Dave describes a phishing attempt to infiltrate U.S. election systems. Joe shares a story of government agencies receiving malicious CDs in the mail. University employees are lured by greed. And David Baggett from Inky joins us to describe phishing techniques they are seeing and offers ways to best protect yourself and your organization.
Links to stories mentioned in this week's show:
David Baggett: [0:00:01] The problem is in the context of these kinds of emails where there isn't much of a visual indication, it is very difficult to expect a user to perfectly discern whether it's a forgery or not.
Dave Bittner: [0:00:13] Hello, everyone, and welcome to The CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire. And joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [0:00:34] Good morning, Dave.
Dave Bittner: [0:00:35] As always, we've got some interesting stories to share. And, later in the show, we speak with David Baggett from Inky, and we'll be discussing phishing and other social engineering techniques. But before we jump into all of that, a quick word from our sponsors, the good folks at KnowBe4.
Dave Bittner: [0:00:53] Step right up and take a chance. Yes. You, there, give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they, A, my late husband wished to share his oil fortune with you? Or, B, please read - important message from HR? Or, C, a delivery attempt was made? Or, D, take me to your leader? Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enable your employees to make smarter security decisions.
Dave Bittner: [0:01:33] And we are back. Joe, we've got midterm elections coming up, and I think people are understandably concerned about election hacking. We have a recent story that came by from The Intercept written by Sam Biddle. And the folks at The Intercept used the Freedom of Information Act to obtain a copy of one of the emails that was used by the Russians to try to access U.S. voting machines. And this is according to NSA that these are some of the emails that they used. So there's a company in Florida called VR Elections.
Joe Carrigan: [0:02:05] Right.
Dave Bittner: [0:02:05] They're a provider of voting machines. So there was an email sent out to states around the U.S. who used these machines.
Joe Carrigan: [0:02:14] I'm already getting angry, Dave.
Dave Bittner: [0:02:17] Getting wound up, huh?
Joe Carrigan: [0:02:19] Right.
Dave Bittner: [0:02:19] (Laughter) OK. This was from VR Systems, Inc. The email address was firstname.lastname@example.org. Because if you're a major provider of election systems, why have your own domain system?
Joe Carrigan: [0:02:29] Right. Right. Just use Gmail. It's free.
Dave Bittner: [0:02:32] Right. Exactly (laughter). And the subject was new user guides. And the email is pretty straightforward, very basic. It's got the VR Elections logo. And it says, dear customers, please take a look at the instructions for our modernized products. Best regards, VR Systems, Inc. And it had an attachment, which, of course, the attachment was an Office document.
Joe Carrigan: [0:02:54] Was it a malicious Office document?
Dave Bittner: [0:02:56] It was, indeed.
Joe Carrigan: [0:02:57] Didn't see that coming.
Dave Bittner: [0:02:59] No. It was a DOCM file extension, which automatically executes code when you open it. Of course, the actual VR Elections system sent out a follow-up to this when they heard that this was going on, telling their customers, please, do not open the attachment. As far as they know, they're not aware of any customers actually having opened it. They said because of the simplicity of this phishing attempt, it's likely that most people's spam filters and so on would have caught it.
Joe Carrigan: [0:03:30] Right.
Dave Bittner: [0:03:31] And so they don't know of any specific incidences where they were successful with this. But what strikes me about this - obviously, we talked about the Gmail account, but also, I think this is a great example of how less is more.
Joe Carrigan: [0:03:42] Right. It's very short and to the point and...
Dave Bittner: [0:03:44] All business.
Joe Carrigan: [0:03:44] ...Just has a link.
Dave Bittner: [0:03:45] Yep. So it appears as though what they were after here was trying to get on the computers of state voting officials.
Joe Carrigan: [0:03:54] OK.
Dave Bittner: [0:03:54] So sort of coming at it from the top, I suppose. And those state voting officials would have access to all sorts of information about the voter rolls and passwords and things like that.
Joe Carrigan: [0:04:05] Right. And then once maybe they get in the network, they can actually compromise the physical voting machines.
Dave Bittner: [0:04:09] Right.
Joe Carrigan: [0:04:10] I have been a very loud opponent of electronic voting machines and of online voting. Actually, I'm very happy with the Maryland system that we have here. It is a paper ballot that you fill out, and then that paper ballot is counted electronically. If you remember the old Scantron tests, it's very similar to that. And your ballot goes into a ballot box. And for a number of years here, we had these Diebold systems which there was no paper ballot. You had an electronic ballot, and that was it.
Joe Carrigan: [0:04:38] And I've told this story on this podcast a couple of times, how one time an election official looked at the little piece of paper that gets printed out, which has all your information on it, including your party. And he sent me to a machine that he wasn't sending other people to. Now, does that mean that he is crooked? No. It doesn't mean that. But it was odd that he didn't send anyone to that machine beforehand, and he didn't send anybody that machine afterwards. And, for all I know, they could have been just not using that machine and counting it 'cause each one of those machines was essentially its own ballot box.
Dave Bittner: [0:05:08] Right.
Joe Carrigan: [0:05:08] Plus, they were notoriously bad at their security on those things. There were a number of hacks that came out about those Diebold machines. If somebody had the Smart Card for, I think, 30 seconds, they could compromise the machine. One of our professors, Aviel Rubin, wrote a book called "Brave New Ballot," which is all about this kind of stuff. And I think he was instrumental in the new ballot system that we have here.
Dave Bittner: [0:05:29] I mean, it's a pretty straightforward phishing attempt here.
Joe Carrigan: [0:05:32] Right. Right.
Dave Bittner: [0:05:32] Nothing sophisticated about it. And it seems as though it likely would have gotten caught. But I think in the context of where we are right now, where people are sort of at a heightened alert when it comes to these sorts of things, it's interesting to see. Like we've talked about, even nation-states - they start off with the easy stuff.
Joe Carrigan: [0:05:51] Right. Absolutely. They're going to start off with the social engineering because that's going to be the easiest way to get into an organization.
Dave Bittner: [0:05:56] Yeah. And it just works. The title of the article is "Here's the Email Russian Hackers Used to Try to Break Into State Voting Systems." Again, the author is Sam Biddle. So check that out. We'll have a link to that in the show notes. Joe, what do you have for us this week?
Joe Carrigan: [0:06:09:] I have something very similar, actually. This one comes from Krebs On Security, and it's another story about state and local governments receiving a phishing attack. But it's an actual, physical mail. Several state and local government agencies have reported that they've received strange letters via snail mail that include a malware-laden CD. It was apparently sent from China because it arrives in an envelope with a Chinese postmark on it. It's very basic scam, but it preys on people who are curious to see what's on the CD.
Dave Bittner: [0:06:38] So you get a package in the mail...
Joe Carrigan: [0:06:40] Right.
Dave Bittner: [0:06:41] ...From China. There's a CD in there.
Joe Carrigan: [0:06:43] And a letter.
Dave Bittner: [0:06:44] And a letter.
Joe Carrigan: [0:06:45] Right. It's poorly worded and has some Chinese characters in it, and it contains the CD. And Krebs got a hold of an alert from the MS-ISAC, which is the Multistate Information Sharing and Analysis Center. I'm very glad to see that this exists. I didn't know this exists. All 50 states are members, so that's good. Kudos to all 50 of our states.
Dave Bittner: [0:07:06] (Laughter).
Joe Carrigan: [0:07:07] But the preliminary analysis of the CD shows that it's got some Word files on it. And, guess what? These Word files are also malicious. It's a very similar method of attack to the story that you shared. However, it's arriving in a physical package, and with a CD.
Dave Bittner: [0:07:23] Yeah. That's interesting that, first of all, how many computers still have CD drives?
Joe Carrigan: [0:07:28] That's an excellent question.
Dave Bittner: [0:07:29] Could that be part of the targeting, that you know a government agency is likely to have an older system that may still have a CD drive still built in?
Joe Carrigan: [0:07:37] That's exactly where I was about to go with that, is that these computers are very old at these government agencies because they might not have the tax revenue to support updating their systems on a regular basis. And if it works and is sufficient, then why replace it? Here's a good reason.
Dave Bittner: [0:07:51] (Laughter).
Joe Carrigan: [0:07:52] Because it's more secure if you get a new system.
Dave Bittner: [0:07:54] Yeah. It's so hard for me to imagine someone receiving all of this and putting it in the computer. I suppose, you know, curiosity killed the cat, right? So what's on this CD? What harm could there be?
Joe Carrigan: [0:08:07] If I get a CD in the mail with a poorly worded letter in Chinese characters in it, that's just going right in the trash. I mean...
Dave Bittner: [0:08:13] (Laughter).
Joe Carrigan: [0:08:13] ...Maybe I'll hold it to put it into a malware analysis lab. Maybe we should take a look at this. But I am certainly not putting that on any machine that isn't just disposable.
Dave Bittner: [0:08:21] Yeah. I mean, it's interesting that they go to the expense and trouble of - it's more expensive than sending out emails.
Joe Carrigan: [0:08:26] It is. And they've sent it to a number of people. They've sent it to some state archives organizations, some historical societies, some cultural affairs offices. And the letters are specifically addressed to them. So they're going through the publicly available information and sending these people snail mail. Krebs says a few rules of internet security. He reminds everybody about the first rule that if you didn't go looking for it, don't install it, you know?
Dave Bittner: [0:08:48] (Laughter).
Joe Carrigan: [0:08:49] That's a great rule. That's a great way to say it. If you didn't go looking for it, don't install it.
Dave Bittner: [0:08:53] Yeah. I guess it's a bit of a head-scratcher, but maybe they're just testing the waters to see could this possibly be an effective avenue to go after folks who may be in situations where they have older machines.
Joe Carrigan: [0:09:05] Right. The story that Krebs has written here says that it's not clear if anybody has installed this software - right - put this thing in and it looked at it. If I had to guess, I'll bet somebody did it.
Dave Bittner: [0:09:14] It's always a numbers game, right?
Joe Carrigan: [0:09:16] Yep.
Dave Bittner: [0:09:16] Time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [0:09:23] Joe, what do we have this week?
Joe Carrigan: [0:09:25] So we have an email that was sent to us from Georgetown University, and its phishing attack focused on the GU faculty.
Dave Bittner: [0:09:33] OK.
Joe Carrigan: [0:09:34] The first dead giveaway here is that it comes from GU/HR, and their email address is email@example.com.
Dave Bittner: [0:09:41] (Laughter) OK.
Joe Carrigan: [0:09:45] Now, maybe there's a guy over in Georgetown HR named Jose.
Dave Bittner: [0:09:49] Could be.
Joe Carrigan: [0:09:50] And maybe everybody knows Jose, and they know that he is in charge of these kind of things. But the email has a very official-looking seal on it, and it says Georgetown University. Probably just copied directly from their webpage and then inserted into this email.
Dave Bittner: [0:10:04] Right.
Joe Carrigan: [0:10:04] And here's how it reads. Hello. Sequel to last week's notification. Find enclosed here under the letter summarizing your 14.89 percent salary increase starting June 2018. In red letters - for authentication purpose, ensure your log in information are correctly entered. All documents are enclosed here under. And then in the blue link, it says, access documents here. And then back to black text, it says, employee relations and payroll department, Georgetown University.
Dave Bittner: [0:10:38] Hm.
Joe Carrigan: [0:10:40] So it's an email, and the bait on the hook is greed, right?
Dave Bittner: [0:10:44] Right (laughter).
Joe Carrigan: [0:10:45] So we're going to find out that we just got a big raise. I mean, that is a significant raise, 14.89 percent.
Dave Bittner: [0:10:52] It's a very precise number.
Joe Carrigan: [0:10:53] Right. I work at a university and have never gotten a pay raise in that amount.
Dave Bittner: [0:10:58] (Laughter) Right. Right.
Joe Carrigan: [0:11:01] If I saw this come through from Hopkins, I'd be initially very excited, but then I'd be like, wait a minute. This hasn't happened before. Hopefully...
Dave Bittner: [0:11:08] (Laughter).
Joe Carrigan: [0:11:08] You know, I say this...
Dave Bittner: [0:11:09] Right. Right.
Joe Carrigan: [0:11:09] …Sitting here, as I'm thinking about it, inoculating myself to this kind of attack...
Dave Bittner: [0:11:13] Admit it, Joe. You're already spending the money.
Joe Carrigan: [0:11:15] Right. Exactly.
Dave Bittner: [0:11:16] (Laughter).
Joe Carrigan: [0:11:16] I'm finally getting that Tesla.
Dave Bittner: [0:11:19] Right. Yeah.
Joe Carrigan: [0:11:20] (Laughter).
Dave Bittner: [0:11:20] Yeah. So pretty straightforward here - again, short and sweet but playing on greed.
Joe Carrigan: [0:11:25] Right.
Dave Bittner: [0:11:26] ...And, it's obvious, to get your login information.
Joe Carrigan: [0:11:28] Sure.
Dave Bittner: [0:11:29] And they got you.
Joe Carrigan: [0:11:29] It's just a way to steal your credentials.
Dave Bittner: [0:11:31] Yup.
Joe Carrigan: [0:11:31] Attackers go after universities frequently because that's where a lot of cutting-edge research is done.
Dave Bittner: [0:11:36] Yeah. So it's not just going after, you know, your typical financial things. There's actually intellectual...
Joe Carrigan: [0:11:43] Yeah. That's usually what these...
Dave Bittner: [0:11:44] ...Property to go after.
Joe Carrigan: [0:11:44] ...Things are going after, is the intellectual property and the research. They want to get in and get - and find out about papers before they're released and just get a jump on things.
Dave Bittner: [0:11:52] That is our Catch of the Day. Coming up next, we've got an interview with David Baggett. He's from Inky. But first, a word from our show's sponsors, KnowBe4.
Dave Bittner: [0:12:05] And what about the biggest, tastiest piece of phish bait out there? If you said, A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam, but most people don't. If you chose door B, please read - important message from HR, well, you're getting warmer, but that was only No. 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader? No. Sorry. That's what space aliens say. But it's unlikely you'll need that one, unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest.
Dave Bittner: [0:13:10] And we are back. Joe, I recently spoke with David Baggett. He is the founder and CEO of Inky. They're a company that uses artificial intelligence, machine learning and computer vision technology to fight phishing attacks. Here's my conversation with David Baggett.
Dave Bittner: [0:13:27] When it comes to people being fooled by email, where do we find ourselves today?
David Baggett: [0:13:31] Right now, the No. 1 cybersecurity vector - so by vector, I mean way people get into your system, way people convince you to wire money, way people get identity theft to happen. So it's a huge, huge problem, and it's completely rampant. And just one stat I can share is the FBI does a report on this every year, and the last report, I think they said it's a billion and a half dollars of wire fraud caused by various kinds of email scams per year. And that's - if you think about it, that's what's been reported, so there's probably a lot more that hasn't been reported. So it's a massive, massive problem still.
Dave Bittner: [0:14:06] Why is this such an effective vector?
David Baggett: [0:14:08] Well, there's a bunch of reasons. I mean, one reason is that it's very easy and very cheap - ultimately zero-cost - to send lots of emails. So the transport mechanism of email is very appealing to attackers because it's cheap. The other reason it's appealing is because emails are really old standard, right? So email's been around since 1971, and if you think about email in terms of the timeline, HTML is a new, exciting feature in the history of email, right? So HTML mail came around the '90s. Before that, you couldn't even send HTML or text or graphics in emails at all. And so that sort of gives you a sense of how old it is. And one of the problems is when you have an old protocol like that, it was designed before security was a consideration at all, and so it's very easy to make a mail look like it's from somebody else.
David Baggett: [0:14:55] And for example, I can send you a mail that says it's from firstname.lastname@example.org. I can put anything I want in the from line, and that's because there's no authentication of mail built into the standard. And so it's appealing to attackers because it's easy; it's cheap; it's pretty much devoid of any security mechanisms. Now, of course, we've retrofitted some security mechanisms onto email over the last decade or so. It's still pretty easy to exploit, though. And, of course, if you can convince somebody to wire a bunch of money, you only need to get one of those emails to work for it to be profitable.
Dave Bittner: [0:15:27] So it really is a numbers game and taking advantage of human nature.
David Baggett: [0:15:32] Absolutely. And the thing is, too, the time when you're the most harried and busy is probably when you're going through your inbox - right? - because everyone's getting bombarded by 800 messages a day. So the people know that you're not giving your full attention to your inbox. It's just impossible to do it. And so it's a point of vulnerability for the human recipients, which is one reason why we focused on trying to make the machines able to recognize fraudulent mails and block them before they get to the humans.
Dave Bittner: [0:15:59] Can you take us through the spectrum of the kinds of things you see? Is there such a thing as a typical phishing attack? And what is the most effective? What usually gets through?
David Baggett: [0:16:08] Yeah. There's a few different types. I mean, and they tend to vary based on the target. So some targets are consumers, and some targets are companies. In the consumer category, we see a lot of things that are fake Amazon gift cards or, take this survey and get $50 off Amazon. And as a public service announcement, anything like that you get is not real.
David Baggett: [0:16:30] No one ever gives you $50 to take a survey ever. And their goal there - the attackers' goal is often credential harvesting. So they're trying to get you to log into the fake Amazon site, which captures your password. You know, because once you realize it's not Amazon, you already have typed in your password. And I talked to an FBI agent about this because I was sort of asking her, well, why do people want Amazon account passwords? There's some reasons why you might imagine that. But she said, oh, they don't just want your Amazon password; they know most people use the same password on every site, so that also may get them into their bank or it may get them into their email account, and then they have access to an email account from which they can send phishing mails. So that's a really common one. You know, we call it a brand forgery, where the mail appears to be from a well-known, trusted brand, it has all the visual indicators that look perfect for that brand, but it's really from the attacker. And that's usually, again, to get credentials - somebody's password or other credentials.
David Baggett: [0:17:19] When companies are targeted, the targeting's a little different. There, it's often things like trying to get someone in the company to wire money or pay a fake invoice or send a bunch of W-2s out for identity theft, so it's often more targeted. And, in fact, those are really insidious because the recipient receives a mail. They think it's from their CFO. The mail says, I'm going to be out this afternoon; make sure this wire goes through. And the person assumes it's really their CFO because that person's name is in the from line. It looks like something - and a lot of times, the attackers will go on social media and study the CFO's profile, so they'll include little tidbits like, I'll be at the beach with Sally and the kids - right? - and actually say something that will resonate with the recipient to make them believe it really is that person.
David Baggett: [0:18:07] So a lot of that is more what we call spear-phishing, where they're targeting a specific individual, and their objective is wire fraud, identity theft. Sometimes it'll be to get malware installed. So, for example, you get a message that appears to be from the CEO saying, hey, can you review the results in this spreadsheet? You open the spreadsheet, and all of a sudden, it's installed malware on your network. So that's another kind of attack. Those are really, I guess, the broad strokes of these scams.
Dave Bittner: [0:18:33] Now, in terms of the service providers, how good a job are they doing of protecting us against these sort of things? If I have a Gmail account, or a Microsoft account or, you know, one of those big providers, are they effective at filtering?
David Baggett: [0:18:46] Well, they're not great. And here's the problem. So mail protection, really, has been around, obviously, for 20-plus years, and it kind of evolved out of spam filtering, right? So we all know - I'm sure we all get some spam, but it's mostly a solved problem. And about 15 years ago, people developed some simple algorithms that allowed them to filter out spam. And really, the mail protection systems that all the mail providers run are based on these original spam filtering models. And the problem is that that doesn't work very well for phishing.
David Baggett: [0:19:17] And there's a couple reasons. You know, one is that the smart attackers are actually trying to fool two different entities. They're trying to fool the recipient, who's a person, into believing, wow, that really is a mail from Bank of America - so trying to make it look really convincing to the human recipient. But, simultaneously, they're trying to fool the mail protection software. And they'll do all kinds of things to cloak the true intention of the mail from the simple mail protection software that's sort of built on the spam filtering paradigm.
David Baggett: [0:19:48] So they'll do things like instead of putting the word Bank of America in the subject or the from line, they'll put a Greek letter alpha in place of the lowercase A's. So it doesn't actually say Bank of America anymore, it says B-alpha-N-K. And that's to hide from the mail protection software because that software may be looking for the brand terms. So they've sort of hidden the brand term from the mail protection software, but to the human, it just looks like the font is kind of funny. So the human doesn't see it any differently, and the mail protection software's fooled. And so it - they're really, really insidious because they've sort of developed countermeasures against the spam filtering model.
David Baggett: [0:20:26] Another thing they'll do is they want the mail to look like it's a conversational mail, not a transactional mail, so they'll stuff a bunch of words, literally from things like Yelp reviews into the body of the mail, but they'll make the text white on white. So the human recipient doesn't see anything except white space, but the mail protection software is going to see all these words that look like narrative, English narrative. And that tends to induce the spam filtering models to say, OK, well, it must be a conversation between two people.
David Baggett: [0:20:56] It's really tough to get these right. And I would say the state of the art, prior to what we've been working on at Inky, is there's sort of a whack-a-mole approach of, if I see a URL that points to a phishing site, I can report that, and then there are various threat feeds that you can subscribe to - and all the major mail providers do - that basically are just giant lists of URLs that are bad. And then if they - if - so if the mail provider sees a bad URL in a mail, they can block that mail.
David Baggett: [0:21:23] The problem is, you know, obviously, someone has to report the URL in the first place. And until it's reported, that - everyone's going to be victimized by it. The other problem is not all these mails even have URLs because some of them, like a spear-phishing mail, might just say wire money here. And then finally, again, using a technique from spammers, the smarter attackers will send everybody a different URL. So they'll put a little code in the URL that makes it unique, so you get a different URL than I do, and the fact that you reported your URL doesn't help me. So there's a whole problem with what we call zero-day phishing attacks where nobody's ever reported them; they look really convincing; they don't have a lot of the traditional signals that a spam filtering model would look for.
Dave Bittner: [0:22:02] What is your philosophy when it comes to how organizations should treat their users? You hear it bandied around a lot where people say, well, if - this would be an easy job if it weren't for the users, or, you know, you want to shame the users...
David Baggett: [0:22:16] (Laughter) Right.
Dave Bittner: [0:22:16] ...Or, you know, that sort of thing. I mean, is that helpful? What's your take on that?
David Baggett: [0:22:20] Yeah. I feel like there's a certain, if not pervasive, a common psychology here, which is, you know, my job as an IT professional would be a lot easier if it weren't for these stupid users. And I think there's a comforting psychological component to that. But obviously, you know, it doesn't really help the users much if your view of them is just that they're too stupid. On the other hand, I do think - you know, there have been a number of companies – like, Cofense is one of them - KnowBe4 - these companies have made a tremendous amount of not just money, but also improved the security posture of many, many companies through purely simulated phishing training. And so it's not that we believe those things aren't useful. They are. It's just we believe that you should really be blocking as much as possible with software before it gets to the end users, so you don't have to rely on the users being trained and not making mistakes.
Dave Bittner: [0:23:14] Right.
David Baggett: [0:23:15] So I do think that the narrative of stupid users is unhelpful. But at the same time, I think it is useful to try to teach people, hey, look for these obvious signs of forgery or phishing. Now, ultimately, the problem is the attackers aren't stupid. They know everyone's running phishing awareness training now. And so they're developing techniques to get past these trained users. In other words, they make the phishing mails look exactly like the real mails.
David Baggett: [0:23:42] And one of the insights that I had a while ago - but it was really after I'd been working on this problem for quite some time. It's sort of embarrassing. It took me a long time to realize this. But it's obvious in retrospect. Let's say you're an attacker and you're lazy, and you want to send a mail that looks exactly like a Bank of America mail. What do you do? Well, what you do is you take a real Bank of America mail, save as HTML and resend that.
Dave Bittner: [0:24:07] Right.
David Baggett: [0:24:07] (Laughter) Of course, it's going to look exactly like a Bank of America mail because it is. It's the same HTML, right?
Dave Bittner: [0:24:11] Right.
David Baggett: [0:24:12] And you also didn't have to do any work. You didn't make a new logo or anything. You just resend something you've already got. So the problem is in the context of these kinds of emails, where there isn't much of a visual indication, it is very difficult to expect a user to perfectly discern whether it's a forgery or not. And one of the nice things is the software, on the other hand, is able to prove using cryptography whether that mail really is from Bank of America or not. So actually, the software has an advantage over the human in determining the veracity of the mail.
Dave Bittner: [0:24:46] So lots to unpack there, Joe - really interesting to see how they're coming at this phishing problem using technology.
Joe Carrigan: [0:24:53] Right. You know, email is still the No. 1 vector. And it's still the No. 1 vector because it's cheap, easy and old. Old, I think, is the key. And when we started slapping HTML on top of email, I didn't think that was a good idea. And actually, I say this frequently. One of the easiest things to do in a security position is to say, that's going to end badly, and then wait for it to end badly.
Joe Carrigan: [0:25:17] Hey, look at me. I was right. I'm like Nostradamus here.
Dave Bittner: [0:25:19] Right, right.
Joe Carrigan: [0:25:21] It's pretty easy to do that. But, you know, this was back even before I was in security – actually, even before I was in this tech field. A friend of mine sent me an email that looked like it came from the White House. And it was remarkable. This is before - like I said before, this was back in the '90s - very easy to spoof it.
Joe Carrigan: [0:25:36] Everything Dave is saying here is completely correct, particularly about when he talks about people being harried and under the gun looking through their inboxes. Dr. Dahbura and Dr. Li, who are faculty at ISI, the Information Security Institute, published a paper this year on spam filtering by humans. And they found that multitasking has a negative effect on the user's ability to correctly classify emails. And the paper's been published. And we're going to put a link in the show notes, right?
Dave Bittner: [0:26:06] Yeah.
Joe Carrigan: [0:26:06] So everybody can take a look at that. But when you're doing your email, when you're working with your email, take the time to dedicate some time to it and just pay attention to it - don't - you know, especially if someone's asking for some information, or it's time to click on links. Spend the time to focus on your task at hand.
Dave Bittner: [0:26:23] Yeah, that's an interesting thing because I think there are some people who set aside time to focus on going through their emails.
Joe Carrigan: [0:26:30] Right.
Dave Bittner: [0:26:30] And I think other people kind of address them as they come in, on the fly.
Joe Carrigan: [0:26:33] Yes. I cannot do that.
Dave Bittner: [0:26:35] I can't.
Joe Carrigan: [0:26:36] I find that as a great exercise - I'm not going to go into it here. But it turns out that multitasking is just a terrible way to do your job. Whenever I talk to people about it, I say, you don't want multitaskers; what you want is people who are able to switch from one task to the next with relative ease. That's not multitasking. Multitasking is a bad idea all around. You're not devoting 100 percent of your attention to one task. You're trying to complete two or three tasks at once, and none of them are getting done well.
Dave Bittner: [0:27:02] Yeah, I find I just can't do it. I think it leads to a certain level of anxiety if I'm trying to keep too many things in my head at once. I need to - switch and focus works better for me. And that's just how - that's just me.
Joe Carrigan: [0:27:15] I don't think it's just you. I think it's the vast majority of the human population.
Dave Bittner: [0:27:20] Yeah.
Joe Carrigan: [0:27:20] One thing he said that I really thought was very clever on these attackers' part is by putting text in white on white to fool spam filters. That's a great idea.
Dave Bittner: [0:27:28] Yeah, yeah.
Joe Carrigan: [0:27:30] It's very clever.
Dave Bittner: [0:27:31] All right. Well, our thanks to Dave Baggett from Inky for joining us. You can of course check them out online to learn about all the stuff they're doing to fight phishing attacks. So we thank him for joining us. And, of course, we thank you for listening.
Dave Bittner: [0:27:44] And we thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about what they're up to at isi.jhu.edu.
Dave Bittner: [0:28:09] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [0:28:26] And I'm Joe Carrigan.
Dave Bittner: [0:28:27] Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.