Reimagining Cyber - real world perspectives on cybersecurity

Protecting Your Business and Wallet from Cybersecurity Risks on Black Friday and Cyber Monday

November 22, 2023 Reimagining Cyber Season 1 Episode 72

Welcome to another compelling episode of the Reimagining Cyber podcast, where your knowledgeable hosts, Rob and Stan, explore the intricate landscape of Black Friday and Cyber Monday and the associated cybersecurity challenges that intensify during this festive shopping season.

Stan sheds light on the colossal scale of holiday spending, revealing that last year's Black Friday soared to an impressive 9 billion, while Cyber Monday skyrocketed to nearly 11 billion. With an astounding 197 million U.S. shoppers in the mix, the stakes are undeniably high, and the threats are alarmingly real.

The hosts pivot to the consumer side of the equation, drawing attention to the escalating sophistication of phishing emails. They caution listeners against succumbing to alluring offers that appear too good to be true and stress the paramount importance of verifying the authenticity of retail websites before divulging sensitive information.

Rob offers valuable insights into potential pitfalls for businesses, citing the recent Adobe update that addressed nine security vulnerabilities. The conversation delves into the multifaceted risks of payment fraud, ransomware attacks, and distributed denial of service (DDoS) attacks capable of disrupting e-commerce operations during this pivotal sales period.

Practical tips emerge as the hosts advocate for the crucial use of multi-factor authentication for online shopping accounts. They underscore the necessity of secure transactions facilitated by HTTPS protocols. Furthermore, Rob and Stan caution against using debit cards for online purchases and highlight the heightened risks associated with public Wi-Fi.

In summary, this episode provides not only a comprehensive understanding of the cybersecurity challenges during the holiday season but also actionable advice to navigate these threats successfully. Tune in for expert insights and safeguard your online experience during this bustling shopping period.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Rob Aragao: Well, hello everyone, and welcome to the Reimagining Cyber podcast once again with Rob and Stan joining you. In today's conversation we're going to be talking about what we're dealing with this time of the year, which is Black Friday and Cyber Monday and all of those threats that come along for the ride, Stan.

[00:00:17] Stan Wisseman: Hey Rob, you sound a little different today.

[00:00:19] Where are you?

[00:00:19] Rob Aragao: You picked up on that, didn't you? So I am in Miami. I had really, I thought, mapped out my itinerary pretty perfectly to have a meeting and then run back to my hotel room and do this recording. And so as I get to the hotel room, housekeeping is there. And I'm like, okay, great. Now, what?

[00:00:42] So I come scrambling down to the lobby area looking for a quiet spot. It is an absolute zoo down there. And so I was told hey, there's no meeting rooms available, but if you go just across the way, there's another lobby that we have that is much more of a quiet scene. I get here, it is quiet, with some [00:01:00] lovely background music that may come across, a little Frank Sinatra, Dean Martin, so it's very, very soothing.

[00:01:05] Stan Wisseman: Well, it doesn't sound bad. 

[00:01:08] Rob Aragao: Good. We might have some of that throughout the episode.  Let's talk a little bit about some of those threats. That both my business, I guess, and the consumer aspect, right, Stan, we can go over. So, so maybe you can kind of kick us off. What are some of the things we should be considering here?

[00:01:22] Stan Wisseman: Well, even before we get to that, Rob, just let's, let's talk about the scale, right? I mean, if you think about it last year, 9 billion was spent on Black Friday alone, and then close to 11 billion on Cyber Monday. And between that, you know, there were like close to 5 billion on both that Saturday and Sunday.

[00:01:44] So if you're thinking about it, that's roughly 30 billion spent, and they think there are up to 197 million shoppers here in the U.S. alone. I mean, I know, I don't know about you, but I, I personally [00:02:00] do all my Christmas shopping during that weekend. I tried to get it all done before I, you know, feel like I'm behind the curve, you know.

[00:02:08] Rob Aragao: I think it's funny though, you know, each year it seems like it goes earlier and earlier. You get all these different notifications about, Hey, Black Friday, Cyber Monday deals already happening like two weeks before we even get to the point. But, but, you know, there are all these lurking kind of concerns.

[00:02:22] So maybe we can kind of, I'll start, Stan, on the consumer side, if you don't mind, and you know, you get all these different, you know, basically it's phishing, smishing type of events occurring or attacks in a certain way occurring where here comes this great email with a deal, best deal you could ever imagine, right?

[00:02:41] It's too good to be true. And there's this temptation, go click on that link vendor that you may not know. And so, so again, you know, listen, if you don't know them, do a little research before you actually go and click on that link. These sites are getting spun up and people are putting out these different types of [00:03:00] emails and the consumer falls for that trap over and over and over again.

[00:03:03] Stan Wisseman: I think you're absolutely right. The phishing emails are getting more sophisticated. The one I have, you know, I know people, you know, are tempted to fall for are those that are trying to confirm an order. Yes. You're thinking to yourself. Did I order that? Did, did I do that? You're tempted to click on that link just to say, did I, is that something I ordered?

[00:03:24] And so, you know, in that mad rush of buying all this stuff, was that something that was on that, you know, frenzied list of things? And so you have to be careful. One of the ones that I, I think you need to be aware of as well is just, you know, you have to be very careful about the websites.

[00:03:40] Verifying that the retail website is legit and they're shopping on the, on the real site because, you know, cyber criminals will often, you know, put up a mirror site that, you know, looks very similar to what the legitimate company site looks like. But you really do need to check the URL.

[00:04:00] And look for signs of authenticity to make sure that it truly is the site before you start putting in your credit card information. 

[00:04:06] Rob Aragao: You know, another kind of play on that is also where you get these pages, landing pages, basically, that it's for a fake browser update. So you're, you're redirected because, Hey, listen, your browser's not up to date.

[00:04:18] It's got this, you know, missing security patch as an example. No, no, browsers don't update like that. Right. So, so listen, you know, like as an example, a Google Chrome, take a look on the top right hand corner. You'll see if there's an update that you require or not. Right. So don't, don't fall for those types of, you know, kind of misdirections as well.

[00:04:35] Stan Wisseman: But I do recommend that you go ahead and do your software updates. Yes. So, you know, don't be prompted by an email or something that is actually causing you to do the update and fall for that trick, but go ahead and ensure that you are up to date to ensure that you're, you're not falling for any kind of recent vulnerabilities.

[00:04:53] You know, another thing to be aware of, and we all love gift cards. But sometimes these gift cards are [00:05:00] Trojan horse as it were, right? And not a classic definition of our cybersecurity Trojan horse as much as they're fake. And, you know, these fake cards will not work when you try to use them. But you may be trying to, you may have to, you know, done something to give money to somebody to get the card.

[00:05:18] And it looks like it's too good of a deal. 

[00:05:20] Rob Aragao: Yeah, it's a, it's a two for one deal. It's a three for one deal, right? Give me this, you know, 25 and you're going to get 50 or 75 back in the amount for that gift card. You're right. You're right. Hey, you know, another one talking about updates which was interesting kind of on the business side.

[00:05:35] Is I think it was around the middle of October, actually. So Adobe, you know, published a big update and saying, Hey, listen, make sure that you update the Adobe Ecom software. Because there are about nine vulnerabilities, security vulnerability patches available within there. So telling, you know, again, the business side to, again, ensure that their side is updated with the right security controls.

[00:05:58] Because again, it's a busy [00:06:00] time of the year, right? This, this is where you see all these different organizations relying heavily on major revenue streams coming through. Literally going into a freeze, locking things down, you know, back in the beginning of the month of November, all the way through into January.

[00:06:12] So again, it's a great job from Adobe in this case, actually getting the communication out to their customers, ensuring that they're updating their own software platforms that run the Adobe e-commerce solutions on them and being ahead of the curve of what's coming for their, their timing of the year.

[00:06:26] That's most critical.

[00:06:26] Stan Wisseman: No, you're absolutely right. Hey, you know, another thing just, and this should be obvious nowadays, but it may not. I think everyone should be using, you know, multi factor authentication, two factor authentication for their online shopping accounts. And it just helps ensure that you're, if you happen to be, you know, in a public Wi-Fi or some way exposing, you know, yourself, you're mitigating some of the threats.

[00:06:55] By having a stronger authentication approach. And so, you know, take advantage [00:07:00] of those two factor authentication opportunities at these online shopping sites. 

[00:07:04] Rob Aragao: You can't say it enough, right? We continuously are talking about the need for multi factor authentication, but you're absolutely right to ensure that, you know, the vendors that you're typically doing business with, they very likely have

[00:07:16] multi factor authentication, there is an option to turn on. Go ahead, make sure you go look for that and turn it on. The other thing, Stan, but I was just thinking, you know, being that I'm traveling right now and you look for these, like, you know, geez, I got to get access right in the moment, right? Avoiding those public Wi-Fi connection points.

[00:07:34] There's always a major risk associated with those too.

[00:07:35] Stan Wisseman: Hey, we've talked about the consumer side. Do you want to pivot over to the business side?

[00:07:41] Rob Aragao: Yeah, I think the Adobe example is one, right? That is definitely more on the business side because it's their businesses that they are, are, are, you know, leveraging the solutions to create their e commerce platforms for the consumer to go ahead and transact with.

[00:07:55] The other thing too is, you know, it's back to the consumer as well. But again, [00:08:00] more so on the business risk is payment fraud, right? And there's so many different angles on what can happen there. But again, you know, just, just submitting what looks like you know, valid type of form of payment. And not having the right kind of control mechanisms in place to verify it's, it's, it's not fraudulent that's coming across.

[00:08:18] Stan Wisseman: Well, I mean, you know, again, stolen payment information that's used for purchases, and then you end up having to dispute, handle disputed transactions with the ultimate customer. Right. Right. And so, you know, yes, you did buy it. No, I really didn't. You know, somebody stole my credit card information. You know, one of the ones that, you know, I mentioned.

[00:08:40] From the consumer side, being aware of whether or not the, the, the site is authentic as an e commerce business, you also need to be monitoring for any fake websites that, you know, could be offering, you know, deep discounts or other offers to lure the unsuspecting consumer [00:09:00] to those sites. And, and again, when the customer enters their credit card information on that fake website, it can be, it can be stolen by those cyber criminals.

[00:09:10] So that, that's something that, you know, actively monitoring for potential fakes to help shut those down quickly. 

[00:09:19] Rob Aragao: You know, the, just got me thinking too. The other thing is, again, just, just good hygiene when you're going through, you know, the different store websites, making your purchases, make sure that it is, again, secured transactions, right?

[00:09:31] It's HTTPS. You see the little lock on the top, usually left, right? Prefixed in front of the URL. And then the other kind of, you know, best practice too, is your, your purchasing should actually be done through a credit card and not using your debit card for anything in that regard. Right.

[00:09:48] Yeah. Anything else you can think of, Stan, that comes to mind?

[00:09:49] Stan Wisseman: Well, I mean, there are some classic ones, right, that still are applicable to businesses. I mean, if you think about this as being a big time year for [00:10:00] these e commerce sites to actually sell a lot, right? And so, ransomware attacks can be effective in the sense that they know the target is motivated to resolve things quickly to not miss out on these, you know, four or five days of, of key, you know, sales.

[00:10:18] And so there's that, and then I don't hear about it as much, but distributed denial of service attacks against these sites is another way of extorting potentially an e commerce organization who is dependent on these sales in this time of year to, you know, to make changes or to, you know, you know, extract money out of them.

[00:10:39] You know, you can bring down these sites during these key days and disrupt their operations and prevent them from processing orders. So that, that, that could be, again, they need to be aware of that potential threat.

[00:10:49] Rob Aragao: That is a good point too on the, on the ransomware that you brought up. You know, I wasn't actually thinking of that, but this is like a prime

[00:10:56] time because they're very much more likely to, unfortunately, to go ahead and pay the ransom. You [00:11:00] know, the other, the other thing, almost going back into the way, you know, phishing emails now are crafted, it's, it's how AI is being used to actually make the language that much more clearer and human like, you know, because in the past, right, we could take a look at some emails and just look at the context of the email.

[00:11:15] This isn't correct. The verbiage is off. But now with the utilization of AI to actually craft these messages it is much more realistic. And so again, that risk becomes that much more evident for these, these consumers really that may be receiving those, those emails and think that they're real.

[00:11:32] Stan Wisseman: The social engineering and phishing, it just gets more and more difficult. You just have to be very aware of the threat and, and to your point, even when you're aware, you can be fooled.

[00:11:41] Rob Aragao: You can, you can. Well, Stan, I think we covered the majority of the bases on both the business and consumer front. What I will ask you is this.

[00:11:49] Just, just don't go spending too much this year again, Stan, please. 

[00:11:55] Stan Wisseman: Sounds like my wife. 

[00:11:58] Rob Aragao: Mine too. [00:12:00] Well, until next time, my friend, we'll catch you again on the other side. 

[00:12:04] Stan Wisseman: Happy shopping.