The top 10 2008 holiday Web threats

The season of giving may come at a price as cybercriminals take advantage of one of the busiest online retail seasons of the year and rely upon various social engineering schemes and scams to lure unknowing users. The Top 10 2008 Holiday Threats ranked by Trend Micro’s global network of advanced threat researchers are:

10. Bargain-Hunter Scams
Discounts and special offers of popular items of the season are often used by malware authors to lure users into clicking malicious links, and enter information into specially-crafted fake sites. For example, the recent TROJ_AYFONE.A registered itself as a Browser Helper Object (BHO) on the affected system’s Internet browser to ensure execution each time you open the browser. It displayed fake advertisements about the then-newly released Apple iPhone, as well as a fake Web site of an online store where it can be bought.

9. Fake Charity Sites
Give to the Red Cross! Help hurricane Katrina victims! Cybercriminals are experts at exploiting calamities and tragedies. They also know that online users are more likely to donate to charities during the holiday season. Typically, spammers send out messages pleading recipients for donations; generous users who open the message and click on the link to donate end up robbed of confidential information.

8. Greeting Cards That Bring Bad Tidings
Electronic cards or e-cards are often used by spammers and malware authors as a lure for users to click on malicious links. This type of attack usually takes advantage of holiday seasons, when users are likely to send out e-cards that are distributed though links placed within the spammed messages or as file attachments. Clicking the link or opening the attachment then leads to malware being downloaded into the affected system.

7. Malvertisements: Malicious Advertisements
Everyone wants a good deal and cybercriminals often use online advertisements and promos to distribute malware. Advertisements placed on high-trafficked websites are often used as triggers for malware downloads. Popular sites such as Google, Expedia.com, Rhapsody.com, Blick.com, and even Myspace were rigged with malicious banner ads that contained malware.

6. Poisoned Christmas Shopping Search Results
Query results for certain strings of words can be rigged with malware. Malware authors exploit different seasons in choosing which strings will yield the malicious results. For example, in 2007, results to searches for the phrase “Christmas gift shopping” were found yielding malicious results leading to a wide variety of malware. Earlier this year, results to “Halloween costumes” were found to lead to a Rogue AV, a malware disguised to be antivirus software.

5. Compromised High-Traffic Web Sites
Cybercriminals follow the masses – they target Web sites that are popular and have high traffic, especially during the holiday season as shoppers flood online stores, auction and ecommerce sites.

4. Mining Personal Data – Bogus Gift Card Promos
Users who fill out seemingly harmless online surveys in exchange for gift cards, cash, free items or special promotions are at risk for this type of attack. A compromised survey page is actually a phishing site and is part of a plot to steal confidential information.

3. Ecommerce Phishing
Cybercriminals usually launch a phishing attack with an email message purporting to be from a trusted source but, in actuality, contains a malicious link. That link then directs the users to a “spoofed” Web site that looks real and legitimate but is fake. For example, eBay ranks among the most popular retailers; it is also the site where cybercriminals launch the most phishing attacks.

2. Bogus Courier Receipts That Deliver Trojans
Messages from popular couriers that signal package pick-up along with an invoice are infected with Trojans. Online shoppers awaiting delivery of a package are sure targets of this scam.

1. Shopping Invoices for Ghost Transactions
Fake receipts sent via email are infected with malware. When users open or click on the malicious receipt link, they are immediately vulnerable to identity theft. Even users who are not expecting an online purchase receipt may open the attachment anyway out of curiosity.