6 hacker scams targeting holiday consumers

Cybercriminals love the Christmas season, not only because people are shopping more — spreading their card numbers willy-nilly across the World Wide Web and the often insecure networks of physical stores — but also because shoppers are overburdened and stressed out. This latter factor makes them an easier target for “social engineering” holiday scams, ranging from phishing emails to phone fraud.

Just as big-box retailers count on Christmas to keep their companies in the black, so too do many criminal gangs, and they have no shortage of tricks for doing so.

Here are the top holiday scams to watch out for this season:

Formjacking

It is a common assumption that if a website has a tiny padlock symbol in the address bar, it must be safe. True? Well, not exactly.

One attack which you could say exploits this trust is “formjacking” (also known as a digital card skimmer).

Most Santas are just a guy in a suit, and like holiday scams, they come in all shapes and sizes. (Photo: INTRO/Peter Himsel/ullstein bild via Getty Images)

Formjacking involves compromising the checkout page of a legitimate retailer by slipping in through the back-end platform or supply chain. A malicious script hides on the page and waits for the visitor to type information into the order form, such as the credit card number. It instantly scoops this information up and sends it back to the hacker — even before the person clicks the ‘complete order’ button to process the transaction.

More criminal groups are now using this attack, according to reports by RiskIQ and Symantec. Dozens of sites are believed to have been compromised, including well-known brands like Ticketmaster, SteinMart, Newegg, British Airways and the widely used rating service Shopper Approved.

Fake e-tailers

Scammers often spoof well-known retailers to steal their customers’ account logins or to infect them with malware.

Cybercriminals have become very adept at imitating prominent brands, so don’t think you’ll always be able to tell a fake website from a real one. Scammers will also use “keyword stuffing” and other tricks to get a fake site to pop up in search engine results during the holidays, further enhancing its credibility. They will also promote fake sites via social media campaigns, bogus online deals and coupons, and phishing emails.

The best way to tell if a retailer has been spoofed is to look at the URL. Generally speaking, hackers can’t use the retailer’s actual web address, so they will try to imitate it instead. One common trick is to replace certain letters with numbers (the numerals “0” and “1” look very similar to the letters “o” and “l”). See how easily this blends in: Kohls(dot)com becomes Koh1s(dot)com.

Holiday scams come in the form of internet tricks these days. (Photo: REUTERS/Eduardo Munoz)

Another popular tactic is called “combosquatting.” This is when a hacker adds words or punctuation to the retailer’s real web address in order to change the actual domain. For example: Macys(dot)com could be changed to deals-Macys(dot)com, Macysdeals(dot)com or Macys(dot)deals(dot)com, each of which is a new, non-Macy’s domain.
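The two lookalike tricks above (digit-for-letter swaps and combosquatting) are mechanical enough to screen for automatically, for instance in a mail or URL filter. The following checker is an added example written for this page, not code from the article; the protected-brand list, the confusable-character table and the two-label domain rule are assumptions, and a real deployment would use a public suffix list for the last step.

```python
import re

# Constructed sample of brands to protect, mapped to their real registrable domain.
PROTECTED_BRANDS = {"kohls": "kohls.com", "macys": "macys.com"}

# Digit-to-letter confusables. 0/o and 1/l are the ones the article names;
# 3/e and 5/s are added here as an assumption.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def split_host(url_or_host):
    """Normalize a URL or host (including the article's '(dot)' spelling) into
    (registrable_domain, labels). Assumes a plain two-label suffix such as
    '.com'; use a public suffix list for '.co.uk'-style suffixes."""
    host = url_or_host.strip().lower().replace("(dot)", ".")
    host = re.sub(r"^[a-z]+://", "", host)          # drop scheme
    host = host.split("/")[0].split(":")[0]         # drop path and port
    labels = host.split(".")
    return ".".join(labels[-2:]), labels


def classify_hostname(url_or_host):
    """Return (verdict, brand) where verdict is one of
    'legit', 'lookalike', 'combosquat' or 'unknown'."""
    reg, labels = split_host(url_or_host)
    sld = reg.split(".")[0]                          # second-level label
    for brand, real in PROTECTED_BRANDS.items():
        if reg == real:
            return "legit", brand
    # Lookalike: after undoing digit swaps the label IS the brand, but the
    # registrable domain is not the real one (koh1s.com, macys.net).
    normalized = sld.translate(CONFUSABLES)
    for brand, real in PROTECTED_BRANDS.items():
        if normalized == brand and reg != real:
            return "lookalike", brand
    # Combosquat: the brand is embedded in a different label, or used as a
    # subdomain of someone else's domain (deals-macys.com, macys.deals.com).
    for brand in PROTECTED_BRANDS:
        if brand in sld or brand in labels[:-2]:
            return "combosquat", brand
    return "unknown", None
```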