Holiday shopping at work could harm far more than your productivity

As Canadians and Americans become more concerned about the price of presents this year, they are increasingly flocking to the Internet for better deals, special online discounts and gas-saving benefits.

According to a Shop.org report released last week, 55.8 per cent of employees in North America who have access to the Internet at work will shop online this holiday season.

The number of workplace Internet shoppers is up from previous years, already 10 per cent higher than 2005 figures.

South of the border, unusually low retail sales in November were followed by a 10 per cent surge in online sales on Monday, Dec. 1, according to reports from Nielsen Online.

(In the U.S., this Monday after the American Thanksgiving has been dubbed “Cyber Monday” because of increased spending when people return to work and buy online.)

The surge in online shopping during work hours is worrisome for an executive from San Jose, Calif.-based data security products vendor, Finjan Inc., who says the phenomenon could result in corporate computer systems getting infected.

This year far more legitimate sites are being attacked than last year – especially shopping sites, said Ophir Shalatin, marketing director at Finjan.

Finjan’s malicious code research centre reports legitimate shopping Web sites are being compromised with data-collecting Trojans that harvest not only employees’ personal banking information, but also e-mail correspondence and security passwords for internal company files.

Legitimate sites, said Shalatin, are preferred channels for injecting malware into user computers because they generate a lot of traffic, while spurious sites would first need to evade search engine security.

Around 75 to 90 per cent of all sites with malicious obfuscated code have genuine URLs, Shalatin said.

He said users need only visit a malicious page to become infected with a data-stealing or phishing Trojan that remains dormant on the browser until a specific Web site is entered.

Then the Trojan “wakes up” and takes control of the Web browser, putting an overlaying text field onto the check-out area of a shopping site, for example, and sending sensitive information to the criminal’s server.

“If we look at all the trends these days, we find cybercriminals always attack what’s popular and right now it’s retail shopping sites,” Shalatin said. “The most popular online stores or items this holiday season will be targeted.”

The increase in malicious online shopping pages is directly related to the huge spurt in online shopping from work, he says. “The attack is tailored to commercial companies because the value of corporate information is higher than credit card or PIN numbers.”

Finjan’s labs have witnessed an increase in the collection of corporate information, such as Citrix credentials, e-mail correspondence, server passwords and other types of valuable data that can be sold directly.

Shalatin expects the trend to gather momentum until the end of December.

“Any Web site can be compromised, regardless of reputation, so shoppers should be cautious and ensure there is nothing peculiar in regards to fields to fill in,” he said. “Be on alert when searching popular gift items and discounts.”

Quite apart from the productivity factor, security risks involved in online holiday shopping at work can pose a big challenge for Canadian businesses, according to David Senf, director of security and software research at Toronto-based IDC Canada.

And it’s an issue that doesn’t have a quick fix.

“Firms can try to sell employees on the idea of shopping online from their own home computer, but good luck!”  

Senf says as we approach the last day for online shoppers to make purchases so delivery actually happens before December 25, no amount of begging from IT or HR will deter employees from using their work machines to make purchases.

“Even if employees are convinced not to use their work e-mail address, phishing scams can still be launched from online e-mail accounts,” Senf says. “Drive-by attacks launched through the browser or through HTML rendered e-mail are also problematic.”

The popularity of corporate notebook computers means a lot of online shopping will take place on company computers on the road or from the home.

Senf suggests companies use network access control (NAC) technology to protect themselves from malware brought in from outside. NAC quarantines a machine from the company network until it is scrubbed for any malware, Senf said.

Some of his other suggestions are: rendering e-mail as text rather than HTML, keeping anti-virus software up to date, educating employees on the dangers of online shopping, and instructing them not to click links in their e-mail.
