A simple malware attack could expose all the data stored in a web browser, including browsing habits, online purchases and bank information, according to a new threat report released on Monday.
The major internet companies and service providers already collect encyclopedias of user data, but there's also a wealth of information stored locally in a user's web browser. That data can include a variety of personal information that is valuable to criminals, and it's there for the taking, according to a report released by Exabeam, a security intelligence company.
"All of a sudden I know where you go, at what time, what you're buying," said Barry Shteiman, director of research at Exabeam. "I know a lot of things that I, the attacker, should not know about you. It’s credit card-level information."
The report sheds light on how enterprising cybercriminals can target information people might not know exists in their browsers. The researchers looked at the popular Firefox and Chrome browsers.
After maliciously gaining access to a person's browser with software that can easily be purchased on the internet, thieves can dig into the treasure trove of information left in the browser to gain a better understanding of how users spend their time online and offline.
Modern browsers are designed to give users a customizable experience by tracking activity and collecting information that can then be used to do things like automatically enter passwords, phone numbers and other information.
Beyond personal information, browsers also track plenty of other information, including location data.
"The result is that a lot of information about you is stored deep in your browser, and it can potentially be exploited by cybercriminals in a number of ways," the report said.
Once the attackers have access to a browser, the puzzle pieces begin to come together.
Using the history of websites that a person has visited, the cybercriminal could figure out which apps they most commonly use, including sensitive work apps, and where they do their online banking.
Perhaps even more alarming, Exabeam said, researchers were able to recover some bank account numbers that were used to send money to other banks.
"Understanding someone's web browser history is one way to understand what they are thinking about, which is awesome and terrifying at the same time," said Ryan Benson, senior threat researcher at Exabeam.
There's a good reason this data is stored in the web browser. By using bits of code known as cookies, websites can recognize users and make their experience better. Users don't necessarily have to enter login credentials every time they go to a website. That option, along with a central password manager in most browsers, is essentially allowing thieves to walk through the front door without ever having to use a key.
Even if credentials aren't stolen, thieves can learn a lot about users' locations. Of the websites researchers visited, 57 recorded a user's IP address, the unique number for a person's computer, and 56 stored geolocation data about a user on his or her system. These instances were recorded on a number of popular websites, including Alibaba, Walmart, NBA.com and NYTimes.com, according to the report.
Having this level of access could allow an attacker to learn a person's daily routine, including when he is at work and when he logs on at home. It also provides the information needed to execute spear-phishing attacks, in which criminals craft highly targeted emails with the goal of gaining access to sensitive accounts.
There are ways privacy-conscious people can take precautions when browsing, but they come with trade-offs in the browsing experience.
People can browse in a private window, or "incognito mode," which can be found on the browser task bar. This will provide an internet browsing experience with less of a digital footprint, which means users must type in their go-to URLs, credentials and searches — nothing will be saved. Clearing cookies and disabling autofill can also help.
Benson said he likes to take a "tiered" approach to his internet browsing habits. If he's doing something "baseline," such as reading the news, he's fine doing that without any extra precautions.
For online banking or sensitive topics, Benson said he uses incognito mode to make sure he's staying safe online. A VPN — that's a virtual private network — can also make sure an internet connection is shielded from any prying eyes.
The bottom line, he said, is that people need to become more conscious about the online risks they might not suspect they are taking.
"It’s a balance between privacy and security on one side, and convenience on the other," Benson said.