
Gone in 24 hours: Why cybersecurity is not just for Black Friday

Paul Ducklin
11/20/2024

Don’t let your Black Friday precautions evaporate on Saturday!

Any cybersecurity precautions that you think are worth adopting because Black Friday is coming are almost certainly worth taking all year round.

Cybercriminals are happy to rely on scam campaigns that will probably only last for 24 hours, because they fully intend to come back for more on the following day, and the day after that, and the next day, week, month, and so on.

Out of the red, and into the black

We’re heading towards Thanksgiving, famously followed by Black Friday.

The name Black Friday is a metaphor borrowed from the banking and accounting industries, where red and black traditionally denote being in debt and in credit respectively.

Thanksgiving in America is always on a Thursday, and it has become part of a long-weekend vacation tradition for many families.

Retailers learned that by staying open on the Friday and offering great deals, they had a good chance of making enough money on that one day alone to tip their balance sheet for the year so far from red to black.

If they could do that, then everything they sold in the rest of the year, including during the holiday season that closely followed, was icing on the fiscal cake.

This made the day right after Thanksgiving so important that it was given a special name of its own: Black Friday.

What Valentine’s Day is to florists, so Black Friday is to retail in general.

Understandably, perhaps, much of the marketing machinery in the cybersecurity industry has glommed onto this newsworthy day, like moths drawn to a light, as a fantastic opportunity to talk up cybersecurity products and services.

After all, retail splurges attract criminals too, especially when there are incredible but short-lived deals on offer and customers are fighting (in some cases quite literally) over products and prices.

It’s hardly surprising that whenever and wherever money is being spent at speed and in volume, criminals of all stripes will be buzzing around, both online and offline: credit card fraudsters, bank machine skimmers, online scammers, snatch-and-run cellphone robbers, pickpockets, and many other types of ne’er-do-wells.

Just one day among very many

As it happens, most of the world doesn’t actually have Thanksgiving, at least not on a Thursday, and not in November.

In the British Commonwealth, for instance, many countries maintain the church tradition of a Harvest Festival, the closest equivalent, but it is generally a low-key affair on a Sunday, and is timed to land close to the autumnal equinox, which happens in September. (Or, of course, in March, if you live south of the equator.)

So, in countries that lack any Thanksgiving Thursday, you might not expect to find Black Friday at all…

…yet you will very likely find it embraced both with zest and with enthusiasm.

Such enthusiasm, in fact, that you may come across ads for self-contradictory events such as Black Friday Week, and even Black Friday Month.

Black Friday is now more of a season than a single day, and has become a truly global phenomenon, too.

In the matter of Black Friday, therefore, there is no longer “a day” to beware of, or “a day” on which cybersecurity is suddenly so much more important than during the rest of the year that you need to take unique precautions for it.

Simply put, any precautions you decide to adopt on the back of Black Friday itself are precautions you should keep up all year round.

More importantly, even if there really is a greater chance of you being scammed during Black Friday season than at any other time of year, or of having your still-unlocked phone stolen in a drive-by snatch-and-go robbery, that’s not because cyber-related criminals go on vacation for the rest of the year.

A greater chance of being scammed or robbed when Black Friday deals are on the table is probably explained by the simple fact that you spend more time online, spend more time excitedly running from store to store while following maps on your phone, or make more online purchases from more new merchants than at any other time.

It is probably not explained by the fact that the chance of being scammed or defrauded in any individual online interaction is significantly higher around the time of the last Friday in November, and thus that you can let your guard down at other times.

As an analogy, imagine that you throw a pair of dice 8766 times during the year (that’s approximately once an hour).

You would expect to end up with about 243 or 244 double-sixes, because 8766 × 1/36 = 243.5.

If 200 of those double-sixes happen inside your own home, that doesn’t mean your home is ‘lucky’, but merely that you happened to throw the dice when you were at home more often than you did anywhere else.

On any individual throw, whether you are at home, at the mall on Black Friday, in the middle of rushing to sign up online for a special deal, or at a craps table in Las Vegas, the chance of rolling ‘boxcars’ is consistently 1 in 36.

Gone in 24 hours

If there is one aspect of cybersecurity where it pays to think about the impact of any one 24-hour period, it’s the fact that a day is more than long enough for most individual cybercrime campaigns.

For example, in recent years, very many of the phishing emails I have received myself and decided to analyze in detail have relied on a rogue URL using a domain name that was registered either on the very same day or on the day before.

The timing of domain registrations is a matter of public record, even if the identity of the domain registrant is not.

Unfortunately, albeit understandably because it protects individuals against stalkers and other privacy-draining abusers, the true details of domain registrants are almost always suppressed these days, in jurisdictions where this is permitted. Where not permitted, of course, the original registrant may easily be able to supply fake data, given that many domains are registered online through fast and entirely automated systems.

Whenever a spam or scam campaign kicks off with a domain name registered just hours or minutes before, you can be sure that the criminals behind the operation neither expect nor require the domain to last very long.

Criminals know that although some domains may last for ages, perhaps far longer than they ever hoped, it is usually not too long before some person or monitoring system spots their abuse, and blocklists a new, rogue domain as part of the traditional “whack-a-mole” method still used by many cybersecurity vendors.

As long as the fraudulent email reaches sufficiently many potential victims sufficiently quickly that sufficiently many people are tricked into clicking through, and sufficiently many are lured into taking the bait on the rogue page…

…then the criminals have succeeded, even though their domain may then get blocklisted or even deregistered entirely within 24 hours.
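The registration-date check described above can be automated. The following is an added example, not code from the original article: it reads the registration event from an RDAP-style domain record (the RFC 9083 JSON layout) and rates the domain by its age at the moment the message arrived. The sample record, the domain name `deals-today.example`, the function names and the two-day threshold are all assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed RDAP-style domain record (RFC 9083 layout); not real lookup output.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "deals-today.example",
  "events": [
    {"eventAction": "registration", "eventDate": "2024-11-19T21:14:05Z"},
    {"eventAction": "expiration",   "eventDate": "2025-11-19T21:14:05Z"}
  ]
}
""")

def parse_ts(text):
    """Parse an RFC 3339 timestamp; a trailing 'Z' means UTC."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def registration_time(rdap):
    """Return the 'registration' event time, or None if the record lacks one."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration" and "eventDate" in event:
            return parse_ts(event["eventDate"])
    return None

def classify_link_domain(rdap, received_at, max_age=timedelta(days=2)):
    """Rate a link's domain by its age when the message arrived.

    Returns (verdict, age). A missing date is 'unknown', never 'established',
    and a registration date later than the message is flagged as inconsistent.
    The two-day default is an assumed threshold, not a figure from the article.
    """
    registered = registration_time(rdap)
    if registered is None:
        return "unknown", None
    age = parse_ts(received_at) - registered
    if age < timedelta(0):
        return "inconsistent", age
    return ("newly-registered" if age <= max_age else "established"), age

if __name__ == "__main__":
    verdict, age = classify_link_domain(SAMPLE_RDAP, "2024-11-20T08:30:00Z")
    print(SAMPLE_RDAP["ldhName"], verdict, age)
```

A "newly-registered" verdict is a reason to quarantine or hold a message for review; an "established" verdict says nothing about whether the domain is benign.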

Registering new domains can be automated, and the process is fast and cheap.

Additionally, criminals who don’t want the hassle of registering or paying for their own domains can sign up for free or low-cost cloud-based web hosting services that handily include a subdomain, a ready-to-use web server, and an HTTPS certificate to vouch for the site.

Subdomains don’t actually belong to the customer, but to the service provider who owns the domain above it, as in customer.vendor.example. The owner of a domain such as vendor.example automatically acquires control over, and the right to use or ‘sub-let’, that domain and everything underneath it.

Worse still, many legitimate businesses share, and expect you to trust, easy-to-acquire third-party URLs such as file download URLs from popular blogging services such as WordPress, or from well-known sharing services such as OneDrive.

And OneDrive links, at least for individual users if not for business users, nullify the popular cybersecurity advice to “take a careful look at the link before you click on it.”

Files shared on OneDrive often end up with a shortened domain name followed by an enormously long and apparently meaningless URL path of letters and numbers.

Speed and ease for good or bad

The speed and ease with which cybercriminals can acquire new online identities for the short period they need can be seen in a recent chart published by Statista that documents the rate at which fake LinkedIn accounts are dealt with.

Although the majority of fake accounts are helpfully blocked before their registration is completed, figures for the second half of 2023 show nearly 100,000 fake accounts a day (17 million in six months) that were only blocked after being activated, and more than 1200 new fake accounts a day (232,000 in six months) that were not taken down until someone complained.

Figures for LinkedIn’s true growth, in other words the increase in non-fraudulent user accounts whether active or not, suggest that about 60 million to 70 million new accounts are created every year.

There would therefore seem to be at least roughly twice that many attempts to create fake accounts, of which close to 40 million succeed at least for a time. (And that, of course, is just the fake accounts that are spotted and removed.)

Clearly, even if cybercriminals are keenest around Black Friday, their interest in preparing for and getting on with criminal activity has no obvious seasonal bounds.

After all, once Black Friday season is over, it’s Holiday Season; then it’s the New Year Sales; then it’s tax season in the US, followed three months later by tax season in the UK, followed by tax season in Australia, followed by summer vacation season in the Northern Hemisphere…

…followed, of course, by another Thanksgiving, another Black Friday, and so on.

Your cyber-vigilance therefore needs to be consistent on every day of the year, not merely on Black Friday or thereabouts.

In other words, please treat Black Friday warnings, even if they’re from cybersecurity vendors who really only want to sell you “more tools, more tools”, in the same way that you might treat Cybersecurity Awareness Month or Quit Smoking Day.

Quit Smoking Day, if you have ever seen or attended such a thing, is not meant to be one day on which you give your lungs a break and don’t smoke, or cut down from your usual intake.

It’s meant to be a day to encourage those who would like to give up smoking, which is a known health risk that many people find hard to get out of, to do just that for the rest of their lives.

What to do?

  • Think about physical security whenever you use your phone. If you can, avoid having your phone out and unlocked while you are walking, because robbers who snatch it and get away at speed may end up with live access to your apps and accounts. If you need to have one app active, such as a map to help you navigate, learn how to lock your phone down to that one app temporarily, by reading last week’s article about cellphone snatch-and-run crimes.
  • Avoid rushing online transactions out of a sense of urgency. Cybercriminals are adept at using fear as a reason to trick you into skipping your usual online precautions. Examples include fear of missing out on Black Friday deals that don’t exist anyway; and pressure exerted by phone scammers pretending to be chasing down fraud against your account and demanding that you ‘act immediately’ by handing over PINs or passwords. (The only fraud they are ‘chasing down’ is the scam they are perpetrating against you at the time.)
  • Log out of websites and phone apps when you aren’t using them. Many people skip this simple precaution because it does, admittedly, add extra hassle to their online life. But it removes any cached browser or app data that makes it easy for someone who steals your phone or who implants malware on your laptop to access your accounts right away, without needing to guess or steal your password first. It also prevents you being tricked into activating website features by mistake (such as sneakily-hidden likes or ‘one-click’ purchase approvals) because you forgot you were logged in already.
  • Never call or get back to people based entirely on information from a message they sent to you. Get phone numbers from an official source, such as the back of your physical bank card. Get email addresses or instant messaging names from a second, independent source. It’s no good calling the number in an email and asking the other end if you have reached the right person or company!
  • Remember these three simple sayings. You can even say them out loud to yourself before you take any online action that might put you in harm’s way.
      • Be aware before you share. It’s as good as impossible to recall posts or pictures once you’ve published them.
      • Stop, think, and only then connect. Create your own modest speed-bumps to give yourself a second chance to spot scammers and crooks.
      • If in doubt, don’t give it out. If you think it might be a scam, back yourself, assume that it is, and don’t hand over any data at all.

A little caution goes a very long way, on Black Friday and every other day of the year!


Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!



More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image of sale shoppers by Artem Beliaikin via Unsplash.
