Expect to see attackers expand their use of current consumer-targeting tactics while exploring new ways to target Internet users — with implications for businesses.

A combination of maturing and emerging consumer-facing cyber threats could add to the many challenges that enterprise security teams will need to contend with in 2023.

Researchers at Kaspersky, looking at how the cyber threat landscape will likely evolve over the next year, expect that threat actors will expand use of many of their current tactics while exploring new avenues for attack via social media, streaming services, and online gaming platforms.

For business admins, the expansion of brands into the world of the metaverse (the theoretical universal and immersive virtual world of the Internet, facilitated by the use of virtual reality and social media) could open them up to attack. And in the era of remote work and bring-your-own-device (BYOD), any consumer threat is potentially an enterprise one, so IT security teams would do well to follow the trends in this space.

**Attacks Using Current Techniques Will Grow...**

The security vendor for example expects that cybercriminals will continue to take advantage of the post-pandemic surge in consumer interest around online streaming services to try to distribute malware, steal data, and execute other malicious activity.

Many of the attacks will target individuals looking for alternate sources for downloading a legitimate streaming app, or a particular episode of a show. Expect to see cybercriminals use widely anticipated titles and streaming service provider names such as Netflix, Hulu, and Amazon Prime Video as lures to get users to download malware or to direct them to phishing sites, according to Kaspersky.

Consumers will also face more gaming subscription fraud and scams that involve online currencies and artifacts. Attackers will primarily target games that use currencies and allow sale of in-game items and boosters because they give threat actors a way to process money obtained from other illegal activities.

In a report earlier this year, Kount, an Equifax-owned fraud protection service, also identified online currencies as offering a plethora of opportunities for adversaries to launder money and carry out payment card fraud. "For example, a fraudster creates a free account for an online multiplayer game then uses stolen credit cards to fill up the account with in-game currency and skins," Kount researchers had noted, adding, "Once the account is loaded, the fraudster sells it on a trading site," for anywhere between several hundreds to several thousands of dollars.

Kaspersky expects that attackers will also try to exploit a continuing shortage in the availability of popular gaming consoles via fake pre-sale offers as well as fraudulent giveaways and discounts from online stores purporting to sell hard-to-find consoles.

**...Even as Threat Actors Explore New Attack Avenues**

Meanwhile, the metaverse, online education platforms, and certain categories of health-related apps will all become new avenues for attack in 2023, Kaspersky said.

Privacy will emerge as a major concern in the metaverse, Kaspersky predicted. "As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification," Kaspersky said.

Others have also expressed concern over the increased amount of personal information that will be collected in fully immersive environments via VR headsets and their collection of cameras, microphones, and motion trackers. Many expect the data will reveal a lot about a user's location, appearance, and other private information while also enabling attackers to carry out more sophisticated phishing and social engineering scams.

At least some of the attacks in virtual reality and augmented reality environments will involve virtual abuse and sexual assault — such as that involving cases of avatar rape, Kaspersky said.

The security vendor pointed to an incident where an avatar associated with a researcher at a nonprofit advocacy group was raped on a metaverse platform owned by Meta as one example of the kind of issues consumers can increasingly run into.

Despite efforts by technology companies to build protection mechanisms into metaverses, "virtual abuse and sexual assault will spill over into metaverses," Kaspersky said. "As there are no specific regulation or moderation rules, this scary trend is likely to follow us into 2023."

"The metaverse represents an area where consumer threats will be different from years past," says Anna Larkina, a security expert at Kaspersky. "Fake, malicious VR and AR apps, as well as privacy risks and potential abuse associated with this new frontier, will account for threats we haven't necessarily seen before," she says.

Certain kinds of apps — such as those related to meditation or those where a consumer might offer a hint of their current emotional state — could become another new attack avenue, Larkina says.

"It is easy enough to imagine a variety of applications for meditation, in which you indicate your current state/emotions, and they select the appropriate course for you," she explains. "Such data can easily be collected and stored in order to track the state of the user and offer them suitable meditation practices." An attacker that gains access to such data could execute successful spear-phishing and social engineering scams in a highly targeted manner, she notes.

Attacks targeting consumers should matter to enterprise security teams because attacks on companies quite often involve the human factor, Larkina says. "If the system is technically secure enough, then you can get inside the system by 'hacking' employees of the company."

The Metaverse Could Become a Top Avenue for Cyberattacks in 2023

The enterprise's shift to the cloud means digital forensics investigators have had to adopt new remote techniques and develop custom tools to uncover and process evidence off compromised devices.

With more organizations moving to the cloud for storage, applications, and processing, digital forensics investigators increasingly require new tools and techniques capable of conducting investigations on systems where they have no physical access.

Gone, for the most part, are the days when the forensics investigator could pop out the hard drive of an on-premises server for a forensic image and simply analyze it for clues on what happened. Hands-on evaluations of physical evidence, formerly the norm in forensic investigations, are now the exception. Today’s cloud-based network could be located almost anywhere — for European Union cloud infrastructures, servers generally have to be in the same country as where the data was created, but that’s as specific as the law gets. For the most part, investigators have no direct access to the servers.

Instead, companies need to work with their cloud providers in advance to articulate clearly what access they can have before an event occurs, says Thomas Brittain, former managing director of cyber risk at Kroll who recently joined Amazon Web Services as a security leader for cloud response.

For example, ask the cloud provider up front about any limitations during an investigation, Brittain recommends. Questions include: What logging or log sources are available from each of your cloud vendors? How do you ensure that your personnel have the training and the understanding to do an investigation in that cloud environment?

Considering that investigators will not have physical access to compromised disk drives, enterprises need to ensure ahead of time that the investigators will have the ability to obtain a forensic image of the hard disk even without having actual physical access. That may mean the provider’s staff would need to create and provide the image to the investigators, or the provider would allow the investigators virtual access to the compromised devices.

**Cloud-Ready Forensics Tools**

New digital forensics tools and techniques are necessary to uncover electronic evidence for processing into actionable intelligence for cloud-based data breaches, ransomware attacks, and other cases of malfeasance.-

Because there are no standardized tools designed to meet every cloud vendors’ network needs, many forensics teams develop custom applications. But there is still a problem. “It's insane, trying to figure out standardized training, there is no, there are no standardized tools,” Brittain says.

“We've had to adapt from more of a forensic standpoint to more of a live-by-instant-response in triage,” concurs Aaron Crawford, senior security consultant with NCC Group’s North America Incident Response. “The lines between triage and forensics have absolutely blurred with the introduction of the cloud. It's even more complicated because you have several flavors of clouds out there and providers such as Tencent, Google, Amazon, and Microsoft — the primary Big Four out there.”

Crawford also acknowledges the lack of industry-standard tools. “We've had to become our own tool smiths now. We've had to write our own tools \[and\] create our own custom solutions to address a lot of these issues to help relieve the burden for our clients,” he says. “One of the biggest things that's changed is that immediacy for information and updates is absolutely critical. And that's because the threat landscape changed. The threat landscape got significantly more malicious, and the repercussions are even greater than they were before.”

While forensics teams are creating tools for the various environments, they also need to ensure that their tools will interoperate with existing security tools. Custom tools need to be “sustainable, explainable, \[and\] repeatable. If I go to court as an expert witness, I have to make sure that those tools are repeatable, and you can understand them, and someone else other than me can use them.”

Wayne Johnson, director of Global Cyber Incident Response and leader of the forensics practice at Protiviti, also sees challenges and possibilities with custom forensic tools. “From an interoperability perspective, I think that's incumbent on those that are that are making those one-off tools, \[that\] as the different coding languages change, as the different coding capabilities increase, the digital forensics domain has to be able to move with them right and be able to understand those," he says.

“Even with traditional architectures that are that are on-prem, there are many organizations that still have their own custom code and custom applications. So be those in the cloud or on prem., the same concept applies.”

**Soliciting Board Support**

As the attack surface grows, in part due to the explosion of internet of things (IoT) devices, cybersecurity experts need a place at the table with the board of directors and general counsels, Johnson notes. Ultimately, combining the digital forensics capabilities with incident response is “an area where we've really seen the board's taking notice and realizing that there's definitely a conversation there.”

The added benefit to having a cyber-savvy board member is to help the other board members “understand and interpret what’s coming from the CISO and the CIO.” The addition of cybersecurity experts on the board, combined with a cyber-knowledgeable general counsel, will further bolster the board’s understand on what cybersecurity and forensics can do to protect corporate assets.

“I think we're seeing, we're seeing a much more sophisticated and cyber-savvy boards starting to emerge as you start looking across various industries,” Johnson says.

How the Cloud Changed Digital Forensics Investigations

The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.

CVE-2022-24190: Automating Unsolicited Richard Pics; Pwning 60,000 Digital Picture Frames

BYOK was envisioned to reduce the risk of using a cloud service provider processing sensitive data, yet there are several deficiencies.

Let’s start with some basics: Your data can, and should, be encrypted at rest and in motion.

Data can be encrypted on the client side or on the server side. In the security realm, we have well-known best practices, which include defense in depth (i.e., not relying on a single security protective measure), and security by obscurity, which really isn’t security.

Here's what the cloud industry is doing, along with some underlying gaps. Most cloud service providers (CSPs) offer bring your own key (BYOK) in one way or another. Amazon Web Services, for instance, supports the following key management service (KMS) options:

*   **KMS only:** Customer-managed keys (CMKs) stored in the KMS.

*   **KMS with customer key store and CMK:** Again, managed by the customer and stored in the cloud hardware security module (HSM ).

*   **KMS with third-party HSM:** Customer-provided KMS with a direct connection to the KMS.

The keys are retained in the volatile KMS memory, meaning once the data encryption keys (DEKs) are decrypted, they are accessible within the CSP environment without requiring the key encrypting key (KEK) for each decryption or encryption.

In all implementation options listed, the data encryption keys are generated by the CSP's KMS and may or may not be exportable. The DEK is used to encrypt defined scopes of data (e.g., per bucket, day, file, etc.) and these DEKs are encrypted with the KEK.

**BYOK Benefits and Risks**

BYOK is meant to provide cloud customers more control over their hosted data. In reality, when BYOK is used, it actually works more like share your own key (SYOK), since once the key is provided to the CSP, customers have no control over the key use. The only benefit of SYOK, in my view, is ensuring the key randomness if you don't trust their random number generator. Otherwise, you may as well let the CSP generate the key.

BYOK is also offered by some CSPs in another model and connects to the customer’s hardware, which stores and controls the KEK. There are several outstanding issues with this model.

The DEKs may still be accessible to the service provider, purposely or otherwise, in addition to a malicious actor capable of succeeding in breaching the CSP's protective measures technically, or via social engineering, thus gaining access to the DEKs, whether in memory, cache, log files, or a malicious codebase. Retaining the KEK in memory is a double-edged sword, since you're effectively performing SYOK for better performance. But then why not just perform SYOK, in that case?

Another issue is that the service provider may not use the customer KEK to secure the DEK. And the CSP architecture, code, and various offerings may have security lapses that allow interception points. Even if DEKs are decrypted on the fly, which isn't usually supported or recommended, a communication issue could bring your business to a grinding halt, preventing existing data from being decrypted and new DEKs from being encrypted.

Trust is also a key element when working with a CSP. Trust should stem from certifications and third-party audits. Reference customers using the CSP for their sensitive data or production may also be an important factor in strengthening this trust. You also have to decide if you trust the CSP's authentication and authorization security. Even with federated security, that doesn't mean there aren't additional authentication and privilege escalation means.

In short: BYOK does not solve the problem nor reduce the risk!

**What Else Can We Do?**

Most CSPs offer customers self-service capabilities to revoke, rotate, and otherwise control the KEK. Enhanced security may be achieved by protecting the data prior to moving or granting the CSP access to it. But this is rarely beneficial and mostly recommended for securing PII/PHI or other strongly regulated data.

The most important factor is to consider all ingress and egress routes, including APIs and file transfers, as well as various privileged access needs. This also extends to authentication and authorization that uses role- or attribute-based access control to ensure non-repudiation, data sanitation, and industry best practices like zero trust**.**

****The Bottom Line****

My goal here is to raise awareness, not to reflect negatively on CSPs. But BYOK, for the most part, is snake oil. It’s often misunderstood as a panacea to working in the cloud while not requiring trust for the CSP.

SYOK is worthless. If you assume the CSP cannot generate sufficiently random keys for the KEK, why rely on it for the DEK? It's important to ensure there’s a well-designed security architecture in place that is constantly reassessed, tested, and monitored.

Bring Your Own Key — A Placebo?

Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources.

The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action.

The shortcoming was reported by Datadog to AWS on September 1, 2022, following which a patch was shipped on September 6.

"This attack abuses the AppSync service to assume \[identity and access management\] roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette said in a report published last week.

In a coordinated disclosure, Amazon said that no customers were affected by the vulnerability and that no customer action is required.

It described it as a "case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service's cross-account role usage validations and take action as the service across customer accounts."

AWS AppSync offers developers GraphQL APIs to retrieve or modify data from multiple data sources as well as automatically sync data between mobile and web applications and the cloud.

The service can also be used to integrate with other AWS services through specific roles designed to perform the necessary API calls with the required IAM permissions.

While AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role's unique Amazon Resource Name (ARN), the problem stems from the fact that the check could be trivially bypassed by passing the "serviceRoleArn" parameter in a lower case.

In getting around the ARN validation, the issue could be exploited to provide the identifier of a role in a different AWS account and interact with any resource.

"This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service," Frichette said.

"By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services

Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources.
The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action.
The shortcoming was reported

Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources.

The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action.

The shortcoming was reported by Datadog to AWS on September 1, 2022, following which a patch was shipped on September 6.

"This attack abuses the AppSync service to assume \[identity and access management\] roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette said in a report published last week.

In a coordinated disclosure, Amazon said that no customers were affected by the vulnerability and that no customer action is required.

It described it as a "case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service's cross-account role usage validations and take action as the service across customer accounts."

AWS AppSync offers developers GraphQL APIs to retrieve or modify data from multiple data sources as well as automatically sync data between mobile and web applications and the cloud.

The service can also be used to integrate with other AWS services through specific roles designed to perform the necessary API calls with the required IAM permissions.

While AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role's Amazon Resource Name (ARN), the problem stems from the fact that the check could be trivially bypassed by passing the "serviceRoleArn" parameter in a lower case.

This behavior could then be exploited to provide the identifier of a role in a different AWS account.

"This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service," Frichette said.

"By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers also applaud abandonment of customization feature abused by scammers

Adam Bannister 25 November 2022 at 15:00 UTC

Researchers also applaud abandonment of customization feature abused by scammers

A cross-site scripting (XSS) vulnerability in ConnectWise Control, the remote monitoring and management (RMM) platform, offered attackers a powerful attack vector for abusing remote access tools.

Now patched, the stored XSS flaw was disclosed by Guardio Labs, which in July published an analysis of tech support scams, a widespread phenomenon whereby scammers abuse RMM platforms in order to create fake technical support portals and dupe victims into inadvertently installing malware.

Once installed, a remote access tool gives attackers remote control of a victim’s desktop PC or mobile device and, said the report, “is persistent, mostly undetectable, and bypasses almost all regular forms of protection. And in a show of supreme chutzpah, these scammers even manipulate this capability to bypass 2FA protection and take full control of PayPal and bank accounts”.

Read more of the latest hacking tools news

A new technical write-up documenting the ConnectWise XSS explains how attackers could easily register for a free, anonymous email account and submit fake personal details. This would give them a corporate-grade remote access agent and support portal they could customize – with no coding skills needed – to convincingly mimic famous brands.

Scammers could then call and dupe victims by, for example, sending “them a fake invoice for some service they never registered to, urgently referring them to a \[…\] fake refund service portal to enter the ‘invoice’ code (triggering the dedicated silent \[remote access tool\] installation),” wrote Nati Tal, head of Guardio Labs.

**Full control**

The stored XSS bug arose from a lack of sanitation of the resource. “Any code we maliciously inject in between the tags with some manipulations is executed as any other code in the context of the webapp – as if was authored by the official owner of the service,” explains Tal.

“A script executing from this context gives an attacker full control over any element of the webapp, potentially altering any element of the page as well as connection to the backend servers,” contined Tal.

Scammers could also “abuse the hosting service itself – allowing misuse of ConnectWise hosting, identity, and certificate to serve malicious code or gain full access to admin pages even after the trial period is over.”

**‘Bold move’**

ConnectWise recently added a prominent advisory to its remote support service to alert visitors to this social engineering threat. However, Guardio Labs found that attackers could also execute code that removes this warning.

ConnectWise has since responded by removing the customization feature for trial accounts – “a bold move” that would prevent scammers from creating credible-looking Amazon or Microsoft support pages but at the cost of losing a useful feature and commercial differentiator, noted Tal. “They sure took this matter seriously which is very appreciated and will surely help make web browsing safer and the scammers’ life a bit harder,” he said.

“ConnectWise was very responsive and quickly fixed the issue” by adding sanitization to that neutralized Guardio’s exploit code, added the researcher.

Users are advised to update to version v22.6, released on August 8, 2022, or later.

YOU MIGHT ALSO LIKE Google Roulette: Developer console trick can trigger XSS in Chromium browsers

ConnectWise closes XSS vector for remote hijack scams

Attackers could gain full control of a cloud-hosted database

Attackers could gain full control of a cloud-hosted database

A vulnerability in Amazon Web Services (AWS) AppSync enabled unauthorized cross-account access to AWS resources, according to the findings of security researchers.

AppSync is a service that allows developers to create serverless GraphQL and Pub/Sub APIs. When creating GraphQL API with AppSync, developers must specify the data source that stores or has access to the data the API will interact with, such as Lambda functions, DynamoDB, RDS, and external APIs.

**Tricking AppSync**

One of the features of AppSync is to directly invoke AWS APIs such as Amazon S3. To do this, the developer must create a role that has access to the target resource. The developer then creates a “trust policy”, a JSON document that allows AppSync to assume that role.

Researchers at DataDog Security Labs were interested in seeing if they could somehow use the trust policy to trick AppSync to give them unauthorized access to other AWS accounts.

AWS protects against this kind of attack by making sure the AppSync endpoint and the target resource are in the same account.

This validation is performed through Amazon Resource Name (ARN), the unique identifier of the AWS resource.

Read more of the latest news about web security vulnerabilities

The researchers at DataDog found that they could bypass the ARN validation by simply changing the letter case of the JSON field for the ARN.

This enabled them to create AppSync data sources that could be tied to other AWS accounts. Using this loophole, they could interact with any resource associated with a role that trusts the AWS AppSync service in any account.

In a proof of concept, the researchers show how an attacker could exploit the vulnerability to obtain full control of a cloud-hosted database.

**Difficult detection**

Since the logs generated by the attack indicate all activity is coming from the AppSync service, detecting the attack would be difficult. Therefore, if the attacker knew the ARN of the AppSync role and the resources they wanted to access, the logs would indicate normal activity.

However, under normal circumstances, the attacker would need to do some brute force probing to find the target resources, which would result in an unusual amount of events in the AWS log. Administrators would also be able to detect attacks by looking for anomalous behavior, such as an AppSync service accessing an AWS resource for the first time.

Amazon patched the vulnerability in AppSync in September, while the research blog post was published this week. According to the company, there were no indications of the vulnerability having been exploited in the wild.

“\[We\] have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted,” Amazon said in a statement.

YOU MAY ALSO LIKE F5 fixes high severity RCE bug in BIG-IP, BIG-IQ devices

Vulnerability in AWS AppSync allowed unauthorized access to cloud resources

By Deeba Ahmed
Around one hundred people have been arrested by the Metropolitan Police in the United Kingdom’s biggest-ever fraud operation.…
This is a post from HackRead.com Read the original post: Police Seize iSpoof domains as UK’s largest bank call scam is disrupted

Around one hundred people have been arrested by the Metropolitan Police in the United Kingdom’s biggest-ever fraud operation. The Scotland Yard has also shut down iSpoof domains which served as a spoofing hub for scammers.

Reportedly, through that website, scammers stole tens of millions of pounds from British citizens through fake bank phone calls. The police stated that the website was used to defraud 200,000 Brits, and at least £50 million was stolen.

In June 2021, the Scotland Yard, European law enforcement agencies, and the FBI initiated an international investigation dubbed Operation Elaborate.

Authorities now plan to contact around 70,000 victims in Briton for the investigation. These individuals fell victim to the UK’s biggest scam campaign. An extensive probe revealed that scammers paid a subscription fee to iSpoof.cc and iSpoof.me for using its technology and phone victims impersonating staff members of reputed banks like Halifax, Barclays, and NatWest.

The fraudsters tricked people into giving their bank account credentials or transferring funds. Until August, they had made 10 million fake calls through iSpoof, and around 3.5 million calls were made in the UK, out of which 350,000 calls lasted over a minute.

Authorities in the USA and Ukraine helped Scotland Yard take down this website. As per the authorities, during the campaign, scammers sometimes contacted around twenty people every minute of the day using fake identities created through iSpoof.

Seized iSpoof website (Image credit: Hackread.com)

The amount stolen from the victims is yet unknown, but authorities claim it is close to £50m. One of the victims suffered a loss of £3m, and another lost £10,000. Scammers earned around £3.2m within 20 months, investigators estimated.

For your information, the iSpoof website was set up in December 2020 to allow users to disguise their phone numbers and pretend to be a caller from a reputed organization, mainly a tax office or bank. Scammers paid the subscription fee in bitcoin.

The website had around 59,000 users who paid subscriptions worth £150 and £5,000. The service was taken offline this week, and more than 100 suspects have been arrested, most of whom were residing in London. 40% of the victims were in the USA and 35% in Britain.

A British citizen and resident of east London, Teejai Fletcher, is suspected to be the mastermind of this scam campaign. The 34-year-old suspect was charged with fraud, participating in activities of an organized criminal group, and supplying/making articles used in fraud. The suspect is in police custody and will be presented before the court in two weeks.

1.  Indian call center seized over Amazon hacking scam
2.  World’s Largest Private Torrent Site Filelist.ro Seized
3.  WT1SHOP Cybercrime Market Seized by US and Portugal
4.  179 Dark Web vendors arrested, 500kg worth of drugs seized
5.  Domain, server of DoubleVPN used by ransomware gangs seized

Police Seize iSpoof domains as UK’s largest bank call scam is disrupted

'Tis the season for swindlers and hackers. Use these tips to spot frauds and keep your payment info secure.

Black Friday attracts crowds, and crowds attract scammers, and that means you need to take extra care when shopping online over the Black Friday and Cyber Monday weekend. There'll be people out there eager to relieve you of more money than you'll save on a TV set or a gaming console.

The following precautions apply any time of year, but it's worth reminding yourself of them every time a serious holiday season comes around. In the rush to get gifts sorted, it's all too easy to miss a warning sign, or get complacent about online security.

Update All Your Software

Keeping programs and operating systems up to date is important enough that Microsoft, Apple, Google, Mozilla, and all the other big names in tech now make it difficult for anyone to lag behind with their updates—most of the time you'll be prompted regularly to install new versions of your software, and it might even happen automatically in the background without you noticing.

The biggest retail event of the year has grown into an entire month of sales that ebb and flow. Here’s how to make the most of it.

Today's browsers, apps, and OSes are adept at spotting scams as they happen, whether it's phishing emails (designed to lure you to a fake shopping or banking site) or unauthorized logins on your accounts. To make the most of this built-in security, ensure you're running the latest versions across the board, which means the latest security patches—if you've been putting off updates on your phone or your computer, then get them done ahead of Black Friday.

If you do have a laptop that's too old to run the latest versions of Windows or macOS, avoid using it if possible—you'll be safer shopping on your phone, as long as it's running the most recent Android or iOS updates. On Android, you can check for updates via **System** and **System Update** in Settings; on iOS, it's **Settings** and then **General** and **Software Update**.

Be Wary of Email and Social Media Deals

You're likely to be inundated with special offers over email and social media this Black Friday, but be careful when it comes to clicking through on deals that come from suspicious sources (stores you've never shopped at before, for example). Always check that the link you clicked sent you to the website you were expecting to visit.

There's no hard and fast way to guarantee you'll never get caught out by a dodgy link (apart from just ignoring them all completely), but you can minimize the risk: Check that the social media account or email address sending the link is genuine, head to the site in question in a separate browser window to see whether you can find the same offer advertised, and be sure the offer you're looking at is the one that was promoted.

If your browser is up to date, as we mentioned above, dangerous links should be blocked before you reach them, but we'd still recommend being wary. You'll see some great offers advertised over social media and email, but no discount is worth the risk of exposing yourself to scammers.

Make sure all your devices are updated before shopping.

Android via David Nield

Do Your Research

Wherever possible, stick to trusted stores online. All the major players have robust security procedures in place, so the chances of them (and you) getting hacked are smaller. Still, if you're buying from any site, always check you're on the store website you think you are by checking in your browser's address bar.

We're not saying you should never shop at smaller outlets, but make sure they're using HTTPS technology (indicated with a padlock in your browser's address bar). Look for contact details, an office with a physical address, and reviews left by other users (Trustpilot can be helpful here). See if they're on Twitter and Facebook—and whether those accounts are actually active.

Debit and credit card issuers will usually protect you against fraud—check their policies online if you're not sure about yours—but nevertheless, keep an eye on your bank accounts throughout the Black Friday weekend to make sure only the amounts you're expecting to be debited are going out.

Double-Check Deals

Retailers change their prices all the time—especially online—so a "big discount" you see might only apply to whatever the price was last week, not what it's been over the course of the past year. Price trackers such as CamelCamelCamel can help you work out whether you're getting a genuine bargain or just something that was already heavily reduced.

Checking out product reviews on the web is a useful way of determining how current something is and how much you should be spending on it. Are you looking at the genuine article, or just a cheap knock-off? Is the gadget you're about to buy future-proofed with the latest tech or will it be out of date in six months? And (especially on Amazon) is it being sent from your current region or the other side of the world? Who's the actual seller? Make sure you read what previous buyers have to say via the user reviews before spending your money.

Just be aware that stores also use the occasion to try and shift their remaining stock of older, less popular products. Make sure you're looking at what you're buying and not just the price drop.

CamelCamelCamel will show you previous price drops on Amazon.

CamelCamelCamel via David Nield

Protect Your Accounts

As always, keep your accounts locked down and protected on Black Friday. Use strong, unique passwords for all your accounts (a dedicated password manager or your browser's password management system can help here), and turn on two-factor authentication on every account that offers it (Microsoft, Apple, Google, Facebook, and Twitter ones all do, for a start).

While it may seem convenient to quickly set up a new shopping account with your “usual” password, it only takes one account sharing the same password to get exposed, and all the others can come tumbling down after it. If you're using the latest versions of Chrome and Safari, you'll notice you can now use a strong password suggested by your browser (the option should pop up automatically when you're in a password field).

If you're planning on shopping at outlets where you haven't purchased anything before, it's a good idea to get these accounts set up ahead of time—this means you aren't rushing when it comes to thinking up new passwords and entering potentially sensitive information into your web browser.

Guard Your Payment Info

Many places that you're shopping at on Black Friday and Cyber Monday will already have your payment info on file, but if you're entering details into a new site, again make sure the padlock symbol is showing in the address bar—the full URL should also begin “https://”, which indicates that your payment details will be encrypted in transit.

If you’re on vacation or out of town, we recommend waiting until you get back home before buying anything—or at least using the cellular data on your phone to make a connection rather than a public Wi-Fi hotspot, as it's much harder for hackers to intercept your details (or look over your shoulder as you're typing them). If you are shopping in-store, be careful to guard your PIN numbers and other sensitive details when you're surrounded by crowds—or even just one shop assistant.

As tempting as Black Friday offers might be, it's usually a good idea to shop in as few places as possible, if you can: The fewer companies that hold your payment data, the less likely you are to be victim to a data breach, and the risk of those breaches are really down to the company's security policies rather than any precautions you can take.

Tag

#amazon