Drowning in spam? A study presented at Black Hat USA 2021 examines whether sharing your personal information with major companies contributes to the deluge of nuisance emails, texts and phone calls.
Every day my inbox seems to receive more and more spam. Understanding what generates it and how to avoid it is essential in the fight to limit my personal data from being overshared. A team of researchers at the Virginia Tech Hume Center has dedicated a significant amount of time to finding out whether sharing your personal information with major companies causes an unwanted proliferation of spam. Presenting their research at Black Hat USA 2021, Alan Michaels, Director of Electronic Systems, and Kiernan George, Graduate Research Assistant, explained how their experiment unfolded and the conclusions that can be drawn from it.
They, along with a team of 15 undergrad students, created 300 fake profiles that impersonated real consumers, with some background data such as street address, typical demographics and, in some instances, a political viewpoint. 150 virtual phone lines were configured to record inbound spam phone calls and text messages. Each identity was used for one single transaction or interaction with a major company. The team then sat back and waited nine months to see what emails, phone calls and text messages were generated from these single interactions, and whether companies were sharing or selling personal information.
A whopping 16,346 emails and 3,482 phone calls were generated by the companies involved. The most prolific for email was Fox News, accounting for 2,356; it was an election year. Most of the companies did slow down sending spam over time, probably due to the lack of interaction from the recipient: email messages were not opened in regular email programs, to avoid further tracking that would indicate an active email address. Topping the phone call ranking was silence, followed by the very annoying scam that offers fake car warranties.
There is good news – 290 of the 300 companies appeared not to share personal information with any other party. In some instances, it was apparent that cookie scraping had taken place and preferences had been stolen from the end user and abused by other parties. No malware-laden emails were detected, but the team concluded that the university’s own systems may have deleted them, and thus this part of the experiment is not conclusive.
Facebook topped the chart of social media companies able to detect fake accounts being set up, either blocking them at setup or within a few weeks. This may, in part, be due to the virtual phone numbers used to create the accounts. WeChat, the China-based social network, did not allow accounts without a Chinese number.
The Virginia Tech research team has produced a white paper that is available from the Black Hat website, and has made the data set available on GitHub. An extended research project is underway in which they hope to conduct this globally with between 100 and 150 thousand participants – I know I will be signing up to get involved.
Great research and presentation by the team at Virginia Tech Hume Center, well done.
written by Tony Anscombe, ESET We Live Security