Avast Sold User’s Browsing History—Here’s Why You Should Care
Few things in life are guaranteed -- but relying on your chosen security software to not put your data at risk should be one of the few.
Sadly, however, it turns out that the death and taxes thing really is true; apparently, you can’t even guarantee that your security tool has your privacy in mind. At least, not now, since security software provider Avast was revealed to have been collecting and selling its users’ browsing history.
Avast, which also owns security giant AVG, is one of the biggest b2c security software providers in the world. Their software was, as of 2017, the most downloaded AV software, found on the computers of 435 million home users. There is a free version that’s chock full of features as well as a premium paid version which offers users even more.
But you know what they say: if you're not paying for a product, it means that in actuality, you are the product.
The Power of Data
In January 2020, Motherboard and PCmag investigated a claim that Avast was selling online user behavior data though their subsidiary, Jumpshot. Data was aggregated and anonymized, and then sold to corporations for targeted marketing purposes. Although the data was technically anonymized, that doesn't make it bulletproof. According to ZDnet.com, “It is possible to pick apart data strings to de-anonymize users and reveal their identity, tracing their online footprint, browsing habits, and purchases.” And according to online privacy experts, even though the company isn’t actually identifying people, this data can be combined with other pieces of data from other marketing research to reveal the user identity, a method known as triangulation.
Mo’ Data, Mo’ Problems
There’s so much to dissect in this situation; there's the fact that a trusted security provider used the data collected for other business purposes. But from the perspective of the world that I live in, the worrying aspect for me is that this data could theoretically be used by a hacker to understand where and how people tend to click on web pages, with the intention of optimizing their own malicious campaigns.
How Attackers use Data to Manipulate Victims
Cybercriminals are students of human behavior. They study potential victims’ web usage habits meticulously. They deliberately examine the on-page elements that compel people to click “here” rather than “there” and they learn what words cause them to take action. Then they build their campaigns around these factors. The more precise the campaign, the better the results.
Need a practical application? Let’s say an attacker created a rogue website. With a tool like Jumpshot, the attacker could use the aggregate data to understand that, for example, video players in the upper left quadrant of the page tend to get four times more clicks than players in the upper right quadrant. So a malicious actor armed with malware that can be delivered via video player, would be able to do much more damage by placing his or her player in the more fruitful location.
The same goes for all on-page elements; with the capabilities afforded by data from Jumpshot or something similar, attackers can study the specifics that compel people to click. Essentially, it enables attackers to design data-backed malware campaigns to ensure the greatest response -- and the greatest negative impact for users and organizations.
Think the premise is far fetched? In 2016 Checkpoint exposed a phishing campaign that used tracking pixels to optimize open and click rates. And attackers have been using Google Analytics to refine their attacks and understand user behavior for years. A tool like Jumpshot helps enhance that understanding.
What to Do About It
Organizations can protect their users from these highly optimized web-based threats with Remote Browser Isolation (RBI). With RBI, all web pages are opened in disposable containers that protect endpoints and networks from malware and malicious code. It neutralizes all web based threats, including zero days threats. So no matter how convincing and compelling the attack may be, it cannot cause any harm to your users.