Having encountered several friends and associates who have suffered, what seemed to be sustained Phishing Campaigns I decided to invest some time and bated-responses to set up a little research experiment to prove, or disprove a suspected theory – but for me, theories are only proven when they are put to the test, so I set the stage.
All of those who I had spoken to, all had two factors in common, one of which was each one of them in a very small window of time had received multiple Phishing, Vishing communications with a hooked bait topic, ranging from offers, locked Paypal Accounts, Apple ID update, through to Amazon Tracking emails and unexpected files shared through Dropbox – all of which were fake, and sent by spammers within a period of just 5 days. The second common area was, without exception, each of my samples had completed an online document, providing the attacker with multiple pieces of information – e.g. Telephone number, email address etc!
Below are some examples of the Spams which were received:
So to set the research ball rolling, I followed their actions on one of the danger-sites which seemed to have initiated a campaign – and as if by magic, the same conditions were replicated, and the phishing stared to pour into the email box, cell phones and by text – exactly the same condition that had been encountered by those who had shared their adverse experiences with me.
My conclusions here are somewhat obvious, born out of my first-hand encounter with what I call Long-Cast Phishing:
- Where information is shared with a criminal entity (Hacker of otherwise) there is a high probability it will be subject to further abuse
- Where multiple elements of information are exposed to a criminal entity. For example, email address, cell phone etc – expect each one of these elements to be potentially abused in their own channel of communication
- When sensitive contact information is harvested by a criminal entity, such data assets have a value, so one may expect them to be shared on the Darkweb – Personal Information, or Credit Card information which has been supplied with the required details to transact a Card-Not Present opportunity is valuable and holds a resale value
Putting the above considerations and conclusions into a real-world 2018 context, focuses the mind on the recent discoveries of security breaches the like of which has been observed at BA. The abuse of any valuable data assets will not necessarily be subject to immediate use – they may sit in the potential attackers’ hands until they are ready for exploitation to their own criminal advantage. However, one thing is for sure here, the dangers of encountering a Long Cast Phishing Campaign are common and active, and no matter the type of user, they must be served with Security Education and Awareness to underpin their own personal Cyber-Security.