In the US, the holiday season is approaching fast, with Thanksgiving a week away on 26th November. I guess most of us outside the US are aware of Thanksgiving if we work with Americans, since almost the entire country closes down on the 4th Thursday in November. (Apologies to the Canadians in the audience, who had their own Thanksgiving celebration back in October.)
However, fewer people outside the US will be aware of Black Friday (the day after Thanksgiving) and Cyber Monday (the following Monday – that’s the 30th November this year) unless they’re in global retail. Black Friday isn’t officially a holiday, but it’s taken to be the start of the Christmas shopping season because many people do get given the day off, and many big retail organizations go the extra mile with extended opening hours, in order to give customers the incentive to start spending.
Cyber Monday is, reputedly, the best day on which to get good deals for on-line customers. In fact, the identification of single days over this period with peaks in sales is flawed, and a recent article by Josh Smith suggests that “the deals are better” on Black Friday.
Nonetheless, retailers on- and offline make a big deal of Cyber Monday with one day sales and specials, as innumerable “Cyber Monday” retail sites bear witness – just try googling the term and see how many hits you get! Rather like the January sales in the UK, I guess, so it does represent an opportunity for bargains, as well as for retailers to unload substandard or obsolete goods. However, it also offers scammers of all persuasions the opportunity for some social engineering.
There is usually a spike in emails using social engineering to lure around public holidays like July 4th, “Hallmark holidays” like St. Valentine’s Day, topical events like disasters, anniversaries, and incidents related to celebrities, and even sheer works of fiction like “Paris Hilton strangled my budgie” or “Martians land in Manhattan”. For example, ESET saw an amazing spike in the numbers of malware samples received on the 4th and 5th July this year: 43% and 25% more respectively than the average for June. (The figures may even be skewed slightly by the fact that some July 4th malware was sent out prematurely because anti-malware companies spotted social engineering trends ahead of time: otherwise, there might have been more infections.)
Cyber Monday isn’t qualitatively very similar to 4th July (I’m pretty sure most people won’t exchange greetings cards on 30th November, and it certainly doesn’t have the emotional and patriotic pull of Independence Day), so we haven’t seen noticeable spikes in malware around Black Friday and Cyber Monday in previous years.
However, cybercriminals are not fussy about what hook they hang their social engineering on, and even a retail event provides extra leverage for psychological manipulation based on the victim’s urge to get a bargain. So my colleague Randy Abrams has listed some generic safety tips on the ESET blog,while I notice that Josh Smith has also followed up on his earlier post with some safety tips.
*Apologies to the late, great T-Bone Walker: http://en.wikipedia.org/wiki/Call_It_Stormy_Monday_(But_Tuesday_Is_Just_as_Bad)
David Harley CISSP FBCS CITP
Director of Malware Intelligence, ESET