Threat Intelligence Blog

This month, a service called Blippy was rolled out to the general public. In a CNN article this week, Blippy was described as a “financial version of twitter.com”, where users’ credit card transactions are posted to the internet much like the short tweets that people post to twitter. On twitter, users post up to 140 characters on any topic they wish to discuss. On Blippy, a posting displays how much a person paid for a recent purchase. In the image below for example, we see that Jason Calacanis of Mahalo paid $112.64 at Amazon for a SanDisk 16GB 60MB/s Extreme Compact Flash Card.


Example of a Blippy transaction. Click the image to see a larger version or see the original here.

CNN reporter John D. Sutter asks Blippy cofounder Philip Kaplan whether there are any dangers in posting this sort of information:

CNN: Is there any potential that this would expose someone to an attack on their financial information, or that it could be used against them?

Kaplan: I don’t — we’ve all been taught that this is just something you don’t do. As an aside, when I was a kid, we weren’t allowed to tell anybody we were going out of town, and we had timers in the house that would turn the lights on and off so it would look like we were home. But now you tweet when you’re at dinner. … You put your whole schedule on Facebook so people can like plan their robberies ahead of time. And I think the pros far outweigh the cons in that scenario. … I think the risks in actuality are very small. Similarly, I think we have this engrained thing that we’re taught, which is to not share this [financial] information, and we don’t really know why.

That’s not the right answer to the question. Information found in Blippy postings (“blips”?) can be used against them. Let’s go back to the example in the image above.

We find:

  • a user’s name
  • the name of a business with whom they had a financial transaction
  • how much they spent
  • for certain retailers, what they bought

Great. Now let’s examine what is presented to someone when they receive an email in a traditional phishing attack, which we know to be a very profitable endeavor for bad guys. (A recent study by Cyveillance found that average attacks can cost millions of dollars in losses). It really comes down to two things:

  • The email is made to look like it comes from one’s bank or other business institution.
  • A call to action, where the recipient is asked to follow a link to a website online.

Spear phishing takes things a step further by personalizing the email sent to the potential victim. The attack may address the victim by name or phone number (see example), lending credibility to the attack and greatly increasing the likelihood that the recipient becomes a victim.

From a cyber criminal’s point of view, Blippy currently offers great information to construct a highly targeted spear phishing attack. After examining the types of purchases Blippy shows for Best Buy, consider the spear phishingPhishing: The use of emails that appear to be from a legitimate, trusted source that are enticed to trick recipients into entering valid credentials including personal information such as passwords or credit card numbers into a fake platform or service. LookingGlass Cyber (n) - tailoring an attack (such as email) to garner trust and credentials that are then used maliciously. The preverbal digital version of the ol' hook and bait. attack one could construct for a hypothetical Blippy user named Johann Gonzales:

Dear Johann Gonzales,

Thank you for your recent purchase of $52.99 at Best Buy. To receive credit for your purchase in our Best Buy Reward Zone program and receive valuable discounts on future purchases, click here

Putting together such an email would require software to “scrape” information from Blippy that it would then use to send to an array of likely email addresses for Johann Gonzales, like jgonzales@gmail.com, jgonzales@hotmail.com, johanngonzales@gmail.com, johanngonzales@hotmail.com, and so on. Given that software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing, for the sake of Blippy’s users, Blippy must plan ahead as if they are.

Conclusion

Currently banks reimburse users when they become victims of phishing attacks, but the financial industry often wonders at what point it becomes the victim’s responsibility for losses incurred during phishing attacks. The information that Blippy users currently provide to would-be cyber criminals gives businesses more leverage to say that they will not reimburse losses incurred in spear phishing attacks. After all, if the Blippy user practically hands the bad guys all the information they need to carry out an attack, how is it the bank’s fault?

Blippy does hold promise as a way for consumers to gain information about the prices of goods and services. But it also currently provides a literal wealth of information for spear phishers. Luckily Blippy can take the simple measure of hiding usernames or otherwise referring any link to users’ real names.


As always, if you think you have received a phishing email, please send it to:

 

reportphishing@cyveillance.com

 

Additional Posts

Typosquatting and Brand Owners; Comments from Ben Edelman

In mid-February Harvard researchers Tyler Moore and Benjamin Edelman posted their research on the ...

Report Phishing Attacks

If you think you have received a phishing email, please send it to:   ...