IT Security: Holiday shopping by mobile phone? Beware fake apps and bad Wi-Fi hotspots

“Buyer beware” takes on added urgency with more smartphone purchases on Black Friday

Black Friday holiday shoppers using smartphones should beware of fake commerce apps and fake Wi-Fi hot spots inside malls, two security firms have warned.

Hackers use these fakes to grab account numbers and sensitive personal information.

“Cyber criminals are increasing our risk of using mobile devices while shopping, whether it is Black Friday,” warned Brian Duckering, mobility strategist for Skycure, an enterprise security firm, in a blog. “Going to physical stores and connecting to risky Wi-Fi networks, or shopping online both pose increasing risks we should all be aware of.”

Smartphone risk is higher this year than in 2015. There are more active cyber criminals and many more shoppers using smartphones to find products and make purchases, either via Wi-Fi in stores or online in other locations.

It has been predicted nearly 30% of spending on Black Friday will take place on mobile devices. Meanwhile several analysts predicted three times as many mobile payments will be conducted in 2016 compared to 2015. Online shopping from all venues totaled $5.8 billion on Black Friday in 2015, according to the Adobe Digital Index.

The rapid increase in mobile e-commerce is not only because of the increased number of mobile users, but also the increase in minutes spent on a smartphone every day as opposed to a laptop or desktop.

Many smartphone users compare prices and evaluate products while shopping inside a physical store, which means they are probably connected to a Wi-Fi network. Often, stores and malls offer Wi-Fi for the convenience of customers, but cyber criminals also set up fake Wi-Fi hotspots to be able to steal data.

Sometimes the cyber thieves monitor consumer communications over legitimate Wi-Fi hotspots that haven’t been properly configured and expose a user’s communications openly.

When shopping online anywhere, users need to be aware that hackers have set up fake store apps that look like legitimate ones, usually enticing smartphone users with deals and rewards.

Hackers also use man-in-the-middle exploits on poorly secured but legitimate Wi-Fi networks to gain access to user data. A hacker will observe unencrypted traffic or even manipulate the content the victim sees online to redirect the user to a malicious website or to download malware.

When a hacker sets up a fake Wi-Fi network, the hacker will mimic a legitimate network, often using the same name. Hackers might set up a network that uses the word “free” in the name to lure victims. Even short access to a malicious network may give a hacker enough information to later access bank accounts, social media accounts or corporate accounts.

For online shoppers using commerce apps, hackers will sometimes repackage legitimate apps so the fake app looks exactly like the real one. The fake app works in the background to steal data or spy on the user. The security firm found a repackaged version of a Starbucks app, for example, and said users can avoid the problem by installing the official app from the Apple and Google app stores.

Or, hackers will create fake apps from scratch. One hacker created an app called “Amazon Rewards” even though no such app exists in the official app stores. Such fake apps promise rewards to get people to download them. The fake Amazon Rewards app was actually a trojan that spreads by sending SMS messages containing fake Amazon vouchers and a link to a fake website. It even accesses the user’s contact list so that it can send SMS messages to even more people.

A separate report on Monday found more than 1,000 Black Friday-specific apps that were malicious or that could be used to trick a user into downloading malware or giving up login credentials or credit card information.

It also found that, for the five leading e-commerce brands, more than 1 million apps that used one of those brands in the app title or description had been blacklisted.

Many of the blacklisted apps can be found in hundreds of third-party app stores outside the Apple and Google app stores, stores that do not have the strict requirements for banning malicious apps that the official stores enforce.
To guard against fake or insecure apps it is recommended:

  • Download apps only from Google and Apple official app stores;
  • Beware of apps that ask for suspicious permissions, such as access to contacts, text messages, stored passwords or credit card information;
  • Be skeptical of favorable reviews for apps, since rave reviews can be forged. Also examine the developer of the app to see if the app comes from an unusual developer or if the app description uses quirky spelling or poor grammar. A Google search will tell you more about the developer;
  • Read the warnings on your device and don’t click “Continue” if you don’t understand the exposure level;
  • Update your device to the most current operating system;
  • Disconnect from the network if your phone behaves oddly, has frequent crashes or receives a warning notice;
  • When visiting shopping sites on the web, look for the “s” in HTTPS in the address; without it the connection may use weak encryption or none at all.

To protect against fake and insecure Wi-Fi:

  • Avoid “free” Wi-Fi networks, since 10% of malicious networks use the word “free” in their name;
  • If a Wi-Fi zone is named as if it is hosted by a store and the store isn’t nearby, don’t connect.
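The two Wi-Fi warning signs above (an open network with “free” in its name, and a network that mimics a legitimate one by reusing its name) can be turned into a simple check over a Wi-Fi scan. The following is an added example written for this page, not a tool from either security firm; the scan line format (`SSID,BSSID,security,signal`), the sample scan and the list of trusted BSSIDs are all constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str   # e.g. "OPEN" or "WPA2"
    signal_dbm: int


def parse_scan(text: str) -> list[AccessPoint]:
    """Parse constructed 'SSID,BSSID,security,signal' lines (assumed format)."""
    aps = []
    for line in text.strip().splitlines():
        ssid, bssid, sec, sig = [f.strip() for f in line.split(",")]
        aps.append(AccessPoint(ssid, bssid.lower(), sec.upper(), int(sig)))
    return aps


def flag_networks(aps: list[AccessPoint],
                  trusted: dict[str, set[str]] | None = None) -> dict[str, list[str]]:
    """Return {ssid: [reasons]} for networks matching the article's warning signs."""
    trusted = trusted or {}
    by_ssid: dict[str, list[AccessPoint]] = defaultdict(list)
    for ap in aps:
        by_ssid[ap.ssid].append(ap)
    flags: dict[str, list[str]] = defaultdict(list)
    for ssid, group in by_ssid.items():
        secs = {ap.security for ap in group}
        # Warning sign 1: an open network advertising itself as "free".
        if "free" in ssid.lower() and "OPEN" in secs:
            flags[ssid].append("open network with 'free' in name")
        # Warning sign 2: the same name seen with different security settings,
        # a common trace of a look-alike hotspot set up next to the real one.
        if len(secs) > 1:
            flags[ssid].append("same name seen with different security: " + "/".join(sorted(secs)))
        # Warning sign 3: a known network name broadcast from an unexpected BSSID.
        if ssid in trusted:
            unknown = {ap.bssid for ap in group} - trusted[ssid]
            if unknown:
                flags[ssid].append("unknown BSSID(s) for known network: " + ", ".join(sorted(unknown)))
    return dict(flags)


# Constructed sample scan: "MallGuest" appears twice, once open from an unknown BSSID.
SAMPLE_SCAN = """
MallGuest,aa:bb:cc:00:00:01,WPA2,-55
MallGuest,de:ad:be:ef:00:02,OPEN,-40
Free_Mall_WiFi,de:ad:be:ef:00:03,OPEN,-42
HomeRouter,11:22:33:44:55:66,WPA2,-70
"""
TRUSTED = {"MallGuest": {"aa:bb:cc:00:00:01"}}   # assumed known-good BSSID
```

Calling `flag_networks(parse_scan(SAMPLE_SCAN), TRUSTED)` flags `MallGuest` (mixed security and an unknown BSSID) and `Free_Mall_WiFi` (open and “free”), while the ordinary WPA2 network is left alone.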


Source: www.computerworld.com