Scammers jingle all the way

At this time of year, cyberscams take on a holiday flavor and credit card fraud gets a snowball effect.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
With the holidays just days away, shoppers rush around late into the night, radio stations blare seasonal tunes--and cybercriminals busily try to scam unsuspecting targets.

"Fraudsters use current affairs to create legitimacy," said Melih Abdulhayoglu, chief executive of Comodo Group, a provider of Web site security certificates in Jersey City, N.J. Credit card fraud is easier now than any other time of year because of the high volume of transactions, experts warn. "The holidays are a great reason to send people e-mail to try to scam them into giving up their information," Abdulhayoglu said.

Holiday scams

Internet users, in fact, can expect to see almost twice as many phishing attacks this December compared with last year, said Andrew Klein, manager of the threat center at MailFrontier, an e-mail security company in Palo Alto, Calif. Phishing scams combine spammed e-mail messages and fraudulent Web sites to trick people into giving up sensitive information.

"Holidays are an excellent hook for scams," Klein said. Last year there were 8,829 different phishing campaigns in December, and the number has increased since, hitting a high of 15,820 in October, he said. "The real problem with phishing e-mail is that they really look like e-mail that you would expect to receive."

In one example, scammers crafted an e-mail that looks like it came from eBay. The mail announces that "Christmas is coming!" and encourages recipients to click on a link to "www.ebaychristmas.net" for advice on "seasonal selling." Though they appear legitimate, the e-mail message and the Web site were fraudulent, Klein said.

eBay and its online payment division PayPal have traditionally been popular among fraudsters looking for login names, credit card numbers and other sensitive information. eBay is aggressive in fighting such scams and offers a browser toolbar to help protect users against fake copies of its Web sites.

While eBay is a known phishing target, scams that involve charities are relatively new. With many in the spirit of giving, December could be a lucrative month for miscreants looking to profit on the generosity of Internet users.

"Since Katrina we have seen the Red Cross show up much more frequently in the list of top-phished Web sites," said Craig Sprosts, a product manager at e-mail security vendor IronPort Systems in San Bruno, Calif. In the aftermath of Hurricane Katrina, Web sites popped up that sought to defraud Internet users who thought they were doing good.

IronPort's filters have also stopped at least one e-mail that promised the recipient a prize in a "holiday lottery" and offered a link to a malicious Web site to collect the reward, Sprosts said.

Aside from phishing scams, Internet security companies have seen the so-called Nigerian scams take on a seasonal twist. Typically, swindlers send out junk e-mails around the world promising recipients a share in a fortune in return for an advance fee. Those who pay never receive the promised windfall.

"They will have words like Christmas and Jesus in them, which makes them a little harder to filter out," MailFrontier's Klein said.

While some attacks will adapt to the season, the deluge of traditional attacks continues. Internet users need to stay on guard and not let the holiday rush weaken their defenses, security experts warned.

"There is more online activity and consumers are more vulnerable because they are out on the Internet looking for deals," Sprosts said. "They might let their guard down and click on a phishing attack."

Klein agreed: "We're all running around a little faster because it is Christmas and we're all doing things we might not do throughout the year, such as buying a lot online and visiting sites we don't normally go to." His advice to online consumers: Pay attention and don't let your guard down.

Crooks don't only stand to benefit from a change in online consumers' behavior during the holidays. They can also benefit from a lower level of fraud checks at online stores, payment processors and credit card companies, said John Pironti, a principal security consultant at Unisys, an IT services company in Blue Bell, Penn.

"A lot of the security controls are relaxed in order to handle volume," Pironti said. "Not as much fraud will get caught, so immediately you see an uptick in activity. Fraudulent people tend to know this; it is a well-known secret."

MasterCard denies that it decreases the level of fraud checks during the holidays to cope with a high volume of transactions. "We do capacity planning to make sure that we are able to operate," Linda Locke, a MasterCard spokeswoman, said. "MasterCard relaxes no antifraud controls during the holiday season."

Visa did not respond to requests for comment.

While making your list of what to watch out for online this holiday season, don't forget worm and virus attacks.

A Santa Claus worm that targets America Online, Microsoft and Yahoo instant-messaging users surfaced on Tuesday. The worm attempts to dupe IM users into thinking a friend has sent them a link to a harmless Santa Claus image, but clicking on the link results in malicious software being downloaded to the target's PC.

Security experts have also warned of malicious software that can pose as an electronic Christmas card, like last year's Zafi pest. They advise consumers not to open e-mail attachments and to send friends Christmas greetings in plain text or via traditional mail.

If your PC is not yet secured, consider making a New Year's resolution to install antivirus software and a firewall and perhaps an antiphishing toolbar.