Researchers from Cyveillance are calling the recently launched "Twitter of personal finance" service - Blippy, a "spear phisher's dream" due to the massive amounts of real-time purchasing history shared by its users.
With fraudsters actively crawling Web 2.0 services (Spammers harvesting emails from Twitter - in real time) for data to be later on integrated in targeted attacks, the detailed and publicly obtainable financial data on Blippy can come handy if they manage to solve a simple problem - obtaining the emails of Blippy users.
Here's are some sample scenarios that cybercriminals can easily take advantage of.
- Event-based social engineering campaigns - With every purchase that a Blippy user makes automatically featured on their accounts, based on the service/credit cards linked to it, this event presents a window of opportunity for the fraudster which is now aware what you've just purchased, from which company and the exact amount of the purchase. Based on this data, a targeted phishing campaign can be launched, with personalization rarely seen in a mass-marketing phishing campaign.
- Calculate the biggest spender based on publicly obtainable data - Since quality assurance is now becoming an inseparable part of the cybercrime ecosystem (Spammers go multilingual, use automatic translation services; Localizing Cybercrime - Cultural Diversity on Demand Part Two; Managed Polymorphic Script Obfuscation Services), cybercriminals can basically aggregate all the data of prospective victims, and calculate who's the biggest online spender based on the purchasing history. Due to their frequent, and high value purchases, these individuals easily turn into prospective victims.
- From a fraudster's perspective, online presence equals touch points to engage -With so much descriptive and personally identifiable data that users leave in order to build their online presence, such as full names and personal blogs where contact details can be found, a potential fraudster doesn't even need to engage in dictionary attacks. A simple test with a random Blippy user that appears to be a frequent purchaser of high value items, made it possible to find his personal blog, where he had naturally published all of his contact details. This was made possible due to the fact that he included a relevant picture of himself, which was also visible on his personal page, next to the user's full name also published at Blippy.
The potential for abusing Blippy (Phishing experiment sneaks through all anti-spam filters) as a tool for building spear phishing (targeted attacks) is pretty evidence due to the real-time sharing of purchasing history. But would phishers really bother embracing such a time-consuming approach compared to the well-proven business model of mass-marketing, localization and segmentation of the harvested emails for more accurate reaching of prospective customers?
The eventual systematic abuse of Blippy is similar to that of the experimental phishing tactic called 'Chat-in-the-Middle', where an actual human being will act as the Live Support attempting to obtain more data from the victim. Despite the personalization offered, it undermines the large scale mass marketing campaigns from which phishers derive their profit.
The single most practical thing a Blippy user can do to undermine these campaigns given the nature of their financially oriented social networking, is to limit the amount of personally identifiable information published at the site. That's, of course, next to the lack of gullibility when a "perfect timing" phishing campaign reaches you.