Cybercriminal minds: How holiday hackers will steal your online identity in Singapore

The size of the Singapore online shopping market reached S$1.1 billion in 2010 and is forecast to hit S$4.4 billion in 2015, according to recent PayPal research. 

The same study showed that nearly half (46 per cent) of Singapore’s 1.8 million online shoppers made purchases on Black Friday and Cyber Monday (23 and 26 November), spending an average of nearly S$100 per shopper. 

The survey also found that Singapore’s online shoppers are expected to shop online 15 times during this year’s festive season, expecting to save an average of three hours each time, versus going to brick-and-mortar shops. 

Unfortunately, throughout the 2012 holiday shopping season, cybercriminals are expected to unleash a variety of old and new Internet-based scams to steal identities and hijack online accounts.

So, what are some of the key techniques used by cybercriminals to steal online shoppers’ identities and valuable data or cheat them with fraudulent scams?

First, online shoppers need to be aware of cybercriminals’ motives and techniques.  

Cybercriminals are mostly motivated financially, with an interest in scamming users into paying for goods that they will never receive or stealing credit card details, authentication details (e.g. usernames and passwords for banking and payment sites) and personal details for use in other fraud.

Second, attackers target not only online shoppers as individuals, but also the institutions that these shoppers visit.  To target individuals, attackers can use a variety of techniques, such as:

1.     Advertising goods and services online, accepting payment, but never delivering these goods

2.     Sending out phishing emails that drive users to sites that have the same look and feel as legitimate sites, but are imitations designed only to steal user data

3.     Installing malicious software onto unsuspecting users' computers to capture sensitive data as users enter it into e-commerce sites

Unfortunately, these personal attacks are more likely to succeed, as individuals tend to have less information-security awareness and defences than institutions.  At the same time, such attacks can be more difficult to execute as they call for the compromise of many individuals, one at a time, in order to work. 

To target institutions, attackers usually focus on vulnerabilities within the e-commerce infrastructure of the institution.  Flaws that allow for SQL injection and weaknesses in file-upload functionality enable attackers to compromise e-commerce sites and mine the data stored on those sites. 

Even if an institution is not storing sensitive information, attackers are often able to gather what data is there by hacking into the site and making changes to the institution’s software.

Predictably, according to the same PayPal research, almost half of Singapore’s online shoppers (43 per cent) will choose smartphones and tablets to shop online during this holiday season, compared to laptops (37 per cent) and desktops (20 per cent).  

At this point in time, shoppers may actually be more secure shopping on a smartphone or tablet, as there is less malware and fewer attackers targeting users on these platforms.  However, this is expected to change in the coming years as these platforms become increasingly popular.

Unfortunately, several controls that have helped mobile users protect themselves online in the past are no longer effective. 

For example, most users know they should check for the "padlock" icon to confirm secure connection to an e-commerce site.  They also know they should check the URL to ensure that they are sending their data to an authentic site. 

However, these tips no longer apply for mobile devices.   

The smaller screen size of mobile devices means that application designers have had to be very deliberate in deciding what to display onscreen.  This has led to sacrifices resulting in a reduced amount of security feedback given to users. 

As a result, some types of attacks, including phishing attacks, are actually easier for an attacker to execute successfully if their target is on a mobile device.