Does Blippy really pose a security risk?

Summary: Researchers from Cyveillance are calling the recently launched "Twitter of personal finance" service Blippy a "spear phisher's dream" because of the real-time purchasing history shared by its users. Does Blippy really pose a security risk?

Researchers from Cyveillance are calling the recently launched "Twitter of personal finance" service Blippy a "spear phisher's dream" because of the massive amount of real-time purchasing history shared by its users.

With fraudsters actively crawling Web 2.0 services (Spammers harvesting emails from Twitter - in real time) for data to integrate later into targeted attacks, the detailed and publicly obtainable financial data on Blippy can come in handy if they manage to solve a simple problem: obtaining the emails of Blippy users.

Here are some sample scenarios that cybercriminals can easily take advantage of.

  • Event-based social engineering campaigns - With every purchase that a Blippy user makes automatically featured on their account, based on the services and credit cards linked to it, each purchase presents a window of opportunity for a fraudster who now knows what you've just bought, from which company, and the exact amount of the purchase. Based on this data, a targeted phishing campaign can be launched with personalization rarely seen in a mass-marketing phishing campaign.
  • Calculate the biggest spender based on publicly obtainable data - Since quality assurance is now becoming an inseparable part of the cybercrime ecosystem (Spammers go multilingual, use automatic translation services; Localizing Cybercrime - Cultural Diversity on Demand Part Two; Managed Polymorphic Script Obfuscation Services), cybercriminals can aggregate all the data of prospective victims and calculate who's the biggest online spender based on purchasing history. Because of their frequent, high-value purchases, these individuals easily turn into prospective victims.
  • Opening a direct communication channel with the victim - Since the service doesn't list the emails of the owners, the cybercriminals face a basic problem of obtaining this data. Just how easy is it to find this data? According to Cyveillance, by "shooting into the dark" in terms of user names, they may actually reach the user: "Putting together such an email would require software to “scrape” information from Blippy that it would then use to send to an array of likely email addresses for Johann Gonzales, like,,,, and so on. Given that software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing, for the sake of Blippy’s users, Blippy must plan ahead as if they are."
  • From a fraudster's perspective, online presence equals touch points to engage - With so much descriptive and personally identifiable data that users leave in order to build their online presence, such as full names and personal blogs where contact details can be found, a potential fraudster doesn't even need to engage in dictionary attacks. A simple test with a random Blippy user who appears to be a frequent purchaser of high-value items made it possible to find his personal blog, where he had naturally published all of his contact details. This was possible because he included a relevant picture of himself, which was also visible on his personal page, next to the full name he had also published on Blippy.

The potential for abusing Blippy (Phishing experiment sneaks through all anti-spam filters) as a tool for building spear phishing (targeted) attacks is pretty evident, given the real-time sharing of purchasing history. But would phishers really bother embracing such a time-consuming approach, compared to the well-proven business model of mass marketing, localization and segmentation of harvested emails to reach prospective customers more accurately?

The eventual systematic abuse of Blippy is similar to that of the experimental phishing tactic called 'Chat-in-the-Middle', where an actual human being will act as the Live Support attempting to obtain more data from the victim. Despite the personalization offered, it undermines the large scale mass marketing campaigns from which phishers derive their profit.

The single most practical thing a Blippy user can do to undermine these campaigns, given the financially oriented nature of the social networking involved, is to limit the amount of personally identifiable information published on the site. That, of course, comes in addition to not being gullible when a "perfect timing" phishing campaign reaches you.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • RE: Does Blippy really pose a security risk?

    Using blippy is also posting an 'I'm not at home now' message to all the friendly neighborhood burglars as well as a 'here's where I am message' to those who might choose to stalk.
  • RE: Does Blippy really pose a security risk?

    Blippy seems to be a self-selecting idiot screening process and has much to be admired for such a large experiment.

    As pointed out above, it is not just online attacks that users are laying themselves open to. I look forward to the time when recruiters will not only ask what exam grades have been obtained but who's a twit[ter].
  • RE: Does Blippy really pose a security risk?

    Yeah right.... and having a Facebook page increases your risk of cancer, having heart failure and developing cramps.

    A lot of morons out there can't cope with this ever open society and are finding ways to crawl back to their caves and shout "the end is near".

    As usual, one who publishes his expenses on the Net is twice as savvy against phishing attacks. Nigerians could offer you tons of millions in exchange for your credentials, but wise Blippy users will keep them at bay.

    Also, let's be honest. These aren't the REAL spending habits of the users, but just teasers. I could easily fool the intended by telling them I spent $10,000 on useless jewelry, but will never tell them I owe $50,000 in mortgage.

  • The END is not here (yet), but.....

    the "it can't happen to us" mentality IS!
  • OK, perhaps I just don't get it but...

    Why would I want to post my spending habits online? Anyone that knows me well enough knows what I spend money on and wouldn't need me to post it online for the world to see. Twitter, Facebook and MySpace make sense - I can see why folks use those services, but Blippy just doesn't compute. Could someone please tell me the use of this service, 'cause I just don't get it, I guess.
  • Gotta sign up!!!

    It must be a conspicuous consumption thing for people who can't afford a Rolls Royce. "Look at Me! I just spent $79 at Sears!!"
    Signing up for the "service" seems like the financial security equivalent of finding a stretchy rope in an alley somewhere and feeling compelled to go find a bridge to try bungee jumping on.
  • Who the hell needs this?

    The stupidity of this app, or its users, knows no bounds.
  • open society hmmm..

    See, the problem is that open society isn't compatible with real society. People out there have closed minds and can be rather vicious when it comes to making conclusions based on online data. I'm not about to go into a rant on how people can get into real trouble or just be completely judged based on some pictures on Facebook or one swear word on Twitter.

    But the fact remains that the real society can actually be a problem.

    For the record, think of the number of inventions that were invented with the purpose of helping mankind that ended up being used to harm and kill them instead.

    As much as I am for it, the world isn't nice enough for open society to be implemented without consequences.
  • RE: Does Blippy really pose a security risk?

    Yet no one asked the REALLY important question...

    What is Blippy? Never heard of it, have no clue what it does. Is it a device? Is it software? Is it some sort of new pet? Can you breed Blippies? Do they float? Do they fly? Or is it just a new name for some overweight person sitting on a couch all day?

    I love getting my email and seeing all the blog posts on ZDNet, but the authors never tell you what it is they are talking about when they write about obscure things. At least link to a website (if there is one; if not, try linking to a Wikipedia page) that will let users find out what in the world you are talking about. None of the article made any sense because I have no idea what Dancho was talking about.

    Yes, I can infer it is a social networking application that somehow has to do with money, but that is about it. Is it a new banking feature that banks are setting up for budgeting purposes? I have no idea, and this article doesn't tell me anything about it either.