Joe describes a law firm impersonating a rival to funnel business away from them. Dave has a story of pontiff impersonation. Our guest is Joe Gray from Advanced Persistent Security.
Links to stories mentioned in this week's show:
Joe Gray: [00:00:00] Are they doing this ethically, or are they going underhanded to try to manipulate? Because I see a distinct difference between influence and manipulation.
Dave Bittner: [00:00:08] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:29] Hi, Dave.
Dave Bittner: [00:00:30] As always, we've got some great stories to share. And later in the show, we've got Joe Gray. He's from the “Advanced Persistent Security” blog and podcast. He's going to share some of his experiences with social engineering. But before we get to all that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:00:49] So who's got the advantage in cybersecurity, the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor, KnowBe4, that puts it all into perspective.
Dave Bittner: [00:01:12] All right, Joe. We are back. Before we jump into our stories this week, we've got a little bit of follow-up. We've got a gentleman named Chris who sent us some feedback on Twitter. You know, recently, we were talking about real estate fraud.
Joe Carrigan: [00:01:23] Right. That was in last week's episode.
Dave Bittner: [00:01:23] Yeah, I believe so. And you mentioned to be wary of companies asking for money over a wire transfer...
Joe Carrigan: [00:01:32] Correct, I did.
Dave Bittner: [00:01:34] ...That you had not experienced that before.
Joe Carrigan: [00:01:36] Never seen it before in my life.
Dave Bittner: [00:01:37] I agreed. Well, Chris wrote in. And he said, when I bought my house in Virginia, my closing company did ask for a wire. I called them up rather than replying to the email and asked them to validate the wire account number. On their part, they did send the information at the beginning of the process and said that it would not change later. It seems that they chose to do wires due to fraudulent certified cashier's checks.
Joe Carrigan: [00:02:01] Oh.
Dave Bittner: [00:02:01] (Laughter) So Chris says, it's a double-edged sword of both people and businesses looking to stop fraud.
Joe Carrigan: [00:02:06] That's right.
Dave Bittner: [00:02:07] So there you go, right? (Laughter).
Joe Carrigan: [00:02:09] I guess the solution here is maybe an escrow company.
Dave Bittner: [00:02:11] Big stacks of cash, Joe. That's the - a briefcase...
Joe Carrigan: [00:02:15] Just come in with a briefcase full of cash.
Dave Bittner: [00:02:16] ...Handcuffed to your wrist. Yeah, they would love that. Can you imagine the flurry of activity that would cause? So...
Joe Carrigan: [00:02:22] Now, we could do it with an escrow company, I guess. So, you know, like 10 days before closing, you get the cashier's check, deposit it into the escrow account. That gives the check time to clear. But that involves yet another party that can be impersonated in this process.
Dave Bittner: [00:02:36] I guess as long as you're doing your due diligence, like it seems Chris did here, following...
Joe Carrigan: [00:02:39] Right. No, I think what Chris did is exactly right.
Dave Bittner: [00:02:39] ...Up by phone and just double-checking before you just go off and wire that money.
Dave Bittner: [00:02:45] Correct. And I like what the settlement company said, that - here is our account number. This will not change during the process.
Dave Bittner: [00:02:52] Right. Right. Yeah. That's good. All right. Well, Chris, thanks for sending in the feedback. We always like hearing from folks on Twitter. You can also check out over on the website, thecyberwire.com, you can reach out to us there. So let's get to our stories this week. Joe, what do you have?
Joe Carrigan: [00:03:07] I've got a story from Shaun Nichols over at The Register. There is a law firm in Illinois called Motta & Motta.
Dave Bittner: [00:03:14] (Laughter) OK.
Joe Carrigan: [00:03:14] I think that's how it's pronounced.
Dave Bittner: [00:03:15] All right.
Joe Carrigan: [00:03:16] M-O-T-T-A. They are suing a rival firm called Dolci & Weiland.
Dave Bittner: [00:03:22] OK.
Joe Carrigan: [00:03:22] I think I'm saying that right. But - It's D-O-L-C-I. And Weiland, I'm pretty sure I got that right.
Dave Bittner: [00:03:26] Yeah.
Joe Carrigan: [00:03:27] And Motta & Motta is alleging that Dolci & Weiland was impersonating them online in an attempt to steal clients. Motta & Motta says that Dolci & Weiland had set up a website and a phone line designed to redirect Motta & Motta criminal and family law clients to the Dolci firm. I'm just going to call them Dolci and Motta from now on.
Dave Bittner: [00:03:47] OK. All right.
Joe Carrigan: [00:03:47] OK. So Motta is the people making the allegations. Dolci is the people...
Dave Bittner: [00:03:50] OK.
Joe Carrigan: [00:03:51] So Motta alleges that Dolci built a site that looked very similar to Motta's site and then did some search engine optimization to get the fake page to show up in search results before Motta's site.
Dave Bittner: [00:04:04] The actual Motta site.
Joe Carrigan: [00:04:04] The actual Motta site.
Dave Bittner: [00:04:05] OK.
Joe Carrigan: [00:04:06] And, of course, the plan was to get people in the Chicago area who were looking for an attorney go to Dolci instead of Motta.
Dave Bittner: [00:04:12] So I'm out there looking for an attorney.
Joe Carrigan: [00:04:14] Right.
Dave Bittner: [00:04:15] This Motta & Motta comes up as a possibility, but the people at the other law firm have set up a fake site that looks like Motta's site.
Joe Carrigan: [00:04:23] Right.
Dave Bittner: [00:04:23] Wow (laughter).
Joe Carrigan: [00:04:23] So not only did they copy the look and feel of this website, but they actually went so far as to just totally copy articles that Motta's attorneys had written in law journals for years.
Dave Bittner: [00:04:38] Just scraping the contents of that site.
Joe Carrigan: [00:04:40] Yeah and plagiarizing the journal entries that these people have made available online.
Dave Bittner: [00:04:43] And then funneling the people who land there via the SEO...
Joe Carrigan: [00:04:48] Right.
Dave Bittner: [00:04:49] ...To their own site.
Joe Carrigan: [00:04:50] Exactly. So you're a guy that is going through something. You need you need a family lawyer.
Dave Bittner: [00:04:53] Right.
Joe Carrigan: [00:04:54] Right? Maybe do some estate planning. So you go to good old Google, which is where everybody goes first.
Dave Bittner: [00:04:59] Right.
Joe Carrigan: [00:05:00] And you type in family estate planning lawyer. So the first thing that comes up is a site that looks like Motta & Motta. But you click on the link, and everything is - looks like Motta & Motta. But when you call the numbers, you'll get in touch with somebody at the Dolci firm - Dolci & Weiland.
Dave Bittner: [00:05:15] So everything looks like Motta, except the actual contact forms take you to their competitor.
Joe Carrigan: [00:05:21] Sure. And here's one more thing. In the event that somebody had actually gone through and done the effort to look up Motta's phone number somewhere...
Dave Bittner: [00:05:30] Right.
Joe Carrigan: [00:05:31] ...Motta claims that Dolci had compromised somebody on the inside of their law firm.
Joe Carrigan: [00:05:37] Of course they did (laughter).
Joe Carrigan: [00:05:38] And that they will be redirecting phone calls to Dolci & Weiland from inside the Motta & Motta organization.
Dave Bittner: [00:05:45] Wow. The call's coming from inside the house.
Joe Carrigan: [00:05:48] Right (laughter).
Dave Bittner: [00:05:50] Wow.
Joe Carrigan: [00:05:51] This is a pretty advanced technical attack.
Dave Bittner: [00:05:53] Now, the question is...
Joe Carrigan: [00:05:54] There's a huge social engineering portion here because, No. 1, they've compromised somebody on the inside.
Dave Bittner: [00:05:59] Right. Right.
Joe Carrigan: [00:06:00] And No. 2, they've taken all this technology and made it so that when people look at it, they think they're looking at one thing, but they're looking at another. Motta & Motta alleges that they've lost $2 million over the past two years to this practice.
Dave Bittner: [00:06:14] I wonder how it first came to their attention.
Joe Carrigan: [00:06:17] That's an excellent question.
Dave Bittner: [00:06:18] Yeah.
Joe Carrigan: [00:06:18] The article doesn't discuss that.
Dave Bittner: [00:06:19] Right. That must have been an interesting staff meeting when - at Motta & Motta when somebody...
Joe Carrigan: [00:06:25] They noticed something was wrong when they stopped getting as many incoming calls.
Dave Bittner: [00:06:28] Yeah.
Joe Carrigan: [00:06:29] Their lead generation dropped off somehow. So I think that was probably the trigger that said, why are we not getting any calls? And then they went out and looked into it would be my guess. They're suing to get control of the fake website. And they want a trial for damages.
Dave Bittner: [00:06:43] Well, and to the customers of the other website that was up to no good, I suppose - allegedly, of course.
Joe Carrigan: [00:06:48] Sure.
Dave Bittner: [00:06:49] Is that who you want representing you? I guess for some people, it is. That's just the kind of clever out-of-the-box thinking that - right. I want...
Joe Carrigan: [00:06:56] This is how these guys get business? You're hired.
Dave Bittner: [00:06:59] Wow. All right. Of course, there's no shortage of lawyer jokes, so...
Joe Carrigan: [00:07:03] Right. No. Yeah, that's like shooting fish in a barrel.
Dave Bittner: [00:07:07] Right. Right. So a friend of mine who is a lawyer says, everybody hates lawyers until you actually need one.
Joe Carrigan: [00:07:12] Right.
Dave Bittner: [00:07:12] And then we're your best friends.
Joe Carrigan: [00:07:15] Then we love them.
Dave Bittner: [00:07:15] Right. Right. All right. Wow. That's an interesting one. Hard to imagine the moxie too, the brazenness.
Joe Carrigan: [00:07:23] Right. Well, this is all still alleged right now.
Dave Bittner: [00:07:25] Yeah.
Joe Carrigan: [00:07:25] But let's say they did this, right?
Dave Bittner: [00:07:27] Right. And again, that staff meeting. All right, gentlemen. Here's my new marketing plan. (Laughter). Like, I love it. Capital idea. Let's go.
Joe Carrigan: [00:07:38] It doesn't - I don't think it was a marketing plan. I think it was, you know, one of these guys sitting in a room with his nephew who's a techie guy and says, hey, can you do this? And the guy goes, yeah, I can do this. It's real easy.
Dave Bittner: [00:07:47] Yeah.
Joe Carrigan: [00:07:47] Go ahead and do it.
Dave Bittner: [00:07:48] Yeah. Let's just see what happens.
Joe Carrigan: [00:07:50] Yeah. I don't know that lawyers have the expertise to do this. I think they know somebody. I think they probably had help.
Dave Bittner: [00:07:54] (Laughter).
Joe Carrigan: [00:07:54] 'Cause lawyers, you know, they just - the thing about lawyers is there's a lot of work involved in being a lawyer, right?
Dave Bittner: [00:08:01] A good one.
Joe Carrigan: [00:08:01] Yeah, a good one.
Dave Bittner: [00:08:02] (Laughter).
Joe Carrigan: [00:08:04] So they don't really have time to develop the technical expertise to do this. So they had help.
Dave Bittner: [00:08:09] I guess. All right. Well, my story - this is one about trust.
Joe Carrigan: [00:08:12] OK.
Dave Bittner: [00:08:12] So we talk all the time about a big part of social engineering is establishing trust, false trust. And there's someone in the world who a lot of people trust - the pope. Then I would say, you know, for good reason, right? People love this pope. He seems like a cheerful, cheery guy with a positive attitude. And there's a lot to like about the current pope. And so there's been some people out there who have wound up some bot nets to impersonate the pope. And evidently, the pope's real twitter handle is @pontifex. So what these folks have done, they have a duplicate handle that is @_poontifex.
Joe Carrigan: [00:08:58] (Laughter).
Dave Bittner: [00:08:56] So close enough, I suppose.
Joe Carrigan: [00:09:00] Right, with a U?
Dave Bittner: [00:09:01] No, P-O-O-N-T - poontifex.
Joe Carrigan: [00:09:05] OK.
Dave Bittner: [00:09:06] And what do you suppose the pope is going to give away here, Joe? If there's one thing that you think Pope Francis would be into.
Joe Carrigan: [00:09:14] Oh, tons of gold.
Dave Bittner: [00:09:15] Gold? That's a good guess. He certainly...
Joe Carrigan: [00:09:18] You always see the pictures of all the wealth that the Catholic Church has and all the gold.
Dave Bittner: [00:09:22] There is no shortage of gold at the Vatican. That is right. But no, this is a modern pope, Joe. He's giving away bitcoin.
Joe Carrigan: [00:09:28] Bitcoin.
Dave Bittner: [00:09:29] Yes, he's giving away - he has entered the new century. And just to make people happy...
Joe Carrigan: [00:09:35] How silly of me to not guess that first.
Dave Bittner: [00:09:37] ...He is giving away bitcoin. The pontiff is giving away bitcoin. And it's even more sophisticated than that. They've got some other dummy accounts that have responded to this fake pope's offer to give away bitcoin.
Joe Carrigan: [00:09:49] Wait. Can I guess what they say?
Dave Bittner: [00:09:51] Go ahead.
Joe Carrigan: [00:09:51] Hey, your holiness. Thanks for the bitcoin.
Dave Bittner: [00:09:54] (Laughter) You know, not even that eloquent. They respond and they say, so cool, just sent and immediately got back. You're super fast.
Joe Carrigan: [00:10:03] (Laughter) Wow. Other people are doing it, this must be great.
Dave Bittner: [00:10:06] So it's actually working to get your bitcoin from the pope.
Joe Carrigan: [00:10:10] Has anybody looked at the blockchain address? You know, the address of this bitcoin wallet and see if anybody is sending bitcoin to it?
Dave Bittner: [00:10:16] The article does not say. This is actually an article from CCN, does not say what the follow-up is. But, you know, I think - this speaks to - I mean, as silly as it is, they do it because it works.
Joe Carrigan: [00:10:28] Right.
Dave Bittner: [00:10:29] And here is someone that people have great reverence for.
Joe Carrigan: [00:10:34] Yep.
Dave Bittner: [00:10:34] And so we laugh about it, but to some people, this could make absolutely perfect sense.
Joe Carrigan: [00:10:42] Yeah, I guess. A big part of his mission in the church is helping the poor.
Dave Bittner: [00:10:46] Right.
Joe Carrigan: [00:10:47] Right? But...
Dave Bittner: [00:10:48] He's got the resources.
Joe Carrigan: [00:10:48] I don't know that he has the resources personally. I think his...
Dave Bittner: [00:10:52] He has access. He could go to one of those we-buy-your-gold stores and pull up with a wheelbarrow from the basement of the Vatican, right? Nobody would even miss it. (Laughter).
Joe Carrigan: [00:11:02] Right. Well, I mean people would miss it because all those things have historical importance. Right? Where are poor people going to get money to buy bitcoin or the means to buy bitcoin first? So I don't know. I guess, yeah, I can see people falling for this. But at the same point in time, I mean, it's the pope giving away bitcoin. No. (Laughter) This isn't real. The pope is not giving away bitcoin.
Dave Bittner: [00:11:24] No. The pope - and, of course, obviously, the pope is not giving away bitcoin. But somebody saw that it was worth it to spin up this scam...
Joe Carrigan: [00:11:33] Right.
Dave Bittner: [00:11:33] ...And spin up bots to respond to it.
Joe Carrigan: [00:11:36] I'll bet he got at least a couple of bitcoin out of it.
Dave Bittner: [00:11:38] It works. It works.
Joe Carrigan: [00:11:39] I would like to know how much you got.
Dave Bittner: [00:11:41] (Laughter) Yeah. All right. Well, those are our stories this week. It's time for our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:50] All right. Joe, we've got a special Catch of the Day this week. I have actually gone to the trouble of printing out this week's Catch of the Day because I didn't want you to be able to see the last part of it. I want it to be a surprise to you so that people can hear it as you experience it. This is a Facebook scam.
Joe Carrigan: [00:12:08] I've got a Post-it note over top of the last line.
Dave Bittner: [00:12:10] Right. So, you know, you get friend requests on Facebook, and sometimes you get a friend request from someone who's impersonating another person.
Joe Carrigan: [00:12:18] Correct.
Dave Bittner: [00:12:19] Right? So a friend of mine, whose name is Jamie, this was sent to him on Facebook Messenger from someone that he thought he knew. Right? So a friend, someone he has agreed to be friends with on Facebook. So...
Joe Carrigan: [00:12:31] And this looks like that someone.
Dave Bittner: [00:12:33] It had the person's picture.
Joe Carrigan: [00:12:34] Right.
Dave Bittner: [00:12:34] We're just going to call this person Ann.
Joe Carrigan: [00:12:36] Ann.
Dave Bittner: [00:12:36] All right? Just use the first name. And I will play the part of Ann the scammer...
Joe Carrigan: [00:12:42] OK.
Dave Bittner: [00:12:42] ...And you can play the part of the person, my friend, who got this message.
Joe Carrigan: [00:12:47] Jaime.
Dave Bittner: [00:12:47] Here we go.
Joe Carrigan: [00:12:47] OK.
Dave Bittner: [00:12:48] (Reading) Hello. How are you doing?
Joe Carrigan: [00:12:51] (Reading) Beautiful, as always. And you?
Dave Bittner: [00:12:53] (Reading) I'm doing good and happy with my life now. Have you heard or been told about the good news yet?
Joe Carrigan: [00:12:59] (Reading) ...?
Dave Bittner: [00:13:01] (Reading) Have you heard about the program made by Health and Human Service, HHS, for helping people, especially hearing, deaf, disable, young, old, poor and retired workers?
Joe Carrigan: [00:13:12] (Reading) No…
Dave Bittner: [00:13:14] (Reading) They are united power to ensure success and focus for the people in the community. So you haven't gotten yours or heard about this yet?
Joe Carrigan: [00:13:23] (Reading) I have no idea what you speak of.
Dave Bittner: [00:13:26] (Reading) The promotion was made by the United States of America government and Health and Human Service, and I get $150,000 from them. Did you get yours from them?
Joe Carrigan: [00:13:36] (Reading) Ah, this is a scam. I get it.
Dave Bittner: [00:13:40] (Reading) I'm very serious about this and not pulling your legs. I really got this money, and it is real and legit. I wonder why you haven't gotten yours yet?
Joe Carrigan: [00:13:49] And now I'm going to remove the Post-it note to read the last reply.
Joe Carrigan: [00:13:54] (Reading) The real Ann knows English grammar and can spell. Also, she's a judge now you're impersonating. So this goes well beyond straight up wire fraud you're trying to commit. I'm guessing this will get you consecutive life sentences...
Dave Bittner: [00:14:09] And at that point, the scammer blocked the conversation.
Joe Carrigan: [00:14:11] (Laughter).
Dave Bittner: [00:14:15] Unbeknownst to the scammer, was imitating a sitting judge.
Joe Carrigan: [00:14:19] Right. Yeah. Not - not (laughter).
Dave Bittner: [00:14:22] You know, it's funny. We talk about scammers doing their homework to do a successful impersonation of someone in a spear-phishing campaign or whatever. No. This person did not do that.
Joe Carrigan: [00:14:31] I like, I'm not pulling your legs.
Dave Bittner: [00:14:34] Yeah. I like, the promotion was made by the United States of America government.
Dave Bittner: [00:14:40] That's right. (Laughter).
Joe Carrigan: [00:14:41] Instead of just U.S. government?
Dave Bittner: [00:14:42] Yeah. Yeah.
Joe Carrigan: [00:14:43] I like the name of whatever organization she calls it within Health and Human Services. It says, they are a united power to ensure success and focus for the people in the community.
Dave Bittner: [00:14:53] Right. (Laughter).
Joe Carrigan: [00:14:56] Is that a name of an organization, or is that more broken English?
Dave Bittner: [00:14:59] I don't know.
Joe Carrigan: [00:14:59] That's the worse organization name ever.
Dave Bittner: [00:15:02] (Laughter). Yeah.
Joe Carrigan: [00:15:02] It doesn't even have a clever acronym.
Dave Bittner: [00:15:03] No. All right. So that's our Catch of the Day for this week. Look out for these Facebook scams. They're out there, people trying to impersonate your friends.
Joe Carrigan: [00:15:12] Right.
Dave Bittner: [00:15:12] All right. So coming up next, we've got my interview with Joe Gray. He's from “Advanced Persistent Security.” He's going to share some of his experiences with social engineering. But before we get to that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:15:27] Now let's return to our sponsor's question about the attacker's advantage. Why did the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5 percent failure rate. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:16:27] And we are back. Joe, recently I spoke with another Joe - Joe Gray. He's from the "Advanced Persistent Security" blog and podcast.
Joe Carrigan: [00:16:35] Interesting.
Dave Bittner: [00:16:35] He was also the inaugural winner of the DerbyCon Social Engineering Capture the Flag, and he was awarded a DerbyCon black badge. So here's my conversation with Joe Gray.
Joe Gray: [00:16:46] As a teenager, I loved prank calling. And, you know, I'm going to spell vishing out very easily. For those listeners who aren't aware, vishing is voice phishing, meaning it's just like a phishing email but it's going to come to via phone. It's basically a glorified prank call. You basically get into a character and you call your target. You will have things to find in advance, if you're doing this ethically, at least. If you're doing it out of a malicious motive, then you'll probably still have your objectives, but you won't have it scoped and it won't be customer-approved like it would be if you were doing it in terms of a business sense.
Joe Gray: [00:17:20] So you basically call them. You stick to the script. You'll build a pretext, which basically is a ruse, that's your character. One that I commonly like to use is, I'm operating on behalf of someone. Usually I try to find out who their head of information security is, who their CIO is. I've dealt with some quasi-government and basically, to stay as vague as possible, said I was operating under the authority of the leader of that organization or city or state or what have you just to stay vague. And that took into account, that specific phrase, I am operating under the authority of person. That is using one of the six principles of persuasion that Dr. Robert Cialdini defined in his book, "Influence: The Psychology of Persuasion."
Dave Bittner: [00:18:03] Well, let's explore that a little bit. You were self-aware that you had the gift of the gab, but how does that differ from persuasion of actually being able to influence people, to channel them in the directions you want them to go?
Joe Gray: [00:18:15] It really just depends on how you structure it. For example, if I'm hanging out with a few of my friends and I want to eat at, say, Taco Bell, and I know that they're bigger fans of Burger King - just throwing out answers - I might say something to either discredit Burger King, or I might say something to amplify Taco Bell, such as a promotion. Or I might say something about the sensory that one deals with when they're around a really tasty taco - how it smells, how it may sound - to get in their mind and really say, you know what? I want one of these. We see that concept very frequently in used car salespeople and big box retailers. Any time that commission is involved, you see those six principles used very heavily and sometimes not necessarily ethically, specifically taking a look at the car salesman.
Dave Bittner: [00:19:03] Yeah.
Joe Gray: [00:19:04] And out of car salesmen, you typically hear things like, a lot of men your age prefer the handling of this model of Volkswagen as opposed to this, or, a lot of men your age really like this two-seater BMW Z4 Roadster. OK? That's implementing social proof. When we think about this a little bit further, I would say that most people are hard-pressed to find a salesperson that didn't at least attempt to be likable. A lot of salespeople truthfully aren't, but they at least attempt to be likable, especially if they think you're going to buy something.
Dave Bittner: [00:19:34] Right.
Joe Gray: [00:19:34] So same thing with the used car salesmen. They're going to play to whatever they can try to read out of you. And then from there, there's your likability. Then also within that, if you've purchased a car from the person or that dealership before, they may try commitment and consistency, saying that we consistently do right by our customers, we've never steered you wrong with your car purchases. Something to that effect. And then reciprocity - hey, you know, if you'll pay an extra $200 for this car, I'll take you out to dinner, or something like that. Reciprocity. And that basically covers the six principles of persuasion.
Dave Bittner: [00:20:04] Now, when you're out and about, like you said, buying a car or buying a new computer or any of those interactions, I mean, do you find yourself just quietly sort of keeping tally in your mind as people are either deliberately or inadvertently using these techniques to try to persuade you?
Joe Gray: [00:20:19] I totally judge them. I totally do. I look at it from the perspective of, are they doing this ethically? Are they just trying to hit the high notes and do what they're supposed to do? Or are they going underhanded to try to manipulate? Because I see a distinct difference between influence and manipulation, manipulation being a little bit more on the malicious side, influence being more of the idea of, I'm going to give you this information and have you form the opinion of your own cognition. Where manipulation, that's going to be more of, I'm going to give you covert-type things to push you to go this direction. It's a very small, nuanced difference between the two, but in terms of manipulation, that it is to the influence world what black hat hacking is to the rest of InfoSec as opposed to white hat.
Joe Gray: [00:21:07] So I totally judge them in terms of how do they do it. Do they present me the marketing points, the high points? Do they try to pre-brief me on something - like, man, can you imagine how those heated seats are going to feel when it gets cold outside? If it's cold outside, that's really going to work. If it's hot outside, it's probably not. And I wouldn't fault them for saying that whenever it's hot. I would fault them for saying something like, a guy just came in and he went to the bank to get financing. If you can get it before him, it's yours because - let's be real - who goes to a car dealership and then leaves to go to the bank to get financing anymore? You either show up with it, or you get it at the dealership in this day and age.
Dave Bittner: [00:21:43] Yeah. I mean, it strikes me - like you said, it's that subtle difference between trying to put something in its best light versus, I guess, deception.
Joe Gray: [00:21:52] You can put lipstick on a pig, and I can see it for what it is or fall for it or whatever and not be too upset about it. If you try to sell me a pig wearing lipstick as, say, a bulldog, for the price of a bulldog, I'm going to have some problems.
Dave Bittner: [00:22:07] (Laughter) Right. Right. So, you know, with the experience you have, the deep knowledge you have on the topic, what is your advice to people out and about, day to day, to protect themselves from this? How can they have their guard up without, you know, becoming too paranoid, without going too far?
Joe Gray: [00:22:22] Be cognizant of what people are asking for. So recently, I was at Social Engineer Rhode Island, which is now known as Layer 8 Conference. It's a conference solely dedicated to social engineering. And the night before the conference and the night of the conference, all the speakers and some of the attendees went out and about in downtown Newport for the speakers' dinner and networking reception. So obviously, when you get a group of 30-some odd social engineers, basically the speakers, and about another hundred social engineers or social engineering enthusiasts in the same area, obviously, some people are going to try to do things to beat their chests, so to speak. It's just like when you get a bunch of hackers together in a Capture the Flag. Somebody is going to try to beat their chest.
Joe Gray: [00:23:04] We were basically kind of running our own Capture the Flag types of things. And we just set up a simple flag, like, what was a mother's maiden name? And obviously, mother's maiden name is a password reset question, just as, what is your high school mascot, what is the street you grew up on, what was your first pet's name, those are all reset questions. So basically, we would come up with something like that, and then we would direct whoever it is trying to capture this flag into a group of people or a person to find out.
Joe Gray: [00:23:29] So when it came my turn, I was walking about right next to a pier, and there was a couple there and they were trying to take a picture with a sailboat in the background. So I was like, hey, would you like me to take your picture? Oh, would you? Absolutely. You know what? I'll tell you what. Here's my phone. You can hang on to it so you know I won't run away with your phone. I did that just to build rapport with him.
Joe Gray: [00:23:49] I took the picture. And then there's this other majestic boat that just comes in right behind him. I was like, hey, hold on. I'll get your picture with this boat in the background. They were like, oh, that would be awesome. So I take a few more pictures. And then once I was done, I handed them their phone so that they could review them. And they're like, oh, man, that's so awesome. Thank you very much.
Joe Gray: [00:24:05] I was like, hey, you're welcome. Just out of curiosity, do you have a moment to help me out with my anthropology survey that I'm doing as part of my summer classes? They're like, Sure, what is it? I was like, well, single question. I'm doing a survey about people's migration patterns and how different ethnic groups intermingle with other ethnic groups.
Joe Gray: [00:24:23] So I'm getting information about names and where they travel and patterns and such. And I've got a ridiculous amount of information about the paternal side of the family. What was your mom's name before she was married? Notice I didn't say, what your mother's maiden name? Because that sets off alarms. I said, what was your mother's name before she was married? And they both told me.
Joe Gray: [00:24:42] And then they told me where they were from. I was like, oh, I have some friends that were - that was there. I just happened to be familiar with the area very vaguely. So I mentioned the city. I was like, yeah, they went to that school. They're like, oh, well, that was like my rival high school. I was like, that's right. What was the mascot? So they told me the mascot. And I could have kept on going.
Joe Gray: [00:25:00] To get back to your original question about, how do you defend yourself? Be cognizant of what people are asking, even if they're not truly asking. It may be something to build a rapport. I'm not saying go off and be rude to people because that does no one any good. But just be cautious about it. Like from the perspective of emails, if you get an emails that just seems too good to be true or it's unsolicited, it's out of context, it's not the right timing, misspelled words or something, forward it to your information security team or actually reach out to your information security team. Say, hey, I got this email. I'm not sure if it's a phish or legitimate. I would appreciate it if someone could take a look at it. Where do I need to send it? And have them tell you exactly where to send it, whether it be to phishing @ your company's domain or anywhere else.
Joe Gray: [00:25:42] I recommend setting up a phishing email account so everyone can just forward there and to be safe. That way you don't have to worry about non-security people reading the phish or potentially clicking anything. It's - it would be a selected group of people. From the perspective of phone calls, I would say if you get an unsolicited phone call or something that just doesn't sound right, my best recommendation would be, hey, I'm sorry. My boss just walked in. I've got to talk to him or her for about five to 10 minutes. This is very important. Can I call you back? And if they immediately say no or give you an excuse as to why you need to stay on the phone with them or give you a number that is different than the one they're calling you from, you've pretty much thwarted an attack.
Dave Bittner: [00:26:24] Right.
Joe Gray: [00:26:24] So common sense, logic in terms of, should I be receiving this? Should I be responding to this? Is this out of scope for me? Is this person who they say they are? For example, with gender-ambiguous names like Tracy, for example. If a woman calls you and claims to be Tracy, but you know Tracy is a male, that sets off alarms. So it's just something to keep in mind. For example, whenever I do phishing attacks, I tend to try to scope out the organization and look for help desk phone numbers, joint phone lines - meaning it would be a hotline.
Joe Gray: [00:27:01] Like, for example, when I was competing at the DerbyCon Social Engineering Capture the Flag last year, I found my target company's Office 365 email migration issue hotline number. And that's the number I spoofed to call everybody. But if I can't find something like that, I tend to use fax machines. That way, if someone calls it back, I don't have to worry about someone picking up on the other end and saying, I didn't call you.
Dave Bittner: [00:27:22] Oh, interesting.
Joe Gray: [00:27:25] There's a lot of moving parts to doing it.
Dave Bittner: [00:27:28] So, Joe, what do you think about what Mr. Gray had to say there?
Joe Carrigan: [00:27:31] I like a lot of things that Mr. Gray had to say. The first point that stands out, obviously, is I'm operating under the authority of. Right? I don't know. That's got to be a very powerful thing. You know, somebody calls me and says, I'm operating under the authority of President Daniels at Johns Hopkins University - right? - they're going to immediately have my attention.
Dave Bittner: [00:27:48] Right. Right. Yeah, the boss.
Joe Carrigan: [00:27:51] Exactly. Or they're calling from the office or someone I know like, say, the CISO, yeah, they're going immediately have my attention. I really like his trick for when he's spoofing phone numbers inside of a company to spoof a fax machine if he doesn't have a particular number because when somebody calls it back, they don't get someone to answer and blow his cover.
Dave Bittner: [00:28:10] Right.
Joe Carrigan: [00:28:11] But still might not add up, but it's not going to immediately be destructive to his task.
Dave Bittner: [00:28:15] Right. It's not a negative.
Joe Carrigan: [00:28:16] He spent a lot of time talking about car dealerships.
Dave Bittner: [00:28:18] (Laughter).
Joe Carrigan: [00:28:19] I hate car dealerships, Dave. But I really get disgusted when I detect that someone is trying to manipulate me. And it just gets my...
Dave Bittner: [00:28:25] Yeah. Oh, absolutely. I'm in the early stages of car shopping. And it's just miserable because you get excited about, you know, the possibility of a new car. But then you're struck with the reality that you're going to have to go through this process. Just no fun.
Joe Carrigan: [00:28:40] And it's always the same, particularly if you're buying a new car. It's always the run around. You know, wait here while I go talk to my manager.
Dave Bittner: [00:28:47] Yep. Yep.
Dave Bittner: [00:28:48] There's no manager.
Dave Bittner: [00:28:51] (Laughter) Right. Right. All right. Well, thanks to Joe Gray. His blog is “Advanced Persistent Security,” also has a podcast there. We appreciate him taking the time for us. And, of course, thanks to all of you for listening.
Dave Bittner: [00:29:03] And thanks to our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest.
Dave Bittner: [00:29:17] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.
Dave Bittner: [00:29:26] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:43] And I'm Joe Carrigan.
Dave Bittner: [00:29:44] Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.