Listener follow-up on a URL issue. Dave describes an elderly couple scammed out of savings. Joe wonders if it's wise to unsubscribe. Guest Andre McGregor from TLDR Capital describes his work as a former FBI agent, and his experience consulting on Mr. Robot.
Bank account transfer scam:
Andre McGregor: [00:00:00] The criminal knew exactly the right language to get to someone. And yes, it may only work, you know, 10 percent. It may even only work 1 percent. But if you hit a million people, 1 percent is a really big number.
Dave Bittner: [00:00:12] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:32] Hi, Dave.
Dave Bittner: [00:00:32] Later in the show, we've got my interview with Andre McGregor from TLDR Capital. He's a former FBI agent, and we'll be discussing some of the scams he's been seeing online. But before we get to all of that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:00:46] So how do you train people to recognize and resist social engineering? Here are some things people think. Test them. And if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day, or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how about it? What do you think, carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.
Dave Bittner: [00:01:23] And we are back. Joe, before we get into our stories for this week, we got some follow-up from a listener.
Joe Carrigan: [00:01:29] Yeah.
Dave Bittner: [00:01:29] What do we have here this week?
Joe Carrigan: [00:01:30] So listener Eric (ph) sent us a correction.
Dave Bittner: [00:01:32] Yeah.
Joe Carrigan: [00:01:32] Last week, I incorrectly said that if you make a URL that is www.dhl.com @ some malicious site or Joe's malicious site...
Dave Bittner: [00:01:41] Right.
Joe Carrigan: [00:01:42] ...That that's an abuse of email. It is not an abuse of an email URL. It is an abuse of a deprecated URL-based HTTP authentication.
Dave Bittner: [00:01:50] OK.
Joe Carrigan: [00:01:51] And Eric goes on to say back when dinosaurs roamed the internet...
Dave Bittner: [00:01:54] Right.
Joe Carrigan: [00:01:54] I think it's a very clever...
Dave Bittner: [00:01:55] Right.
Joe Carrigan: [00:01:55] ...Way of saying things.
Dave Bittner: [00:01:55] Yeah.
Joe Carrigan: [00:01:56] Some websites would let you authenticate with username, colon, password @ the website name using the authentication at the HTTP level. Now, most websites don't do this. Most websites actually never did this. You would enter a username and a password, and that happened in the web application. You wouldn't be using the web server to authenticate. You'd be...
Dave Bittner: [00:02:15] Right.
Joe Carrigan: [00:02:15] ...Using the application behind the web server.
Dave Bittner: [00:02:17] OK.
Joe Carrigan: [00:02:17] But if you wanted to avoid the log-in prompt from an HTTP authentication, you could use this. Two things about this.
Dave Bittner: [00:02:23] Yeah.
Joe Carrigan: [00:02:23] No. 1, I first started learning about web development in the late '90s.
Dave Bittner: [00:02:28] OK.
Joe Carrigan: [00:02:29] OK. So this was around then. Nobody ever discussed this. We never had this. I didn't know about this until late into the 2000s when I was taking a class on, actually, just design because my web design needed work and actually still needs work but...
Dave Bittner: [00:02:43] So this methodology had already fallen out of favor...
Joe Carrigan: [00:02:46] Right.
Dave Bittner: [00:02:46] ...At that point where it wasn't even covered.
Joe Carrigan: [00:02:48] Yeah, and the second thing is that the...
Dave Bittner: [00:02:50] Either that, or you went to a substandard school for application development.
Joe Carrigan: [00:02:53] No, I think you just never...
Joe Carrigan: [00:02:54] It wasn't really school. It was me working with other people.
Dave Bittner: [00:02:58] I see.
Joe Carrigan: [00:02:58] And actually, I did take some training.
Dave Bittner: [00:02:59] (Laughter).
Joe Carrigan: [00:02:59] But in the training, nobody ever discussed it. They always discussed, here's how you build an application for authentication.
Dave Bittner: [00:03:05] OK.
Joe Carrigan: [00:03:05] It was never use HTTP authentication.
Dave Bittner: [00:03:06] Interesting.
Joe Carrigan: [00:03:07] The other thing is, this has been deprecated since 2005.
Dave Bittner: [00:03:10] OK.
Joe Carrigan: [00:03:11] OK. We both tried this in Chrome, and it worked.
Dave Bittner: [00:03:14] Right.
Joe Carrigan: [00:03:14] So a modern browser 13 years later is still susceptible to this, and this is the kind of thing hackers do. They find these obscure pieces of specifications that nobody knows about.
Dave Bittner: [00:03:24] Yeah.
Joe Carrigan: [00:03:24] And they exploit them. So I think it's time for web browser developers to stop using this in their web browsers and stop recognizing URLs with @ symbols as valid URLs for HTTP.
Dave Bittner: [00:03:35] Yeah. I wonder if there's some sort of under-the-hood reason why they still do but...
Joe Carrigan: [00:03:39] There might be.
Dave Bittner: [00:03:39] Yeah.
Joe Carrigan: [00:03:39] There might be.
Dave Bittner: [00:03:39] Yeah.
Joe Carrigan: [00:03:40] I might be calling for something that can't technically be done.
Dave Bittner: [00:03:43] Yeah. Well, Eric, thanks for sending that in. We love it when you all keep us straight or add to the conversation. So we...
Joe Carrigan: [00:03:49] Absolutely.
Dave Bittner: [00:03:49] ...Do appreciate that.
Joe Carrigan: [00:03:50] And you never stop learning.
Dave Bittner: [00:03:52] That's right. Yeah. All right. Well, let's jump in with our stories this week. My story is a variation on something we've heard before. And it's interesting 'cause it touches on a couple things that I haven't heard before. So this is pretty much the standard Microsoft tech support scam where someone calls.
Dave Bittner: [00:04:09] In this case, this story comes from a local TV affiliate, ABC11 out of Durham, N.C. And there was an elderly couple. A woman named Amelia who was using her computer. And an alert popped up, and it said don't continue to use your computer and don't shut it down. So she and her husband Al - they immediately called the phone number on the screen.
Joe Carrigan: [00:04:31] Oh, no.
Dave Bittner: [00:04:32] And here's where it gets interesting. The number was said to be from the company that they subscribed to virus protection services from. So these guys were doing the right thing. They had some virus - antivirus installed on the computer. So the person on the other end of the phone says that this company was shutting down because of the fires in California, that their facilities had been lost to the fires, that they were shutting down and they were going to refund their money. So Al said that he thought this sounded legit enough.
Joe Carrigan: [00:05:03] Right.
Dave Bittner: [00:05:04] And they were going to give him a refund of $318. So Al gave the person on the phone remote access to his computer...
Joe Carrigan: [00:05:11] Right.
Dave Bittner: [00:05:11] ...So they could put the money right in his bank. This is where perhaps Al's judgment went off the rails a little bit. They got into his Chase Bank account through his computer. And instead of refunding the $318, they refunded $3,188 under the Chase account. So instead of 3-1-8, it was 3-1-8-8.
Joe Carrigan: [00:05:32] Right.
Dave Bittner: [00:05:33] And Al could see this in his account on his computer. And the person on the other end of the phone got all worked up and said, oh, my gosh, I made a mistake; this is terrible; my boss is going to be mad at me, and I'm probably going to lose my job because I put all this money in your account. And he told Al that he couldn't reverse the charges. So instead, wait for it, he asked Al and his wife to go buy some Walmart gift cards to refund the difference.
Joe Carrigan: [00:05:57] OK.
Dave Bittner: [00:05:58] So Al and his wife did this. They went to Walmart. They got $2,700 worth of gift cards. And they sent this person on the other end of the phone the numbers for the gift cards.
Joe Carrigan: [00:06:10] Right.
Dave Bittner: [00:06:11] So they thought that was that. The next day, Al sees that there's a couple more payments for the same amount - 3,188 in his account. They go back to Walmart, purchased $6,200 worth of gift cards, sent the numbers to the man who called them.
Joe Carrigan: [00:06:27] This sounds like they're being used as money mules.
Dave Bittner: [00:06:28] Well, what's interesting is they eventually realize that the money was gone, of course. And these large amounts of money weren't actually being put into their accounts. They were being shuffled around from accounts that they had. So it was all - it was all their money all the time.
Joe Carrigan: [00:06:46] Oh.
Dave Bittner: [00:06:47] And this bad guy on the other end - once he had access to their bank account, he was just shifting money from, you know, checking to savings or from...
Joe Carrigan: [00:06:54] Oh, I see.
Dave Bittner: [00:06:55] ...Retirement account to - right. So they see these bits of money showing up, and they think this is being put in here. They go and get - buy the gift cards.
Joe Carrigan: [00:07:04] OK. So the transfer is coming from inside the house.
Dave Bittner: [00:07:06] Right, exactly.
Joe Carrigan: [00:07:07] I'll use your phrase.
Dave Bittner: [00:07:08] Like that old horror movie.
Joe Carrigan: [00:07:08] Right.
Dave Bittner: [00:07:08] It's coming from inside the house. Right. So the bad guys aren't actually sending them any money. They just have control of the bank account. They're making it look like there's money being put in, but it's really just being put in from the couple's other existing accounts.
Joe Carrigan: [00:07:22] Right.
Dave Bittner: [00:07:22] And so of course once the bad guys are gone, they're gone. The Walmart gift cards - the money's spent, and this couple's out almost $9,000.
Joe Carrigan: [00:07:31] Wow.
Dave Bittner: [00:07:32] So obviously a couple of red flags here. You know, you never give over control of your computer...
Joe Carrigan: [00:07:39] Yeah.
Dave Bittner: [00:07:39] ...To someone who you don't know...
Joe Carrigan: [00:07:41] Right.
Dave Bittner: [00:07:41] ...And, goodness gracious, never your bank account information.
Joe Carrigan: [00:07:44] Absolutely not.
Dave Bittner: [00:07:45] And of course if anyone asks for gift card payments, that's a big red flag as well.
Joe Carrigan: [00:07:49] It should be. Yeah.
Dave Bittner: [00:07:50] So a hard lesson for these folks to learn, but some interesting things here. I thought both the use of the California fire...
Joe Carrigan: [00:07:57] Right.
Dave Bittner: [00:07:57] ...Was an interesting way to get in there. And then the shuffling of the money around - the existing money around, that's one I hadn't heard before.
Joe Carrigan: [00:08:04] Yeah, that's a very clever, albeit absolutely just diabolical - the person that did this to this couple is a horrible person.
Dave Bittner: [00:08:11] Yeah.
Joe Carrigan: [00:08:11] But that is an interesting way to go about getting somebody to think that you've sent them the wrong amount of money, is just use their own money to fool them.
Dave Bittner: [00:08:19] Yeah. So that's my story. Joe, what do you have this week?
Joe Carrigan: [00:08:21] So I was listening to our friends over at Smashing Security.
Dave Bittner: [00:08:24] Yeah.
Joe Carrigan: [00:08:24] And they had a guest on, Scott Helme, who talked about a tweet from somebody called InfoSecSherpa...
Dave Bittner: [00:08:30] Yeah.
Joe Carrigan: [00:08:30] ...At - on Twitter.
Dave Bittner: [00:08:32] Yeah, I follow her on Twitter.
Joe Carrigan: [00:08:33] Do you? OK.
Dave Bittner: [00:08:34] Yeah, yeah. She's good.
Joe Carrigan: [00:08:34] She had a tweet about the most diabolical phishing test ever.
Dave Bittner: [00:08:41] Yeah.
Joe Carrigan: [00:08:41] The email comes out - it's a phishing test that gets sent out to all the employees of a company. And it reads something like, are you tired of receiving all our phishing tests? Click here to unsubscribe. And if you click the unsubscribe link, you fail the phishing test because it's a phishing email.
Dave Bittner: [00:08:55] That doesn't seem very sporting of them.
Joe Carrigan: [00:08:57] No, it doesn't seem very sporting. But, you know, it is a phishing test. They're going to work how they're going to work.
Dave Bittner: [00:09:01] (Laughter).
Joe Carrigan: [00:09:01] But this got me thinking. Do you ever click on the unsubscribe links in spam emails?
Dave Bittner: [00:09:07] You know, no. I don't anymore. Now, I will click on an unsubscribe from a legit company who I have previously done business with.
Joe Carrigan: [00:09:17] Yes. I just clicked on an unsubscribe link from Google...
Dave Bittner: [00:09:20] Right. OK.
Joe Carrigan: [00:09:21] ...A couple days ago. They were sending me all kinds of stuff because I bought the Pixel phone. And it was getting annoying, so I turned it off.
Dave Bittner: [00:09:27] Right.
Joe Carrigan: [00:09:27] But I have never advocated clicking on the unsubscribe links because I've always thought that this was just an opportunity for somebody to, 1, validate that the email is correct...
Dave Bittner: [00:09:38] Right.
Joe Carrigan: [00:09:38] ...And, 2, validate that it's in use...
Dave Bittner: [00:09:39] Yeah.
Joe Carrigan: [00:09:40] ...Right? - that this is a valid email, and I use it.
Dave Bittner: [00:09:42] That is exactly the rationale that I use for not clicking on them myself.
Joe Carrigan: [00:09:46] It would be very easy for a spammer to generate their own email list by using this technique. They could just generate random email addresses for a domain or follow a pattern that they know about a domain and then spam the entire domain. And whoever clicks on the unsubscribe link, I know that those people are willing to listen to me. And then I have a list of really high-quality email addresses.
Dave Bittner: [00:10:08] Right. These are hot addresses that are in use.
Joe Carrigan: [00:10:10] Exactly.
Dave Bittner: [00:10:10] Yeah.
Joe Carrigan: [00:10:11] And people care about them.
Dave Bittner: [00:10:12] Right.
Joe Carrigan: [00:10:12] So I've always assumed that this was the case for 20 years or so...
Dave Bittner: [00:10:15] Yeah.
Joe Carrigan: [00:10:15] ...And never actually looked into it (laughter).
Dave Bittner: [00:10:17] Yeah, why would we do that (laughter)?
Joe Carrigan: [00:10:18] So I did some digging. I mean, a simple Google search.
Dave Bittner: [00:10:22] (Laughter).
Joe Carrigan: [00:10:23] I found this article from Naked Security at Sophos.
Dave Bittner: [00:10:27] Oh, yeah.
Joe Carrigan: [00:10:27] And they said five things about the unsubscribe link, and the first one is what I just said - that you confirmed that the email is valid and in use. The second one is, you've confirmed that you opened the email - right? - because you have to open the email to get to the link.
Dave Bittner: [00:10:40] Right.
Joe Carrigan: [00:10:40] If to unsubscribe you have to send an email - the message says, if you want to unsubscribe, reply with the word unsubscribe.
Dave Bittner: [00:10:47] Yeah.
Joe Carrigan: [00:10:48] Well, that contains all kinds of metadata that you might not want to disclose to somebody.
Dave Bittner: [00:10:51] Yeah.
Joe Carrigan: [00:10:52] If you click on an unsubscribe link and it opens a browser, that allows them to set cookies on your browser. So now they have tracking information on your browser about you. And finally of course - and this is the one that is, you know, the elephant in the room - the link can, of course, be just malicious. It could just...
Dave Bittner: [00:11:06] Right.
Joe Carrigan: [00:11:06] ...Start some kind of bad chain of events for you. The important thing is to remember that the unsubscribe link is just that. It's just a link. It could do anything. Your best bet is to just mark the email as spam, which automatically deletes it. Almost all the web-based email providers now have this feature. If you have a good corporate email, then they have that feature as well. Maybe you don't, but just delete the emails. Don't unsubscribe from it.
Dave Bittner: [00:11:29] It's remarkable to me what a good job that the email providers do with spam. Very little of that generic spam really makes it through anymore. It seems like...
Joe Carrigan: [00:11:39] That's true. They...
Dave Bittner: [00:11:39] They really upped their game on that.
Joe Carrigan: [00:11:40] Spam filtering is pretty good right now.
Dave Bittner: [00:11:42] Yeah, it really is. It really is. All right. Well, it's good advice, so let's move on. It's time for our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:52] Joe, this week's Catch of the Day was sent to us by a listener named Jacob. And he says, hey guys. My roommate was applying for a job. She submitted her application through the process, and then she got a response telling her that the job she applied for was filled; however, there was a different one available. How convenient. She didn't fall for it. Jacob says, I've never seen this particular type of scam attempted before, so I thought I'd forward it to you guys. Love the show. Cheers from Canada.
Dave Bittner: [00:12:20] And the email goes like this. Dear applicant, we received your application regarding the available job at Yukon Business School Canada job, but the initial position has been taken, as you have not made the short list. But there is an urgent personal assistant position at this time with one of our directors. Director says, as a director at Yukon School of Business with focus on other international business, the majority of my clients are out of the country. I need help with my errands because I am constantly out of town. As a matter of fact, I am currently on a business trip to Tokyo, Japan, at this time. I will prepay you in advance to do my shopping, bill payments and have the items sent to my P.O. box. I will pick the items up from the post office when I return from Japan second week in December. How soon can you start? I will email you the list and pictures of what to shop for so you can do the shopping at any leading store close to you. I'll pay you $400 for your service for 10 flexible hours every week. I am prepared to pay for mileage and travel expenses. Clear set of instructions for each task and sufficient funds to cover all errands will be provided. I would love to meet with you upon my return to discuss the possibility of making this job long-term under me with a better pay packet, as this is a trial period, and not an office position, to see how competent you are until my return. Let me know if you can do the job.
Dave Bittner: [00:13:39] What do you think, Joe?
Joe Carrigan: [00:13:42] (Laughter). Well, the broken English here says volumes to me.
Dave Bittner: [00:13:47] (Laughter). Yeah. It's not - we've certainly seen worse. But, yeah. There are definitely some mistakes in here.
Joe Carrigan: [00:13:51] Yeah. It is. I like how it says, director says, instead of putting the person's name. It literally says, director says.
Dave Bittner: [00:13:57] Yeah. And, of course, this person is out of town.
Joe Carrigan: [00:14:00] Of course.
Dave Bittner: [00:14:01] Can't be reached. Far away.
Joe Carrigan: [00:14:02] And they need you to spend money, which they promise they'll repay you.
Dave Bittner: [00:14:05] That's right.
Joe Carrigan: [00:14:06] Yeah. Yeah. No. No, thank you.
Dave Bittner: [00:14:07] Yeah.
Joe Carrigan: [00:14:08] I'm glad your friend did not fall for this, Jacob.
Dave Bittner: [00:14:10] But again, as we've talked about, you know, this is one of those things where they - I guess somehow they got access to this list of people who had applied for jobs.
Joe Carrigan: [00:14:18] Yeah. How did they get this information?
Dave Bittner: [00:14:20] Who knows? But they know that someone is maybe in a pickle. You know, they need work.
Joe Carrigan: [00:14:25] Yeah. If you're looking for a job then you're already in the subcategory of people that might be willing to do something. Like I said before, I spent - back in 2010, I spent time looking for a job. And, you know, it gets a little disheartening at some point in time. You start latching on to things that might not be the best thing for you.
Dave Bittner: [00:14:41] Yeah. All right. Well, thanks, Jacob, for sending that in. That is our Catch of the Day. After the break, we're going to hear my interview with Andre McGregor from TLDR Capital. He's a former FBI agent. We'll be discussing some of the scams he's been seeing online. But before we get to that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:15:02] Let's return to our sponsor, KnowBe4's, question. Carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grownups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:15:49] Joe, I recently spoke with Andre McGregor from TLDR Capital. Love that name.
Joe Carrigan: [00:15:54] Love the name.
Dave Bittner: [00:15:56] (Laughter). Yeah. So he is a former FBI agent. Had quite a successful career with them. And so we're going to be discussing some of the stuff that he's tracking online. Here's my interview with Andre McGregor.
Andre McGregor: [00:16:06] So we're still struggling to really understand the strength and, quite frankly, concern that the internet can bring us from a social engineering perspective, mainly because there's still a generational gap. When I was an FBI agent for several years out in New York, I spent a short stint at the Internet Crime Complaint Center. And that's essentially where people would go if they had a specific crime, or, type Google into the search engine and that's the first link you come to.
Andre McGregor: [00:16:37] And it was interesting because you would see there's 8 million records of people being scammed or attempted to be scammed. And the narrative was always the same, which was the adversary or the criminal knew exactly the right language to get to someone. And yes, it may only work, you know, 10 percent. It may even only work 1 percent. But if you hit a million people, 1 percent is a really big number.
Andre McGregor: [00:16:58] And so when you look at a social engineering scam, you're really just going after people and their emotions and sort of their state of mind. And in many ways, nothing's changed from the days of telephone scams. And nothing's changed from the days of mail scams, except for now it's on the internet.
Dave Bittner: [00:17:12] Now, you know, you bring up a really interesting point, which is this generational gap that, I think, certainly, there's the perception that that exists. Are we seeing that in reality? I mean, is it the older generation? Are they the ones who have the bull's-eye on their back?
Andre McGregor: [00:17:26] It's not only the older generation. I mean, you know, everyone is a target. You know, it's the same reason why spear-phishing or phishing attacks that, you know, purport to be a legitimate email when in fact it's malware or it's asking you to send something still can work to do wire fraud scams at some of the largest companies if someone is expecting a communication, someone is used to a certain process and the criminal knows that.
Andre McGregor: [00:17:49] They interject themselves, or they sort of man-in-the-middle attack and essentially get them to commit this, you know, crime unwittingly. From the generational side, what's interesting, especially during my time at IC3 having talked to victims that were north of 50 years old, I heard statements from them when they said, it just looked real. They had logos and icons that made it seem like it was exactly, you know, who they said they were in the company or the person.
Andre McGregor: [00:18:19] And so I had no reason to suspect that it wasn't real or - this was the more interesting statement that one of the older victims had said. I figured the Internet was regulated, and this was not going to be a problem if I sent money to them. And so when you think about that, we've gone away from that in-person connection for us to feel comfortable handing over a hundred dollars, right? I mean, an actual $100 bill is something that you wouldn't feel comfortable just sort of, you know, giving it to anyone because you earned that money.
Dave Bittner: [00:18:50] Right.
Andre McGregor: [00:18:50] It's one of the main reasons why casinos immediately switch that money out to be chips so that people, mentally, are not thinking about cash when they're playing blackjack. They're thinking about little plastic things that are not as important. But when you start moving over into the telephone and now you start moving into the Internet, it's just so easy to transfer money that you wouldn't necessarily do to somebody if you were - had to actually give them a thousand dollars in currency in your hand.
Dave Bittner: [00:19:16] The generation that's coming up today - I suppose we could call them the digital natives. Do you think they have a more natural skepticism toward this sort of thing? Have they been trained to be a little more careful?
Andre McGregor: [00:19:26] I would actually say that the skepticism still exists with the older generation because they've lived life longer to know that you can't trust everyone. I think the difference with the digital natives is that they understand technology better. So some of the scams that are easier to detect, they just immediately brush off, knowing that that wouldn't be legitimate because of the aspects around the actual fraud that's being perpetrated.
Andre McGregor: [00:19:54] But I do think that especially when you look at some of the social engineering Twitter scams - Wolfgang Crypto - and giving, you know, ETH away - you know, an older generation would say, well, there's nothing for free or if it seems too good, it probably is. And that's just living life, whereas the younger generation says, hey, I want ETH or I have FOMO, and I want to be part of the mix and may be more likely to actually give money. So it's interesting. Depending on the scam, the digital native might have an upper hand or the older individuals might have an upper hand.
Dave Bittner: [00:20:28] Yeah. It's a really interesting insight. And I mean, why do you suppose that places like Twitter are such a fertile ground for these sorts of schemes?
Andre McGregor: [00:20:36] Quite frankly, it's because of the reach, that you can get to, you know, millions of people very, very quickly. It's the same, again - you know, if you look at scams, very much like love, nothing really changes in, you know, the last 10 years, 50 years or a hundred years. It's still the same methodology of how a criminal needs to attack a victim, right? And I need to make the decision of am I being - making a targeted attack - and if I'm going to do a targeted attack, I want to have, you know, a high yield.
Andre McGregor: [00:21:03] So hopefully, that one person I'm targeting, I get a million or $10 million out of that. Whereas if I'm going off of volume, then I'm going to target a million people or 10 million people and hoping that I get a dollar. And hopefully, that scam works. So it doesn't matter if it's Twitter or Facebook or even email. I'm going after a large population. What's interesting about Twitter is that I can purport to be someone else - legitimate - that other people have already provided trust, whether blind or otherwise, in the words of that person and use their fame and fortune to leverage my scam.
Andre McGregor: [00:21:40] So that's, essentially, what Twitter is doing is - you know, someone that has a million followers, those followers are following them for a reason. And they're waiting for anything that they say. So if I can have the same picture, the same name and also recognize that people probably are not looking at the handle and say, oh, it's just off by a character - or they may not even be looking at the number of followers and saying, oh, wait. Why does this account only have, you know, 10 followers, whereas the legitimate account has, you know, 2.5 million followers? People - unfortunately, their eyes don't necessarily look at everything. They're used to just sort of looking at what makes sense, and that's how they get scammed.
Dave Bittner: [00:22:19] I think most of us have this natural impulse to want to trust.
Andre McGregor: [00:22:23] That is life, right? I mean, that's the idea of family. That's the idea of community. That's the idea of religion. It all comes back to trusting people. But we're trusting people in a world where we don't actually meet them. And it's not to say that we can't do it. And that's one of the reasons why, you know, blockchain has created, you know, such a fervor over the last couple of years is the idea of being able to bring trust to a trustless world of the Internet.
Andre McGregor: [00:22:47] And, you know, it's - you know, we have a global economy. What makes our global economy so strong right now is that we still have inherent trust in large companies like a Google or a Facebook or an Exxon or an IBM or even a central government because they've rooted their trust in centuries, if not of time with their people. But now you have these nascent companies, these nascent people that you want to trust. But you've never met them.
Dave Bittner: [00:23:13] Right.
Andre McGregor: [00:23:14] And so in a normal case, you'd want to meet them. But how do you meet someone that's halfway around the globe? That's inherently our problem with the Internet. And so to be able to have, you know, proper identification systems that are linked with the government, that are secure on the blockchain and allow for verification across multiple industries is a step for us to be able to start trusting people in a trustless world.
Dave Bittner: [00:23:40] Now, one of the things that you do is you're a technical consultant for the TV show "Mr. Robot." And I'm curious. When it comes to how they handle things like social engineering scams in Hollywood, do you find that they're coming at this from a realistic point of view, or do you find yourself having to correct them pretty regularly?
Andre McGregor: [00:24:02] (Laughter) Very good questions. I do enjoy the time that I get to work on the scripts and to be on set for "Mr. Robot." What's fantastic about "Mr. Robot" in comparison to some of the other hacking shows that are on TV, you know, Sam, the creator, doesn't want to cut corners. He recognizes that, you know, we got 42 minutes. So you can't necessarily show all the details of what you would do for a particular hack.
Andre McGregor: [00:24:28] But we don't want to skirt something to make it seem like it's movie magic. So it's really on us as consultants and technologists to be able to create a hack that is legitimate, that would work and then show the salient parts of that hack so that not only the viewer that just wants to enjoy the show can watch it and enjoy the scene but also the technophiles that are going to pause the screen and look at our code and...
Dave Bittner: [00:24:56] Right (laughter).
Andre McGregor: [00:24:56] ...You know, hopefully not find an errant semicolon or an extra space.
Dave Bittner: [00:25:00] (Laughter).
Andre McGregor: [00:25:00] We'll be able to say, well, yeah, like, if you did execute that, that's exactly how that would work.
Dave Bittner: [00:25:05] Right.
Andre McGregor: [00:25:05] And so it's nice because, you know, this is what we sort of need in our digital age. So if you look at - let's look at medicine, for example. The pivotal moment in television for medicine was "ER." That was a show where essentially, you know, we finally, you know, had proper medical terminology. We were not trying to skirt on process. And, you know, while, yes, there were some doctors that probably said, we wouldn't necessarily do it like that and...
Dave Bittner: [00:25:34] Right.
Andre McGregor: [00:25:34] ...Obviously you're not going to do live CPR on someone, you're still going to run through the processes as you would. And you could see that over time people started to accept the fact that, OK, now new shows like "Chicago Med" are even more realistic in medicine. So I like to think that "Mr. Robot" is like "ER."
Dave Bittner: [00:25:52] Yeah.
Andre McGregor: [00:25:52] And we're only just the beginning stages of what you're going to see other television shows show when it comes to hacking or just, you know, techniques in technology.
Dave Bittner: [00:26:00] Yeah. It's an interesting point because when you sweat the details like that, you really can have almost an educational component to entertainment.
Andre McGregor: [00:26:08] What I found interesting as well is that I will speak to audiences, you know, government officials. And the same statement I keep hearing over and over, which is, I tell co-workers or I tell my family to watch the show so that they finally either understand what I do every day or they finally start to understand some of the scams that they're seeing.
Andre McGregor: [00:26:29] And so when we spend time on "Mr. Robot" showing how to root an Android phone and its kernel or, you know, a social engineering scam and being able to, you know, clone an ID card or send a phishing email - it makes it more real because you think all these people that are working in offices - they take an annual information security training.
Andre McGregor: [00:26:50] And that training - maybe they understand everything, or maybe they only understand parts of it. But to actually watch it on television to be able to say, oh, that's what that is; now I get it, only further benefits us as a society from an education perspective.
Dave Bittner: [00:27:06] Interesting guy, huh, Joe?
Joe Carrigan: [00:27:07] Yeah. I liked that interview a lot. A couple of things he said resonated with me. One, they know the language when the scam's happening. They know how to get in. And actually, I think this is indicative of what he said later in the interview when you asked him about the generation gap - that really being over the age of 50 doesn't make you any more susceptible to scams. It just changes the kind of scam you're susceptible to, right?
Dave Bittner: [00:27:30] Yeah.
Joe Carrigan: [00:27:30] The same with being younger...
Dave Bittner: [00:27:31] Right.
Joe Carrigan: [00:27:31] ...Right? So a younger person might be more susceptible to the fear of missing out - FOMO (ph), that he called it. And an older person might be more susceptible to a scam that has technical information.
Dave Bittner: [00:27:41] Right.
Joe Carrigan: [00:27:41] So when he talks about the scams where they say they know the language, the reason that's the case is because these scams are the ones that are successful.
Dave Bittner: [00:27:49] Yeah, yeah.
Joe Carrigan: [00:27:50] If you have a scam that's unsuccessful, it's because some red flag has gone off maybe 'cause they don't know the language.
Dave Bittner: [00:27:54] They refine them over time.
Joe Carrigan: [00:27:55] Absolutely.
Dave Bittner: [00:27:56] They figure out what works and what doesn't, and then they share that information with their fellow scammers.
Joe Carrigan: [00:28:00] Yeah. One of the words of the victims here resonated with me - "I figured the internet was regulated." Nobody should figure that. Nobody should ever think that.
Dave Bittner: [00:28:07] (Laughter).
Joe Carrigan: [00:28:07] The internet is a vast unregulated domain that is...
Dave Bittner: [00:28:10] Dumpster fire.
Joe Carrigan: [00:28:11] It's a dumpster fire.
Dave Bittner: [00:28:12] Right, right. It's a dumpster fire, Joe.
Dave Bittner: [00:28:16] It's amazing that any of us make it out alive.
Joe Carrigan: [00:28:18] Right.
Dave Bittner: [00:28:19] (Laughter).
Joe Carrigan: [00:28:19] Every day after I get off the internet, whatever I'm doing, I have to go take a shower.
Dave Bittner: [00:28:23] Yeah.
Joe Carrigan: [00:28:25] Trust is the foundation of family, society and religion, he says.
Dave Bittner: [00:28:29] Yeah.
Joe Carrigan: [00:28:29] Interesting that he points out religion because we've talked about scams or had Catch of the Day samples where people say, I'm a good Christian...
Dave Bittner: [00:28:37] Right.
Joe Carrigan: [00:28:37] ...Right? They're appealing to your religion, whatever it is, and I think this would work regardless of what your religion is, you know.
Dave Bittner: [00:28:42] Yeah. Just, I'm a person of faith, and so...
Joe Carrigan: [00:28:44] Right.
Dave Bittner: [00:28:44] Yeah, yeah. So we have that in common...
Joe Carrigan: [00:28:46] Right.
Dave Bittner: [00:28:46] ...Regardless of what your faith is.
Joe Carrigan: [00:28:48] They're trying to build rapport with you. Chris Hadnagy talks about this in his book "The Art of Social Engineering" (ph) where you try to become a member of their tribe...
Dave Bittner: [00:28:55] Right.
Joe Carrigan: [00:28:55] ...By getting in there and say, hey, look, we're in the same religion, right?
Dave Bittner: [00:28:58] Yeah, yeah. Interesting. All right. Well, thanks to Andre for joining us - a really fun, interesting conversation. And that is our show.
Dave Bittner: [00:29:05] We want to thank our sponsors, KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about what they're up to at isi.jhu.edu.
Dave Bittner: [00:29:32] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:48] And I'm Joe Carrigan.
Dave Bittner: [00:29:49] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new-school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros who have 16 other fires to put out. Learn more at KnowBe4.com.