Black Hat USA 2021: Who will sell my data to spammers?


Dr. Alan Michaels and Kiernan George from the Virginia Polytechnic Institute worked with students to investigate whether organizations pass on the personal data entrusted to them to third parties. The question is an obvious one for internet users, who keep receiving new spam emails and calls.

The experiment setup (PDF file) comprised 300 fake identities, each with its own email address, postal address, profile photo (for social media accounts) and, in some cases, a political orientation. Half of these identities, created in summer 2020, were also equipped with a virtual US telephone number. With each identity the students then carried out a single action at one of 185 organizations: creating a user account, subscribing to a newsletter, shopping online and so on.

The organizations were mainly US companies such as Amazon, Apple, Facebook, Netflix and Pinterest, but also political organizations such as the Republican Party and international companies such as Alibaba or Xing. According to Kiernan George, Facebook in particular proved very good at detecting fake accounts: the platform blocked six of the fake accounts immediately after they were set up, and two more were gone a week later.

After completing the transaction, the researchers passively collected all incoming communication: emails, SMS and voice messages. The result: around 16,500 emails arrived in the 300 mailboxes. The US television broadcaster Fox News alone was responsible for 2,300 of these messages; on the day of the US presidential election, Fox News sent an email every 30 minutes on average. A total of 278 messages went to the account registered with the Communist Party of the USA, and Apple sent 240 emails. According to the researchers, the volume decreased from week to week, probably because the recipients never interacted with the messages.


The top 10 email senders also include two non-US companies, Le Figaro and Kaufhof owner Hudson’s Bay.

(Image: Virginia Polytechnic Institute and State University)

Of the roughly 1,000 messages evaluated on the voice mailboxes, 250 attempted to sell unwanted products and a good 150 fell into the attempted-fraud category. At the time of the presentation, it was not yet clear whether individual emails were also malicious, i.e. whether they carried malware or linked to phishing sites.

Of the 300 accounts, only ten were affected by data transfer. This means that virtually all organizations played by the rules and did not pass personal data on to third parties without asking, a result that, by their own admission, surprised the researchers. The exceptions included the Communist Party of the USA, which passed contact details to two affiliated groups, and B-Stock, a kind of online clearance outlet, which passed data on to Etsy. According to the experiment, anyone who registers with the Japanese recipe service Cookpad will receive advertising emails from the online dating platform Badoo.
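The attribution logic behind the setup described above (one fake identity per organization, then watching who writes to it) can be reproduced in a few lines. The following is an added example, not code from the researchers' GitHub repository; the registration table and the inbound messages are constructed sample data, and the domains are assumed for illustration.

```python
from collections import Counter, defaultdict
from email.utils import parseaddr

# Constructed registrations: each fake mailbox was used with exactly one
# organization, so mail from an unrelated sender domain indicates a transfer.
REGISTRATIONS = {
    "id001@example.test": "cookpad.com",
    "id002@example.test": "bstock.com",
    "id003@example.test": "foxnews.com",
}

# Constructed inbound message log: (recipient mailbox, From header, subject).
MESSAGES = [
    ("id001@example.test", "Cookpad <news@cookpad.com>", "New recipes"),
    ("id001@example.test", "Badoo <hello@mail.badoo.com>", "Someone likes you"),
    ("id002@example.test", "B-Stock <deals@bstock.com>", "Auction ending"),
    ("id002@example.test", "Etsy <noreply@etsy.com>", "Welcome to Etsy"),
    ("id003@example.test", "Fox News <alerts@foxnews.com>", "Election update"),
    ("id003@example.test", "Fox News <alerts@foxnews.com>", "Election update"),
]

def sender_domain(from_header):
    """Return the lower-cased domain part of a From header."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()

def same_org(domain, registered):
    """True if domain equals the registered domain or is one of its subdomains."""
    return domain == registered or domain.endswith("." + registered)

def find_transfers(registrations, messages):
    """Map each mailbox to the set of unexpected sender domains (suspected transfers)."""
    transfers = defaultdict(set)
    for rcpt, from_header, _ in messages:
        registered = registrations.get(rcpt)
        if registered is None:
            continue  # mail to a mailbox outside the experiment
        domain = sender_domain(from_header)
        if not same_org(domain, registered):
            transfers[rcpt].add(domain)
    return dict(transfers)

def volume_by_sender(messages):
    """Count messages per sender domain, e.g. to rank the most active senders."""
    return Counter(sender_domain(h) for _, h, _ in messages)
```

A flagged domain only proves that the address left the organization it was given to; whether the recipient is an affiliate (as with the party's linked groups) or an unrelated buyer still needs manual review.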

The researchers also analyzed which emotional states the received emails appealed to. While an anti-firearms lobby group played on fear, eHarmony and IMDb relied on positive language.

(Image: Virginia Polytechnic Institute and State University)

Twitter and TikTok turned out to be politically active: according to the researchers, the two social media platforms evaluated cookies and passed on user data relevant to the two major US parties, to the Republicans (Twitter) and the Democrats (TikTok).

The researchers have published all raw data on GitHub. To obtain more meaningful results in the future, the research group plans to roll out an even larger test set-up in the coming year: up to 100,000 fake identities, which will then also be able to react to the messages they receive.
