Friday, January 22, 2010

How Blippy Will Give Crooks and Phishers Info to Attack You

Cyveillance, a most-excellent cyber intelligence blog, has an informative write-up on Blippy, a newly-launched service that allows users to post their financial transactions to the web in a Twitter-esque manner.

Yeah. And putting your credit card purchases online for the world to see, while a terrible idea, isn't the worst part of this. Not by a long shot.

Example (screenshot of a Blippy transaction post; image not reproduced here):
Not sure why the world needs to know that Jason bought a SanDisk card at Amazon, but I'm old and just want the kids to get off of my lawn.

Cyveillance points out the wealth of good data available to evildoers:

We find:

    * a user’s name
    * the name of a business with whom they had a financial transaction
    * how much they spent
    * for certain retailers, what they bought

And then they speculate on the following scenario:

From a cyber criminal’s point of view, Blippy currently offers great information to construct a highly targeted spear phishing attack. After examining the types of purchases Blippy shows for Best Buy, consider the spear phishing attack one could construct for a hypothetical Blippy user named Johann Gonzales:

Dear Johann Gonzales,

Thank you for your recent purchase of $52.99 at Best Buy. To receive credit for your purchase in our Best Buy Reward Zone program and receive valuable discounts on future purchases, click here…

Putting together such an email would require software to “scrape” information from Blippy that it would then use to send to an array of likely email addresses for Johann Gonzales, like jgonzales@gmail.com, jgonzales@hotmail.com, johanngonzales@gmail.com, johanngonzales@hotmail.com, and so on. Given that software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing, for the sake of Blippy’s users, Blippy must plan ahead as if they are.

What could possibly go wrong?

Dear Blippy - I think I'll keep my purchases to myself, as much as that's possible given our global data-sharing practices, but thanks for asking.

Now get off my lawn.
