Fortinet warns of festive shopping scams

Security company Fortinet is warning online shoppers to be wary in the festive season. The company reports a new trend in online scams that manipulate search results to send unwary shoppers to bogus sites.

The scam, which has been detected in a number of websites so far, target popular search engines, using Search Engine Optimization (SEO) a process which exploits the way search engines collect data and rank sites in order to make the bogus sites appear as popular results for searches.

In the most recently discovered examples, a network of sites used Christmas shopping related terms to try to misdirect online shoppers to sites that would attempt a ‘drive-by' installation of malware, with a variable payload. The sites only attacked shoppers using Internet Explorer, redirecting other browser users, and could also only be accessed through search referral, rather than accessed directly, to hamper security researchers.

Guillaume Lovet, threat response manager at Fortinet EMEA commented: "Basically what these sites are doing is abusing the Google algorithm, through loading sites with lots of pages, all with keywords relating to Christmas, so when [a user] entered ‘Christmas' into the search engine, these malicious sites would be in one of the first positions.

"It is interesting in the sense that when Christmas approaches, or other occasions, we usually see scam email trying to get people to click on fake sites, that are either selling bogus items or simply stealing credit card numbers," he added. "Usually what we advise is don't respond to unsolicited mail - now that advice is not as valid anymore, so it changes what threats people have to focus on." Fortinet has issued new advise to online shoppers, including:

• Never follow unsolicited links as suggested by a third party, including links from email, instant messaging or links posted to blogs or wikis
• Have an effective anti-spam, web-filtering and anti-virus solutions, or a Unified Threat Management system in place
• ‘Pick before you click' Users should think before clicking on any link, and be aware of links attempting to pass themselves off as well-known sites by using typos or odd sub-domains
• Never give out personal information such as credit card or passwords at the request of a third party
• When giving out personal information, know your vendor. Ensure it is a trusted source and over a secure connection (ie: SSL & HTTPS) when submitting data