Privacy Jargon Busters

December 15, 2021

by Ito Onojeghuo | LLM, FIP

Jargon Busters – Did you know?

In the fast moving ever developing sphere of data usage, new concepts are popping up left and right, some for better some for worse.

Here is a handy run down of some common concepts you might come up against.

#1 Malvertising

MALVERTISING is a malicious cyber tactic that incorporates malware into legitimate online advertisements.

MALVERTISING attacks happen when cybercriminals introduce malicious ads into online advertising networks. The malicious ads then appear on popular and trusted websites and either redirect victims to corrupted webpages or install malware directly on their computers.

#2 Zuckering

ZUCKERING occurs when website users are tricked into publicly sharing more information about themselves than they really intend to. By having a complex and often obscure T&Cs and Privacy Notices, users get “zuckered”.

How can a Social Network Service Provider be transparent about its processing of personal data?

By providing…

  • Where relevant, notice if the personal data will be used for marketing purposes, along with the right to opt out.
  • Notice if the personal data will be shared with third parties
  • Explanation of any profiling that will be conducted
  • Information about the processing of sensitive personal data
  • Warning about risks to privacy

#3 Honeypot

A Honeypot is used as a trap to gather information about malware & detect attacks by hackers by mimicking real computer systems. Once the hackers are in, they can be tracked, and their behaviour assessed for clues on how to make a real network secure.

#4 Spear-phishing

Phishing Vs Spear-phishing

The intent is the same, but spear-phishing is much more customised for victims.

Spear-phishing is a type of phishing that targets individuals. It favours quality, meaning attempting to attack a specific victim with a personalised message.

Phishing is a broad term that covers any type of cyber attack that to fool a victim into taking some action. Phishing favours quantity meaning attempting to obtain many victims at once and with generic messaging.

Then there is – Whaling -is a type of sphere-phishing that targets high ranking victims within a company.

Spear-phishers often prey on their victims via targeted emails, social media, direct messaging apps, and other online platforms. And the strength of these cyberattacks is that they’re tailor-made for victims and grounded in quality over quantity. That’s because spear phishers do a great deal of reconnaissance, meaning research or homework, to be able to pull off a disguise of a trustworthy source.

Protect yourself from spear-phishing

Help avoid falling victim to spear phishing with these helpful tips, beginning with exercising caution with all your online activities.

1. Check sender addresses

Though a spear phishing email looks generally like a regular email from a friend or business, there are several ways to mark it as something more sinister.

Spear phishers can usually mimic the name of a person or organization you get emails from regularly but might be unable to perfectly mimic their tone. If you think an email might be suspicious, check the sender’s email address — typically, there will be subtle changes, such as the letter “o” replaced with a “0.”

2. Verify links

If an email includes a hyperlink, a quick way to check its legitimacy is to hover over the URL. Once your mouse hovers over the link, the full URL that is being linked to will appear. If it seems suspicious, don’t click it.

In addition, recognize you needn’t click on a link you didn’t ask for. Instead, go directly to a website to find a link yourself.

3. Try another communication channel

Spear-phishing emails are sent under the guise of a friend or a trusted person. If you think it’s odd that a friend would be emailing you to ask for your password or username, use another form of communication like a phone call, text, or face-to-face conversation to ask your trusted source if the ask is legit. Keep in mind, you shouldn’t share passwords or usernames.

4. Keep your personal information close

  • Do not share sensitive data or personal information in all online interactions – Do not overshare information online via your social media accounts or even in bios on company websites. This can make it harder for spear-phishers to conduct reconnaissance for their cyberattack.
  • You can also adjust your privacy settings across your devices and social media accounts to ensure only those you want to see your information can.
  • Regularly take inventory of your online profiles and reset your privacy settings as you see fit.

5. Keep your software updated

Beyond considering antivirus software that can flag phishing attempts, be sure this software and your devices’ operating systems are up to date. When your applications are up to date, it’ll make it harder for a spear-phisher to
get through since updates often patch security holes.

6. Stay suspicious of the signs of spear phishing

It’s important to protect your data and a company’s data. Recognising the characteristics of spear phishing can help:

  • Urgent requests
  • Strangely worded messages from a “trusted” source
  • Links or attachments you didn’t request
  • Asks for personal information

And if you think an email seems suspicious, trust your gut and investigate it further. In addition, mark the message as spam to avoid being contacted again and set your spam filters to a high protection level.

7. Know how to react

It can be easy to get duped by spear phishing attacks. If you do click on a phishing link in an email or download a suspicious attachment, here’s what to do next:

  1. Disconnect from the internet: Turning off your Wi-Fi or pulling out your ethernet cable can help stop the immediate spread of malware.
  2. Backup your files: It’s smart to frequently back up your files, but in the event of a spear phishing attack it becomes more crucial. Backup your important files to an external source so you’ll still have them if the cybercriminal deletes your data.
  3. Change your passwords: Once a hacker gains access to one of your accounts, they can work their way through others. If you think an account has been compromised, change all of your passwords as soon as possible and consider opting for two-factor authentication where possible.
  4. Scan your hardware: Using security software can help identify and eradicate the threat.

#5 Clickjacking

Clickjacking is an attack that tricks a website user to perform unwanted actions on the website. It works by layering the target website in an invisible frame on a malicious website. When the user thinks they are clicking a button on the attacked web page, in reality, they click something on a completely different website.

A way to prevent Clickjacking attacks is to block other websites from framing your website.

#6 Roach Motel

Roach Motel is a ‘dark pattern’ that provides an easy or straightforward path to get in but a difficult path to get out. An example of this is when a subscriber finds it difficult finding or is unable to unsubscribe from a mailing list or a service, that was initially easy to sign up for.

This practice is in breach of the GDPR principle of ‘lawfulness, fairness and transparency’. Furthermore, one of the conditions of consent under the GDPR is that consent should be as easy to withdraw as to give.

This term was coined from the American brand roach bait called ‘Roach Motel’, the product contains a special lure that attracts roaches into the trap. Once inside pests become stuck in powerful glue and die.

#7 Eavesdropping Attack

An eavesdropping attack, also known as a ‘sniffing’ or ‘snooping’ attack, is a theft of information as it is transmitted over a network by a computer, smart phone, IoT or another connected device.

The attack takes advantage of unsecured network communications to access data as it is being sent or received by its user.

How to prevent Eavesdropping attacks:
• Eavesdropping attacks can be prevented by using a personal firewall, keeping antivirus software updated, and using a virtual private network (VPN).
• Avoiding public wi-fi networks and adopting strong passwords are other ways to prevent eavesdropping attacks.

#8 Cyber Espionage

Cyber espionage refers to malicious software used to extract trade secrets or sensitive confidential information from corporations or government for harm (financial, strategic, political) or profit. This also encompasses spying through the use of advanced persistent threats (APT) such as viruses and ransomware which can also be used to destroy data.

Whilst government bodies are a firm target for cyber espionage hoping for widescale disruption, the threat is real for organisations of any kind.

Well-known Cyber Espionage Incidents

  • South Korean’s Ministry of National Defence announced that unknown hackers had compromised computer systems at the ministry’s procurement office.
  • The United States Department of Justice announced a foreign state sponsored operation with a botnet meant to disrupt by targeting companies in the media, aerospace, financial, and critical infrastructure
  • sectors.
  • The Norwegian software firm Visma revealed that it had been targeted by hackers who were attempting to steal trade secrets from the firm’s clients.
  • Individuals were caught in the early stages of gaining access to computer systems of several political parties and of the Australian Federal Parliament.
  • European aerospace company Airbus revealed that it was targeted by alleged nation-state sponsored hackers who stole personal and IT identification information of many employees.
  • More recently, cyber espionage has focused on research efforts related to the COVID-19 pandemic. Since April 2020, intrusion activity targeting coronavirus research has been reported against U.S., U.K., Spanish, South Korean, Japanese and Australian laboratories; this activity was conducted on the part of Russian, Iranian, Chinese and North Korean actors.

Cyber Espionage Detection, Prevention and Remediation

The growing sophistication of cyber attackers and cyber spies has enabled them to bypass many standard cybersecurity products and legacy systems. Although these threat adversaries are often highly advanced and can leverage complex tooling in their operations, defending against these attacks is not a lost cause. There are many cybersecurity and intelligence solutions available to assist organisations in better understanding the threat adversaries, their attack techniques and the tradecraft they regularly employ.

#9 Web Scrapping

Web scraping to the extraction of data from a website. Some websites contain large amounts of invaluable data – stock prices, product details, sports stats, company contacts etc.

This information can be collected using a web scraping tool then exported into a format that is more useful for the user.

NOTE: The user is obligated to inform data subjects of this ‘indirect’ collection when the scraped data constitutes ‘personally identifiable information’. (GDPR Art. 14) GDPR Penalty on Web Scraping

Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine to Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order.

Article 14 obligates data controllers to inform people whose personal data they intend to process when the information in question has not been obtained directly from the individual. Bisnode’s business model is based on web scraping (processing data obtained from public databases and registers found on the Internet).

UODO argued that the company business model is based on processing scraped data, and that the company was aware of its obligations under Article 14. It further stated that the mere inclusion of information on the company’s website could not be considered sufficient fulfilment of Article 14 requirements.