Black Friday and Cyber Monday holiday shoppers using smartphones should beware of fake commerce apps and fake Wi-Fi hot spots inside malls, two security firms have warned.
Hackers use these fakes to grab account numbers and sensitive personal information.
"Cyber criminals are increasing our risk of using mobile devices while shopping, whether it is Black Friday or Cyber Monday," warned Brian Duckering, mobility strategist for Skycure, an enterprise security firm, in a blog. "Going to physical stores and connecting to risky Wi-Fi networks, or shopping online both pose increasing risks we should all be aware of."
Skycure, a security company started in 2012, and enterprise security firm RiskIQ said that the smartphone risk is higher this year than in 2015. There are more active cyber criminals and many more shoppers using smartphones to find products and make purchases, either via Wi-Fi in stores or online in other locations.
RiskIQ predicted nearly 30% of spending on Black Friday and Cyber Monday will take place on mobile devices. Meanwhile, Skycure cited several analysts who predicted three times as many mobile payments will be conducted in 2016 compared to 2015. Online shopping from all venues totaled $5.8 billion on Black Friday and Cyber Monday in 2015, according to the Adobe Digital Index.
The rapid increase in mobile e-commerce is not only because of the increased number of mobile users, but also the increase in minutes spent on a smartphone every day as opposed to a laptop or desktop, said Varun Kohli, vice president of marketing at Skycure, in an interview. "If I'm a hacker I want to maximize my investment and go where the masses are, and the masses are on mobile phones," he said.
Many smartphone users compare prices and evaluate products while shopping inside a physical store, which means they are probably connected to a Wi-Fi network. Often, stores and malls offer Wi-Fi for the convenience of customers, but cyber criminals also set up fake Wi-Fi hotspots to be able to steal data.
Sometimes the cyber thieves monitor consumer communications over legitimate Wi-Fi hotspots that haven't been properly configured and expose a user's communications openly, Skycure said.
When shopping online anywhere, users need to be aware that hackers have set up fake store apps that look like legitimate ones, usually enticing smartphone users with deals and rewards, Skycure added.
Based on its own security tests of the nation's busiest malls, Skycure named 10 U.S. physical malls where it found at least five risky Wi-Fi networks to avoid. Fashion Show Mall in Las Vegas was judged the most risky for mobile shoppers, with 14 Wi-Fi networks that were found to be malicious or risky to connect to, based on the hacker signatures Skycure found on them.
Tysons Corner Center in McLean, Va., just west of Washington, was judged second by Skycure for risky Wi-Fi networks. The remaining eight malls named in the report are: Yorktown Center in Lombard, Ill.; Town Center at Boca Raton in Boca Raton, Fla ; Sawgrass Mills in Sunrise, Fla.; Mall of America in Bloomington, Minn.; Houston Galleria in Houston, Texas; King of Prussia Mall in King of Prussia, Pa.; Westfield Garden State in Paramus, N.J.; and Memorial City Mall in Houston, Texas.
Skycure said hackers also use man-in-the-middle exploits on poorly secured but legitimate Wi-Fi networks to gain access to user data. A hacker will observe unencrypted traffic or even manipulate the content the victim sees online to redirect the user to a malicious website or to download malware.
When a hacker sets up a fake Wi-Fi network, the hacker will mimic a legitimate network, often using the same name. Hackers might set up a network that uses the word "free" in the name to lure victims, Skycure said. Even short access to a malicious network may give a hacker enough information to later access bank accounts, social media accounts or corporate accounts.
Skycure found fake Wi-Fi networks at these shopping centers: Macysfreewifi at Park Meadows mall in Denver and at the Waterfront mall in Pittsburgh and in other places where there was no Macy's store; Belk_Guest in Columbiana center in North Carolina; Apple Store, in multiple locations where there was no Apple Store; Bloomingdalesfreewifi at Liberty Place in Philadelphia; officedepot in Magnolia Shops near Miami; and Panera near Baltimore.
Skycure warned in a white paper: "If you see a Wi-Fi that is named as if it is hosted by a store, but that store is nowhere nearby, don't connect." Also, Wi-Fi hotspots that use the term "free" like "FreePublicWiFi" are dubious.
For online shoppers using commerce apps, Skycure said hackers will sometimes repackage legitimate apps so the fake app looks exactly like the real one. The fake app works in the background to steal data or spy on the user. The security firm found a repackaged version of a Starbucks app, for example, and said users can avoid the problem by installing the official app from the Apple and Google app stores.
Or, hackers will create fake apps from scratch. One hacker created an app called "Amazon Rewards" even though no such apps exists in the official app stores, Skycure found. Such fake apps promise rewards to get people to download the apps. With the fake Amazon Rewards app, Skycure found it was actually a trojan that spreads by using SMS messages with fake Amazon vouchers and a link to a fake website. It even accesses the user's contact list so that it can send SMS messages to even more people.
In a separate report on Monday, RiskIQ found more than 1,000 Black Friday-specific apps that were malicious or that could be used to trick a user into downloading malware or giving up login credentials or credit card information.
RiskIQ also found that of the biggest five leading e-commerce brands, there were more than 1 million apps that RiskIQ have been blacklisted that were using the brands in the title of app or the description of the app. That 1 million "is a huge number but we monitor hundreds of online stores and millions of apps," said James Pleger, director of security and threat research at RiskIQ, in an interview.
Many of the blacklisted apps can be found in hundreds of third-party app stores outside of the Apple and Google app stores that don't have the most rigid requirements for banning malicious apps, he said.
RiskIQ also found that the five major e-commerce brands were connected to nearly 2,000 blacklisted URLs that contained their branded names and the words "Black Friday" that RiskIQ linked to phishing, malware or spam.
RiskIQ creates its blacklists by collecting data via scanning, crawling and sensing internet traffic on mobile apps, web pages and social websites. The company runs apps in sandboxes to see how they behave and then looks at underlying code for malicious code tied to known hacker signatures.
Skycure developed its list of fake Wi-Fi zones in malls by checking the Wi-Fi networks used by its tens of thousands of enterprise and consumer end users in millions of monthly security tests from July through September. All those users had installed a free Skycure app, available for both consumers and enterprise customers to download from Google Play or Apple App Store or at www.skycure.com.
Both companies issued tips for how consumers can protect themselves against fake apps and fake Wi-Fi.
To guard against fake or insecure apps they recommend:
- Download apps only from Google and Apple official app stores.
- Beware of apps that ask for suspicious permissions like access to contacts, text messages, stored password or credit card information.
- Be skeptical of favorable reviews for apps, since rave reviews can be forged. Also examine the developer of the app to see if the app comes from an unusual developer or if the app description uses quirky spelling or poor grammar. A Google search will tell more about the developer.
- Read the warnings on your device and don't click "Continue" if you don't understand the exposure level.
- Update your device to the most current operating system.
- Disconnect from the network if your phone behaves oddly, has frequent crashes or receives a warning notice.
- When visiting shopping sites on the web, look for the "s" in HTTPS when you visit; without the S there could be weak encryption.
To protect against fake and insecure Wi-Fi:
- Avoid "free Wi-Fi networks" since 10% of malicious networks use the word "free" in their name.
- If a Wi-Fi zone is named as if it is hosted by a store and the store isn't nearby, don't connect.
Skycure has posted a handy tool on its website to help users identify mobile threats at any destination.
Experts also urged consumers to use common sense. RiskIQ's Pleger suggested the age-old maxim:"If it sounds too good to be true, it probably is."
One independent analyst, Jack Gold at J. Gold Associates, noted that both RiskIQ and Skycure sell cybersecurity services and products to enterprises and have a financial stake in drawing attention to risky Wi-Fi and apps. For connecting to free Wi-Fi, he said that there isn't much of a threat in doing a search or getting directions because a user isn't passing important confidential information.
"However, if you are connected to a malicious network and you log in to a website or into an app that sends your credentials in the clear, then, yes, this could be compromised," Gold said. "Many apps now use a VPN tunnel that encrypts data but not all do. If you download a malicious app, all bets are off whether you get them from a malicious Wi-Fi network or click and download in the app store."