Friday, October 20, 2023

Helping attackers collect your personal information: spearphishing and imgur

Since this is cybersecurity month, let's talk about one of the sure ways to help malicious people attack you or steal your identity. Of course, we are talking about companies which nudge people to place their personal information in public. In today's example, we will focus on imgur. It is not that bad of a website if you take the usual precautions with your images and what you post on it. Worried the bad guys will need to put in some effort, its creators offer a "Cake Day":

For those who are not able to see the image (do not consider yourselves unlucky), here is the excerpt from that email I would like you to focus on (boldface is mine):

It is customary to celebrate your Cake Day (that's your account’s creation day) by sharing something excellent with the Imgur community. Perhaps a favorite GIF, a great personal story, a meme, or some interesting information would do? Head on over to Imgur to create a new post.

"What is so bad about that?" you may ask if you skipped the first paragraph in this post. Well, let's start with a phishing attack: while most of them are half-hearted attempts to con users with badly written emails laden with links to unscrupulous websites or malware-filled attachments, the better ones are more carefully crafted and aimed at specific people. For these to work, they need to have as much information on their targets as possible. So, knowing the personal stories and interesting information requested by imgur helps with this information gathering step.

Note that this is technically not a GDPR violation: it seems (I am not going to ask the person to click on the imgur tracking link just to get more info for this blog entry) that you have to go through the effort of entering the information yourself, and that you are not required to enter it to continue. In a future post we will show examples where that is not the case.