Businesses Brace For Cyber-Monday Holiday Shopping Threats

Website attacks can target business data or exploit weaknesses to set up an attack platform aimed at potential customers. Meanwhile, phishing and spam campaigns can reap havoc on a business' reputation and bottom line, targeting both employees and customers shopping for gifts with scams designed to steal data or spread malware, said Richard Hyde, director of sales at Whitehall, Pa.-based managed services provider EZ Micro Solutions.

"It doesn't matter how great your security is," Hyde told CRN. "It really comes down to the choices that the user makes behind the desk."

[Related: Phish Food For Thought: 10 Ways To Identify A Phishing Attack ]

Hyde said his firm is assisting its clients, which primarily consists of small businesses, in the process of assessing their security posture. Firewalls and other security appliances, as well as antivirus and antispam filters, need to be checked for configuration problems that can open up a hole to an attacker. Security policies need to be maintained and clearly communicated so employees can begin to recognize when a potential threat presents itself, he said.

For small businesses with limited IT staff, devices deployed with default configurations are a common problem, said Ben Goodman, president of 4A Security, a managed security service and risk management consultancy based in New York City. Goodman said vulnerability scans on his clients' systems often find a variety of issues, including default passwords or outdated user accounts left open. The poor security practices open up weaknesses that make it far too easy for an attacker to gain access to the corporate network, he said.

Attackers are after a variety of data, according to Symantec, which was among several security firms issuing warnings about threats during the holiday shopping season. A victim's account credentials, often used to access multiple services, can be extremely valuable to attackers. Credit card data has long been a valuable commodity for cybercriminals. Credit card fraud is typically on the rise during the holiday season, Symantec said. System files and other personal data can also be harvested and sold on underground forums.

Security firms have seen a steady increase in attacks targeting website vulnerabilities, and the trend is expected to continue through the end of the year. Watering-hole attacks, designed to target a common group of visitors to a single website, infecting their systems with malware, are a growing threat. Attackers look at social networks, LinkedIn job roles, for example, and other information that people post online to design an attack targeting a specific group of individuals, said Craig Williams, a threat researcher on Cisco Systems' Threat Research Analysis and Communications (TRAC) team. The company has been tracking a steady rise in watering-hole-style attacks in 2013, Williams told CRN.

"The reality is that in most watering-hole attacks, the victim is completely unaware of what has happened," Williams said.

A watering-hole attack is similar to the classic drive-by attack, which can target a broad number of website visitors. The attacker probes a website's components for an open vulnerability, often injecting malicious JavaScript that can scan visitors' systems and infect their PCs with malware without their knowledge. SQL injection and Cross-site scripting remain among the top Web application vulnerabilities exploited by cybercriminals.

PUBLISHED NOV. 26, 2013