Friday, November 8, 2024
Custom Text
Home NEWS Watch out! Criminals scrape, sell personal data on social media

Watch out! Criminals scrape, sell personal data on social media

-

Watch out! Your fingers may put you in the hands of cybercrooks

By Jeph Ajobaju, Chief Copy Editor

Smart devices have revolutionised communication, presenting on a finger tip instant access to personal interaction with individuals and impersonal engagement with a universal audience.

Using smart phones and their cohorts also comes with risks of exposing personal data that can be harvested through cyber spying by the government to curtail freedom or by criminals who scrape, steal, and sell data; use it to blackmail; or extort ransom.

- Advertisement -

The world is now learning more about Pegasus, a spyware developed by NSO Group, an Israeli firm.

The spyware, developed a decade ago with the help of Israeli ex-cyberspies, easily circumvents typical smartphone privacy measures, “like strong passwords and encryption,” according to investigation by 17 international media outlets, including The Washington Post.

Pegasus can “attack phones without any warning to users” and “read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts.

“Spyware also can activate cameras and microphones for real-time surveillance.”

Pegasus can initiate the attack in a number of different ways, including through “a malicious link in an SMS text message or an iMessage.”

- Advertisement -

Some spyware companies use “zero-click” attacks which deliver spyware simply by sending a message to a user’s phone that produces no notification.” “Users ” of such attacks “do not even need to touch their phones for infections to begin.”

__________________________________________________________________

Related articles:

SERAP sues Buhari over his plan to spy on social media

Countries acquire Pegasus to spy on activists. Nigeria in on the act

Google alerts 2.65b Chrome users about hacking. Apple scrambles to block iPhone spyware

UK police underscore links between terror and tech. Zamfara, Katsina pick up the gauntlet

__________________________________________________________________

Data out in the public domain

Hackers can also steal personal data by other means, says the BBC in a report published below:

How much personal information do you share on your social media profile pages?

Name, location, age, job role, marital status, headshot? The amount of information people are comfortable with posting online varies.

But most people accept that whatever we put on our public profile page is out in the public domain.

So, how would you feel if all your information was catalogued by a hacker and put into a monster spreadsheet with millions of entries, to be sold online to the highest paying cyber-criminal?

That’s what a hacker calling himself Tom Liner did in June “for fun” when he compiled a database of 700 million LinkedIn users from all over the world, which he is selling for around $5,000 (£3,600; €4,200).

The incident, and other similar cases of social media scraping, have sparked a fierce debate about whether or not the basic personal information we share publicly on our profiles should be better protected.

In the case of Liner, his latest exploit was announced at 08:57 BST (British Summer Time) in a post on a notorious hacking forum.

It was a strangely civilised hour for hackers, but of course we have no idea which time zone, the hacker who calls himself Tom Liner, lives in.

“Hi, I have 700 million 2021 LinkedIn records”, he wrote.

Included in the post was a link to a sample of a million records and an invite for other hackers to contact him privately and make him offers for his database.

Understandably the sale caused a stir in the hacking world and Tom tells the BBC he is selling his haul to “multiple” happy customers for around $5,000 (£3,600; €4,200).

He won’t say who his customers are, or why they would want this information, but he says the data is likely being used for further malicious hacking campaigns.

The news has also set the cyber-security and privacy world alight with arguments about whether or not we should be worried about this growing trend of mega scrapes.

Taking freely available information

What’s important to understand here is that these databases aren’t being created by breaking into the servers or websites of social networks.

They are largely constructed by scraping the public-facing surface of platforms using automatic programmes to take whatever information is freely available about users.

In theory, most of the data being compiled could be found by simply picking through individual social media profile pages one-by-one. Although of course it would take multiple lifetimes to gather as much data together, as the hackers are able to do.

So far this year, there have been at least three other major “scraping” incidents.

In April, a hacker sold another database of around 500 million records scraped from LinkedIn.

In the same week another hacker posted a database of scraped information from 1.3 million Clubhouse profiles on a forum for free.

Also in April, 533 million Facebook user details were compiled from a mixture of old and new scraping before being given away on a hacking forum with a request for donations.

The hacker who says he is responsible for that Facebook database, calls himself Tom Liner.

The BBC spoke with Tom over three weeks on Telegram messages, a cloud-based instant messenger app. Some messages and even missed calls were made in the middle of the night, and others during working hours so there was no clue as to his location.

The only clues to his normal life were when he said he couldn’t talk on the phone as his wife was sleeping and that he had a daytime job and hacking was his “hobby”.

API as back door

Tom told the BBC he created the 700 million LinkedIn database using “almost the exact same technique” that he used to create the Facebook list.

“It took me several months to do,” he said. It was very complex. I had to hack the API of LinkedIn. If you do too many requests for user data in one time then the system will permanently ban you.”

API stands for application programming interface and most social networks sell API partnerships, which enable other companies to access their data, perhaps for marketing purposes or for building apps.

Tom says he found a way to trick the LinkedIn API software into giving him the huge tranche of records without setting off alarms.

Privacy Shark, which first discovered the sale of the database, examined the free sample and found it included full names, email addresses, gender, phone numbers and industry information.

LinkedIn insists that Tom Liner did not use their API but confirmed that the dataset “includes information scraped from LinkedIn, as well as information obtained from other sources.

“This was not a LinkedIn data breach and no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.”

In response to its April data scare Facebook also brushed off the incident as an old scrape. The press office team even accidentally revealed to a reporter that their strategy is to “frame data scraping as a broad industry issue and normalise the fact that this activity happens regularly”.

However, the fact that hackers are making money from these databases is worrying some experts on cyber security.

The chief executive and founder of SOS Intelligence, a company which provides firms with threat intelligence, Amir Hadžipašić, sweeps hacker forums on the dark web day and night.

As soon as news of the 700 million LinkedIn database spread he and his team began analysing the data.

Hadžipašić says the details in this, and other mass-scraping events, are not what most people would expect to be available in the public domain. He thinks API programmes, which give more information about users than the general public can see, should be more tightly controlled.

“Large-scale leaks like this are concerning, given the intricate detail, in some cases, of this information – such as geographic locations or private mobile and email addresses.

“To most people it will come as a surprise that there’s so much information held by these API enrichment services.

“This information in the wrong hands could be significantly impacting for some,” he said.

Tom Liner says he knows his database is likely to be used for malicious attacks.

He says it does “bother him” but would not say why he still continues to carry out scraping operations.

Hadžipašić, who is based in southern England, says hackers who are buying the LinkedIn data could use it to launch targeted hacking campaigns on high-level targets, like company bosses for example.

He also said there is value in the sheer number of active emails in the database that can be used to send out mass email phishing campaigns.

Need to improve API programmes

But cyber-security expert Troy Hunt, who spends most of his working life poring over the contents of hacked databases for his website haveibeenpwned.com, is less concerned about the recent scraping incidents and says we need to accept them as part of our public profile-sharing.

“These are definitely not breaches, there’s no ambiguity here. Most of this data is public anyway.

“The question to ask, in each case though, is how much of this information is by user choice publicly accessible and how much is not expected to be publicly accessible.”

Troy agrees with Amir that controls on social network’s API programmes need to be improved and says we can’t brush off these incidents.

“I don’t disagree with the stance of Facebook and others but I feel that the response of ‘this isn’t a problem’ is, whilst possibly technically accurate, missing the sentiment of how valuable this user data is and their perhaps downplaying their own roles in the creation of these databases.”

Liner’s actions would be likely to get him sued by social networks for intellectual property theft or copyright infringement.

He probably wouldn’t face the full force of the law for his actions if he were ever found but, when asked if he was worried about getting arrested he said “no, anyone can’t find me” and ended our conversation by saying “have a nice time”.

Must Read

No law prohibits prosecution of minors in Nigeria, says Fagbemi

0
No law prohibits prosecution of minors in Nigeria, says Fagbemi By Jeffrey Agbo Attorney-General of the...