Dave warns of scammers taking advantage of Hurricane Florence, both on the phone and in person. Joe shares a scheme targeting the kindness of local churchgoers. A cosmic variation on the Nigerian email scam. Joe interviews his Johns Hopkins University colleague Chris Venghaus, who leads a tech support scammer on a wild goose chase.
Chris Venghaus: [00:00:01] I tell him, like, I know you're running a scam. We're done with this conversation here. And he got super defensive because he just realized that all the time that he had spent trying to get me to talk to him and do all this stuff was a complete waste of time.
Dave Bittner: [00:00:14] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me as always is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:34] Hi, Dave.
Dave Bittner: [00:00:35] As always, we've got some great stories to share. And later in the show, Joe talks with Chris Venghaus, also from the Johns Hopkins University Information Security Institute. But before we get into all of that, we've got a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:00:53] Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill, a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided. But a little bit of your soul seems to die every time the trainer says, next slide. Well, OK. We exaggerate. But you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training.
Dave Bittner: [00:01:29] And we are back. Joe, this past week, the news has been dominated by the story of Hurricane Florence, which is...
Joe Carrigan: [00:01:36] It sure has.
Dave Bittner: [00:01:37] Yeah, it's been beating down on the Carolinas here in the U.S.
Joe Carrigan: [00:01:40] Yep.
Dave Bittner: [00:01:41] Now, we sort of dodged this bullet up here in Maryland. We were afraid that it was going to come at us.
Joe Carrigan: [00:01:46] Right.
Dave Bittner: [00:01:47] But it seems like it zigged when we thought it was going to zag. And it seems like it's going to stall over the Carolinas.
Joe Carrigan: [00:01:53] We're very lucky here, but our gain is someone else's loss, I guess.
Dave Bittner: [00:01:56] Yeah. That's right. And as we record this, the storm has just made landfall, so we don't know the extent of the damage to come. But you know, this is a serious life-threatening situation...
Joe Carrigan: [00:02:06] Right.
Dave Bittner: [00:02:06] ...Evacuations, potential for flooding, wind damage, all those things that hurricanes can bring.
Joe Carrigan: [00:02:12] Right.
Dave Bittner: [00:02:12] So of course, as it always happens it seems, scammers are stepping in to take advantage of the situation.
Joe Carrigan: [00:02:18] Well, you can always count on them to do that.
Dave Bittner: [00:02:20] Yeah. So 13News Now, which is the local newscast out of WVEC-TV there in Norfolk, Va...
Joe Carrigan: [00:02:28] OK.
Dave Bittner: [00:02:29] ...They covered this, some of the scams that were hitting folks in the Carolinas. And there were two specific scams they focused on. The first was a telephone scam. And the victims would get a call from someone who is claiming to be from one of the organizations that provides emergency services after a natural disaster.
Joe Carrigan: [00:02:46] So it's, like, a call from FEMA or maybe the American Red Cross...
Dave Bittner: [00:02:49] Exactly, exactly.
Joe Carrigan: [00:02:50] ...Or something like that.
Dave Bittner: [00:02:51] And they would tell the victim that they just needed to verify some personal information in order to ensure that they would receive their disaster recovery funds.
Joe Carrigan: [00:03:00] To cover their expenses for the disaster.
Dave Bittner: [00:03:02] Uh-huh.
Joe Carrigan: [00:03:03] I haven't applied for any disaster recovery funds yet because the storm is still coming in.
Dave Bittner: [00:03:07] Yeah, yeah. So I think a standard let-me-get-your-information because, later on, you'll be getting money. And if you don't give us this information, you will be ineligible...
Joe Carrigan: [00:03:17] Right.
Dave Bittner: [00:03:17] ...To receive...
Joe Carrigan: [00:03:18] There it is. There's...
Dave Bittner: [00:03:19] ...The money that you get.
Joe Carrigan: [00:03:19] ...The call to action immediately. Yep. I'll bet they say, if you don't give us this information now, then you will not be able to apply later.
Dave Bittner: [00:03:27] That's right.
Joe Carrigan: [00:03:27] Yep.
Dave Bittner: [00:03:28] So they gather up the personal information from the people - their names, things like Social Security numbers, all the typical things that scammers tend to go after. And...
Joe Carrigan: [00:03:36] Right 'cause these things have a retail value on the black market.
Dave Bittner: [00:03:39] That's right. And of course, you know, calling in a time when people are busy with other things - they're securing their home, packing up, you know, those sorts of things - so hitting them at an emotionally fragile time.
Joe Carrigan: [00:03:51] Sure. They're very busy and probably focused on exactly what you're saying...
Dave Bittner: [00:03:54] Yeah.
Joe Carrigan: [00:03:54] ...Getting out of Dodge.
Dave Bittner: [00:03:55] The second scam involved people actually going door to door dressed up in orange vests, you know, the sort of official don't-hit-me-while-I'm-working-on-the-side-of-a-highway vest.
Joe Carrigan: [00:04:04] Right.
Dave Bittner: [00:04:05] Right?
Joe Carrigan: [00:04:05] Yep.
Dave Bittner: [00:04:05] And they were going door to door telling people that they had to evacuate - that it was a mandatory evacuation - and that they had to do it now. And it seems as though these folks were just casing the joints...
Joe Carrigan: [00:04:19] Right.
Dave Bittner: [00:04:19] ...For later robbery. So they were sort of building a database of - who's here? Who's not? Who's planning on leaving? What's their timeline? - so they could figure out - well, here's a cluster of homes where everyone's gone.
Joe Carrigan: [00:04:32] And they all had nice TVs inside.
Dave Bittner: [00:04:34] That's right. While - when you opened your door for me, I was able to take a quick look around and take a little quick inventory of what's going on inside.
Joe Carrigan: [00:04:42] Yep.
Dave Bittner: [00:04:48] But these people were not actually from any organization. In fact, they did interview an actual official. The TV station interviewed someone. And they said - this sort of puzzled me a little bit. They said, mandatory evacuations are a personal decision. No one can tell you that you have to leave. And I was thinking, well, that doesn't...
Joe Carrigan: [00:04:58] Then it's not mandatory.
Dave Bittner: [00:05:01] ...Sound very mandatory. Right?
Dave Bittner: [00:05:01] So I'm not sure what's going on with that - but at any rate, something to keep an eye out for. If one of these things is heading your way, unfortunately, one of the things you have to worry about on top of everything else is that...
Joe Carrigan: [00:05:12] Yeah.
Dave Bittner: [00:05:12] ...There may be people who are trying to take advantage of the situation.
Joe Carrigan: [00:05:15] Is that people - there are people out there that are just horrible people.
Dave Bittner: [00:05:18] Yeah. Yeah.
Joe Carrigan: [00:05:18] That's one of the things you've got to worry about all the time. It's just terrible.
Dave Bittner: [00:05:22] Yeah. All right. Well, that's my story this week. What do you have, Joe?
Joe Carrigan: [00:05:25] That's kind of a risky thing to do in the South, don't you think?
Dave Bittner: [00:05:27] What's that?
Joe Carrigan: [00:05:28] To go door to door and purport to be a government official.
Dave Bittner: [00:05:31] I would probably choose my neighborhood carefully. But...
Joe Carrigan: [00:05:34] Right (laughter).
Dave Bittner: [00:05:34] ...I don't know. I mean, you know, it's the old thing. Crooks are stupid. Right?
Joe Carrigan: [00:05:37] Yeah. So my story this week is kind of a carry-on from last week. Remember, last week we were talking about the pope giving away bitcoin.
Dave Bittner: [00:05:44] That's right.
Joe Carrigan: [00:05:45] Right? Whew - that's great. But the pope actually, of course, is not giving away bitcoin.
Dave Bittner: [00:05:49] No, he's not.
Joe Carrigan: [00:05:49] We're going to get to a more local level. In this story, I've changed the names of everybody to protect the innocent. So I'm not going to name any parishes or anything like that.
Dave Bittner: [00:05:57] Sure.
Joe Carrigan: [00:05:58] But I recently heard about a scam affecting a local church. So I called the pastor of that church, and I talked to him about it.
Dave Bittner: [00:06:03] OK.
Joe Carrigan: [00:06:03] And I asked his permission to talk about this on the show.
Dave Bittner: [00:06:05] Right.
Joe Carrigan: [00:06:06] But parishioners will get an email that reads something like this - hi, this is Father Steve, and I need your help with something. Right?
Dave Bittner: [00:06:12] Right.
Joe Carrigan: [00:06:13] So it's the standard social engineering request. I need help with something.
Dave Bittner: [00:06:18] Right. Yep, we all want to be helpful.
Joe Carrigan: [00:06:20] Yep.
Dave Bittner: [00:06:20] And certainly to a church leader.
Joe Carrigan: [00:06:23] Correct.
Dave Bittner: [00:06:23] That would get my attention.
Joe Carrigan: [00:06:24] Now, the first thing that pops into people's mind that's a red flag is, this person does not go by Father Steve.
Dave Bittner: [00:06:31] Right.
Joe Carrigan: [00:06:31] He goes by his last name, and he uses a different honorific.
Dave Bittner: [00:06:34] OK.
Joe Carrigan: [00:06:35] Now, you were raised Catholic.
Dave Bittner: [00:06:36] I was.
Joe Carrigan: [00:06:37] And do you remember the name of the priest where you went as a kid?
Dave Bittner: [00:06:40] I do.
Joe Carrigan: [00:06:41] Do you know his first name?
Dave Bittner: [00:06:42] I do not.
Joe Carrigan: [00:06:43] I don't. I don't remember either.
Dave Bittner: [00:06:45] (Laughter) Certainly not from when I was a kid, no.
Joe Carrigan: [00:06:47] Right.
Dave Bittner: [00:06:47] (Laughter).
Joe Carrigan: [00:06:47] Not very many priests go by their first name.
Dave Bittner: [00:06:49] No.
Joe Carrigan: [00:06:50] If the recipient actually replies to the email - how can I help? You know, what can I do? - ...
Dave Bittner: [00:06:55] Right.
Joe Carrigan: [00:06:56] ...They receive another email back that says, I'm very busy right now. But I'm trying to raise money for a woman that needs an operation, and she doesn't have any money. So can you please get three $100 iTunes gift cards and send me the codes?
Dave Bittner: [00:07:10] Hmm.
Joe Carrigan: [00:07:10] Right? So it's just an iTunes gift card scam.
Dave Bittner: [00:07:13] Right.
Joe Carrigan: [00:07:14] Right. The scam works because it's easy to monetize. If I can trick somebody into sending me a $100 iTunes gift card, then I can quickly turn around and sell it for 80 bucks. And I make 80 bucks. Somebody else makes 20 bucks in profit by buying a discounted iTunes card. And the person who spent the money is out the money.
Dave Bittner: [00:07:30] (Laughter).
Joe Carrigan: [00:07:31] And nobody is helped but me and some random person I sell it...
Dave Bittner: [00:07:34] Right, right. When did hospitals start taking iTunes gift cards in exchange for...
Joe Carrigan: [00:07:39] (Laughter) Right.
Dave Bittner: [00:07:39] ...Surgical services? All right.
Joe Carrigan: [00:07:41] It's a very far-fetched scam.
Dave Bittner: [00:07:43] Yeah. But it works.
Joe Carrigan: [00:07:44] But it is working. Some parishioners have even actually received phone calls from a person purporting to be the pastor of this church. However, the person on the other end of the phone has an accent that the pastor does not possess. So it's quickly recognized as a scam as well.
Dave Bittner: [00:07:57] Wow.
Joe Carrigan: [00:07:58] Some of the things that make you go hmm about this story - the email comes from a very plausible Gmail address.
Dave Bittner: [00:08:05] OK.
Joe Carrigan: [00:08:05] Right? It's so plausible, in fact - I was talking to this pastor - he said when he tried to apply for an email address, he actually applied to get this email address. And he was informed that it was already taken. So he had to pick a different email address. So I don't know how these people have gotten control of this email address. Either they've, you know, bought the credentials somewhere, or they've broken the credentials somehow.
Dave Bittner: [00:08:31] Right. More likely, they scammed somebody out of it.
Joe Carrigan: [00:08:33] Right, exactly, they scammed somebody out of it. Or they were actually playing the long con and set this up before he set it up.
Dave Bittner: [00:08:41] (Laughter) Yeah, that's a long con.
Joe Carrigan: [00:08:42] That is a long con 'cause, you know, he set that email address up a couple of years ago.
Dave Bittner: [00:08:46] OK.
Joe Carrigan: [00:08:47] And just now they're starting to see this. Now, it is possible...
Dave Bittner: [00:08:49] It's - yeah. Sure.
Joe Carrigan: [00:08:49] He may have been the pastor of this. But I think the more likely solution is that they went out and scammed their way into this email address.
Dave Bittner: [00:08:56] Right.
Joe Carrigan: [00:08:56] Another interesting fact about this is that the pastor told me that he was discussing this with another pastor at another parish. And they're going through exactly the same scam. So this looks like an organization that is targeting churches. They're going in. They're getting access to the parish directory or the parish email list somehow. They're probably...
Dave Bittner: [00:09:15] Right.
Joe Carrigan: [00:09:15] ...Getting into that with some kind of, like, a phishing email on somebody's computer. And then they just look around the computer for the directory, get the directory and get out. Right?
Dave Bittner: [00:09:23] I can imagine a parish email list wouldn't be something that would have a lot of locks around it, you know?
Joe Carrigan: [00:09:30] Right.
Dave Bittner: [00:09:30] Like, among the parish themselves, they would probably...
Joe Carrigan: [00:09:32] They'd probably...
Dave Bittner: [00:09:32] ...Encourage the sharing of it...
Joe Carrigan: [00:09:34] Yep.
Dave Bittner: [00:09:34] ...To share - yeah. That's interesting.
Joe Carrigan: [00:09:35] I would imagine that you're exactly right. The church...
Dave Bittner: [00:09:38] For lots of good reasons - you know, there's lots of goodwill reasons.
Joe Carrigan: [00:09:41] Exactly.
Dave Bittner: [00:09:41] Yep.
Joe Carrigan: [00:09:41] And I'm not saying the church is negligent here in any way, shape or form.
Dave Bittner: [00:09:44] Right.
Joe Carrigan: [00:09:44] They need to communicate with their parishioners who have asked to be communicated with in this way. A lot of parishes will have directories of all the parishioners. If they have it online, that could be a goldmine for this type of scam.
Dave Bittner: [00:09:55] Well - and I don't know what the average size is of a parish these days. But I guess the scammers have figured out that the possible return on this investment is worth it.
Joe Carrigan: [00:10:04] Right.
Dave Bittner: [00:10:04] You probably got a few hundred people. Those big parishes are probably a few thousand.
Joe Carrigan: [00:10:08] Yeah. If you can canvass everybody that has an email address and you can hit them all up for $300 in iTunes gift cards and you get maybe five or 10 people to do it, you've made a significant amount of money in a day. I think we're going to see a lot more of this. I think this is going to become a more frequent thing. And in talking with this pastor - he was happy to have me talk about it on this podcast because what our mission here is, is to make sure that people are inoculated against this kind of a scam.
Dave Bittner: [00:10:32] Right.
Joe Carrigan: [00:10:32] So if you get something from your religious leader, if you're one that goes to a church and you have a pastor or some other analogous person, and they start - they hit you up for money, it might be worth making a phone call.
Dave Bittner: [00:10:41] Well, yeah. And I think, also, nobody's going to ask you for iTunes gift cards.
Joe Carrigan: [00:10:46] Absolutely not, no.
Dave Bittner: [00:10:48] I mean, that...
Joe Carrigan: [00:10:48] This harkens back to the story you were telling me, about the guy that went into CVS and bought, like, a thousand dollars' worth of iTunes gift cards...
Dave Bittner: [00:10:54] Right.
Joe Carrigan: [00:10:55] ...You know? And nobody along the line goes, why do you need a thousand dollars' worth of iTunes gift cards?
Dave Bittner: [00:11:00] Uh-huh.
Joe Carrigan: [00:11:00] Right.
Dave Bittner: [00:11:00] That should be a signal flare...
Joe Carrigan: [00:11:01] Right.
Dave Bittner: [00:11:01] ...Sent up (laughter)...
Joe Carrigan: [00:11:03] Yeah.
Dave Bittner: [00:11:04] ...With the maximum brightness. If someone - if you see that, chances are it is a scam.
Joe Carrigan: [00:11:09] Yeah. Maybe you, as a fellow citizen, should intervene there and say, why are you buying those?
Dave Bittner: [00:11:13] Right. All right. Well, it's a good story - something to keep an eye out for. Joe, it's time for our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:23] Joe, our Catch of the Day this week - this is an oldie but a goodie.
Joe Carrigan: [00:11:26] OK.
Dave Bittner: [00:11:26] This is one from a few years back. I had not seen it, but this is a fun one. So this is an email that was being sent around a little bit of a variation on your standard Nigerian prince scam.
Joe Carrigan: [00:11:40] OK.
Dave Bittner: [00:11:40] The subject is Nigerian astronaut wants to come home. It starts off...
Dave Bittner: [00:11:46] (Reading) Dear Mr. Sir, request for assistance - strictly confidential. I am Dr. Bakare Tunde, the cousin of Nigerian astronaut Air Force Major Abacha Tunde. He was the first African in space when he made a secret flight to the Salyut 6 space station in 1979. He was on a later Soviet spaceflight, Soyuz T-16Z, to the secret Soviet military space station Salyut 8T in 1989. He was stranded there in 1990 when the Soviet Union was dissolved. His other Soviet crewmembers returned to Earth on the Soyuz T-16Z, but his place was taken up by return cargo. There have been occasional progress supply flights to keep him going since that time. He's in good humor but wants to come home. In the 14 years since he's been on the station, he has accumulated flight pay and interest amounting to almost 15 million American dollars.
Joe Carrigan: [00:12:42] Well, of course. I mean, he's been in space since 1990.
Dave Bittner: [00:12:48] Yeah (laughter).
Dave Bittner: [00:12:48] (Reading) This is held in a trust at the Lagos National Savings and Trust Association. If we can obtain access to this money, we can place a down payment with the Russian space authorities for a Soyuz return flight to bring him back to Earth. I am told this will cost 3 million American dollars. In order to access his trust fund, we need your assistance.
Joe Carrigan: [00:13:07] Wait. Three million? That's a lot less than 15 million - isn't it, Dave?
Dave Bittner: [00:13:09] It is. It is a lot less than 15 million.
Joe Carrigan: [00:13:11] And 15 million is what he has in the bank?
Dave Bittner: [00:13:13] I think so.
Joe Carrigan: [00:13:13] All right.
Dave Bittner: [00:13:14] There's a possibility for profit here.
Joe Carrigan: [00:13:15] I see.
Dave Bittner: [00:13:16] I continue.
Dave Bittner: [00:13:17] (Reading) Consequently, my colleagues and I are willing to transfer the total amount to your account or subsequent disbursement since we, as civil servants, are prohibited by the Code of Conduct Bureau from opening and/or operating foreign accounts in our names.
Joe Carrigan: [00:13:32] Of course you are.
Dave Bittner: [00:13:33] (Reading) Needless to say, the trust reposed on you at this juncture is enormous. In return, we have agreed to offer you 20 percent of the transferred sum while 10 percent shall be set aside for incidental expenses between the parties in the course of the transaction. You will be mandated to remit the balance, 70 percent, to other accounts in due course. Kindly expedite action, as we are behind schedule to enable us down payment in this financial quarter.
Joe Carrigan: [00:14:00] You're 28 years behind schedule.
Dave Bittner: [00:14:01] (Reading) Please acknowledge the receipt of this message via my direct number - yours sincerely, Dr. Bakare Tunde, astronautics project manager.
Dave Bittner: [00:14:12] Joe, we're going to be rich.
Joe Carrigan: [00:14:14] (Laughter) Right. Again. A couple of things - there is no such thing as a secret space base.
Dave Bittner: [00:14:20] (Laughter).
Joe Carrigan: [00:14:20] You cannot put anything in orbit...
Dave Bittner: [00:14:20] Oh, yeah. That's just what you want me to think.
Joe Carrigan: [00:14:24] ...That everybody else can't see, right?
Dave Bittner: [00:14:27] Yeah.
Joe Carrigan: [00:14:27] It...
Dave Bittner: [00:14:28] That's what they want you to think, Joe.
Joe Carrigan: [00:14:30] Right. This is awesome. This is a good catch of the day.
Dave Bittner: [00:14:33] Moon phase alpha - yeah - ground control to Major Tunde.
Joe Carrigan: [00:14:35] (Laughter) He's been in space since 1990.
Dave Bittner: [00:14:41] Yeah.
Joe Carrigan: [00:14:41] And the Russians just left him there.
Dave Bittner: [00:14:43] Well, you know...
Joe Carrigan: [00:14:44] We'll be back for you.
Dave Bittner: [00:14:45] It's like "Home Alone" in space.
Joe Carrigan: [00:14:48] "Home Alone" in space.
Dave Bittner: [00:14:48] Yeah.
Joe Carrigan: [00:14:48] Right.
Dave Bittner: [00:14:48] (Imitating Russian accent) Comrade, I feel as though we have returned to Earth and we may have forgotten something. What could it be? Wait, has anybody seen our pal, Abacha recently?
Joe Carrigan: [00:14:59] And somebody sits up in the spacecraft and goes, Abacha...
Dave Bittner: [00:15:03] (Laughter) Right.
Joe Carrigan: [00:15:04] ...Instead of yelling Kevin.
Dave Bittner: [00:15:05] Right, right, exactly. They all smack their foreheads - oh, oh, oh, silly us. This is a wonderful variation. I really hope this is real (laughter).
Joe Carrigan: [00:15:13] There's no way any of this is real, but remember...
Dave Bittner: [00:15:16] No, no, I mean, I hope this is a real.
Joe Carrigan: [00:15:18] Oh, a real...
Dave Bittner: [00:15:19] ...This is a real Nigerian scam email.
Joe Carrigan: [00:15:22] Yeah, you hope this is a real scam, right.
Dave Bittner: [00:15:22] Yes. I really hope...
Joe Carrigan: [00:15:23] I don't doubt that it is.
Dave Bittner: [00:15:24] ...Because it's creative writing.
Joe Carrigan: [00:15:25] Here's the thing, though, remember - I can't remember where we were talking about this. Somebody's going to look me up and tell me where. But the reason these things are so outlandish is because you're targeting people that you want to give you money. You're looking for gullible people to begin with.
Dave Bittner: [00:15:38] Right.
Joe Carrigan: [00:15:38] So you send them this outlandish story, and hopefully, anybody that responds - you've already screened out the people that go, this is ridiculous.
Dave Bittner: [00:15:47] Yeah. Makes sense to me, right (laughter).
Joe Carrigan: [00:15:49] (Laughter) Right, right.
Dave Bittner: [00:15:50] (Laughter).
Joe Carrigan: [00:15:51] You want the people to go, oh, my God, we've got to help this guy.
Dave Bittner: [00:15:53] Yeah, this poor guy out in space, I'm going to be able to make a lot of money, and I'm going to be an international hero.
Joe Carrigan: [00:15:59] It's a win-win.
Dave Bittner: [00:16:02] (Laughter) That's right. All right, well, that is our Catch of the Day. Coming up next, we've got Joe's interview with Chris Venghaus, one of his colleagues at the Johns Hopkins University Information Security Institute. But first, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:16:19] And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing real-world proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:17:20] And we are back. Joe, you took the duties of doing the interview this week. Who'd you speak with?
Joe Carrigan: [00:17:25] I spoke with my co-worker at the Information Security Institute, Chris Venghaus, about the time a Microsoft support scammer called into our organization.
Dave Bittner: [00:17:33] All right. Here's Joe's conversation with Chris Venghaus.
Chris Venghaus: [00:17:37] For a while, I was getting these phone calls that were coming in from people basically claiming that they're Microsoft saying, hey, you've got a virus, and we need to talk you through getting rid of it.
Joe Carrigan: [00:17:48] Right.
Chris Venghaus: [00:17:48] And, you know, obviously to anybody who knows any little bit of information about computers, you know, like, all right, well, this is obviously a fake. You know, this person has to be trying to scam me into something. So this one time, like, all right, well, you know what? Let's see what they're actually trying to get me to do because I was curious. It was a slow day. And I wanted to see what this would all lead into. And it was actually super interesting and a lot of fun.
Chris Venghaus: [00:18:14] Originally, he's like, all right, well, you know, you got a virus in your computer, and we need to walk you through steps in doing this. And I'm like, oh, no, I have a virus. Really? Wow, that's not good. Like, how do I get rid of this? And then he's like, oh, don't worry. I'm here to help you with that. So he's like, all right, well, first thing we need to do is have you log into your computer and download some software for me to be able to help you clean your computer for you. And immediately, I'm thinking to myself, all right, this is going to be great. So first things first, I didn't actually have a system to be able to do this with because, of course, I didn't want to do it with my own personal laptop that I use for my everyday work.
Joe Carrigan: [00:18:54] That's an Apple laptop as well, right?
Chris Venghaus: [00:18:56] Yeah, exactly. (Laughter) So I was like, I don't actually have a Windows system around here anywhere that I can use. I'm like, all right, well, let's make one. So I told the guy, like, hey, you know, hold on just a minute. I'm booting up my computer. It's been super slow these days. It must be because of this virus that you're talking about. And the whole time, I'm sitting there creating a new virtual machine on my computer to be able to set something up that the guy can touch. After about, like, five minutes of basically talking about how slow my computer is - these days, you know, Windows installs are super fast - I get this thing set up, and it's a brand-new, fresh installation of Microsoft Windows 7, never been touched before. I immediately connected to the internet. I'm like, all right, what do I do now? And the guy sends me to this URL, which has nothing to do with Microsoft whatsoever.
Chris Venghaus: [00:19:48] I proceed to download the software that he asks me to download. And we go through and I set this whole thing up. He gets access to it. It's some kind of, like, GoToMyPC, TeamViewer kind of thing where he's got full access to my computer. He can move the mouse around, see what's on my screen, that sort of thing. He then proceeds to start doing a scan of my computer. And by scan, what I mean is he opens up a command prompt and then just starts typing random commands that show a bunch of junk. Like, first thing he does is run the tree command. If you don't know what that is, that actually shows you, you know, a file system tree on your computer. So it's just going through listing all my files and he's like, oh, here it is scanning it. And I can hear him typing in the background. And then it runs through after a minute or two of scanning, you know, quote, unquote, "scanning" all of these files and at the end shows the command prompt again, and it shows the words a virus has been found.
Joe Carrigan: [00:20:44] And all it was, was him executing a tree command and then typing the words a virus was found, right?
Chris Venghaus: [00:20:49] Correct. He just typed a virus was found on your computer. It says that a virus has been found and says you've been infected with the Koobface virus. I'm like, all right, what's happening here? How does anybody fall for this? Because obviously - like, it even says right there, like, command, a virus has been found. Koobface virus does not exist on this system.
Joe Carrigan: [00:21:08] Right.
Chris Venghaus: [00:21:10] It's like - it's clearly obvious that this guy is preying on people who have no idea anything about computers.
Joe Carrigan: [00:21:17] Right.
Chris Venghaus: [00:21:17] I'm like, oh, no, there's a virus. What do I do now? How do we get rid of it?
Joe Carrigan: [00:21:21] Help me, Mr. Scammer, help me. Help me so much.
Chris Venghaus: [00:21:24] (Laughter) Yeah. He starts opening up the registry and looking at keys and things like that. I mean, I can tell he's just randomly clicking around. He just clicks on a few keys, looks at some numbers and then finds some, like, arbitrary thing. And he's like, oh, this right here. And he opens up the command prompt again and types, like, a random string of characters and hits enter and it's like, all right, that should do it. And I'm, like, wow, I wish it was that easy.
Joe Carrigan: [00:21:52] Right.
Chris Venghaus: [00:21:53] (Laughter).
Joe Carrigan: [00:21:54] And what was he trying to tell you he had just done?
Chris Venghaus: [00:21:56] He had just cleared my computer of my Koobface infection.
Joe Carrigan: [00:21:59] Oh, OK (laughter) so he fixed it for you.
Chris Venghaus: [00:22:02] Yeah. So I'm like, oh, thank you, Mr. Microsoft man. And he's like, this is only a temporary fix. It looks like your computer is infected with a bunch of other things as well. But unfortunately, we can't fix that for you here. You need to be able to sign up with our support plan to be able to make sure that we remove all of this. And I'm like, here's where - here's where it all boils down. This is the catch.
Joe Carrigan: [00:22:26] This is where he says, show me the money.
Chris Venghaus: [00:22:28] Yes.
Joe Carrigan: [00:22:29] Right.
Chris Venghaus: [00:22:30] So he goes through and pulls up a website. It's his own company's website, of course, and, you know, tells me to enter my credit card number and everything like that right here. And I am thinking to myself, all right, you're still watching me. And so I make up a little dialogue and tell him, all right, cool, let me sign up for this. So you have access to my screen right now. Does that mean you can see my credit card number? Isn't that not safe? And he's like, oh, no, it'll block it out for me.
Joe Carrigan: [00:22:58] (Laughter).
Chris Venghaus: [00:23:00] And I'm like, oh, wow, that's super cool.
Joe Carrigan: [00:23:03] Right, which it won't do that.
Chris Venghaus: [00:23:05] No, it's obviously not going to do that. He's trying to steal my credit card right here.
Joe Carrigan: [00:23:09] Right.
Chris Venghaus: [00:23:09] So I'm like, all right, at this point, we're, like, probably about an hour into this call because all this time taking - you know, trying to convince me that my computer is infected, he's wasted, like, an hour of time already and now here's the final moment where, all right, enter your credit card and this will all go away.
Joe Carrigan: [00:23:27] Right.
Chris Venghaus: [00:23:27] I'm like, all right. So I start entering basically a fake credit card number into the thing. And then, you know, I have to fill out my information with it, so my name. I wrote the Johns Hopkins University Information Security Institute.
Joe Carrigan: [00:23:38] (Laughter).
Chris Venghaus: [00:23:41] And then he's like, is that your name? And I'm like, is what my name? And he's like the Information Security Institute. And I'm like, I thought you couldn't see my screen (laughter).
Joe Carrigan: [00:23:54] Got you.
Chris Venghaus: [00:23:58] So he's like, oh, no, I can see the information that you enter on your form here. It's a - you know, that's not right. And I'm like, here's what - like, all right, I'm done. I'm like, I tell him, yeah, this is definitely not right. You know, I'm - I work for Johns Hopkins University. I know what you're doing here. I've just been trying to see what exactly you were doing with my computer here. And I tell him, like, I know you're running a scam. We're done with this conversation here. And he got super defensive because he just realized that all the time that he'd spent trying to get me to talk to him and do all this stuff was a complete waste of time.
Joe Carrigan: [00:24:34] Right.
Chris Venghaus: [00:24:34] Because what these people are doing is trying to get easy catches.
Joe Carrigan: [00:24:37] Sure.
Chris Venghaus: [00:24:37] They're trying to talk to somebody who knows nothing and is very easily convinced that there's a problem and will just give them everything that they want. For the most part, like I mentioned earlier, most people are going to see this and just be like, oh, I want nothing to do with this. I know it's a scam. I'm just going to hang up the phone. So having somebody talk to them for that long probably cost him a lot of time and money because he wasn't able to scam somebody. I'm sure anybody who's made it past the point of, oh, just, you know, you've got a virus, we've removed it, here, just enter your credit card number - I'm sure if you get to that point, you're probably going to have somebody who is going to enter their information.
Joe Carrigan: [00:25:16] Right.
Chris Venghaus: [00:25:16] So he just starts insulting me and telling me that, oh, he's going to get his lawyers to sue me for defamation because, you know, they're not scamming people at all. And I'm just like, all right, well, have a nice day.
Joe Carrigan: [00:25:29] Right. That's great. Chris, you've done a humanitarian service by wasting a scammer's time on this one. Keeping him on the phone was keeping him out of somebody else's hair who may have fallen victim to that. That's a fantastic story. Thank you so much for joining us today.
Chris Venghaus: [00:25:42] Yeah. Thank you.
Dave Bittner: [00:25:44] Well, what a fun story. What an interesting guy.
Joe Carrigan: [00:25:46] It's one of my favorite stories to tell. If anybody has any other stories they want to tell on this podcast, I'll be happy to talk to you about it, you know, like, how you wasted scammers' time. I would love to hear it.
Dave Bittner: [00:25:56] Yeah, let us know. No, it's interesting. A couple of things stood out to me. It reminded me of, you know, like, every street corner dope dealer. You know, the first sample is free, so...
Joe Carrigan: [00:26:05] Yes, right, oh, good point. Good observation.
Dave Bittner: [00:26:07] You know, the first attempt, cleaning out your computer - out of our goodwill, we've cleared your computer of this...
Joe Carrigan: [00:26:13] Of this one virus we found.
Dave Bittner: [00:26:14] This one virus, but, oh, no, we found more.
Joe Carrigan: [00:26:17] You got to remember, this was a brand-new machine.
Dave Bittner: [00:26:19] Right.
Joe Carrigan: [00:26:20] Chris keeps images of Windows machines that he just - just so he can recreate these VMs whenever he wants to.
Dave Bittner: [00:26:27] Sure.
Joe Carrigan: [00:26:28] So it's a very quick process.
Dave Bittner: [00:26:29] Yeah.
Joe Carrigan: [00:26:29] But it's always a brand-new, clean install when he does this.
Dave Bittner: [00:26:33] Right.
Joe Carrigan: [00:26:33] So there's no viruses on the machines.
Dave Bittner: [00:26:36] Right, right, and the other thing that I wondered while I was listening was when they got to the part about the credit card, was this going to be a one-time thing where they're just after the credit card, or are they looking for him to sign up for some sort of a subscription?
Joe Carrigan: [00:26:52] I have heard this happening in the past with other scams where they're trying to actually bill your credit card...
Dave Bittner: [00:26:58] Right.
Joe Carrigan: [00:26:58] ...As a legitimate service.
Dave Bittner: [00:26:59] Someone tried to hit my father up for that.
Joe Carrigan: [00:27:01] Right. Somebody tried to hit my mom up for that, and one of her friends actually fell for it because she thought she had a virus on her computer...
Dave Bittner: [00:27:07] Right.
Joe Carrigan: [00:27:07] ...And entered her credit card number into a website and got billed, like, a thousand dollars.
Dave Bittner: [00:27:11] Yep.
Joe Carrigan: [00:27:11] Now, they were able to call the credit card company and go, that's a fraudulent charge, and get the money taken off the credit card for it, fortunately. But, you know, if somebody says, well, you know, if you get somebody who thinks about it and doesn't talk to anybody else about this and says, what now? I'm protected. I got this virus scan thing.
Dave Bittner: [00:27:25] Yeah, this helpful person...
Joe Carrigan: [00:27:27] Yeah.
Dave Bittner: [00:27:27] ...Kept me out of trouble.
Joe Carrigan: [00:27:29] Thankfully they called me and helped me out.
Dave Bittner: [00:27:31] Well, it's nice to see someone who has the abilities that Chris does to waste these people's time.
Joe Carrigan: [00:27:37] Right.
Dave Bittner: [00:27:38] Lucky they caught him on a slow day.
Joe Carrigan: [00:27:40] Right, exactly, it was during the summer.
Dave Bittner: [00:27:41] (Laughter) Because that's the thing. We got to change that equation and nice to hear that the scammer was frustrated that - at that opportunity lost.
Joe Carrigan: [00:27:49] Yeah, he was angry.
Dave Bittner: [00:27:52] Yeah, yeah. All right. Thanks for connecting with Chris there. And that is our podcast. Thanks to our show sponsor, KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation - even more than usual this week. You can learn more at isi.jhu.edu.
Dave Bittner: [00:28:27] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:28:44] And I'm Joe Carrigan.
Dave Bittner: [00:28:45] Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world's largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new-school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.