Earlier this month, the website Privacy Affairs warned about the sale of a package with data from 1.5 billion users from Facebook on an online cybercriminal forum, which took place in September. ESET, a digital threat detection company, said on Wednesday (20) that the commercialized information was acquired by scraping and the product of this technique can be used in social engineering attacks, such as sending emails from phishing for credential theft and malware download.
Also, the methodology is becoming more common and accessible, but it means that there has not necessarily been a compromise of the accounts involved.
Cecília Pastorino, a researcher at the institution, added that scraping is a methodology that extracts information from websites in bulk based on automated scripts. Typically it is used for internet address indexing or data analysis and has become popular in digital marketing actions, so many tools are available on the web and are easy to use.
Disclosure of the sale of Facebook information; the post no longer exists, but the user has not been bannedSource: Reproduction/ PrivacyAffairs
Just one example among many
In the recent case of Facebook, the seller offered the possibility to download the information in full or in small parts. He also guaranteed that he works for a company dedicated to scraping, has been working for four years and has more than 18 thousand customers.
After the offer was published, alleged customers questioned the data and stated that they were unable to access it after the acquisition. That said, the Privacy Affairs he explained that the seller denied the charges and added that he had “evidence” of legitimacy.
ESET also detected the practice on Instagram months ago. At the time, scammers used such a tool on social network followers to try to steal money from customers of different banks.
Also involving Facebook, more than 500 million users had their data sold on forums in April. A few days later, a similar event happened with LinkedIn.
“Using this data can allow attackers to use the victim’s name and other references, such as the phone number, to personalize the deception, make it more reliable and therefore more effective,” concluded Camilo Gutiérrez Amaya, head of the ESET Latin America Research Laboratory.