In the fast-moving, ever-developing sphere of data usage, new concepts are popping up left and right, some for better, some for worse.
Here is a handy run down of some common concepts you might come up against.
MALVERTISING is a malicious cyber tactic that incorporates malware into legitimate online advertisements.
MALVERTISING attacks happen when cybercriminals introduce malicious ads into online advertising networks. The malicious ads then appear on popular and trusted websites and either redirect victims to corrupted webpages or install malware directly on their computers.
ZUCKERING occurs when website users are tricked into publicly sharing more information about themselves than they really intend to. By having complex and often obscure T&Cs and Privacy Notices, users get “zuckered”.
How can a Social Network Service Provider be transparent about its processing of personal data?
By providing…
A Honeypot is used as a trap to gather information about malware & detect attacks by hackers by mimicking real computer systems. Once the hackers are in, they can be tracked, and their behaviour assessed for clues on how to make a real network secure.
The intent is the same, but spear-phishing is much more customised for victims.
Spear-phishing is a type of phishing that targets individuals. It favours quality, meaning attempting to attack a specific victim with a personalised message.
Phishing is a broad term that covers any type of cyber attack that tries to fool a victim into taking some action. Phishing favours quantity, meaning attempting to obtain many victims at once with generic messaging.
Then there is whaling, a type of spear-phishing that targets high-ranking victims within a company.
Spear-phishers often prey on their victims via targeted emails, social media, direct messaging apps, and other online platforms. And the strength of these cyberattacks is that they’re tailor-made for victims and grounded in quality over quantity. That’s because spear phishers do a great deal of reconnaissance, meaning research or homework, to be able to pull off a disguise of a trustworthy source.
Protect yourself from spear-phishing
Help avoid falling victim to spear phishing with these helpful tips, beginning with exercising caution with all your online activities.
Though a spear phishing email looks generally like a regular email from a friend or business, there are several ways to mark it as something more sinister.
Spear phishers can usually mimic the name of a person or organization you get emails from regularly but might be unable to perfectly mimic their tone. If you think an email might be suspicious, check the sender’s email address — typically, there will be subtle changes, such as the letter “o” replaced with a “0.”
If an email includes a hyperlink, a quick way to check its legitimacy is to hover over the URL. Once your mouse hovers over the link, the full URL that is being linked to will appear. If it seems suspicious, don’t click it.
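The two manual checks just described, comparing the sender's domain against the ones you normally receive mail from and looking at where a link really points, can also be automated. The following is an added example and is not code from the original article; the trusted-domain list, the look-alike character table and the sample message are all constructed assumptions for the demonstration.

```python
# Added example (not from the original article): automate the two spear-phishing
# checks described in the text, run against a constructed sample email.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the reader's own allow-list of domains they legitimately get mail from.
TRUSTED_DOMAINS = {"example-bank.com", "payroll.example.org"}

# Digits commonly swapped in for look-alike letters; the article's own case is "o" -> "0".
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def sender_domain(address: str) -> str:
    """Extract the domain part of 'Display Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].lower().strip("> ")


def lookalike_of_trusted(address: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this sender imitates, or None if it is genuine or unrelated."""
    domain = sender_domain(address)
    if domain in trusted:
        return None                      # exact match: nothing suspicious about the domain itself
    folded = domain.translate(LOOKALIKES)
    for t in trusted:
        if folded == t.translate(LOOKALIKES):  # identical once look-alike characters are folded
            return t
    return None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def misleading_links(html: str):
    """Links whose visible text names one host while the real target (what hovering
    reveals) is a different host. Returns a list of (visible text, real host)."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if not shown:
            continue                     # plain words like "our help page" carry no host claim
        shown_host = shown.group(1).lower()
        if real_host != shown_host and not real_host.endswith("." + shown_host):
            findings.append((text, real_host))
    return findings


def triage(sender: str, html: str) -> dict:
    """Run both checks and report what a reader should look at more closely."""
    return {
        "lookalike_sender": lookalike_of_trusted(sender),
        "misleading_links": misleading_links(html),
    }


# Constructed sample message: the sender domain swaps "l" for "1" and the first link
# shows the bank's address as text while pointing somewhere else.
SAMPLE_FROM = "IT Helpdesk <helpdesk@examp1e-bank.com>"
SAMPLE_BODY = (
    '<p>Please verify your account at '
    '<a href="http://login.evil.example/reset">https://example-bank.com/login</a></p>'
    '<p>Questions? <a href="https://example-bank.com/help">our help page</a></p>'
)

if __name__ == "__main__":
    print(triage(SAMPLE_FROM, SAMPLE_BODY))
```

The look-alike check only folds digit-for-letter substitutions, so it flags the article's "o" for "0" case and similar ones but not every homoglyph trick; the link check flags only anchors whose visible text itself looks like a URL or host name, which is exactly the case where hovering exposes the mismatch.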
In addition, recognize you needn’t click on a link you didn’t ask for. Instead, go directly to a website to find a link yourself.
Spear-phishing emails are sent under the guise of a friend or a trusted person. If you think it’s odd that a friend would be emailing you to ask for your password or username, use another form of communication like a phone call, text, or face-to-face conversation to ask your trusted source if the ask is legit. Keep in mind, you shouldn’t share passwords or usernames.
Beyond considering antivirus software that can flag phishing attempts, be sure this software and your devices’ operating systems are up to date. When your applications are up to date, it’ll make it harder for a spear-phisher to get through since updates often patch security holes.
It’s important to protect your data and a company’s data. Recognising the characteristics of spear phishing can help:
And if you think an email seems suspicious, trust your gut and investigate it further. In addition, mark the message as spam to avoid being contacted again and set your spam filters to a high protection level.
It can be easy to get duped by spear phishing attacks. If you do click on a phishing link in an email or download a suspicious attachment, here’s what to do next:
Clickjacking is an attack that tricks a website user into performing unwanted actions on the website. It works by layering the target website in an invisible frame on a malicious website. When the user thinks they are clicking a button on the attacked web page, in reality they click something on a completely different website.
A way to prevent Clickjacking attacks is to block other websites from framing your website.
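Blocking other sites from framing yours is done with two response headers: the legacy X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, which modern browsers prefer when both are present. The following is an added example, not code from the original article: a minimal WSGI application that sends both headers, plus a small evaluator that applies a frame-ancestors policy the way a browser would (simplified to exact-origin matching), so the effect of each setting can be checked offline. The allowed-origin list is an assumption for the demonstration.

```python
# Added example (not from the original article): defend against clickjacking by
# refusing to be framed, and evaluate the resulting policy like a browser would.
from wsgiref.simple_server import make_server

# Assumption: by default no other origin may frame the page. A site that must be
# embedded by its own intranet would list that origin here, e.g. ("https://intranet.example",).
ALLOWED_FRAMERS = ()


def anti_framing_headers(allowed_origins=ALLOWED_FRAMERS):
    """Headers that tell the browser which origins, if any, may frame this page."""
    sources = ["'self'"] + list(allowed_origins)
    return [
        # Legacy header; older browsers understand only this one.
        ("X-Frame-Options", "SAMEORIGIN"),
        # Modern control; takes precedence over X-Frame-Options when both are present.
        ("Content-Security-Policy", "frame-ancestors " + " ".join(sources)),
    ]


def framing_allowed(csp_value: str, page_origin: str, framer_origin: str) -> bool:
    """Simplified browser logic for frame-ancestors: 'none' blocks everything,
    'self' allows the page's own origin, anything else must be listed exactly."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = parts[1:]
        if "'none'" in sources:
            return False
        if "'self'" in sources and framer_origin == page_origin:
            return True
        return framer_origin in sources
    return True  # no frame-ancestors directive: CSP does not restrict framing


def app(environ, start_response):
    """A page with a sensitive button, served with the anti-framing headers attached."""
    headers = [("Content-Type", "text/html; charset=utf-8")] + anti_framing_headers()
    start_response("200 OK", headers)
    return [b"<html><body><button>Transfer funds</button></body></html>"]


if __name__ == "__main__":
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("Serving on http://127.0.0.1:8000/ (Ctrl-C to stop)")
        httpd.serve_forever()
```

With the default setting a page at https://bank.example can be framed only by https://bank.example itself; a page served with frame-ancestors 'none' cannot be framed at all, including by its own origin, which is the stricter choice for pages that are never legitimately embedded.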
Roach Motel is a ‘dark pattern’ that provides an easy or straightforward path to get in but a difficult path to get out. An example of this is when a subscriber finds it difficult or impossible to unsubscribe from a mailing list or service that was initially easy to sign up for.
This practice is in breach of the GDPR principle of ‘lawfulness, fairness and transparency’. Furthermore, one of the conditions of consent under the GDPR is that consent should be as easy to withdraw as to give.
This term was coined from the American brand of roach bait called ‘Roach Motel’; the product contains a special lure that attracts roaches into the trap. Once inside, pests become stuck in powerful glue and die.
An eavesdropping attack, also known as a ‘sniffing’ or ‘snooping’ attack, is the theft of information as it is transmitted over a network by a computer, smartphone, IoT or other connected device.
The attack takes advantage of unsecured network communications to access data as it is being sent or received by its user.
How to prevent Eavesdropping attacks:
• Eavesdropping attacks can be prevented by using a personal firewall, keeping antivirus software updated, and using a virtual private network (VPN).
• Avoiding public wi-fi networks and adopting strong passwords are other ways to prevent eavesdropping attacks.
Cyber espionage refers to malicious software used to extract trade secrets or sensitive confidential information from corporations or governments for harm (financial, strategic, political) or profit. This also encompasses spying through the use of advanced persistent threats (APT) such as viruses and ransomware, which can also be used to destroy data.
Whilst government bodies are a firm target for cyber espionage hoping for widescale disruption, the threat is real for organisations of any kind.
Well-known Cyber Espionage Incidents
Cyber Espionage Detection, Prevention and Remediation
The growing sophistication of cyber attackers and cyber spies has enabled them to bypass many standard cybersecurity products and legacy systems. Although these threat adversaries are often highly advanced and can leverage complex tooling in their operations, defending against these attacks is not a lost cause. There are many cybersecurity and intelligence solutions available to assist organisations in better understanding the threat adversaries, their attack techniques and the tradecraft they regularly employ.
Web scraping is the extraction of data from a website. Some websites contain large amounts of invaluable data – stock prices, product details, sports stats, company contacts etc.
This information can be collected using a web scraping tool then exported into a format that is more useful for the user.
NOTE: The user is obligated to inform data subjects of this ‘indirect’ collection when the scraped data constitutes ‘personally identifiable information’ (GDPR Art. 14).
GDPR Penalty on Web Scraping
Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine on Bisnode, a European digital marketing company headquartered in Sweden. The Polish Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order.
Article 14 obligates data controllers to inform people whose personal data they intend to process when the information in question has not been obtained directly from the individual. Bisnode’s business model is based on web scraping (processing data obtained from public databases and registers found on the Internet).
UODO argued that the company business model is based on processing scraped data, and that the company was aware of its obligations under Article 14. It further stated that the mere inclusion of information on the company’s website could not be considered sufficient fulfilment of Article 14 requirements.