*How* is my data being exposed?

I am new to digital privacy, but this community has helped me so much in finding good tools to use, understanding threats, and even becoming more knowledgeable about some current events.

But the missing piece for me as someone who has no background in tech is: what are the various actors behind the threats actually doing, and how?

For example: I was recently trying to help a friend set up a VPS. Their goal is to host a blog on there with some political opinions and they don’t want it to be easily linked to their name. We had to put in their full name and billing address with their payment info (a virtual card from their bank), but I used an email alias of my own to create the account. After the payment was processed I changed the address and changed the name on the account to a random fake name, an uncommon one, not like John Smith.

Today, my friend receives a phishing email at their actual personal email address, realname@commonemailprovider.com: “Hello Uncommonfakename, your Paypal account at realname@commonemailprovider.com has detected unusual activity, bitcoin, call us, blah blah.” (My friend does in fact have a Paypal account at that email address.)

I don’t understand what happened in this situation: how did the fake name used in the account creation get linked to their actual email address, and by whom? I feel like I’m not really understanding privacy unless I understand the answers to these kinds of questions, and I cannot develop a good privacy strategy for a given threat model. Any resources would be appreciated, thanks!

1 Like

It is unlikely but certainly not impossible that your account creation and payment for the blog were corroborated with the IP address of your friend’s place if you did not use a VPN. It is possible that someone was, or could have been, monitoring such activity to connect the dots.

Also, you changed the name after the account creation. Once a name is entered and you later change it, the original name under which the account was made does not delete itself from the service’s servers. A sophisticated attacker can connect the dots.

But these are my best guesses at what could have happened. There could be more to it if we knew more about your OPSEC.

1 Like
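To illustrate the point above about a renamed account keeping its original name on the provider’s side, here is an added Python model of an account store with a change log. This is example code, not anything posted in this thread and not any provider’s actual system; the `AccountStore` class, its audit layout, the account id, the "Real Name" and address placeholders and the alias address are all constructed, and the fake name is the one the original poster quotes later in the thread.

```python
"""Toy model of why an edited account name does not unlink the original.

Added illustration, not code from anyone in this thread or from any provider.
Everything here is constructed: the AccountStore class, the audit layout, the
sample account, the alias address and the "Real Name" placeholder.
"""
from dataclasses import dataclass, field
from typing import Any


@dataclass
class AuditEvent:
    field_name: str
    old: Any
    new: Any


@dataclass
class Account:
    account_id: str
    current: dict[str, Any]
    history: list[AuditEvent] = field(default_factory=list)


class AccountStore:
    """Current values plus a change log, the way billing systems usually work."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def create(self, account_id: str, **fields: Any) -> Account:
        acct = Account(account_id, dict(fields))
        for name, value in fields.items():
            acct.history.append(AuditEvent(name, None, value))
        self._accounts[account_id] = acct
        return acct

    def update(self, account_id: str, **changes: Any) -> Account:
        # The edit only changes `current`; the old value stays in `history`.
        acct = self._accounts[account_id]
        for name, new in changes.items():
            acct.history.append(AuditEvent(name, acct.current.get(name), new))
            acct.current[name] = new
        return acct

    def values_ever_held(self, account_id: str, field_name: str) -> list[Any]:
        """Every distinct value a field has had, oldest first."""
        seen: list[Any] = []
        for ev in self._accounts[account_id].history:
            if ev.field_name == field_name and ev.new not in seen:
                seen.append(ev.new)
        return seen

    def accounts_ever_named(self, display_name: str) -> list[str]:
        """Account ids whose name field, current or past, matched display_name."""
        return [
            aid for aid in self._accounts
            if display_name in self.values_ever_held(aid, "name")
        ]

    def purge_history(self, account_id: str, field_name: str) -> int:
        """Provider-side only: drop superseded values of one field.

        Returns the number of audit rows removed. A customer editing their
        profile cannot do this; only the operator of the store can.
        """
        acct = self._accounts[account_id]
        keep = [ev for ev in acct.history
                if ev.field_name != field_name or ev.new == acct.current[field_name]]
        removed = len(acct.history) - len(keep)
        for ev in keep:
            if ev.field_name == field_name:
                ev.old = None  # the superseded value is no longer referenced
        acct.history = keep
        return removed


def build_example_store() -> AccountStore:
    """Replays the thread's sequence: real details at signup, fake ones after."""
    store = AccountStore()
    store.create("acct-1", name="Real Name", address="1 Real St",
                 email="helper-alias@example.com")  # constructed values
    store.update("acct-1", name="Philemon Humpback", address="99 Nowhere Rd")
    return store


def linked_records(store: AccountStore, display_name: str) -> dict[str, dict[str, list[Any]]]:
    """What a party holding the full table learns from a fake display name."""
    return {
        aid: {f: store.values_ever_held(aid, f) for f in ("name", "address", "email")}
        for aid in store.accounts_ever_named(display_name)
    }


if __name__ == "__main__":
    s = build_example_store()
    print(linked_records(s, "Philemon Humpback"))
```

Running it shows that the fake name still resolves to the original name and billing address through the change log, while the email field only ever held the alias; `purge_history` is there to show that removing the link is a provider-side operation, not something a profile edit achieves.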

Is there a chance that the two situations were unrelated?

  1. you creating a VPS
  2. your friend receiving a phishing email for their PayPal account?

I’m not sure I see the relationship between the two from your description.

Aha, that is helpful, we were not using a VPN. And yes, I understand your point about the name being an input. But the email address was never an input, so the attacker would have to be sending the phishing emails to, like, realname[at]hotmail, realname[at]yahoo, and so on, right?

I guess I’m getting from your reply that the VPS provider’s servers could well be frequently or constantly under attack by sophisticated attackers. It’s possible that a VPN would have helped in this case. Anything else we should have done? I am not sure we really had anything in terms of opsec other than what I already described.

Thanks a lot for your reply.

The relationship is the fake name. So I changed the name to something random and ridiculous, totally unconnected to anyone / either of us, like Philemon Humpback, and the phishing email said, “Hello Philemon Humpback!”

Oh, gotcha.

A VPN could have helped, but I can’t say it would have helped in this case because we don’t know how this phishing attempt with the correct info was made. Using a good VPN doesn’t hurt whatsoever, so one ought to be using it regardless.

As to what more you could have done? I don’t know because, again, we don’t know how this attempt was made. Following all the best practices Privacy Guides and Techlore teach is a great way to avoid this sort of thing happening in the future.

If I listed out the variables we have been given:

  1. A VPS was created on a consumer-available system.
  2. The friend’s full name, address and virtual credit card (from their bank) were used.
  3. An alias/throw-away email account was used.
  4. The account’s name and address were changed after creation to fake ones.
  5. Somehow a spam email was sent to the friend’s actual email address using the fake name.

Everything points to the VPS account itself being monitored, with data collected and correlated (i.e., the friend’s real name and address, and possibly even a linkage to the bank information on the virtual card, could be used to find their detailed information; the fake account name would then be inserted into the message).

It could go so far as to relate to them having an actual PayPal account, or that could just be phishing.

Do I have this right?

Data brokers have been collecting our detailed information into large repositories. It is something I have heard called “surveillance capitalism”, and it snuck up on us.

This website is one of the best sources of “best practices” to learn from that I have found and to start clawing back simple privacy in this new world.

edit: edited for further clarity

1 Like