem with federal – and many enterprise – websites is that no one individual is in charge of the entire website operation.

Continue reading


CSO Blog: Web-based Malware Not up to Code

Article first published to CSO Blog via IDG Contributor network on November 20, 2017

Cyber security concept shieldRead article

Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance.

Recent website attacks shattered the misconception that only disreputable or typically blacklisted websites such as gambling, or porn suffered from poor security, but this isn’t true. Throughout 2017, the media reported security incidents occurring on numerous well-known, highly-trafficked websites like Equifax, State of Ohio, hundreds of U.S. public school systems and numerous embassies and government entities around Washington, DC

Continue reading


You know nothing, CISO

Shadow IT can stab you in the back

CISO work overload

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Shadow IT in the corporate website

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.