Social networking sites have been identified as a nesting ground for purveyors of malware and phishing techniques, and thus financial information gathering. It isn't difficult for them to round up needed information, but why make it easy for them by signing up to have your purchases show up as "blips" on the bad guys' radar screens? I was waiting for someone else to see the naked emperor before saying anything. Cyveillance has spoken...
Blippy could be a valuable tool for cyber criminals, warns Cyveillance.
Blippy, a Spear Phisher’s Dream
On Twitter, users post up to 140 characters on any topic they wish to discuss. On Blippy, a posting displays how much a person paid for a recent purchase. In the image below, for example, we see that Michael Arrington of TechCrunch paid $112.64 at Amazon for a SanDisk 16GB 60MB/s Extreme Compact Flash Card.
CNN reporter John D. Sutter asks Blippy cofounder Philip Kaplan whether there are any dangers in posting this sort of information:
CNN: Is there any potential that this would expose someone to an attack on their financial information, or that it could be used against them?
Kaplan: I don’t — we’ve all been taught that this is just something you don’t do. As an aside, when I was a kid, we weren’t allowed to tell anybody we were going out of town, and we had timers in the house that would turn the lights on and off so it would look like we were home. But now you tweet when you’re at dinner. … You put your whole schedule on Facebook so people can like plan their robberies ahead of time. And I think the pros far outweigh the cons in that scenario. … I think the risks in actuality are very small. Similarly, I think we have this engrained thing that we’re taught, which is to not share this [financial] information, and we don’t really know why.
That’s not the right answer to the question. Information found in Blippy postings (“blips”?) can be used against them. Let’s go back to the example in the image above.
We find:
- a user’s name
- the name of a business with whom they had a financial transaction
- how much they spent
- for certain retailers, what they bought

- The email is made to look like it comes from one’s bank or other business institution.
- A call to action, where the recipient is asked to follow a link to a website online.
From a cyber criminal’s point of view, Blippy currently offers great information to construct a highly targeted spear phishing attack. After examining the types of purchases Blippy shows for Best Buy, consider the spear phishing attack one could construct for a hypothetical Blippy user named Johann Gonzales:
Dear Johann Gonzales,
Thank you for your recent purchase of $52.99 at Best Buy. To receive credit for your purchase in our Best Buy Reward Zone program and receive valuable discounts on future purchases, click here…
Putting together such an email would require software to “scrape” information from Blippy that it would then use to send to an array of likely email addresses for Johann Gonzales, like jgonzales@gmail.com, jgonzales@hotmail.com, johanngonzales@gmail.com, johanngonzales@hotmail.com, and so on. Given that software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing, for the sake of Blippy’s users, Blippy must plan ahead as if they are.
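The same three facts the article lists (a name, a merchant, an amount) are what a receiving mail filter can watch for. The check below is an added example, not code from the Cyveillance article or from Blippy: it takes a constructed public purchase feed (PUBLIC_BLIPS, modelled on the Johann Gonzales case above) and flags an incoming message that echoes one of the recipient's published purchases, asks the reader to act, and links to a host that does not belong to the named merchant. The feed, the helper names and the sample messages are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Blip:
    user: str       # display name as shown on the public feed
    merchant: str   # business named in the transaction
    amount: float   # amount spent, in dollars


# Constructed sample feed, modelled on the purchases the article describes.
PUBLIC_BLIPS = [
    Blip("Johann Gonzales", "Best Buy", 52.99),
    Blip("Michael Arrington", "Amazon", 112.64),
]

AMOUNT_RE = re.compile(r"\$(\d{1,6}\.\d{2})")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
CALLS_TO_ACTION = ("click here", "follow this link", "verify your", "log in", "sign in")


def spear_phish_reasons(recipient: str, body: str, blips=PUBLIC_BLIPS) -> list:
    """Return the reasons a message looks like a purchase-based spear phish.
    An empty list means nothing suspicious was found."""
    text = body.lower()
    amounts = {float(a) for a in AMOUNT_RE.findall(body)}
    reasons, echoed = [], []
    for blip in blips:
        if blip.user == recipient and blip.merchant.lower() in text and blip.amount in amounts:
            reasons.append(f"echoes public purchase: {blip.merchant} ${blip.amount:.2f}")
            echoed.append(blip.merchant)
    if any(phrase in text for phrase in CALLS_TO_ACTION):
        reasons.append("contains a call to action")
    # A link that claims to be from the merchant but points at an unrelated host.
    for host in HOST_RE.findall(body):
        for merchant in echoed:
            if merchant.lower().replace(" ", "") not in host.lower():
                reasons.append(f"link host {host} does not match {merchant}")
    return reasons


def is_suspicious(recipient: str, body: str) -> bool:
    """Flag only when a public purchase is echoed AND the mail asks the reader to act,
    so an ordinary order confirmation that merely repeats the amount is not flagged."""
    reasons = spear_phish_reasons(recipient, body)
    return any(r.startswith("echoes") for r in reasons) and \
        any(r.startswith("contains") for r in reasons)
```

On the article's sample text ("Thank you for your recent purchase of $52.99 at Best Buy ... click here") sent to Johann Gonzales with a link to an unrelated host, all three reasons fire; the same text addressed to a user with no matching blip only trips the call-to-action check.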
Conclusion
Currently, banks reimburse users when they become victims of phishing attacks, but the financial industry often wonders at what point it becomes the victim’s responsibility for losses incurred during phishing attacks. The information that Blippy users currently provide to would-be cyber criminals gives businesses more leverage to say that they will not reimburse losses incurred in spear phishing attacks. After all, if the Blippy user practically hands the bad guys all the information they need to carry out an attack, how is it the bank’s fault? Blippy does hold promise as a way for consumers to gain information about the prices of goods and services. But it also currently provides a wealth of information for spear phishers.