Linux Format

Who’s after your data?


By now most people are aware of the old adage, ‘if something sounds too good to be true, then it probably is’ and, thankfully, the once common ‘419 emails’ purportedly from executors of recently deceased Nigerian princes offering riches in exchange for a small fee are becoming less prevalent. But phishing and social engineering attacks have evolved and represent a very real, probably even the largest, threat to online security.

The miscreants who indulge in it have a battery of tools at their disposal. A common type of phishing attack is to send potential marks an email which appears to come from their bank. It’s trivially easy to copy the styles, wording and address information from an official bank email, and easy enough to register a domain name that looks something like the official domain (think replacing letter ‘o’ with number zero, or using a ‘.co’ domain instead of ‘.co.uk’) from which to send the email. This email might say something like ‘following a security review, <meaningless jargon>, you need to log in here and update your details.’ From here victims are taken to the imitation domain, which looks exactly like their bank’s website (because cloning websites is trivially easy too) and unwittingly key in all the details needed by the fraudster to drain their account.

Campaigns may target a specific individual (spear phishing), perhaps a sysadmin or a high-ranking manager with access to valuable or incriminating data. Such an effort relies on knowing something about the individual, and in some cases a lot can be gleaned from a simple Google search. Dates of birth, employment history, email addresses and even Amazon reviews can be enough to get the ball rolling. Presented with an email that seems to know something about them, people are much more likely to open that dodgy attachment or visit that link. Worse, with the right information and the right patois, a fraudster can sweet talk their way past many companies’ security checks, allowing them to reset passwords, change addresses and generally do not nice things.
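The two lookalike-domain tricks mentioned above (swapping letter ‘o’ for digit zero, and sending from ‘.co’ rather than ‘.co.uk’) are exactly what a mail filter or a cautious reader can check for before trusting a message. The following is an added example, not code from the article: it takes the From: header of a message, compares the sender’s domain against a short list of domains the recipient actually trusts, and flags anything that matches only after undoing common digit-for-letter substitutions or that reuses the trusted name under a different top-level domain. The trusted domain `northbank.co.uk` and every address in the tests are constructed placeholders.

```python
"""Flag sender domains that merely look like a trusted domain (added example)."""

from email.utils import parseaddr

# Constructed placeholder: the domains this recipient genuinely trusts.
TRUSTED_DOMAINS = {"northbank.co.uk"}

# Digit-for-letter swaps commonly used in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Second-level suffixes under a two-letter country code (e.g. 'co.uk').
SECOND_LEVEL = {"co", "org", "ac", "gov", "net"}


def normalise(label):
    """Lower-case a domain label and undo the substitutions above."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "")


def split_domain(domain):
    """Return (registrable label, tld), treating 'co.uk'-style suffixes as one tld."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def classify_sender(from_header):
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower()

    # Exact match, or a subdomain of a trusted domain, is genuine.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"

    # Same registrable name once substitutions are undone, or the same name
    # on a different tld ('.co' instead of '.co.uk'), is a lookalike.
    label, _ = split_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        trusted_label, _ = split_domain(trusted)
        if normalise(label) == normalise(trusted_label):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, one per case.
    for header in ("Security <security@northbank.co.uk>",
                   "Security <security@n0rthbank.co.uk>",
                   "Security <security@northbank.co>",
                   "News <news@unrelated.example>"):
        print(f"{header!r:50} -> {classify_sender(header)}")
```

The check is deliberately conservative: it only ever compares against domains the recipient has chosen to trust, so an unfamiliar but legitimate sender comes back as ‘unknown’ rather than being wrongly blocked, while a ‘lookalike’ verdict is a strong signal that the message deserves a second look before any link in it is followed.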

It’s always worth remembering that no matter what information governmental agents or private detectives may be siphoning from your internet traffic, it’s probably significantly less than what many people happily give to Facebook, Google et al. for free. If you have a Google account visit https://myaccount.google.com and have a look in the My Activity section. All those web searches, YouTube videos, directions and even audio snippets (if you’re one of the ‘OK Google’ people) have all been dutifully archived by the Chocolate Factory, so that they can ‘tailor your web experience’ (or just target ads better).

Facebook has a similar tool for viewing and downloading everything they know about you. Of course, none of this data retention and analytics should come as a surprise, since these companies’ entire business models are based on selling ad space. That ad space becomes highly valuable when marketeers can target buyers in a particular area, with a particular interest, who are friends with one demographic or another… The more data, the more revenue. It makes some people feel, rightly or wrongly, a little bit queasy. Then again, it would be silly to just go giving away a neat webmail account with a ton of storage, or a way to connect with all your friends (or hold them at arm’s length and just like or emote your way through the social jungle). That would be an expensive business model. Of course, you don’t have to use these services, but if you do you can always be more wary about how you use them.

“Social engineering attacks have evolved and represent a very real threat to online security.”

[Image] You don’t want to wake up to a screen like this, so be careful where you click.
