Holiday shoppers using smartphones should beware of fake commerce apps and fake Wi-Fi hot spots inside malls. Hackers use these fakes to grab account numbers and sensitive personal information.
Many smartphone users compare prices and evaluate products while shopping inside a physical store, which means they are probably connected to a Wi-Fi network. Often, stores and malls offer Wi-Fi for the convenience of customers, but thieves also set up fake Wi-Fi hotspots to be able to steal data. Sometimes the cyber thieves even monitor consumer communications over legitimate Wi-Fi hotspots that haven't been properly configured and expose a user's information openly.
When shopping online anywhere, users need to be aware that hackers have set up fake store apps that look like legitimate ones, usually enticing smartphone users with deals and rewards. They observe unencrypted traffic or even manipulate the content the victim sees online to redirect the user to a malicious website or to download malware.
When a hacker sets up a fake Wi-Fi network, the hacker will mimic a legitimate network, often using the same name. Hackers might set up a network that uses the word "free" in the name to lure victims. Even short access to a malicious network may give a hacker enough information to later access bank accounts or social media accounts.
For online shoppers using commerce apps, Skycure said hackers will sometimes repackage legitimate apps so the fake app looks exactly like the real one. The fake app works in the background to steal data or spy on the user. The security firm found a repackaged version of a Starbucks app, for example, and said users can avoid the problem by installing the official app from the Apple and Google app stores.
Or, hackers will create fake apps from scratch. Such fake apps promise rewards to get people to download the apps. With the fake Amazon Rewards app, Skycure found it was actually a trojan that spreads by using SMS messages with fake Amazon vouchers and a link to a fake website. It even accesses the user's contact list so that it can send SMS messages to even more people.
To safeguard against risky apps:
- Download apps only from Google and Apple official app stores.
- Beware of apps that ask for suspicious permissions like access to contacts, text messages, stored password or credit card information.
- Be skeptical of favorable reviews for apps, since rave reviews can be forged. Also examine the developer of the app to see if the app comes from an unusual developer or if the app description uses quirky spelling or poor grammar. A Google search will tell more about the developer.
- Read the warnings on your device and don't click "Continue" if you don't understand the exposure level.
- Update your device to the most current operating system.
- Disconnect from the network if your phone behaves oddly, has frequent crashes or receives a warning notice.
- When visiting shopping sites on the web, look for the "s" in HTTPS when you visit; without the S there could be weak encryption.
To safeguard against risky Wi-Fi:
- Avoid "free Wi-Fi networks" since 10% of malicious networks use the word "free" in their name.
- If a Wi-Fi zone is named as if it is hosted by a store and the store isn't nearby, don't connect.