Blippy, a Spear Phisher’s Dream

Friday, January 22nd, 2010

This month, a service called Blippy was rolled out to the general public. In a CNN article this week, Blippy was described as a “financial version of twitter.com”, where users’ credit card transactions are posted to the internet much like the short tweets that people post to twitter. On twitter, users post up to 140 characters on any topic they wish to discuss. On Blippy, a posting displays how much a person paid for a recent purchase. In the image below for example, we see that Jason Calacanis of Mahalo paid $112.64 at Amazon for a SanDisk 16GB 60MB/s Extreme Compact Flash Card.


Example of a Blippy transaction (see the original here).

CNN reporter John D. Sutter asks Blippy cofounder Philip Kaplan whether there are any dangers in posting this sort of information:

CNN: Is there any potential that this would expose someone to an attack on their financial information, or that it could be used against them?

Kaplan: I don’t — we’ve all been taught that this is just something you don’t do. As an aside, when I was a kid, we weren’t allowed to tell anybody we were going out of town, and we had timers in the house that would turn the lights on and off so it would look like we were home. But now you tweet when you’re at dinner. … You put your whole schedule on Facebook so people can like plan their robberies ahead of time. And I think the pros far outweigh the cons in that scenario. … I think the risks in actuality are very small. Similarly, I think we have this engrained thing that we’re taught, which is to not share this [financial] information, and we don’t really know why.

That’s not the right answer to the question. Information found in Blippy postings (“blips”?) can be used against the users who post them. Let’s go back to the example in the image above.

We find:

  • a user’s name
  • the name of a business with whom they had a financial transaction
  • how much they spent
  • for certain retailers, what they bought

Great. Now let’s examine what is presented to someone when they receive an email in a traditional phishing attack, which we know to be a very profitable endeavor for bad guys. (A recent study by Cyveillance found that average attacks can cost millions of dollars in losses). It really comes down to two things:

  • The email is made to look like it comes from one’s bank or other business institution.
  • A call to action, in which the recipient is asked to follow a link to a website.

Spear phishing takes things a step further by personalizing the email sent to the potential victim. The attack may address the victim by name or phone number (see example), lending credibility to the attack and greatly increasing the likelihood that the recipient becomes a victim.

From a cyber criminal’s point of view, Blippy currently offers great information to construct a highly targeted spear phishing attack. After examining the types of purchases Blippy shows for Best Buy, consider the spear phishing attack one could construct for a hypothetical Blippy user named Johann Gonzales:

Dear Johann Gonzales,

Thank you for your recent purchase of $52.99 at Best Buy. To receive credit for your purchase in our Best Buy Reward Zone program and receive valuable discounts on future purchases, click here

Putting together such an email would require software to “scrape” information from Blippy and then send the resulting message to an array of likely email addresses for Johann Gonzales, like jgonzales@gmail.com, jgonzales@hotmail.com, johanngonzales@gmail.com, johanngonzales@hotmail.com, and so on. Given that the software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing, for the sake of Blippy’s users, Blippy must plan ahead as if they are.

Conclusion

Currently banks reimburse users when they become victims of phishing attacks, but the financial industry often asks at what point responsibility for losses incurred in phishing attacks shifts to the victim. The information that Blippy users currently provide to would-be cyber criminals gives businesses more leverage to say that they will not reimburse losses incurred in spear phishing attacks. After all, if the Blippy user practically hands the bad guys all the information they need to carry out an attack, how is it the bank’s fault?

Blippy does hold promise as a way for consumers to gain information about the prices of goods and services. But it also currently provides a literal wealth of information for spear phishers. Luckily Blippy can take the simple measure of hiding usernames, or otherwise removing any link between blips and users’ real names.


As always, if you think you have received a phishing email, please send it to:

reportphishing@cyveillance.com

Report Phishing Attacks

Friday, January 15th, 2010

If you think you have received a phishing email, please send it to:

reportphishing@cyveillance.com

Cyveillance will analyze the suspected phishing attack and take the necessary action to minimize the number of victims of the attack.

Background: What Are Phishing Attacks?

Phishing is a method online criminals use to try to gain access to the username and password you use for important online activities like banking and paying bills. The attackers will send an email that looks like it comes from places like your bank or financial institution. The email can look very real, and will provide a link for you to access your account online.

Unfortunately when you log in to your account using the link in that email (don’t!), you will have provided your username and password to criminals who will then use it to access your account and likely remove funds from your account.

Some types of companies that cyber criminals commonly try to impersonate to gain access to your account information:

  • Banks
  • Credit unions
  • Online payment services like Paypal
  • Hosting companies (see example)
  • Software vendors (see example)
  • Utilities, like your gas, electric, or internet service provider (ISP)

Further Reading

For a detailed analysis of the economics behind phishing attacks, please see Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks.

Cyber Safety 101 Courses January 19

Tuesday, January 12th, 2010

Here at Cyveillance we spend a lot of time educating our customers about threats to their business online. When time allows we also post information about such risks here on the Cyveillance Blog. As part of this effort to educate users about the risky online environment that exists out there, we are especially excited about our upcoming, in-person classes that will be offered on January 19 in Reston, Virginia. Details are below. Hope to see you there!

Registration:

Description: Too often, “Cyber security” is seen as a technical matter and the purview solely of IT professionals. Unfortunately, it is both the machines and the users that are under attack. In Cyber Safety 101: An Introduction to Cyber Threats and Internet Risk, students are exposed in friendly, non-technical terms to the basic workings of the Internet and how criminals, scammers, adversaries, hackers and spies exploit those technologies, systems and, most of all, the users themselves in the insecure Cyber universe.

Learning from professionals with years of experience tracking and monitoring the “dark underbelly” of Cyberspace, you will learn how bad actors use the Internet to steal, impersonate, compromise and hijack not just funds and identities but entire networks and sensitive data.

From the teenage “script kiddy” draining Paypal accounts to the state-sponsored adversaries threatening our national security, you will see the scope, breadth, variety and sophistication of today’s online enemies, and learn how to protect yourself, your agency or enterprise, its data and its mission from the dark forces at work on the Internet.

When students leave this course they will:

  • Have a solid understanding of how the Internet actually works, and the inherent vulnerabilities and weaknesses in the system we all rely on every day
  • Understand the sophistication of today’s online threats, and be much more adept at recognizing, stopping and avoiding them
  • Be better equipped to protect themselves, their hardware, and the data, systems and mission of the agencies and enterprises for which they work

Who Should Take This Course?

This course is invaluable education for every federal or commercial knowledge worker whose PC, laptop, PDA or cell phone is connected to the Internet. As more and more systems and devices are permanently online, and as more agencies and enterprises incorporate Internet technologies into critical systems, the risks to these systems and the agencies and enterprises commensurately increase.

Today, every employee working online is a potential target. Every connected device is a potential entry point for a criminal, adversary or enemy of the country. And the risks are so new, so numerous and so sophisticated that education is absolutely vital to helping your staff safeguard your systems, data and business or mission.