What happened to Black Friday and Christmas?

03 February 2021

Nigel Thorpe, technical director, SecureAge Technology

If you Google cyber crime during Black Friday and Christmas you can find plenty of warnings and advice from a plethora of experts, vendors and even the UK National Cyber Security Centre (NCSC). But the strange thing is that there appear to be no headlines featuring online scams or breaches.

So, what happened in a year when more of us were shopping online than ever before? Previous festive periods have provided fertile ground for cybercriminals intent on spoiling our celebrations and bargain hunting. Was it the case that it’s been a tough year for hackers too and they took time off? Or maybe they have been too busy crafting phishing attacks preying on our anxieties around the pandemic. Or have we just got better at spotting a malicious email or link during those long winter nights promising a great deal?

Alternatively, it could be that a successful festive phish is no longer news. We have become so accustomed to cyber crime headlines that it takes a major breach to make the news. And of course, the SolarWinds and FireEye attacks provided plenty of big stories to write about.

There is probably some truth in all these explanations, but we should not get complacent or assume that we can rest on our cyber security laurels. After all, consumers will always provide high volume attack opportunities, albeit delivering low per-unit returns. Send an email containing some very attractive deals to enough people and the cybercriminal will always manage to scam good pickings from a small percentage.

This is exactly where all those millions of stolen email addresses fit. Throughout the year we hear of organisations that have been attacked, with their customers’ data stolen. ‘But it’s OK’, they say, ‘no important information was stolen; just email addresses’. The problem is that both personal and business email addresses are valuable to cybercriminals, who will use them directly for activities like Black Friday or Christmas deal scams, or may just sell these contacts to other criminals.

The fact is that it’s not just credit card or bank details that are valuable. Organisations need to realise that ALL data is important. 

 

Working on the supply chain

A second area of attack is against retailers directly along with other product and service suppliers, including the growing number of Managed Service Providers (MSPs). In a busy sales period, the last thing a retailer or product supplier needs is an interruption to the smooth running of its operations. So, this is the perfect time to launch ransomware attacks.

To cause any damage to an organisation’s systems, the cybercriminal has to sneak in: on the back of an employee or contractor, via a supplier’s network or, in the case of an online service provider, through a customer account. Phishing and social engineering are the favourite avenues, but drive-by downloads and compromised user accounts work too. So, using a Black Friday and Christmas deal or a COVID-19 promise as phishing bait is a golden opportunity.

Today’s ransomware doesn’t just stop at disabling everything until the ransom is paid. The first job the cybercriminal completes today, once inside the target network, is to steal as much data as possible. We’ve seen this through the year with incidents like the attack on Blackbaud, which provides hosted fundraising software used by many universities, schools, charities and other organisations.

Organisations often make things easy for the hackers, but even with the best multiple layers of defence it is impossible to keep all the bad guys out, all of the time. This is demonstrably the case, since we see stories daily about hacked companies and stolen data. And if some of the best IT security and tech companies can’t protect themselves – what chance is there for other corporates or SMEs?

Once in, the cybercriminal can unleash the ransomware, disabling systems and having the additional leverage that an unpaid ransom will result in published data. If the organisation chooses to pay the ransom, they must trust the criminal to keep their side of the agreement, unlocking systems and not publishing or reselling the data. If you can’t trust a good, reliable, upright cybercriminal, who can you trust?

 

Lessons learned 

As we enter an uncertain 2021, we need to understand that all data is important and needs strong protection – not just for Christmas or Thanksgiving. Full disk encryption won’t solve this problem. On a running system with full disk encryption, every process that requests access to data will be given it, no questions asked. After years of simply trying to stop the ‘bad guys’ getting in, the New Year’s resolution for CIOs and CISOs should be to take a data-centric approach and protect the information by encrypting all data, all of the time. It’s the ultimate in zero trust and ensures that the cybercriminals will be disappointed with what they get for Christmas next year.

www.secureage.com