Don't let the Grinch Steal Your Passwords this Holiday Season

November 20, 2024
Lucie Cardiet
Product Marketing Manager

The holiday season is here, bringing festive cheer, gift shopping and, unfortunately, an increased risk of cyberattacks. Attackers are moving faster than ever, leveraging advanced tools and AI to exploit vulnerabilities in real time. While you hunt for the perfect gifts or take advantage of irresistible sales online, cybercriminals are also hard at work. They know this is a time when many people let their guard down, making it easier to target them through malicious websites. Let’s explore how you can protect yourself and enjoy a secure holiday season.

A holiday story gone wrong

Imagine this: Sarah, a busy professional, is browsing online for last-minute holiday deals. She clicks on an ad and finds an unbelievable discount on a site that looks just like her favorite retailer. Excited, she enters her payment information and completes the purchase. But the confirmation email never arrives. Instead, her credit card company alerts her to suspicious transactions. Sarah also starts receiving notifications about logins to her accounts on different platforms. Why? She used the same password across multiple sites, and the attackers leveraged her stolen credentials.

Unfortunately, stories like Sarah’s are common. But the good news is, you can avoid falling victim by understanding the risks and taking simple precautions.

The hidden danger of malicious websites

Cybercriminals create malicious websites designed to trick you into revealing sensitive information or downloading harmful software. These sites often mimic popular retailers, complete with logos, product images, and even fake reviews. They rely on you not noticing small details, such as a misspelled URL or the absence of “https” in the web address.

According to Check Point’s research, 25,668 new domains related to holidays or vacations were registered in May 2024 alone, with approximately 3% identified as malicious or suspicious.

These fake sites are particularly effective during busy times, like the holidays, when people may overlook subtle differences in URLs in their rush to complete purchases.

How do attackers create malicious websites?

Cybercriminals commonly use lookalike domains to deceive unsuspecting users. These fraudulent websites are designed to mimic legitimate ones, tricking you into entering sensitive information like login credentials or payment details. Attackers rely on small changes to URLs that can be easily overlooked, particularly during busy times like the holiday season. Lookalike domains can take many forms, with typosquatting being one of the most prevalent.

Types of lookalike domains

Typosquatting

Typosquatting exploits simple human typing errors. For instance, instead of typing "www.amazon[.]com," you might accidentally type "www.amaz0n[.]com" or "www.amazonn[.]com." These domains are often registered by attackers to redirect traffic to malicious websites.

According to Infoblox, many typosquatted domains are initially parked for advertising revenue or resold to legitimate owners. However, a significant number are used for malicious purposes, such as distributing malware, phishing for credentials, or launching further attacks.

Combosquatting

Combosquatting involves combining a legitimate brand name with additional words or phrases to create a deceptive URL. For example, "paypal-login[.]com" or "software-updater[.]com" appear credible but are often malicious. Combosquatting increases the likelihood of tricking users into believing they are on an official website.

Homographs

Homograph attacks leverage characters that look visually similar to legitimate ones, such as replacing "o" with "0" or using Cyrillic characters that resemble Latin letters. For example, "paypal[.]com" might be disguised as "paypaI[.]com," replacing the lowercase "L" with an uppercase "I" (which looks nearly identical in many fonts).

Soundsquatting

Attackers use homophones—words that sound similar—to create deceptive domains. For instance, they might register "adobee[.]com" to mislead users searching for "adobe[.]com."
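The four lookalike categories above overlap in practice (a one-character homograph is also one keystroke away from the brand), so a defender-side check is most useful when it reports every category a domain fits. The classifier below is an added example, not code from this post or from Vectra AI; the brand list, the confusable map and the crude phonetic key are assumptions, and the label extraction ignores multi-part TLDs.

```python
import re

# Constructed brand list; a defender would load their own organisation's brand names here.
PROTECTED_BRANDS = ("amazon", "paypal", "adobe")

# Characters that pass for one another in common fonts: digits for letters, capital I for
# lowercase l, and a few Cyrillic letters drawn like their Latin twins (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "I": "l", "|": "l", "5": "s", "3": "e",
                             "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y"})

def registrable_label(hostname: str) -> str:
    """'www.amaz0n[.]com' -> 'amaz0n': refang, drop 'www' and the TLD (naive: one-label TLDs)."""
    labels = [p for p in hostname.replace("[.]", ".").strip(". ").split(".") if p and p != "www"]
    return labels[-2] if len(labels) >= 2 else labels[0]

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one insert, delete, substitute or adjacent swap = 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def sound_key(label: str) -> str:
    """Crude homophone key: fold 'ph' to 'f', collapse repeated vowels (Metaphone would do better)."""
    return re.sub(r"([aeiou])\1+", r"\1", label.lower().replace("ph", "f"))

def classify(hostname: str):
    """Return {'brand', 'kinds'} for a lookalike of a protected brand, or None if unrelated.
    Categories overlap, so every matching kind is reported; kinds == [] means the exact brand label."""
    raw = registrable_label(hostname)
    low = raw.lower()
    for brand in PROTECTED_BRANDS:
        if low == brand:
            return {"brand": brand, "kinds": []}
        kinds = []
        if raw.translate(CONFUSABLES).lower() == brand:
            kinds.append("homograph")        # looks identical once confusables are folded
        if brand in re.split(r"[-_]", low):
            kinds.append("combosquatting")   # brand plus extra words, e.g. paypal-login
        if osa_distance(low, brand) == 1:
            kinds.append("typosquatting")    # one slip of the fingers away from the brand
        if sound_key(low) == sound_key(brand):
            kinds.append("soundsquatting")   # spelled differently, pronounced the same
        if kinds:
            return {"brand": brand, "kinds": kinds}
    return None
```

Run over newly observed domains (for example from certificate transparency or passive DNS logs), any non-empty `kinds` is worth a closer look, and `None` simply means no protected brand is involved.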

How do attackers drive traffic to these malicious sites?

Google Ads exploitation

Attackers exploit Google Ads to direct unsuspecting users to their malicious websites. By creating seemingly legitimate ads with official logos and enticing offers, they manipulate users into clicking. The clicks then redirect through tracking templates to fraudulent sites that may deliver malware such as BatLoader or DanaBot. These malware programs enable attackers to steal credentials, install ransomware, or gain unauthorized access to devices.

Figure: Example of a malicious Google Ad (image source: Malwarebytes)

SEO Poisoning or Spamdexing

Another tactic attackers use is SEO poisoning (Spamdexing), where they manipulate search engine algorithms to make their malicious sites rank high in search results. For example, when searching for popular holiday items or services, you might encounter a malicious site disguised as a legitimate retailer. SEO poisoning is particularly dangerous because users often trust organic search results over ads.

The danger of reusing passwords

Attackers create malicious websites for three primary reasons: stealing credentials, delivering malware, and capitalizing on weak password practices.

Once you enter your information on a fake site, attackers can use your credentials to access other accounts. This is especially damaging if you reuse passwords across multiple platforms.

Reusing passwords across accounts makes you an easy target for credential stuffing—where attackers use leaked credentials to access multiple accounts.

You might think your password isn’t important on an obscure shopping site, but if you use the same one for your email or bank account, you’re putting yourself at significant risk. In Sarah’s case, her stolen password allowed attackers to gain access to her primary email account, which they used to reset passwords for her other accounts.

How do you know if your password has been exposed?

A popular and free service, Have I Been Pwned, can help you determine if your email address or passwords have been exposed in a data breach. “Pwned,” a term derived from “owned,” refers to situations where bad actors gain control of your sensitive information. If your credentials appear in Have I Been Pwned’s database, it means they have been leaked and could already be in the hands of cybercriminals.

Hackers exploit these leaked credentials by testing them against various services. In mere minutes, your compromised password could grant attackers access to your email, financial accounts, and even your social media profiles, leaving your identity “owned” and vulnerable to further exploitation.
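Have I Been Pwned’s Pwned Passwords service lets a client check a password without ever sending it: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and matches the remaining 35-character suffix locally against the returned list. The code below is an added example, not code from this post or from Have I Been Pwned; the sample range response is constructed and its counts are made up.

```python
import hashlib

def password_range_query(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 of the password into the 5-hex-char prefix that is sent to
    the range endpoint and the 35-char suffix that never leaves the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response and return how many times the password was
    seen in breaches, or 0 when its suffix is absent from the returned list."""
    _prefix, suffix = password_range_query(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised offline): GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-char prefix goes over the wire, so the service never learns the full hash."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample response for prefix 5BAA6: two made-up suffixes plus the real suffix of
# SHA-1("password") with a made-up count, in the 'SUFFIX:COUNT' line format the endpoint uses.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
"""

if __name__ == "__main__":
    prefix, _ = password_range_query("password")
    print(prefix, "->", breach_count("password", SAMPLE_RANGE_RESPONSE), "breach appearances")
```

To run it against the live service, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)`; a non-zero count means the password should be retired everywhere it is used.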

Figure: Homepage of haveibeenpwned.com

Practical steps for a safe holiday season

Staying secure doesn’t mean you have to avoid online shopping. By following a few best practices, you can enjoy the convenience of online deals without exposing yourself to unnecessary risks.

  1. Start by using trusted retailers and verifying URLs before entering any personal or payment information.
  2. Avoid clicking on links in unsolicited emails or text messages, as these are common phishing tactics.
  3. Consider using a browser extension or cybersecurity tool that flags suspicious domains. Organizations can combat typosquatting by proactively registering similar domains, including common misspellings of their official URLs.

When it comes to passwords:

  1. Stop reusing passwords and use a unique, complex password for each site. Password managers make this easier by securely storing and generating strong passwords for you.
  2. Enable multi-factor authentication (MFA) wherever possible. Even if your password is compromised, MFA adds an extra layer of protection by requiring a second verification step, like a code sent to your phone. However, make sure your phone number is up to date—an outdated or compromised number can leave your account vulnerable to attacks like SIM swapping.
  3. Stay informed about breaches involving your email address or other credentials and act immediately to secure your accounts.

How Vectra AI helps detect and prevent threats

If you’re part of a security team protecting an organization, the stakes are even higher during the holidays, but protecting your organization’s network during the busiest time of the year doesn’t have to be overwhelming. The Vectra AI Platform offers advanced threat detection powered by artificial intelligence, helping you stay ahead of malicious activity.

Whether it’s identifying unusual behavior or detecting credential misuse in real time, Vectra AI gives you the tools to respond quickly and effectively. The holiday season should be a time of joy, not stress over cybersecurity threats. By staying vigilant against malicious websites and typosquatting, and by practicing strong password hygiene, you can significantly reduce your risk.

With a little extra caution, you can focus on what truly matters—celebrating with your loved ones.
