Seasonal events & pop culture as an attack route


Cyber-attacks are often thought of as carefully planned, sophisticated in nature and targeted at big companies. In some cases that’s true, but for the most part attackers aren’t sophisticated at all: they are simply looking for the easiest opportunity, whether that is a company (of any size!) or an individual.

Pop culture and seasonal events often provide that opportunity, with fraudsters imitating legitimate organisations, websites or even government departments in an attempt to deliver malware or conduct social engineering attacks against unsuspecting victims. But what are some of the common events attackers take advantage of?

Sales season

E-commerce is big business, and where there’s money there are usually fraudsters looking to seize upon a potential opportunity. This problem is year-round; however, malicious activity really ramps up around busy trading periods such as Black Friday or the Boxing Day sales.

  • Attacking the retailer

A retailer’s e-commerce site is critical during any busy trading period and the percentage of sales delivered through online channels is increasing every year. This makes it a big target.

Vulnerabilities within e-commerce websites, mobile applications and third-party apps are a common attack route, and this approach has led to some of the most notable company breaches in recent times. Any weakness within an application could be exploited by attackers, and a successful breach could give them access to the payment information entered by customers, the ability to redirect traffic to spoof sites or the opportunity to view sensitive data held in the backend.

Alternatively, attackers may want to attempt to bring an e-commerce site down completely. The usual route to do this is through a Distributed Denial of Service (DDoS) attack, where attackers try to bring down a site server by directing huge amounts of traffic to it. According to figures, in 2018, there was a 70% increase in DDoS attacks during the Black Friday sales.

  • Targeting the customer

Companies aren’t the only ones at risk during peak sales periods; attackers will also look to extort information, and money, from consumers themselves.

Banks are often impersonated by criminals looking to access payment information, and it’s easy to create an email or text message that appears to come from the official source. These communications will often play on fear, declaring that a suspicious transaction has taken place on the recipient’s account and that they should call a number to provide details.

The number is of course fraudulent, but thanks to the busy sales period these types of messages are more likely to be effective.

And it’s not just banks that attackers will look to imitate; they can choose from several companies within the retail supply chain, from the retailers themselves, pretending to offer refunds or further sales promotions, through to couriers, with spoofed emails about non-existent failed deliveries.

When a data breach hits the news

Data breaches often make the news, especially when a household name is involved and customer payment information may have been stolen. Customers of that company will understandably be worried by such news and concerned that they will be personally affected by the breach.

This worried state is perfect for criminals to take advantage of and they understand that consumers will be looking to take action to ensure their details and finances are safe.

Attackers will often look to masquerade as the company affected, whether through phone calls, emails or even text messages, telling consumers they may have been affected. They will then try to trick the customer into handing over vital information such as account details, payment details or passwords.

The latest blockbuster releases

Streaming services such as Netflix have changed the way we consume entertainment, and people want to watch the latest movies and television series from the comfort of their own home, on demand.

When a popular series or movie does have an upcoming release date it can be all too tempting for eager fans to start searching online for a sneak preview, and there are often plenty of sites offering just such an opportunity.

But beware, sites offering free downloads of movies, or TV shows, yet to be released are likely to be malicious and any download is likely to contain malware.

End of the tax year

The end of the tax year is another popular event scammers will try to take advantage of; HMRC received over 900,000 reports of suspicious calls, texts and emails in 2019 alone.

As with other scams of this nature, it’s relatively easy for an attacker to imitate official HMRC emails and telephone numbers, luring victims in with the promise of tax rebates or frightening them into payments with the threat of legal action.

So, what can you do to prevent being caught out by such attacks?

Firstly, don’t take information at face value: treat every email, text or phone call you receive from a company or other institution with suspicion. Always ask yourself whether you trust the information you’re being given or the website you’re on. If you’re not 100% sure, don’t enter your information or download anything.

If you do receive a communication that worries you, don’t panic or be rushed into any action; take your time to assess whether the claims being made are real and from an official source, or are simply fraudulent.

If you are sent an email, check the ‘from’ address: does it look like an official email address of the company? Spelling is also a good giveaway; if the email is poorly worded and contains a host of simple spelling errors, it is more likely to be a phishing attempt. Whatever you do, don’t click on any link or hand over any personal information until you’ve verified that the communication is legitimate.
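The ‘from’ address check above can be turned into a small triage script. The following is an added example, not code from the original post or from Pentest: it parses an email’s From and Reply-To headers, compares the sender domain against a list of domains you genuinely expect mail from, collapses common digit-for-letter lookalike tricks so that an imitation domain is matched against the brand it mimics, and flags a display name that claims a trusted brand while the address does not. All domain names and sample messages are constructed placeholders; substitute your own bank, retailer and courier domains.

```python
"""Triage of an email's From / Reply-To headers against trusted domains.
Added example (not from the original post); every domain below is a
constructed placeholder, not a real organisation's address."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: the domains you genuinely expect mail from.
TRUSTED_DOMAINS = {"examplebank.com", "examplecourier.co.uk"}

# Digit-for-letter substitutions commonly used to make a spoofed domain
# resemble the real one ('examp1ebank' reads as 'examplebank' at a glance).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _brand(domain: str) -> str:
    """Leftmost label of a trusted domain, e.g. 'examplebank'."""
    return domain.split(".")[0]


def _normalise(text: str) -> str:
    """Lower-case, undo homoglyphs and drop separators so that lookalikes
    collapse onto the brand they imitate ('Examp1e-Bank' -> 'examplebank')."""
    return "".join(ch for ch in text.lower().translate(HOMOGLYPHS)
                   if ch.isalnum())


def assess_sender(raw_message: str) -> dict:
    """Return a verdict ('trusted', 'suspicious' or 'unknown') plus reasons."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain_of(from_addr)
    reply_domain = _domain_of(reply_addr)
    reasons = []

    # Exact match or a subdomain of a trusted domain counts as trusted.
    trusted = any(from_domain == t or from_domain.endswith("." + t)
                  for t in TRUSTED_DOMAINS)

    if not trusted:
        norm_domain = _normalise(from_domain)
        norm_name = _normalise(display_name)
        for t in TRUSTED_DOMAINS:
            brand = _brand(t)
            if brand in norm_domain:
                reasons.append(f"domain {from_domain!r} imitates {t}")
            if brand in norm_name:
                reasons.append(f"display name {display_name!r} claims {t} "
                               f"but the address is {from_addr!r}")

    # Replies silently routed to a different domain are a classic tell.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To goes to {reply_domain!r}, not {from_domain!r}")

    if reasons:
        verdict = "suspicious"
    elif trusted:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return {"from": from_addr.lower(), "domain": from_domain,
            "verdict": verdict, "reasons": reasons}


# Constructed sample messages (headers only matter for this check).
SAMPLE_OK = ("From: Example Bank <alerts@examplebank.com>\n"
             "Subject: Your statement is ready\n\nHello.")
SAMPLE_SUBDOMAIN = "From: noreply@mail.examplebank.com\n\nHello."
SAMPLE_SPOOF = ('From: "Example Bank Security" <security@examp1ebank-alerts.com>\n'
                "Reply-To: verify@mailbox-checker.net\n"
                "Subject: Suspicious transaction\n\nCall us now.")
SAMPLE_UNKNOWN = "From: Alice <alice@somewhere.org>\n\nHi."

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SUBDOMAIN, SAMPLE_SPOOF, SAMPLE_UNKNOWN):
        result = assess_sender(sample)
        print(result["verdict"], result["from"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The script is deliberately a heuristic: a ‘trusted’ verdict only means the domain is one you listed, not that the message is authentic (header spoofing is still possible without SPF/DKIM/DMARC checks), and ‘unknown’ simply means no opinion. Its value is in surfacing the three things the post tells you to look at: a domain that merely resembles the real one, a friendly display name hiding an unrelated address, and a reply path that goes somewhere else.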

But how do you find out if a communication is legitimate or not?

Find official contact details from several known and trusted sources, such as the official company website, email, in-store or the back of a payment card. It’s always wise to check a few sources as there is no guarantee details have not been spoofed, especially on company websites.

Once you’ve verified an official number, call from a different phone than the one you may have been contacted on previously or wait five minutes or more after the initial call to ensure the line is clear. In many circumstances you could also speak to someone at a physical store/office that may be able to verify any communication claims.
