Just how much data do you volunteer in social media?

Most of us spend a great deal of time on social media in one form or another. I know that I do, for a myriad of reasons. I seek entertainment, spread humor, gather information, keep up on the daily news (which I then need to go fact-check to make sure I am getting the truth), and even run a micro home business.

We know, of course, that we are giving up data to the social media host when we provide information to set up the account.

To use Facebook as a generic example (you can really use any social media platform for this discussion), it will only take a few minutes of scrolling in your ever-growing feed to find yourself participating in fun interactive memes and discussions.

Have you seen the memes that ask what the number one song was the year that you were born? Well, many of us are aware that one of the common security questions is “What was the first concert that you went to?” Oh, so many fall for that one every hour, even with the wise commenting that it is a security question… sigh. So I, and others who are like-minded, like populating the answers with smart-aleck responses to pollute the data that the scrapers are gathering.

For all intents and purposes, scammers can either post those memes to directly get the responses, or they can just pull data in from other people’s posts as long as they can read them. The data that they want? Well, it could be anything.

Here is where I take the discussion somewhere to help you learn something important, something that many do not consider. We will call it a value-add for your reading this far and actually caring.

Let’s suppose that instead of being a white hat (at least mostly white, or white by day and maybe some shades of gray after hours) cyber professional working for the betterment of humanity’s cybersecurity… I am a black hat who has relocated to a nation without an extradition treaty with the United States. Why would someone want to do that? Well, with black hat cyber skills it can be lucrative, and here is a possible option.

Set up a nice server room with a very comfy desk or recliner. Learn how to build databases. They are not hard to learn, but they do take forethought to build effectively enough to house enormous amounts of data.

At this moment it is very likely that your username and password have been compromised in some data breach in the past. (There are scam emails that rely on this data; I think I have described them in the past.) There are places on the web where you can find repositories of usernames and passwords that were stolen and posted for others to use. Sometimes they are free to download, and other times they are for sale.

If I take a few of the free collections, I can add them to my database (think of it as an Excel spreadsheet on steroids). Perhaps the file had email addresses and passwords. The low-hanging fruit would be to try to access the accounts, since so many people rarely change their passwords. If I can get in, I might download all of the email and examine it for other data such as your name, location, family members, pets… think of all that you have sent in emails. Each of those items gets added to the database.

Remember that the initial data gathered was free. Perhaps it COULD have been sold, but not for much. The price would be in cryptocurrency so that it is less trackable, or at least harder to track. Do not let people make you think that it cannot be tracked; that is movie madness. Maybe you started with 1000 email addresses and passwords.

So you started with 1000 usernames and passwords, and after a few hours of login attempts (or perhaps you used a testing script to complete the tests in fifteen minutes), you ended up with the passwords of 100 poor suckers who never change their password. To be very honest, I think that there will be more due to password reuse [link]. So now you have a new table with known-good email accounts.

When I was doing ISP tech support, I frequently heard “It is just dumb email; if someone wants to get my recipes or bad jokes from my family, they can have them.” Oh, my… what a treasure trove. A few paragraphs ago I mentioned the kind of data gathered from a live email account. So now your tables have linked the person’s name with the email address and, if there are signature blocks, perhaps street address, city, state, country, and phone number. If you wanted to sell that data, its value has gone up a little.

With all that email that you downloaded, you also identified family members. Those records get copied to another database, this one to use for trying to scam the user’s family members out of their money as they pay for bail, medical attention, or who knows what ploy they will use for their deception. Now I have two databases to sell.

Now I try to see if I can log into your social media accounts using those email addresses and passwords. Maybe I am able to get access to fifty of those one hundred? Why so many? Well, remember that they are already password reusers, so why expect that they will be better with their social media accounts?

Think of your social media account and how many friends you have there. More data to feed into the master database as being connected to the victim. I do some scrolling through the feed and I see that they identified their first job (clickety click into their records) and their first car was a ’79 Celica (clickety click into their records)… oh look, their profile shows that they graduated from Gullible State University in ’87. You guessed it (clickety click into their records). This person’s record keeps getting more added to it, and each added element makes it more valuable. I find more and more family, job history, favorite sports teams. Have you recognized how many security questions may be answered with this data? I may have enough gathered data to try logging into the victim’s bank account, or even open a line of credit; after all, I know the answers. If I can get into the bank account, think of the transactions I can make. I could buy cryptocurrency online and trade it back and forth through a myriad of wallets or other transactions to make it difficult to track it back.

Now that I have stolen the victim’s money, I can use it to purchase more equipment, or buy more ill-gotten data to add to my database, always seeking to build it for a better sale price. When you have thousands of live and accurate records with a ton of supporting information, that price tag keeps going up. Remember that when selling data, you sell it over and over. There is no physical inventory to run out of.

Maybe my database was only worth 20 bucks per copy since it was small, but with a little knuckle grease (remember, just typing, not actual elbow grease) I improved the data to be worth $500.00 per copy.

Remember that there was the second database for scams? I can use an AI voice tool to make convincing replicas of the victim’s loved ones if I can get a sample of their voice. Maybe I called them with a bogus survey to get that sample. Now I can call their mother, using that replicated voice to convince mom that I need bail money. Pick a scam; there are thousands of variations.

Since I have all of those email addresses stored from getting into those mailboxes, I can add them to a third database to use for phishing emails. Just spray those email addresses and any other email address that I can collect from the web. Someone running a phishing campaign generally only needs a 1% win rate to stay profitable. (Please, for all that you care about, watch for red flags and do not fall for these emails.) Does your employer have an email contact directory online? Perhaps an org chart that shows the person, their name, email, and maybe their desk phone? (clickety click into their records) Yes, more tables, with even more data. Those company-based records go into another database. They may be handy for other types of attacks: a surveillance phase, perhaps, to see if I can gain access to the corporate network to obtain yet more data. If I can get into the HR systems, will I find social security numbers nicely paired with all of the other employee data? Some days it can be too easy. Maybe I can access the networked printer in HR. Most modern printers are just computers that print. They have hard drives. Is your corporate printer also a scanner, perhaps used to scan driver licenses and social security cards to process an I-9 form for the IRS? Yeah, there is a hard drive that stores that data in the scanner/copier that might be nice for me to get into. Driver licenses… yep, you guessed it… (clickety click into their records) This data is getting quite valuable now.

With all of this data and being connected to family members… I wonder if I found any adult-oriented associations or proclivities during my hunting. [In my profession, I once stumbled onto an employee that I did not know personally soliciting prostitutes via his email.] Now, if the victim is not worried about intruders in their email box, this information could be used to blackmail them. How much would they pay to not have all these sordid details posted online? Or how much to prevent their significant other from getting a phone call? Just transfer a certain amount of cryptocurrency to me and I will delete your record. I won’t really delete the record, but I will mark it as used. I will still sell it to others for their use as they see fit.

It isn’t just the big companies that make a killing off of you playing on social media; it is criminals worldwide. This is one of the reasons that cyber professionals are well compensated. With what I understand and can do, I would be quite dangerous if I retired overseas. Instead, I am here teaching you how to protect yourself. It is where I get my reward, that and any ad clicks that happen in appreciation. Money is good, but as long as my family is housed, clothed, fed, and loved by our dogs… then I am happy.

If you came away with nothing but an understanding of how those silly meme games sneak valuable data out of you, then it is a positive step. Stop and think before you reveal personal information. It does not take much to turn it into Personally Identifiable Information.

Cybersecurity Policy

What is a cybersecurity policy for?

A cybersecurity policy is crucial for small businesses for the following reasons:

  1. Protecting Sensitive Data: Small businesses often handle sensitive customer information, such as personal and financial data. A cybersecurity policy helps establish guidelines and procedures to protect this information from unauthorized access, breaches, or theft.
  2. Preventing Data Loss: Data loss can occur due to various reasons, including hardware failure, natural disasters, or human error. A cybersecurity policy can include backup and recovery protocols to ensure critical data is regularly backed up and can be restored in case of a data loss incident.
  3. Mitigating Cyber Attacks: Small businesses are increasingly targeted by cybercriminals due to their potential vulnerabilities. A cybersecurity policy provides a framework to identify and address security risks, implement preventive measures, and respond effectively to cyber attacks, minimizing the potential impact on the business.
  4. Building Customer Trust: Demonstrating a commitment to cybersecurity through a well-defined policy helps build trust with customers. When customers perceive that their data is handled securely, they are more likely to engage in transactions and share sensitive information with the business.
  5. Compliance with Regulations: Depending on the industry and location, small businesses may be subject to various data protection and privacy regulations. A cybersecurity policy helps ensure compliance with these regulations, avoiding legal repercussions and potential fines.
  6. Employee Awareness and Training: A cybersecurity policy educates employees about their roles and responsibilities in maintaining a secure work environment. It outlines best practices, such as strong password management, email security, and safe browsing habits. Regular training and awareness programs can significantly reduce the risk of human error and inadvertent security breaches.
  7. Safeguarding Business Continuity: A cybersecurity incident can disrupt business operations, leading to financial loss and reputational damage. A well-designed policy includes disaster recovery and incident response plans to minimize downtime, recover from disruptions efficiently, and restore normal operations as quickly as possible.
  8. Vendor and Third-Party Risk Management: Small businesses often collaborate with vendors and third-party service providers, introducing additional security risks. A cybersecurity policy establishes criteria for evaluating the security posture of vendors and outlines expectations for protecting shared data, ensuring that external partners maintain adequate security measures.

Overall, a cybersecurity policy acts as a proactive measure to mitigate risks, protect sensitive information, and ensure the long-term sustainability and growth of a small business in today’s digital landscape.

SANS Security Policy Templates

For those in the cybersecurity industry, we all know the name SANS. They provide excellent (but quite spendy) training. I have been fortunate enough to attend one of their courses and will take more in the future due to my day job.

SANS is a great resource, and for today’s subject we are talking about security policy.

Below is a collection of free-use documents that SANS makes available to organizations. Look at the collection and see if any may help you build the strength of your organization. They have a robust community, and the information that they provide is worthwhile.

General Policy Files:

https://www.sans.org/information-security-policy/

Acceptable Use Policy:

https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt207beda4b7c14d22/636f1a30e3836b0c88e8f0a8/Acceptable_Use_Policy.pdf

Password Policy:

https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt12766e4f951b7c37/636f1a30cfdbc24307bfdf58/Password_Construction_Guidelines.pdf

Password Protection Policy:

https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/bltf5d5757503e36442/636f1a316bafb12e165da155/Password_Protection_Policy.pdf

Email Policy:

https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt415f915b2568ef8c/5e9ddd2ecb84e463e2ebda15/email_policy.pdf

Ethics Policy: (this one is retired but has worthy sections to review and possibly implement)

https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt1f2c50b2ba1b1a50/5e9ddda145a2a97194a1da4d/ethics_policy.pdf

Depending on the input I get on this post, it may continue to evolve.