We've got followup on bank scams and ransomware. Joe describes a highly sophisticated multinational business scam. Dave shares a story about private school parents falling for a Bitcoin discount scam. Our guest is Jordan Harbinger, host of The Jordan Harbinger Show, with insights on influence and social engineering.
Links to this week's stories:
Jordan Harbinger: [00:00:00] If you're tricking people, the cognitive dissonance will eventually wear you out. And you'll become depressed. And you'll hate yourself. That much I promise you.
Dave Bittner: [00:00:09] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey there, Joe.
Joe Carrigan: [00:00:28] Hi, Dave.
Dave Bittner: [00:00:29] We've got some great stories to share. And later in the show, we've got my interview with Jordan Harbinger. He's host of "The Jordan Harbinger Show." He's going to share some of his expertise with social influence and social engineering. But first, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:00:47] Step right up and take a chance. Yes, you there, give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they A - my late husband wished to share his oil fortune with you, or B - please read; important message from HR, or C - a delivery attempt was made or D - take me to your leader. Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enable your employees to make smarter security decisions.
Dave Bittner: [00:01:26] And we are back. Joe, we've got some quick follow-up on a couple of stories.
Joe Carrigan: [00:01:30] OK, good.
Dave Bittner: [00:01:31] A couple weeks ago, we had a story about some folks in the U.K. who were being scammed out of money. And the bad guys were tricking them into transferring funds by entering special codes on devices - basically authorization devices...
Joe Carrigan: [00:01:45] Correct.
Dave Bittner: [00:01:45] ...In order to transfer them.
Joe Carrigan: [00:01:47] Yes.
Dave Bittner: [00:01:47] And the banks were claiming that the banks were not responsible for the funds because the customers had authorized the transfer.
Joe Carrigan: [00:01:53] Right.
Dave Bittner: [00:01:54] Well, the U.K.'s Financial Ombudsman Service - that's the FOS. They've ruled that the banks must refund the money in those cases. So...
Joe Carrigan: [00:02:02] That's interesting.
Dave Bittner: [00:02:02] Yeah, so a regulatory decision there.
Joe Carrigan: [00:02:05] Yep.
Dave Bittner: [00:02:05] That's great news for the consumers...
Joe Carrigan: [00:02:07] It is.
Dave Bittner: [00:02:07] ...Not so much for the banks.
Joe Carrigan: [00:02:08] No.
Dave Bittner: [00:02:10] (Laughter) So - we also got a nice note from Tim Otis. He's on Check Point's incident response team. They're a security company. He said, Hi. I'm a huge fan of the CyberWire. And I appreciate all the free info you folks put out. You've become a staple in my morning routine.
Joe Carrigan: [00:02:24] Excellent.
Dave Bittner: [00:02:24] Just following up on the story we had - I think it was last week - about ransomware.
Joe Carrigan: [00:02:28] Right, and backups.
Dave Bittner: [00:02:30] Yeah, ransomware and backups - and he said, while I do feel opportunistic ransomware delivery to every email address on the internet has subsided, we see an ongoing and, perhaps, more dangerous trend in ransomware attacks, where enterprises instead of individuals are targeted. The adversaries get inside enterprise networks, establish some level of persistence, conduct reconnaissance then deploy ransomware manually to hundreds or more machines within the enterprise. And Tim goes on to describe some specific cases of this. He wraps up by saying, unfortunately, our hotline is still ringing in 2019 with customers having these advanced manually deployed ransomware attacks.
Joe Carrigan: [00:03:09] Right.
Dave Bittner: [00:03:09] So Tim's pointing out here that, I guess, the shotgun approach to ransomware has died down. But these folks are getting more sophisticated.
Joe Carrigan: [00:03:17] Right, yeah. Last week, I guess something you said at the beginning of the segment could've been taken to say that we were saying ransomware is less prevalent than it - or, you know, not really a risk anymore.
Dave Bittner: [00:03:27] Yeah.
Joe Carrigan: [00:03:28] If we said that, that certainly wasn't what we meant. It's just that it's not as prevalent as it used to be or, perhaps, these shotgun attacks are going down...
Dave Bittner: [00:03:34] Yeah.
Joe Carrigan: [00:03:34] ...Not necessarily that the problem is going away. No, it's not a problem that's going away. You're going to have to keep your guard up against ransomware.
Dave Bittner: [00:03:41] Yeah, and the cryptomining had really...
Joe Carrigan: [00:03:42] Cryptomining, yep.
Dave Bittner: [00:03:42] ...Overtaken it as the hot technique for the year, I guess. So thanks to Tim for sending that in. Joe, let's move on to our stories. What do you have for us this week?
Joe Carrigan: [00:03:51] I have an amazing story, Dave. This one comes from Nicole Lindsey over at CPO magazine. And we'll put a link in the show notes. There's an Italian company called Maire Tecnimont. I believe I'm saying that right. I'm probably butchering it.
Dave Bittner: [00:04:04] (Laughter).
Joe Carrigan: [00:04:05] It is a huge global conglomerate made up of over 50 companies.
Dave Bittner: [00:04:09] OK.
Joe Carrigan: [00:04:10] And it seems that some Chinese hackers convinced the head of a subsidiary in India to wire money to a bank account in Hong Kong.
Dave Bittner: [00:04:18] All right.
Joe Carrigan: [00:04:19] So first, the attackers did some groundwork.
Dave Bittner: [00:04:22] Yeah.
Joe Carrigan: [00:04:23] It looks like they got into the company's email system and studied the writing and communication habits of top executives. This is remarkable because one of the red flags we always see in these phishing attacks or in these other business email compromise is that the style doesn't match the person that it's coming from or...
Dave Bittner: [0:04:41] Yeah.
Joe Carrigan: [0:04:41] There's other things wrong that...
Dave Bittner: [0:04:43] Typos and...
Joe Carrigan: [00:04:43] Right.
Dave Bittner: [00:04:44] ...Broken English or whatever - whatever the language - the native language is. Yeah, yeah.
Joe Carrigan: [00:04:47] Right. And these guys have studied how these people communicate in order to impersonate them better to eliminate those red flags, which is pretty smart.
Dave Bittner: [00:04:56] Yeah. And a good writer would be able to do that, would be able to imitate someone's style or...
Joe Carrigan: [00:05:01] Yes.
Dave Bittner: [00:05:01] ...Come close to it. Yeah, interesting.
Joe Carrigan: [00:05:02] Absolutely.
Dave Bittner: [00:05:02] Yeah.
Joe Carrigan: [00:05:03] It also looks like they impersonated the company's chairman and forged some documents to set up a bank account in Hong Kong, which is important as we'll see here in a minute.
Dave Bittner: [00:05:11] Yeah.
Joe Carrigan: [00:05:12] The attackers start the attack with a fraudulent email spoofed to appear if it were coming from the CEO of a company in Italy - one of the executives from this company in Italy. I don't know at what level this executive is.
Dave Bittner: [00:05:24] Yeah, high enough he'd be handling large amounts of money.
Joe Carrigan: [00:05:26] The message was written in his style, of course, and raised the prospect of a secretive and highly confidential acquisition that could only be pulled off if they wired funds to bank accounts in Hong Kong, which is where the, of course, fraudulent bank account was set up.
Dave Bittner: [00:05:42] Right.
Joe Carrigan: [00:05:43] After follow-up emails, there are teleconferences between India and Italy with these fraudsters impersonating executives and top lawyers.
Dave Bittner: [00:05:52] Wow.
Joe Carrigan: [00:05:53] So not only are they impersonating them in email, but they're actually impersonating them on the phone and getting these people to believe what's going on. They convinced the folks in India that regulatory rules prevent direct payment from corporate HQ in Italy. And it's on the Indian subsidiary to fund the operation and the acquisition. These guys send three payments to this bank account in Hong Kong. And before they send a fourth payment, the actual CEO for the company shows up for an annual visit. And that's when the cat gets let out of the bag.
Dave Bittner: [00:06:26] He's just there as luck would have it...
Joe Carrigan: [00:06:27] As luck would have it...
Dave Bittner: [00:06:28] ...Not related to any of this.
Joe Carrigan: [00:06:29] ...Not related to any of this, he shows up. And, of course, they're talking. And they're saying - I imagine that something happened, where, hey. We're working on that great acquisition. And the guy said, what acquisition?
Dave Bittner: [00:06:40] Working hard for you, boss. Yeah (laughter).
Joe Carrigan: [00:06:41] Right.
Dave Bittner: [00:06:42] So - oh, no.
Joe Carrigan: [00:06:45] In all, this company lost $18.6 million...
Dave Bittner: [00:06:48] Wow.
Joe Carrigan: [00:06:49] ...To this scam. $18.6 million - that's a big one.
Dave Bittner: [00:06:53] Well, and think about - I mean, $18 million will pay for a lot of impersonators, right?
Joe Carrigan: [00:06:59] Yes. Yeah, it will. If you look at this as a business or an organized crime thing, which it probably is...
Dave Bittner: [00:07:04] Yeah.
Joe Carrigan: [00:07:04] The organization has, first off, gotten linguists, people that are linguistically talented into it...
Dave Bittner: [00:07:10] Right.
Joe Carrigan: [00:07:10] ...So that they can not only impersonate them in writing but also in speech. And then, of course, they carry on these conversations. And they dupe these people out of almost $19 million.
Dave Bittner: [00:07:19] And they do their homework.
Joe Carrigan: [00:07:20] And they do their homework. That's right.
Dave Bittner: [00:07:22] And it was successful.
Joe Carrigan: [00:07:23] Yeah.
Dave Bittner: [00:07:23] Wow. I'm not sure how you defend against this. I guess you have to have...
Joe Carrigan: [00:07:27] I don't know.
Dave Bittner: [00:07:28] Well...
Joe Carrigan: [00:07:28] I would say an outbound phone call to the CEO would be one way you could defend against it.
Dave Bittner: [00:07:33] And I guess, like we say, you know, layers of verification.
Joe Carrigan: [00:07:36] Right.
Dave Bittner: [00:07:36] Before any money is transferred like this, just have checks and balances in there...
Joe Carrigan: [00:07:41] Yeah.
Dave Bittner: [00:07:41] ...To make sure that...
Joe Carrigan: [00:07:41] If somebody like this targets your organization, I'm not sure what you can do aside from having those checks and balances in there...
Dave Bittner: [00:07:47] Yeah.
Joe Carrigan: [00:07:47] ...Where when somebody says, I need you to wire this much money to Hong Kong, that you actually go ahead and make a phone call to that person and say, I want to make sure before I do this that you are authorizing this transfer. Aside from that, no, there's really not a lot they can do. This is a subsidiary relationship that seems like it might be a legitimate process.
Dave Bittner: [00:08:06] Right.
Joe Carrigan: [00:08:07] It seems plausible. It's tough.
Dave Bittner: [00:08:09] Yeah. When (laughter) someone takes that much effort...
Joe Carrigan: [00:08:11] Right.
Dave Bittner: [00:08:11] That is hard to defend against.
Joe Carrigan: [00:08:13] It is.
Dave Bittner: [00:08:13] Yeah. Oh, it's a good one.
Joe Carrigan: [00:08:15] Yeah.
Dave Bittner: [00:08:15] All right. Well, Joe, my story this week has to do with some folks being scammed out of money. And they were targeting people who went to private schools. You went to private school, didn't you?
Joe Carrigan: [00:08:25] Briefly.
Dave Bittner: [00:08:25] Yeah. I did not. I never went to private school. But I certainly know plenty of people who did. This is actually private school in the U.K. And what happened was the scammers sent some phishing emails to the parents of students who were attending this school. This is the Royal Grammar School in the U.K. And they offered a 25 percent discount on school fees if parents would pay in Bitcoin.
Joe Carrigan: [00:08:50] (Laughter) OK.
Dave Bittner: [00:08:51] Now - (laughter) yeah. This is sort of, I guess, a red flag, right?
Joe Carrigan: [00:08:54] Yeah.
Dave Bittner: [00:08:54] But the emails were sent from an email address of the school's financial administrator. So they'd gotten access to that account.
Joe Carrigan: [00:09:02] Right. So they've compromised the business email again.
Dave Bittner: [00:09:04] Right.
Joe Carrigan: [00:09:05] Yeah.
Dave Bittner: [00:09:05] They went in and sent out to all the parents of the students, so they had access to that list.
Joe Carrigan: [00:09:10] Right.
Dave Bittner: [00:09:11] And they got a bunch of - folks went for it. Despite - the story here talks about - this is from the BBC, by the way. This story talks about how the message itself was full of grammatical errors, which is interesting coming from the Royal Grammar School.
Joe Carrigan: [00:09:27] (Laughter).
Dave Bittner: [00:09:27] But it was filled with grammatical errors. There are a lot of misspellings and things like that. But enough parents went for it and lost some money. So, again, be careful - an interesting target here.
Joe Carrigan: [00:09:40] Right. Well, if I'm going to target somebody, I'm going to target somebody who can afford to send their kids to a private school.
Dave Bittner: [00:09:46] Yeah.
Joe Carrigan: [00:09:46] Right?
Dave Bittner: [00:09:47] I don't know how many students there were here but enough that it make - it's worth their time to target a couple hundred people, probably.
Joe Carrigan: [00:09:55] Sure.
Dave Bittner: [00:09:55] You know, I could see the parents saying, a 25 percent discount on school fees because...
Joe Carrigan: [00:10:01] I'll take it.
Dave Bittner: [00:10:01] Private school ain't cheap.
Joe Carrigan: [00:10:02] No, it isn't.
Dave Bittner: [00:10:03] (Laughter).
Joe Carrigan: [00:10:04] No. I don't know what it costs in the U.K., but...
Dave Bittner: [00:10:06] Right (laughter).
Joe Carrigan: [00:10:06] ...It ain't cheap here.
Dave Bittner: [00:10:08] No, that's for sure. That's for sure. So another one to be aware of. I guess parents had followed up on this. Like we say, a phone call to the actual administration office before making the payment probably would've done it.
Joe Carrigan: [00:10:20] Yep.
Dave Bittner: [00:10:21] You know, so...
Joe Carrigan: [00:10:21] Absolutely.
Dave Bittner: [00:10:22] But just verify. Verify, folks. Verify.
Joe Carrigan: [00:10:25] Trust but verify.
Dave Bittner: [00:10:26] Yeah. All right. Well, those are our stories this week. It's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:10:34] Joe, our Catch of the Day this week comes courtesy of a listener named Umberto (ph). He teaches a security class.
Joe Carrigan: [00:10:40] Ah.
Dave Bittner: [00:10:41] And one of his students provided him with the following text message exchange and said he could send it along to us for the show. So I'm going to read the - I'll be the person who sent the text message. And you can be Umberto's student here. And it goes a little like this.
Joe Carrigan: [00:10:57] OK.
Dave Bittner: [00:10:58] Hello. I received your number from South African hospital. I need to send you $5 million of diamonds.
Joe Carrigan: [00:11:05] Oh, wowzers. I'm so lucky.
Dave Bittner: [00:11:07] Please send me your social security card, credit card and address.
Joe Carrigan: [00:11:11] Okie-dokie.
Dave Bittner: [00:11:12] Don't try to trick. I am army intelligent Lieutenant Bendu (ph).
Joe Carrigan: [00:11:16] You got it, pal.
Dave Bittner: [00:11:17] So what do you do for living?
Joe Carrigan: [00:11:19] I'm an executive bank manager. Here is the phone number for my banking information - 609-555-1212. Ask for Jameson. That's me.
Dave Bittner: [00:11:28] Jameson, I'm not sure you be a real man. I call number and they say they don't know you. They even advised me that you might be doing scam.
Joe Carrigan: [00:11:36] I'm sorry, Mr. Bendu. How can I prove to you that I am real? How can you prove that you are real? In fact, how can any of us prove that we are real?
Dave Bittner: [00:11:45] You do a f-ing with me. I do f-ing with your family. I'm army intelligent. I have connections.
Joe Carrigan: [00:11:51] Your mother was a goat (laughter).
Dave Bittner: [00:11:54] And that's it (laughter). I think - I don't think there's really much more to be said here. No.
Joe Carrigan: [00:11:59] No. That's awesome.
Dave Bittner: [00:12:01] So thank you, Umberto, for sending it in. Your student is clearly wise beyond his or her years.
Joe Carrigan: [00:12:08] Yep.
Dave Bittner: [00:12:09] So thanks for sending that in. That is our Catch of the Day. Coming up next, we've got my interview with Jordan Harbinger. He's host of "The Jordan Harbinger Show." But first, a word from our sponsors KnowBe4.
Dave Bittner: [00:12:23] And what about the biggest, tastiest piece of fish bait out there? If you said, A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door B, please read important message from HR, well, you're getting warmer. But that one was only number 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader. No, sorry. That's what space aliens say. But it's unlikely you'll need that one unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing’s twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest.
Dave Bittner: [00:13:27] And we are back. Joe, I had the privilege recently of speaking with Jordan Harbinger. He is a host of one of the top podcasts out there. It's "The Jordan Harbinger Show." Before that, he was the host of "The Art of Charm" and interviewed some really high-level people but also has a strong background in social influence, interpersonal dynamics and social engineering, does a lot of training for private companies, as well as law enforcement, to help them with these things. So here's my conversation with Jordan Harbinger.
Dave Bittner: [00:13:56] I'm curious. You know, you have a lot of experience with persuasion and teaching people to be more persuasive. How much of this is science and how much of it is art?
Jordan Harbinger: [00:14:04] Actually, I'm always thinking about this, and I don't have an exact percentage, but I will tell you that there's a lot of art to it, and there's a lot of pseudoscience to it, especially when you start getting into the realms of things like NLP and persuasion and things like that where people are like, it's science, and it's like, well, not totally. But that doesn't mean it doesn't work. And so I often find myself going, well, this is not exactly science. It's a lot of art. Well, look; at the end of the day, it still works. So you kind of rub up against these academic folks that are like, yeah, this is all garbage. And I'm like, yeah, except for scoreboard. I still manage to do this or look at these attackers - still managed to do that.
Jordan Harbinger: [00:14:45] So there might not be any peer-reviewed studies that say social engineering is some sort of science, and if you try this this many times, you get this result. But at the end of the day, this is one of the greatest vulnerabilities that we have. So I'm going to throw out there, like, 80-20 in favor of art, but that includes pseudoscience, so that includes principles of influence and persuasion for which we don't have a lot of empirical data but that have been employed successfully for as long as humans have had language.
Dave Bittner: [00:15:13] Yeah. I wonder if a better word for it is craft rather than science.
Jordan Harbinger: [00:15:17] I think that's probably accurate, yeah, because if we walk around and we say, well, there's no science behind this, it's like, well, how did you meet your wife? What science did you use to get along with her? What science did you use to meet the girlfriend that turned into the woman that you married? Or, you know, what science are you using to make sure your kids don't turn out to be horrible people? People would look at you - even a scientist would be like, what are you talking about? What science am I using? Parent science? No.
Dave Bittner: [00:15:40] Right (laughter).
Jordan Harbinger: [00:15:41] Right? But we're still doing things that involve this, and nobody says, well, there's no science, so I'm just going to let my kids grow up feral and, you know, live in a dirt trench outside my house.
Dave Bittner: [00:15:50] Yeah. Now, when you're setting off with someone to help them improve their skills of persuasion, where do you begin? How do you take stock? How do you measure where they're starting out?
Jordan Harbinger: [00:15:59] We teach a lot of military intelligence. Some civilians, especially people in positions of - like, security positions. So we'll teach, like - we don't use this term, but people know it - body guards, you know, personal protection specialists. When we teach those guys, often what we'll do is we'll videotape them, and we'll show them where they are and give them an assessment, as well, of their nonverbal communication. We - sure, we look at the verbal, but, really, it starts with nonverbal communication. And the reason we film it is because if I'm working with you and you think that you're the Jason Bourne, you know, James Bond, whatever, incarnate, it's hard for me to then say, look; there's some nonverbal signals and communications issues that you're having because you're like, yeah, yeah, yeah, my boss made me take this class, but I'm special.
Jordan Harbinger: [00:16:43] But if I show you a videotape and you think, yeah, I walked up and I was smiling and calm and collected and I show you a video where you look the opposite, we can kind of start at least on the same page where your delusions have at least slightly evaporated, and I can also say, OK, you're a close talker. All right, you slouch a little because you've been on a computer for 20 years or 30 years, like the rest of us. OK, you've got this handled correctly, but you've got these other areas to work on. You're no longer in denial, and I'm able to sort of check a reference. And then, at the end of the course, I can say this is where you started and here's where you are now.
Dave Bittner: [00:17:16] So coming at it from the opposite direction, how do you help people protect themselves from falling victim to folks who are trying to persuade them?
Jordan Harbinger: [00:17:24] Right. So if you're familiar with Derren Brown, which many people might not be, he's done "The Push," "Sacrifice" on Netflix. He uses compliance persuasion influence. He's not quite a mentalist, not quite a illusionist, not quite a magician, but he creates these shows where people through compliance, hypnosis, et cetera, will - in "The Push," he convinces somebody who's normal essentially - you know, a guy like you and I - to kill someone else and throw them off a roof. And they think they're doing it. Of course, the person's harnessed in, but they don't know that. And then in "Sacrifice," he convinces somebody who is, essentially, kind of a racist to jump in front of a bullet for somebody who he thinks is an illegal immigrant and, of course, is an actor. And so I asked him the same thing. I said, how do we defend against this sort of thing? And he said that for most of us, we're not necessarily going to be suggestible enough to be completely thrown through the loops. Right? It's going to be very difficult for us to gain compliance in somebody to that degree because most people aren't that suggestible. That said, even for those of us that are, we would have - there's a tremendous amount of work that has to go into these sorts of things. You know, you've got sound, audio, light cues that people are using. You've got all kinds of persuasion that takes days, weeks, months to create.
Jordan Harbinger: [00:18:43] So you don't have to worry too much. This isn't, like, you and I are going to be like, hey, we're out of Coca-Cola. Go to 7-Eleven. And then suddenly, you're throwing someone off a roof. It's not going to be like that, thankfully. But we do end up with little tricks that can create victims. My wife was telling me a story about how when she was younger, she told her grandma that she had gotten some mustard squirted on her, and then somebody at a, I don't know, train station or airport robbed her grandma because of the distraction. So at some level, we're all subject to these little human hacks. Being a - primary defense, according to Derren Brown and, frankly, according to experience, right? If you know that there are pickpockets, and one of the most common scams is they squirt ketchup all over a kid and then the kid says, Mom, there's ketchup on me, and then you get pick pocketed, if your kid ends up with ketchup all over them at a train station, you go, wait a minute. My kid's not carrying a ketchup packet. What happened? You know, what's going on here? And the first thing you do then is grab your bag. You don't, you know, throw it behind you or set it down and then start wiping ketchup off your kid.
Jordan Harbinger: [00:19:45] So aware - that's a very simplified example. But awareness of this really works. You know? If you start feeling confused while you're talking to a salesman, you back up and go, wait a minute, I've sort of heard that this is a thing that happens. What's going on? Or if you start going, wait a minute, how did I end up almost getting into a - why do I have my wallet in my hand? What's happening right now? You're not being hypnotized. You're being run through a well. And you can sort of step back, pause, do a reality check and say, is this what I want to be doing right now? I'm not sure this is what I want to be doing right now. And you'll be able to defend yourself against those sorts of things.
Jordan Harbinger: [00:20:17] Just like with social engineering, if I'm performing a social engineer attack and I'm saying something like, well, you know, we're going through this, and I really need to make sure that you reset this or that you install this file, or something like that, you might stop and go, huh, I was warned about this, but this person seems quite credible. Well, what's the cost-benefit of me asking my manager if I should install this file? What's the cost-benefit of me saying, hey, let me call you back at your internal extension? Right? The cost-benefit is pretty high because somebody legitimate would say, yeah, sure. My internal extension is 42665. Talk to you in 30 seconds.
Dave Bittner: [00:20:50] Right.
Jordan Harbinger: [00:20:50] Right? But a scammer will say, my eternal extension? Those aren't working. It's part of the same problem. You know, I can call you back, though, in five minutes, if you need a minute. It's like, that's suspicious. Let me throw another test and see what happens. What's your employee ID number? Pardon me for being suspicious. I'm worried about this 'cause I've had some training that said this might be the type of attack that we're expecting. Yeah. No problem. Here's my employee ID number. But the scammer says, I'm so new, I don't have an employee ID. Is that on my card? Let me find that real quick. You know? And you think, what? We use this every day to eat lunch in the cafeteria and have it taken out of our spending account. This person's fake. Right?
Jordan Harbinger: [00:21:27] So that awareness is the best sort of defense because it lets you say, how would a real employee act? Or what sort of test can I run? What sort of simple question can I ask that a regular employee would know the answer to in two seconds but that a scammer would say, hold on, I need to think about? You know? And that's the kind of thing that really makes or breaks it. When we were doing social engineering attacks, real or fake - maybe at DefCon, you know, where we have, like, the social engineering village and we're doing these little contests and things like that - we found that a lot of times what made an attack successful was how relaxed the person was and how much they knew, of course. But what broke even really well-executed attacks wasn't, like, some super-suspicious, old curmudgeon who never cooperates with anything. It's the person who says, huh. Yeah, I heard that we might be dealing with stuff like this or, they send an article around and they made us read it or, we talked about this a couple of weeks ago - mind if I called you back on your internal extension? Like, that was kind of the - every single time defeated the person. Because you don't have an internal extension if you're calling from Skype. Right?
Dave Bittner: [00:22:35] Right.
Jordan Harbinger: [00:22:35] So little bits of awareness that create just that 1 percent suspicion, whereas we normally might just trust anybody that comes in on our phone, that was what made the biggest difference. And that's what will make the biggest difference in our lives, as well. You know, someone calls you and asks you for your bank routing number, and they say they're from your bank and they seem to know a lot about you? No problem. Call your local bank branch. Call the guy you know there, and say, could you transfer me to this person? They were asking me for some personal information, and I just want to make sure it's legit.
Dave Bittner: [00:23:05] Yeah. Nobody's going to begrudge you for that.
Jordan Harbinger: [00:23:07] Nobody's going to begrudge you for that. And if they do, get a new bank because they should be saying thank you for being at least suspicious enough to make sure that I'm actually working here. Because remember, you're saving them and their security department a lot of work. If you get scammed, they've got to investigate, figure it out, reimburse you, change their systems. So nobody in their right mind would be upset that you asked for verification. That is what you are supposed to do. They should be training their customers to do this in the first place.
Dave Bittner: [00:23:35] I'm curious on your thoughts when it comes to the intersection of ethics and influence. You know, someone like yourself, who has what I would describe as advanced powers of persuasion, how do you make sure that you're using those powers for good and not for evil and not taking advantage of people who don't know better?
Jordan Harbinger: [00:23:52] You know, that's funny. We were just talking about this in the course here in London. We were talking about, we want to make sure that we're only teaching this to people that are using it for good. And part of that is, you know, when we're teaching our courses, for example, it's like, OK. We teach military and intelligence. Often, when we teach civilians, we run them through a federal background check. We don't really have that luxury, for most of us. Most people, it's kind of like, if you're learning this stuff, you're learning it on your own. What I will say is, even though I started off as a teenager doing some of this black hat stuff 'cause it was exciting and fun, as I got older I realized, well, yes, there's risk involved. You can go to jail. You can hurt people, and it feels bad.
Jordan Harbinger: [00:24:31] Not only that, but even if you're a complete sociopath, at some level, right, scamming people and you can sleep at night even though you're a proper bastard having done things like this, actually, when you do the math, when you look at the amount of effort it takes to create something - like, maybe you're really, really persuasive, and maybe you can just get anybody to do anything. The excitement of tricking someone wears off pretty quickly. It would be - if you're a master persuader, you will make far more money, sleep better at night, help a lot more people and really build something that lasts if you just become a salesman that sells a product you believe in. You know, it's much easier to do something like that and much more rewarding long-term to do something like that than it is to trick random elderly people out of their life savings. It's just more profitable, and it's easier, safer and better all around to build something legitimate.
Dave Bittner: [00:25:27] You know, you've had the opportunity to interview some really high-level people from many, many different walks of life. Are there any common traits that you've seen when it comes to their powers of influence?
Jordan Harbinger: [00:25:38] What I've noticed is in interviewing people for "The Jordan Harbinger Show," one of the things that I've noticed particularly is that great performers and great businessmen, and women, for that matter, have charisma in common. But charisma is actually just kind of one element of persuasion, right? We know that charismatic people lead well because people want to follow them. And so what I've noticed is that level of charisma. They're all really good at getting people to trust them, but not just that. They're also really great at getting people to like them.
Jordan Harbinger: [00:26:10] And yes, those could be misused. But I think people don't want to. People want to be liked for who they are really, not liked for who they are pretending to be. Because if you're just pretending to be somebody and that creates other people liking and trusting you, whatever, it really creates cognitive dissonance, which at the end of the day makes you feel horrible. So and that sort of goes to your previous question, which is, how do we know we don't want to - we're not misusing this?
Dave Bittner: [00:26:37] Right.
Jordan Harbinger: [00:26:38] It's actually better to be authentic because then you can go to bed going, wow, people like and trust me, and that feels good and I like that. And it allows me to be charismatic and lead and build something. And, you know, it feels really good to have that. If you're tricking people, the cognitive dissonance will eventually wear you out, and you'll become depressed and you'll hate yourself. That much, I promise you.
Dave Bittner: [00:27:00] All right. Joe, what do you think?
Joe Carrigan: [00:27:01] I have an observation. In the beginning of the interview, Jordan talks about how it's difficult to scientifically quantify these kind of things. I think there's an opportunity for some psychology research here. This is definitely more of an art, but I'll make the following conjecture. This can be quantified in the field of psychology. Not necessarily in cybersecurity or in computer science or in natural language processing, but I'll bet you can quantify this in psychology. We keep hearing this over and over and over again as we do this podcast. We are all susceptible to something. And the example he gives is a great example that would've worked on me when I had younger kids, somebody squirting ketchup on my kid. That would completely distract me and make me susceptible to being pickpocketed.
Dave Bittner: [00:27:41] Right.
Joe Carrigan: [00:27:41] That absolutely would have worked on me, and probably will be something in the future. I'm glad I heard about this now.
Dave Bittner: [00:27:47] Yeah. Kind of short circuits everything that you're thinking.
Joe Carrigan: [00:27:49] Exactly.
Dave Bittner: [00:27:50] You've got to take care of your kid.
Joe Carrigan: [00:27:50] You've got a kid that you need to take care of.
Dave Bittner: [00:27:52] Kid's in distress.
Joe Carrigan: [00:27:52] Right. I like Jordan's suggestion that he says throw tests. You know, like, asking for their employee ID or, here's something you as an insider would know. Tell me the answer to this question. Or even best, just ask for verification. Or say, hey, can I call you back?
Dave Bittner: [00:28:06] Right.
Joe Carrigan: [00:28:06] That's what we keep saying, can I call you back? The other thing is when he talks about if you feel confused, that's a moment to realize something's going on. That should be a red flag to everybody. Take a moment. Take a breath and just think about how you got to this situation. And if you're being persuaded by somebody at that point in time, just say, you know what? I'd like to think about this for a little bit.
Dave Bittner: [00:28:23] Yeah.
Joe Carrigan: [00:28:23] And just walk away.
Dave Bittner: [00:28:24] And don't let them put the heat on you that you must make a decision right now.
Joe Carrigan: [00:28:27] Right. You know what? For me, that's one of those things that just irritates me.
Dave Bittner: [00:28:31] Yeah? (Laughter).
Joe Carrigan: [00:28:31] Like, whenever a salesman says, you got to make this decision now 'cause somebody else is coming to buy it, I say, go sell it to them. Goodbye.
Dave Bittner: [00:28:36] Right. (Laughter).
Joe Carrigan: [00:28:38] You know? And I turn around and walk away.
Dave Bittner: [00:28:39] Yeah (laughter).
Joe Carrigan: [00:28:40] And I just will not allow myself to fall for that one. But that's just me. There's people out there that - there are other things that will work on me, but that one won't.
Dave Bittner: [00:28:47] OK.
Joe Carrigan: [00:28:47] That one irritates me because I actually get offended by it.
Dave Bittner: [00:28:50] Yeah.
Joe Carrigan: [00:28:51] I do take a small bit of solace in Jordan's statement that scammers will eventually hate themselves.
Dave Bittner: [00:28:57] (Laughter). Right. Right. Thanks very much to Jordan Harbinger for joining us. And certainly, check out his podcast. It's "The Jordan Harbinger Show." Definitely worth your time. And thanks to all of you for listening. That is our podcast.
Dave Bittner: [00:29:09] We also want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.
Dave Bittner: [00:29:31] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik; technical editor is Chris Russell; executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:49] And I'm Joe Carrigan.
Dave Bittner: [00:29:50] Thanks for listening.
Copyright © 2018 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.