image of breaking badness
Breaking Badness
Breaking Badness

149. You Data Broker My Heart

Coming up this week on Breaking Badness. Teach a Man to Phish, …And How Does That Make You Feel?, and Two Truths and a Lie.

Here are a few highlights from each article we discussed:

Teach a Man to Phish

  • We all know what phishing is at this point, but today we’ll talk about the accessibility of the practice and the rise of subscription models known as “Phishing as a Service”
  • How prevalent is phishing as a service at this point in time?
    • This has been prevalent for a while – really well-crafted phishing kits targeting financial institutions, FedEx, etc. to land on credential harvesting, account draining, and so are out there
    • Instead of every group rewriting these things themselves, you have people scaling their own industry – it’s like the mechanization of the phishing attack chain where you have these replicable parts that are made and resold across forums 
    • CyberArc received an SMS phish that was targeting an Israeli credit card company
      • They got an Owly link saying they needed to update payment information for security reasons 
      • It looked like it was coming from the company and that shortened link, taking victims to the phishing server
      • It was a billing page and looked like how you would expect it to look and at the end, they got dumped out to a normal website
      • When they looked at the server, they found a directory listing on the server and were able to expose that
        • They noticed a file in that and saw who was subscribed to the Telegram bot and were able to see all the content of the channel without needing an invite – how and where to buy phishing kits, folks chatting about the next campaign they would work on, and more 
  • Knowing this information, could threat hunters create their own phishing kits to fight bad actors at scale?
    • We would like to see that :) 
    • During our Predictions webinar, we did speculate that in light of layoffs in the industry, more people would be interested in taking a try at cybercrime, which we hope doesn’t come true
  • Is there any downside of sharing this information? Does it make the adversary get smarter?
    • We don’t think so 
    • This stuff does make it pretty “plug and play” 
    • No one is registering domains in this instance. The barrier to entry is at an all time low 
  • We talk about mitigation for phishing attacks a lot, and one of the notes is that it’s easy to spot phishing given the attacker usually doesn’t speak the same language as the victim. But will we see improvements on phishing given the rise of ChatGPT?
    • You could see ChatGPT handle the social engineering at scale 
    • We’re not sure at this point if the language aspect will be improved upon at this time using that tool necessarily

…And How Does That Make You Feel?

  • A Duke University report found 11 data brokers agreed to sell information that identified people by issues, including depression, anxiety and bipolar disorder, and often sorted them by demographic information
  • We talk about protecting our financial information, medical information and more, but we sometimes forget about our mental health data. How is this information dispersed?
    • First, we want to make it clear that anyone is alleging that protected health information is being leaked illegally or inappropriately 
    • However, there are many opportunities where this information can be collected and is collected that is not covered by things like HIPAA (Health Insurance Portability and Accountability Act of 1996)
      • That largely takes care of protecting health information in certain settings (“certain” being the key word) 
      • There is something called a “covered entity” – then that is protected information and there are pretty serious fines and ramifications of breaching that)
      • But now, there are many healthcare-adjacent cottage industries that are not covered entities and therefore the data you give them voluntarily can be shared with third parties such as data brokers 
  • This is an important topic to us because the information you share with a mental health professional is deeply personal and if this information is aggregated and shared with data brokers, it’s a huge problem and potentially cause more distrust in the industry than already existing distrust those have for cultural reasons
  • Some data is sold at a very low cost, so what exactly is the point of selling data for 5,000 people at $275? Is there a profit there?
    • For data brokers, it’s all about scale
    • 5,000 is nothing – 5 million is a different story 
    • You might say, “who cares who’s clinically depressed?”
      • You can be marketed to in quite insidious ways 
      • The information data brokers hold on us, we have no way to access it or request changes
        • There are no regulations for brokers in virtually all states
        • There are some where it’s slightly easier, but by and large you have no way to know what information they have and no way to correct any inaccurate information, and most people don’t realize that’s the case 
      • Insurance companies are free to pull information from data brokers
        • You might get charged higher rates if it seems like you’re a higher risk for certain things, and you won’t know why
        • As a result of this practice, there are those who perhaps would like to improve their mental health and get the assistance they need (be that with therapy or medication), but may not take the appropriate actions due to understanding that their information may be used against them in certain situations relating to work
  • A lot of companies do offer free mental health services to their employees (for example, 10 free sessions with a counselor, or something of the like), but should employees be leery of those services?
    • It’s a whole other can of worms
    • During the pandemic when things shut down and in-person sessions weren’t available, video conferencing became on the rise and emergency authorization was given to be in compliance
      • Then you have the mental health apps, where you may not be dealing with a licensed professional
        • Now you’re feeding your problems to this app and that information is saved on the backend 
        • Did you agree to have that information shared? It’s tricky and can be shady 
        • We’re not saying no one should use an app, but what we are saying is it is necessary to be a good consumer and do your research before feeding information to the app because of the unintended consequences of your data being shared with third parties 
  • What can people do to protect themselves if they’ve been using apps or seeking mental healthcare?
    • If you’re using apps, take the time to read through the privacy policy, as dry as it may be because that will give you the information on how your data will be shared and if you don’t like what you see, it may be time to change apps
    • If you’re seeing a licensed professional, there are lower qualms that that information will be used maliciously because mental health professionals’ licenses depend on following privacy laws 
    • In schools, there are mental health crises and the immediate knee jerk reaction is “there should be an app for that”
      • In theory it sounds good, but these portals are operated by third parties 
      • Who’s doing the review on them? 
      • Who’s handling the potential breaches? 
      • And there have been breaches with school data relating to students’ mental health

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard

This Week’s Hoodie/Goodie Scale

Teach a Man to Phish

[Taylor]: 3.5/10 Hoodies
[Daniel]: 3.5/10 Hoodies

…And How Does That Make You Feel?

[Taylor]: 6/10 Hoodies
[Daniel]: 6.5/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!