When you use the Internet, you leave behind a data trail, a set of digital footprints. These include your social media activities, web browsing behavior, health information, travel habits, location maps, mobile device usage information, photos, audio and video. This data is collected, aggregated, stored, and analyzed by various organizations, from large social media companies to app makers to data brokers. As you can imagine, your digital footprints put your privacy at risk, but they also affect cybersecurity.
As a cybersecurity researcher, I monitor the threat posed by digital footprints to cybersecurity. Hackers can use personal information gathered online to find answers to security questions such as “in what city did you meet your spouse?” or to refine phishing attacks by impersonating a colleague or work associate. When phishing attacks are successful, they give attackers access to networks and systems that victims are authorized to use.
Follow footprints to better bait
Phishing attacks have doubled since the start of 2020. The success of a phishing attack depends on how authentic the message content appears to the recipient. All phishing attacks require certain information about the targeted people, and this information can be obtained from their digital footprints.
Hackers can use freely available open source intelligence gathering tools to uncover the digital footprints of their targets. An attacker can mine a target’s digital footprints, which can include audio and video, to extract information such as contacts, relationships, occupation, career, likes, dislikes, interests, hobbies, travel and frequented places.
They can then use this information to create phishing messages that look more like legitimate messages from a trusted source. The attacker can send these personalized messages, spear phishing emails, to the victim, or pose as the victim and target the victim’s colleagues, friends and family. Spear phishing attacks can fool even those who are trained to recognize phishing attacks.
One of the most successful forms of phishing attacks has been business email compromise attacks. In these attacks, attackers impersonate people with legitimate business relationships – colleagues, suppliers and customers – to initiate fraudulent financial transactions.
A good example is the attack on Ubiquiti Networks Inc. in 2015. The attacker sent emails, which appeared to be from senior executives, to employees. The emails instructed employees to make electronic transfers, resulting in fraudulent transfers of $46.7 million.
Access to the computer of a victim of a phishing attack may allow the attacker to gain access to the networks and systems of the victim’s employer and customers. For example, one of the employees of retailer Target’s HVAC supplier was the victim of a phishing attack. The attackers used his workstation to gain access to Target’s internal network and then to their payment network. The attackers took the opportunity to infect point-of-sale systems used by Target and steal data on 70 million credit cards.
A big problem and what to do about it
IT security firm Trend Micro found that 91% of attacks in which attackers gained undetected access to networks and used that access over time started with phishing messages. Verizon’s Data Breach Investigations Report found that 25% of all data breach incidents involved phishing.
Given the significant role phishing plays in cyberattacks, I think it’s important for organizations to educate their employees and members about managing their digital footprint. This training should cover how to find the extent of your digital footprint, how to browse safely, and how to use social media responsibly.
This article by Ravi Sen, Associate Professor of Information and Operations Management, Texas A&M University, is republished from The Conversation under a Creative Commons license. Read the original article.