Cisco’s security team notes the need to cautious and vigilance when using mobile devices to conduct e-commerce transactions during the 2015 holiday season.

http://blog.talosintel.com/2015/11/holiday-shopping-threat-avoidance.html

Executive Summary – The holidays are upon us and the shopping season is kicking into high gear. This year, an estimated 270 million consumers will shop online and, for the first time, more than half of them will use mobile devices to check off their holiday shopping lists.

Shopping While Mobile – One key prediction from Adobe’s holiday shopping report is that for the first time mobile devices will drive a majority (51%) of online shopping traffic. On the surface this is worrisome because many mobile devices are not configured to block advertisements, including malvertising. Further complicating the mobile ad-blocking scene is the fact that some popular ad-blocking apps require customers to proxy all of their web traffic through a third-party host so ads can be removed. This presents obvious data privacy complications for users of these apps regardless of their desire to eliminate advertising or protect themselves. There are some non-proxy-based alternatives, such as the new iOS 9 Safari Content Blocker extensions. All users of both mobile and non-mobile devices are encouraged to use some sort of ad-blocking software or plugin to protect themselves from the threat of malvertising.

Vectors for Badness – The Adobe report claims that holiday shoppers will be finding their steep holiday discounts primarily through display ads (23%), followed next by social media (14%), and then email (11%). Because so many threats propagate through spam, social media, and malvertising, the safest way to shop this season is directly purchasing goods from the merchant’s website.

Conclusion – Nobody wants to be the victim of cyber crime. To protect ourselves, we should deploy an array of different security layers. Talos recommends use of secure web proxies like Cloud Web Security (CWS) or Web Security Appliance (WSA). OpenDNS can provide security at the DNS layer. Secure email gateways like the Email Security Appliance (ESA) can protect against illegitimate holiday deals propagated through spam. Advanced Malware Protection (AMP) at the network or endpoint can convict malicious binaries that might somehow make it past the other layers. Local browser client protection from “ad blockers” such as Ghostery, Adblock Plus, NoScript, Request Policy, and others is also highly recommended.

Finally, beyond all the technical layers that can be deployed, we need to be smart. Especially when performing activities such as shopping, it’s far safer to navigate directly to merchant websites than risk being lead to malvertising in the form of online display ads, fake email offers, or malware disguised as social media promotions.