The holiday shopping season, especially Black Friday and Cyber Monday, is a prime time for cybercriminals. McAfee Labs consistently observes a significant spike in malicious activity during this period, fueled by the combination of high web traffic, deals that create a sense of urgency, and a massive increase in card-not-present online transactions that create a perfect storm. Attackers exploit the chaos, knowing shoppers are often distracted and rushing to find the best Black Friday deals, making them more susceptible to phishing scams, fake websites, and malware designed to steal financial information.
As we gear up to feast with family and friends this Thanksgiving, and prepare our wallets for Black Friday and Cyber Monday, let’s look at how these two popular shopping events can impact your online security, and how to protect yourself from scammers.
The consequences of falling for a holiday scam can be devastating. Beyond the initial financial loss from a fraudulent purchase, victims often face the long-term nightmare of identity theft. According to the Federal Trade Commission (FTC), consumers reported losing $12.5 billion to fraud in 2024, with online shopping scams as the second most commonly reported incident. Recovering from identity theft is not just costly. It’s also incredibly time-consuming. On average, it can take victims months to clear their names and correct their credit reports, adding significant emotional stress during what should be a joyful season.
Historians trace the use of Black Friday to the 1960s, when Philadelphia police officers named the day after Thanksgiving as Black Friday because they had to work overtime to manage the mob of holiday shoppers and attendees to the traditional Army-Navy football game on Saturday. Later on, Shop.org coined the term Cyber Monday as a way for online retailers to participate in the Black Friday shopping frenzy.
Since the beginning of these two massive shopping holidays, both have seen incredible growth as more shoppers are turning to the Internet to participate in holiday bargain hunting. In the US, consumers reportedly spent $10.8 billion online on Black Friday 2024, a 10.2% increase from 2023, while Cyber Monday brought in a record $13.3 billion.
The uptick in online shopping activity provides cybercriminals the perfect opportunity to disrupt shoppers’ holiday activities and compromise their online security. During this festive season, it is best to take proactive measures to safeguard your digital presence.
Historically, Black Friday was initially focused on in-store shopping, while Cyber Monday centered on online deals. As such, each shopping event presented its own cyber risks:
As retailers embrace both in-store and online platforms, cyber fraudsters are blurring the lines to take their scams to both domains.
With the surge in online shopping during both shopping holidays, cybercriminals are also on high alert, crafting sophisticated scams to trick unsuspecting shoppers. It’s essential to approach every email or text message suspiciously, checking the sender’s information and avoiding clicking on unsolicited links.Thankfully, there are steps you can take to protect yourself when shopping online during Black Friday and Cyber Monday.
One of the most effective ways to protect your financial data is to avoid entering your actual debit or credit card number directly on websites. Instead, use payment methods that act as a buffer. Virtual credit cards, offered by many banks and privacy services, generate a unique, temporary card number for a single transaction or vendor, making your real account information useless to thieves if a site is breached.
Similarly, digital wallets such as PayPal, Apple Pay, and Google Pay use tokenization to mask your card details. When using browser extensions for coupons, be cautious. Only install trusted extensions and check their permissions.
Everyone wants to find the best price, but be wary of how you track those Black Friday deals. While some deal-tracking apps and browser extensions are helpful, others are privacy nightmares, requesting broad permissions to read all your browsing data.
Before installing any price tracker, carefully review the permissions it requests. Better yet, use well-known, reputable services or set up price alerts directly on major retail websites. Before you download any new app to your phone or computer, use a security solution with a safe-app check feature to ensure it doesn’t contain malware or spyware.
Keeping your digital data and identity safe during the holiday shopping fever might be the best gift you could give yourself and your family. Consider these top features:
Shopping for Cyber Monday deals on your phone can be convenient, but it requires extra caution. The biggest pitfall is using unsecured public Wi-Fi networks in places like coffee shops or malls, allowing criminals to intercept your data.
Another major threat is fraudulent shopping apps designed to steal your information. For another layer of protection, use mobile wallets like Apple Pay or Google Pay as they use tokenization to process payments without exposing your actual card number.
They can be, but social media is also rife with scams. Instead of clicking links in ads, go directly to the retailer’s official website to find the deal. Scammers often create fake storefronts on social platforms to steal your money and data.
Yes, many retailers start their Cyber Monday deals during the Black Friday weekend or earlier. However, be cautious of unsolicited emails announcing “early access.” Always verify these offers on the retailer’s actual website, as this is a common phishing tactic.
Only use QR codes from trusted sources. Criminals can place malicious QR code stickers over legitimate ones, redirecting you to a phishing site. When in a store, confirm the QR code is legitimate with an employee. When shopping online, only scan codes on a retailer’s official site or app.
Do not click any links in the email or text message. Scammers send fake shipping alerts to get you to click on malicious links or provide personal information. Instead, go to the retailer’s website and use your official order number to track your package directly.
Black Friday and Cyber Monday are prime opportunities for consumers to snag once-a-year deals and for cybercriminals to exploit their eagerness to save. However, being aware of the prevalent scams and knowing how to protect yourself can save you from falling prey to these ploys.
One effective way to do so is by investing in top-tier online protection solutions. McAfee offers award-winning cybersecurity solutions developed to shield you from the ever-evolving threats. Explore the features of our McAfee+ Ultimate and Total Protection plans and stay informed about the latest cyber threats with McAfee Labs.
Always strive to shop wisely and stay safe, and remember that if an offer seems too good to be true, it probably is.
The post Secure Your Black Friday & Cyber Monday Purchases appeared first on McAfee Blog.
The value of Bitcoin has had its ups and downs since its inception in 2013, but its recent skyrocket in value has created renewed interest in this virtual currency. The rapid growth of this alternative currency has dominated headlines and ignited a cryptocurrency boom that has consumers everywhere wondering how to get a slice of the Bitcoin pie. For those who want to join the craze without trading traditional currencies like U.S. dollars (i.e., fiat currency), a process called Bitcoin mining is an entry point. However, Bitcoin mining poses a number of security risks that you need to know.
Mining for Bitcoin is like mining for gold—you put in the work and you get your reward. But instead of back-breaking labor, you earn the currency with your time and computer processing power. Miners, as they are called, essentially maintain and secure Bitcoin’s decentralized accounting system. Bitcoin transactions are recorded in a digital ledger called a blockchain. Bitcoin miners update the ledger by downloading a special piece of software that allows them to verify and collect new transactions. Then, they must solve a mathematical puzzle to secure access to add a block of transactions to the chain. In return, they earn Bitcoins, as well as a transaction fee.
As the digital currency has matured, Bitcoin mining has become more challenging. In the beginning, a Bitcoin user could mine on their home computer and earn a good amount of the digital currency, but these days the math problems have become so complicated that it requires a lot of expensive computing power. This is where the risks come in. Since miners need an increasing amount of computer power to earn Bitcoin, some have started compromising public Wi-Fi networks so they can access users’ devices.
One example of this security breach happened at a coffee shop in Buenos Aires, which was infected with malware that caused a 10-second delay when logging in to the cafe’s Wi-Fi network. The malware authors used this time delay to access the users’ laptops for mining. In addition to public Wi-Fi networks, millions of websites are being compromised to access users’ devices for mining. When an attacker loads mining software onto devices without the owner’s permission, it’s called a cryptocurrency mining encounter or cryptojacking.
It’s estimated that 50 out of every 100,000 devices have encountered a cryptocurrency miner. Cryptojacking is a widespread problem and can slow down your device; though, that’s not the worst that can happen. Utility costs are also likely to go through the roof. A device that is cryptojacked could have 100 percent of its resources used for mining, causing the device to overheat, essentially destroying it.
Now that you know a little about mining and the Bitcoin security risks associated with it, here are some tips to keep your devices safe as you monitor the cryptocurrency market:
The post Bitcoin Security: Mining Threats You Need to Know appeared first on McAfee Blog.
This blog was also published by APNIC.
With so much traffic on the global internet day after day, it’s not always easy to spot the occasional irregularity. After all, there are numerous layers of complexity that go into the serving of webpages, with multiple companies, agencies and organizations each playing a role.
That’s why when something does catch our attention, it’s important that the various entities work together to explore the cause and, more importantly, try to identify whether it’s a malicious actor at work, a glitch in the process or maybe even something entirely intentional.
That’s what occurred last year when Internet Corporation for Assigned Names and Numbers staff and contractors were analyzing names in Domain Name System queries seen at the ICANN Managed Root Server, and the analysis program ran out of memory for one of their data files. After some investigating, they found the cause to be a very large number of mysterious queries for unique names such as f863zvv1xy2qf.surgery, bp639i-3nirf.hiphop, qo35jjk419gfm.net and yyif0aijr21gn.com.
While these were queries for names in existing top-level domains, the first label consisted of 12 or 13 random-looking characters. After ICANN shared their discovery with the other root server operators, Verisign took a closer look to help understand the situation.
One of the first things we noticed was that all of these mysterious queries were of type NS and came from one autonomous system network, AS 15169, assigned to Google LLC. Additionally, we confirmed that it was occurring consistently for numerous TLDs. (See Fig. 1)
Although this phenomenon was newly uncovered, analysis of historical data showed these traffic patterns actually began in late 2019. (See Fig. 2)
Perhaps the most interesting discovery, however, was that these specific query names were not also seen at the .com and .net name servers operated by Verisign. The data in Figure 3 shows the fraction of queried names that appear at A-root and J-root and also appear on the .com and .net name servers. For second-level labels of 12 and 13 characters, this fraction is essentially zero. The graphs also show that there appears to be queries for names with second-level label lengths of 10 and 11 characters, which are also absent from the TLD data.
The final mysterious aspect to this traffic is that it deviated from our normal expectation of caching. Remember that these are queries to a root name server, which returns a referral to the delegated name servers for a TLD. For example, when a root name server receives a query for yyif0aijr21gn.com, the response is a list of the name servers that are authoritative for the .com zone. The records in this response have a time to live of two days, meaning that the recursive name server can cache and reuse this data for that amount of time.
However, in this traffic we see queries for .com domain names from AS 15169 at the rate of about 30 million per day. (See Fig. 4) It is well known that Google Public DNS has thousands of backend servers and limits TTLs to a maximum of six hours. Assuming 4,000 backend servers each cached a .com referral for six hours, we might expect about 16,000 queries over a 24-hour period. The observed count is about 2,000 times higher by this back-of-the-envelope calculation.
From our initial analysis, it was unclear if these queries represented legitimate end-user activity, though we were confident that source IP address spoofing was not involved. However, since the query names shared some similarities to those used by botnets, we could not rule out malicious activity.
These findings were presented last year at the DNS-OARC 35a virtual meeting. In the conference chat room after the talk, the missing piece of this puzzle was mentioned by a conference participant. There is a Google webpage describing its public DNS service that talks about prepending nonce (i.e., random) labels for cache misses to increase entropy. In what came to be known as “the Kaminsky Attack,” an attacker can cause a recursive name server to emit queries for names chosen by the attacker. Prepending a nonce label adds unpredictability to the queries, making it very difficult to spoof a response. Note, however, that nonce prepending only works for queries where the reply is a referral.
In addition, Google DNS has implemented a form of query name minimization (see RFC 7816 and RFC 9156). As such, if a user requests the IP address of www.example.com and Google DNS decides this warrants a query to a root name server, it takes the name, strips all labels except for the TLD and then prepends a nonce string, resulting in something like u5vmt7xanb6rf.com. A root server’s response to that query is identical to one using the original query name.
Now, we are able to explain nearly all of the mysterious aspects of this query traffic from Google. We see random second-level labels because of the nonce strings that are designed to prevent spoofing. The 12- and 13-character-long labels are most likely the result of converting a 64-bit random value into an unpadded ASCII label with encoding similar to Base32. We don’t observe the same queries at TLD name servers because of both the nonce prepending and query name minimization. The query type is always NS because of query name minimization.
With that said, there’s still one aspect that eludes explanation: the high query rate (2000x for .com) and apparent lack of caching. And so, this aspect of the mystery continues.
Even though we haven’t fully closed the books on this case, one thing is certain: without the community’s teamwork to put the pieces of the puzzle together, explanations for this strange traffic may have remained unknown today. The case of the mysterious DNS root query traffic is a perfect example of the collaboration that’s required to navigate today’s ever-changing cyber environment. We’re grateful and humbled to be part of such a dedicated community that is intent on ensuring the security, stability and resiliency of the internet, and we look forward to more productive teamwork in the future.
The post More Mysterious DNS Root Query Traffic from a Large Cloud/DNS Operator appeared first on Verisign Blog.
The Domain Name System has provided the fundamental service of mapping internet names to addresses from almost the earliest days of the internet’s history. Billions of internet-connected devices use DNS continuously to look up Internet Protocol addresses of the named resources they want to connect to — for instance, a website such as blog.verisign.com. Once a device has the resource’s address, it can then communicate with the resource using the internet’s routing system.
Just as ensuring that DNS is secure, stable and resilient is a priority for Verisign, so is making sure that the routing system has these characteristics. Indeed, DNS itself depends on the internet’s routing system for its communications, so routing security is vital to DNS security too.
To better understand how these challenges can be met, it’s helpful to step back and remember what the internet is: a loosely interconnected network of networks that interact with each other at a multitude of locations, often across regions or countries.
Packets of data are transmitted within and between those networks, which utilize a collection of technical standards and rules called the IP suite. Every device that connects to the internet is uniquely identified by its IP address, which can take the form of either a 32-bit IPv4 address or a 128-bit IPv6 address. Similarly, every network that connects to the internet has an Autonomous System Number, which is used by routing protocols to identify the network within the global routing system.
The primary job of the routing system is to let networks know the available paths through the internet to specific destinations. Today, the system largely relies on a decentralized and implicit trust model — a hallmark of the internet’s design. No centralized authority dictates how or where networks interconnect globally, or which networks are authorized to assert reachability for an internet destination. Instead, networks share knowledge with each other about the available paths from devices to destination: They route “by rumor.”
Under the Border Gateway Protocol, the internet’s de-facto inter-domain routing protocol, local routing policies decide where and how internet traffic flows, but each network independently applies its own policies on what actions it takes, if any, with data that connects through its network.
BGP has scaled well over the past three decades because 1) it operates in a distributed manner, 2) it has no central point of control (nor failure), and 3) each network acts autonomously. While networks may base their routing policies on an array of pricing, performance and security characteristics, ultimately BGP can use any available path to reach a destination. Often, the choice of route may depend upon personal decisions by network administrators, as well as informal assessments of technical and even individual reliability.
Two prominent types of operational and security incidents occur in the routing system today: route hijacks and route leaks. Route hijacks reroute internet traffic to an unintended destination, while route leaks propagate routing information to an unintended audience. Both types of incidents can be accidental as well as malicious.
Preventing route hijacks and route leaks requires considerable coordination in the internet community, a concept that fundamentally goes against the BGP’s design tenets of distributed action and autonomous operations. A key characteristic of BGP is that any network can potentially announce reachability for any IP addresses to the entire world. That means that any network can potentially have a detrimental effect on the global reachability of any internet destination.
Fortunately, there is a solution already receiving considerable deployment momentum, the Resource Public Key Infrastructure. RPKI provides an internet number resource certification infrastructure, analogous to the traditional PKI for websites. RPKI enables number resource allocation authorities and networks to specify Route Origin Authorizations that are cryptographically verifiable. ROAs can then be used by relying parties to confirm the routing information shared with them is from the authorized origin.
RPKI is standards-based and appears to be gaining traction in improving BGP security. But it also brings new challenges.
Specifically, RPKI creates new external and third-party dependencies that, as adoption continues, ultimately replace the traditionally autonomous operation of the routing system with a more centralized model. If too tightly coupled to the routing system, these dependencies may impact the robustness and resilience of the internet itself. Also, because RPKI relies on DNS and DNS depends on the routing system, network operators need to be careful not to introduce tightly coupled circular dependencies.
Regional Internet Registries, the organizations responsible for top-level number resource allocation, can potentially have direct operational implications on the routing system. Unlike DNS, the global RPKI as deployed does not have a single root of trust. Instead, it has multiple trust anchors, one operated by each of the RIRs. RPKI therefore brings significant new security, stability and resiliency requirements to RIRs, updating their traditional role of simply allocating ASNs and IP addresses with new operational requirements for ensuring the availability, confidentiality, integrity, and stability of this number resource certification infrastructure.
As part of improving BGP security and encouraging adoption of RPKI, the routing community started the Mutually Agreed Norms for Routing Security initiative in 2014. Supported by the Internet Society, MANRS aims to reduce the most common routing system vulnerabilities by creating a culture of collective responsibility towards the security, stability and resiliency of the global routing system. MANRS is continuing to gain traction, guiding internet operators on what they can do to make the routing system more reliable.
Routing by rumor has served the internet well, and a decade ago it may have been ideal because it avoided systemic dependencies. However, the increasingly critical role of the internet and the evolving cyberthreat landscape require a better approach for protecting routing information and preventing route leaks and route hijacks. As network operators deploy RPKI with security, stability and resiliency, the billions of internet-connected devices that use DNS to look up IP addresses can then communicate with those resources through networks that not only share routing information with one another as they’ve traditionally done, but also do something more. They’ll make sure that the routing information they share and use is secure — and route without rumor.
The post Routing Without Rumor: Securing the Internet’s Routing System appeared first on Verisign Blog.
Login