I am sure you are so happy when you see the wall of congratulations on your Meta, Twitter, or Linkedin feeds. It brings joy and sometimes false happiness that you have so many friends who care about you.
When you share your birthday publicly, it brings some risks for you, and you might become a victim of a phishing attack.
Let me walk you through a simple scenario on how those attacks are executed.
The motivation of the attacker
The attacker has bad intentions. Their motivation, in this case, is to make you click on a link that could do a few things:
- To lead you to a page where you could enter even more information for you to help them execute more time-consuming attacks later such as identity theft or a social engineering attack.
- To force you to download an executable file (masked as a birthday gift card) and to install it on your computer giving them access to your personal or corporate network.
- To trick you to add your credit card information: Imagine a subject asking you to chip in for your friend’s birthday gift.
Why would that work?
Let’s be honest here: You are more likely to click on a message that says, “Happy Birthday, [your name], here is our gift for you” more than anything else. You feel special on that day and you think with the emotional part of your brain.
Let me go through one of the possible flow of events (attack vector) via Linkedin-type of service.
- If your birthday information is protected by a login-first method, the attacker would see if there is a leaked email/password combination for you on this website and will log in with your account. The leaked data are still available for sale and many of the people are still using the same combination.
- Then the attacker will see your friends list and will get their first and last name.
- If your contact published their email it will get it from there. If not it would go to their company information and get the email patterns for the company from services like this one.
- Then they need to construct the e-mail and to send it to you keeping in mind that you should not receive tons of emails at once.
This could be manually run or automated easily by using a web scraper and some basic python scripts to make it work in just a few hours.
If you look at the attacker motivation section above, you could construct even one that works even better. Pretend to be the person with the most connections among your friends and send an email to them a week before your birthday to buy you a present by submitting their credit card details on a special page. Of course, this page will be “credible”, because your picture, which you share publicly, will be shown there, together with some appropriate message to trigger your friend’s feelings.
You wouldn’t even understand that your friends chipped in before they asked you how do you like your new game console.
Those attack scenarios are just a few of the basic ones that cover some easy to explore patterns, supported by the publicly available data you have on your social media page.
To support this with data, I created a small experiment, doing exactly what I described, manually to some of my peers. 40% of them clicked on the link I sent pretending to be someone else. Of course on the landing page, I told them this is a joke and I told them to be more careful next time. How many peers do you have on social media? Imagine 40% of them clicking because they want to make you happy for your birthday.
What can you do?
I know you are a smart person and you will find a way to protect yourself, by here are some advice from me to help you get started
- You can help yourself stop sharing your birthday publicly. The friends that care about you will know when you were born and find a way to congratulate you. Every service you use allows you to delete or hide your birthday, which will limit the risk.
- Check regularly in here if your account has been compromised and see what data ended up in the wrong hands and consider removing this from your profile.
- Share the bare minimum details with those services. The more you share the bigger the risk for you.
- Consider moving your account to a new type of privacy-respecting data storage.
- Be careful about what messages you open and what links you click. Think before click.
Help your friends
Sharing is caring. If you like your friends and you see them sharing their birthday information everywhere, send them a link to this article to warn them about all the things that can happen by exposing this innocent, at first look, detail about their most precious day of the year.
Identity Theft with birthday information
As I said, some level of protection against phishing attacks is available for you by default from your vendor or ISP, but there is not much to do if you become a victim of Identity theft.
I recommend you to read this article to learn more in-depth about this threat.