Delivering yourself to a kidnapper.

Joe describes fraudsters taking advantage of top-level domain name confusion. Dave explains how a Google Nest security system shipped with an undocumented microphones. Our catch of the day involves a postcard missed package campaign. Our guest is Matt Devost from OODA LLC describing their work protecting high-net-worth individuals.

Links to today's stories:


Matt Devost: [00:00:00] If you are interacting with somebody, and the offer seems too good to be true, it likely is. If it is a nonstandard communication, you know, that you're receiving from your bank or a peer, it is likely to be fraudulent activity.

Dave Bittner: [00:00:11] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where, each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:30] Hi, Dave.

Dave Bittner: [00:00:31] We've got some great stories to share this week. And later in the show, we'll have my interview with Matt Devost. He's from a company called OODA LLC, and he's going to share some stories about impersonation. So stay tuned for that.

Dave Bittner: [00:00:49] But first, a quick word from our sponsors at KnowBe4. So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.

Dave Bittner: [00:01:16] And we are back. Joe, why don't you kick things off for us this week?

Joe Carrigan: [00:01:19] This one comes from the Military Times, and they have a section called Rebootcamp. They had a story about one of their sites. The U.S. military has a program for servicemen and women called the Transition Assistance Program...

Dave Bittner: [00:01:30] OK.

Joe Carrigan: [00:01:30] ...Or TAP. And this is a program that helps people at the end of their service transition to civilian life.

Dave Bittner: [00:01:36] OK.

Joe Carrigan: [00:01:36] Right.

Dave Bittner: [00:01:36] Makes sense. Yeah.

Joe Carrigan: [00:01:37] Of course this program has a website. It's dodtap.mil.

Dave Bittner: [00:01:41] OK, .mil is generally the military - or that is a military...

Joe Carrigan: [00:01:46] Right, it's almost...

Dave Bittner: [00:01:47] ...Domain name.

Joe Carrigan: [00:01:47] I think it's exclusively U.S. military.

Dave Bittner: [00:01:49] OK.

Joe Carrigan: [00:01:50] If you go there, you will most likely get a certificate error because many DOD sites require the installation of their own root CA certificates.

Dave Bittner: [00:01:58] OK, what does that mean?

Joe Carrigan: [00:01:59] That means that the DOD doesn't trust people like Verisign. They have their own root certificates. They're usually installed on computers at the DOD and at a lot of contractor sites.

Dave Bittner: [00:02:07] Oh, I see.

Joe Carrigan: [00:02:08] Someone set up a website called dodtap.com This is presumably to lure in people who are going to dodtap.mil or should be going to dodtap.mil. And it then tries to collect some personal information from them and install malicious software.

Dave Bittner: [00:02:25] OK.

Joe Carrigan: [00:02:26] Right. I went there on a Chromebook...

Dave Bittner: [00:02:28] All right.

Joe Carrigan: [00:02:28] ...Right? - not on a Windows machine. And I got a voice prompt saying, to continue, click add to Chrome. It took me to a page that looked very much like the Chrome Web Store. I closed everything and walked away from this. This was obviously some kind of malicious site. I think it's still a malicious site.

Dave Bittner: [00:02:42] So they're trying to get you to install a Chrome extension.

Joe Carrigan: [00:02:45] Right. Yeah, and God only knows what that does. But the root of the problem here is the social engineering technique - that they're registering domains that look similar to other domains.

Dave Bittner: [00:02:54] Right.

Joe Carrigan: [00:02:55] And it all hinges on this thing called a top-level domain or TLD.

Dave Bittner: [00:03:00] OK.

Joe Carrigan: [00:03:01] And you all have seen TLDs. We've all seen them. But without getting technical, it's the last part of a domain name.

Dave Bittner: [00:03:08] Right.

Joe Carrigan: [00:03:09] And your computer reads these domain names backwards. So if I type in www.google.com, and my computer doesn't know where to find it, the first thing it does is it - it knows where the .com directory is. And it goes to the .com directory. And it says, where's Google? The .com directory says Google's here. And then it goes to Google and says, where's www?

Dave Bittner: [00:03:31] Oh, I see.

Joe Carrigan: [00:03:31] Right.

Dave Bittner: [00:03:32] OK, yeah.

Joe Carrigan: [00:03:32] So you can think of it as, like, the old phone books, right? You remember the old phone books - they had a...

Dave Bittner: [00:03:38] I do. Yeah, yeah (laughter).

Joe Carrigan: [00:03:38] They had three sections in them. They had the white pages. Then they had a little blue section for government pages. And then after that, there was another section of white pages that was businesses. If you wanted to look up a person, you'd look in the front; a government person, you'd look in the middle; and a business, you'd look in the back.

Dave Bittner: [00:03:52] Right.

Joe Carrigan: [00:03:52] Originally, there were only seven TLDs, top-level domains. There was the .com, .org and .net that anyone could register.

Dave Bittner: [00:03:59] Right.

Joe Carrigan: [00:04:00] There was .int - and these all still exist, by the way, of course.

Dave Bittner: [00:04:03] OK.

Joe Carrigan: [00:04:03] There's .int for international organizations that are formed by a treaty that require at least two people to be in the organization. And then there was .edu, .gov and .mil, which are pretty much only U.S. educational, government and military organizations.

Dave Bittner: [00:04:19] OK.

Joe Carrigan: [00:04:19] Then we started getting these country-level TLDs. These are all the two-level TLDs that we see. So, like, if you go to a page in the U.K., it'll usually end in .uk.

Dave Bittner: [00:04:29] Right.

Joe Carrigan: [00:04:29] And a lot of times, governments will maintain their own directory services and such so that they can allocate their own domain space within that. So a lot of times, you'll see, like, .com.uk, which is not a .com address. It's a .uk address. So your computer goes out to the .uk server, says, where can I find .com? And it goes to a different .com server that's different from the one when you enter something like google.com.

Dave Bittner: [00:04:53] I can't imagine how any of this could be confusing, Joe.

Joe Carrigan: [00:04:56] Exactly. That's kind of the point.

Dave Bittner: [00:04:58] (Laughter) Right.

Joe Carrigan: [00:04:59] Because this is so confusing and convoluted, it starts to be a great point for social engineering at times.

Dave Bittner: [00:05:04] Yeah. OK.

Joe Carrigan: [00:05:04] But there are now 1,500 top-level domains...

Dave Bittner: [00:05:08] Wow.

Joe Carrigan: [00:05:08] ...That we can all use. And let's say, for example, I wanted to spoof a military website. You know the first thing I would do?

Dave Bittner: [00:05:15] Go on.

Joe Carrigan: [00:05:15] I would register a domain using Mali's address, right?

Dave Bittner: [00:05:21] Oh.

Joe Carrigan: [00:05:21] Their top-level domain is .ml, which looks very similar to .mil. And anybody can register a domain name there. Some countries have actually monetized this. Like, Tuvalu sells all of their top-level domains because they end in .tv. And that's easy to remember, right?

Dave Bittner: [00:05:37] Oh, right. Right.

Joe Carrigan: [00:05:37] So they actually have a company that - they work with Verisign - where they've set up this thing. And they own 20 percent of the company, and they get 20 percent of the revenue.

Dave Bittner: [00:05:43] Right.

Joe Carrigan: [00:05:44] Some companies like Tanzania and Africa don't do that. You have to have a presence in Tanzania to get a .tz address.

Dave Bittner: [00:05:50] I see.

Joe Carrigan: [00:05:50] But Mali will sell it to you. So if I was going to attack a military address, I would go out and register a .ml address. If I wanted to defend a military address, I would do the exact same thing. I'd go out and buy that domain under the .ml address - top-level domain.

Dave Bittner: [00:06:06] Yeah, and we hear these stories about folks who go out and do that proactively.

Joe Carrigan: [00:06:10] Proactively. Exactly.

Dave Bittner: [00:06:10] They go and look for every possible variation that they can think of of their own domain name, buy them up so that someone else doesn't.

Joe Carrigan: [00:06:18] Exactly - so that no malicious actors can get in there. Like, to your point, Dave, Google - actually, if you put in three O's in Google, it'll take you right to google.com.

Dave Bittner: [00:06:27] Really?

Joe Carrigan: [00:06:28] Right. Yep, because Google has gone out and bought Gooogle...

Dave Bittner: [00:06:31] (Laughter).

Joe Carrigan: [00:06:31] ...And they redirected it back to their page. So...

Dave Bittner: [00:06:34] So how do you protect yourself against this, Joe? What's a...

Joe Carrigan: [00:06:37] As a user?

Dave Bittner: [00:06:38] Yeah.

Joe Carrigan: [00:06:38] You just have to make sure you're going to the right website. My best recommendation...

Dave Bittner: [00:06:41] Is it vigilance?

Joe Carrigan: [00:06:43] Vigilance...

Dave Bittner: [00:06:43] Yeah.

Joe Carrigan: [00:06:43] ...And I would say, just go to Google and search for the URL. Don't type it in yourself on this one. You know, I do this with a lot of my financial websites. If I want to go to a website and I don't have a bookmark for it, the first thing I do is I go and I search the site because they'll come up as the first hit on Google.

Dave Bittner: [00:06:59] I guess Google's pretty good at keeping the bad guys from bubbling up to the top.

Joe Carrigan: [00:07:02] Yeah, but it's not foolproof. Nothing's foolproof.

Dave Bittner: [00:07:05] Yeah.

Joe Carrigan: [00:07:05] The only solution really is vigilance.

Dave Bittner: [00:07:07] Yeah.

Joe Carrigan: [00:07:07] Vigilance on the part of the user - and if you own the domain that you think is going to get spoofed, go out and buy the spoofable copies of the domains, too. But you know, you can't buy them all.

Dave Bittner: [00:07:17] Right, right, right (laughter).

Joe Carrigan: [00:07:18] You really can't buy them all.

Dave Bittner: [00:07:19] There isn't enough money in the world to buy them all.

Joe Carrigan: [00:07:21] Right.

Dave Bittner: [00:07:21] Yeah. All right. Well, it's interesting. It's a good story. My story this week also has to do with Google. You know, Google has a home security system. By the way, I should mention this came from our friends over at Naked Security at Sophos.

Joe Carrigan: [00:07:34] OK.

Dave Bittner: [00:07:35] They have a home security system, which is part of the Nest line of products that Google bought up a few years ago. So this is a smart security system, right? You have a base station and little units around the house that you can put on windows and doors. And...

Joe Carrigan: [00:07:50] That's one that you can install yourself, right?

Dave Bittner: [00:07:52] Yes, you can. You can. You can sort of dial in how much you want it monitored or not or how much you want it to alert you - all that good stuff that these smart systems enable. So Google sent out a message to their users recently that said, good news. You can now use Google Assistant from your Nest Secure system. Now, Google Assistant, of course, is Google's smart device...

Joe Carrigan: [00:08:14] Right.

Dave Bittner: [00:08:14] ...Where you can say - you can summon the assistant, ask it a question or ask it to play a song or, in this case, you could ask it to enable the security system and so on and so forth.

Joe Carrigan: [00:08:24] Right.

Dave Bittner: [00:08:25] Well, this sounds like a good thing.

Joe Carrigan: [00:08:26] I'm not sure it is.


Joe Carrigan: [00:08:28] But old, suspicious Joe has his doubts.

Dave Bittner: [00:08:30] Yeah. So inquisitive users started wondering, how exactly does this Nest security system hear commands? It must have a microphone.

Joe Carrigan: [00:08:39] Of course. It has to have a microphone.

Dave Bittner: [00:08:40] Right. And Google said, oh, you mean this microphone...

Joe Carrigan: [00:08:42] (Laughter).

Dave Bittner: [00:08:44] ...The one we've been building into these devices, but didn't list it in any of the technical specs.

Joe Carrigan: [00:08:49] Oh, they didn't list it on the technical specs.

Dave Bittner: [00:08:51] No.

Joe Carrigan: [00:08:51] Ha.

Dave Bittner: [00:08:52] So...

Joe Carrigan: [00:08:53] Interesting.

Dave Bittner: [00:08:54] Yeah. It's active now, but good news - you can disable it if you choose.

Joe Carrigan: [00:08:59] (Laughter).

Dave Bittner: [00:09:01] So this is an interesting case here I wanted to talk with you about 'cause people are taking issue that none of the previous technical specifications for this device listed that it had a microphone built in.

Joe Carrigan: [00:09:11] Yeah. I don't know if that's an oversight or a deliberate omission, but that's not right.

Dave Bittner: [00:09:15] Well, the Google spokesperson - they said, the on-device microphone was never intended to be a secret and should've been listed in the tech specs. That was an error on our part (laughter).

Joe Carrigan: [00:09:24] OK. This is from Nest, though, right?

Dave Bittner: [00:09:26] Well, it's a spokesperson from Google, so...

Joe Carrigan: [00:09:28] Right, but is this a product that's like a legacy product from Nest?

Dave Bittner: [00:09:28] That's an interesting question, but I would say I think it's been around long enough that we can probably have Google be on the hook for this one (laughter).

Joe Carrigan: [00:09:39] Yeah, I - OK. I'm with you on this.

Dave Bittner: [00:09:41] You know?

Joe Carrigan: [00:09:42] Yeah. I'm not trying to excuse Google.

Dave Bittner: [00:09:43] No. I thought to myself, well, I'm surprised no one had discovered the microphone because what's the first thing that happens when any new device comes on the market? Somebody buys one up and...

Joe Carrigan: [00:09:54] Tears it down.

Dave Bittner: [00:09:54] ...Tears it down.

Joe Carrigan: [00:09:55] Right.

Dave Bittner: [00:09:56] I couldn't find any teardowns of this particular device. I did a couple of quick Google searches, searched on YouTube, all the usual places. And I couldn't find a teardown of this specific device. That surprises me.

Joe Carrigan: [00:10:08] There was a recent - I think it was HackerGiraffe who found a bunch of printers online, but also found Google Assistants open to the internet with Universal Plug and Play that when you connected to them, you could actually get in and look at the noise levels that the microphone was seeing.

Dave Bittner: [00:10:27] Oh, yes. That's - yeah.

Joe Carrigan: [00:10:27] You couldn't hear what was happening, but you could see the levels...

Dave Bittner: [00:10:30] Right.

Joe Carrigan: [00:10:31] ...To, you know - I guess you could extrapolate from that...

Dave Bittner: [00:10:34] Right.

Joe Carrigan: [00:10:34] ...Whether or not there are - somebody's home or not.

Dave Bittner: [00:10:35] Yes. Yes.

Joe Carrigan: [00:10:36] So...

Dave Bittner: [00:10:36] I did see a story about that.

Joe Carrigan: [00:10:37] ...I'm wondering if this has the same kind of vulnerability. I'm not sure it does. It's speculation on my part...

Dave Bittner: [00:10:41] Yeah.

Joe Carrigan: [00:10:42] ...Which are one of my favorite pastimes.

Dave Bittner: [00:10:43] Yeah, but curious, you know - part of why I wanted to include this is that I think this is kind of representative about shifting attitudes towards our privacy...

Joe Carrigan: [00:10:52] Right.

Dave Bittner: [00:10:53] ...That people are more and more feeling not OK with these sorts of capabilities being in devices without being informed about it first.

Joe Carrigan: [00:11:03] Right.

Dave Bittner: [00:11:03] Let me know that it's in there.

Joe Carrigan: [00:11:05] Right. Exactly.

Dave Bittner: [00:11:05] That way, when I'm making my purchasing decision, I can make a purchasing decision based on that - whether or not I want to include that. So...

Joe Carrigan: [00:11:12] Here's the most - I don't know if it's ironic or what, but the - I can actually see a legitimate reason to have a microphone on a home security system.

Dave Bittner: [00:11:22] Sure.

Joe Carrigan: [00:11:22] Right? Let's say that you actually have the - have a service where someone can talk to you while you're in your house...

Dave Bittner: [00:11:28] Right.

Joe Carrigan: [00:11:28] ...Or your security system goes off and then some security service provider is listening in to see what's going on in the household.

Dave Bittner: [00:11:34] Yeah.

Joe Carrigan: [00:11:35] Right? What's being said? Is somebody in danger? That's a legitimate use case to have a microphone on these things.

Dave Bittner: [00:11:40] Sure. And I think there are plenty of security systems that they sell that as a feature.

Joe Carrigan: [00:11:44] Right. Right.

Dave Bittner: [00:11:44] Also, as someone pointed out, it could be used for sensing a broken glass.

Joe Carrigan: [00:11:49] Yeah, a broken glass sensor - that's right.

Dave Bittner: [00:11:49] Sound of that sort of thing - yeah. Yeah.

Joe Carrigan: [00:11:51] Absolutely. No, I - but tell me it's there.

Dave Bittner: [00:11:54] Exactly, right.

Joe Carrigan: [00:11:54] Tell me it's there (laughter).

Dave Bittner: [00:11:55] Right. That's the point. I guess it's a tough oversight to forgive.

Joe Carrigan: [00:11:59] Yeah.

Dave Bittner: [00:11:59] When you're listing all the tech specs of something, the fact that something has a microphone...

Joe Carrigan: [00:12:04] And you don't put it in the tech specs.

Dave Bittner: [00:12:06] (Laughter) Right. Right. So that's my story for this week. It's time to move on to our Catch of the Day.


Dave Bittner: [00:12:15] Our Catch of the Day this week comes to us from a listener. His name is Kevin (ph). Kevin actually dropped off a postcard at our studios. Now that is fan dedication, Joe.

Joe Carrigan: [00:12:25] That is fan dedication.

Dave Bittner: [00:12:26] That is - he flew all the way across the country to deliver this postcard by hand. I'm kidding. He works here at DataTribe.

Joe Carrigan: [00:12:34] OK.


Dave Bittner: [00:12:37] But he brought it in and dropped it off at the studio. And this is a postcard, and it says FWT reference number, and it has a handwritten reference number on it. And it says, our attempts to reach you have been unsuccessful. Please call us at this number any time, day or night, to reschedule your delivery with our automated request system. FWT cannot accept calls from spouses, roommates or any person other than the name that appears on this notification. And on the side it says missed delivery notification. There is a - the most clip-art-looking bit of clip art that looks like a paper airplane, which I suppose is some sort of delivery thing. Here. Let me hand this to you. You can take a look.

Joe Carrigan: [00:13:15] OK. Let me look at this here.

Dave Bittner: [00:13:16] So I went and looked this up on Google. And...

Joe Carrigan: [00:13:18] Well, it's got a...

Dave Bittner: [00:13:19] Sure enough, it's a scam.

Joe Carrigan: [00:13:20] It's got a handwritten number on it, too.

Dave Bittner: [00:13:21] It does.

Joe Carrigan: [00:13:22] Yep.

Dave Bittner: [00:13:22] It's a scam. It is an attempt to get you to call them. So let's think this through. Someone comes to your house, and they miss a delivery. They're then going to leave, address a postcard and mail it to you.

Joe Carrigan: [00:13:36] Right.

Dave Bittner: [00:13:36] No.

Joe Carrigan: [00:13:37] No. They're going to...

Dave Bittner: [00:13:38] (Laughter) Going to leave something...

Joe Carrigan: [00:13:38] ...Put a Post-It note on my door.

Dave Bittner: [00:13:40] Exactly (laughter). Exactly. So evidently, this is a common scam that people are sending out these postcards. And they're trying to get a live one on the phone. You call them, and then off they go with you.

Joe Carrigan: [00:13:51] Should we call this number?

Dave Bittner: [00:13:53] Well, if we weren't in Maryland, we would (laughter).

Joe Carrigan: [00:13:55] OK. Yeah, that's right.

Dave Bittner: [00:13:56] But we can. It's not illegal here. But what's interesting to me is that there is expense that goes with this, right? They had to...

Joe Carrigan: [00:14:06] Yeah.

Dave Bittner: [00:14:06] They paid for a postcard, to have that mailed.

Joe Carrigan: [00:14:08] They paid for a postcard to get printed up. They paid for a stamp.

Dave Bittner: [00:14:11] Yeah.

Joe Carrigan: [00:14:11] They hand-wrote an address.

Dave Bittner: [00:14:14] Right. It must be worth the return that they're getting off of this. But if you go and look this up, there are lots of scams that follow this pattern of being sent a postcard that says you missed a delivery. And that's how they get you to call them back. And then once you're on the phone, then you start down the path with them. And I imagine, you know, they want you to pay something if you get a fake package delivered - or who knows? But...

Joe Carrigan: [00:14:37] Right. Well, I mean, if you call this number and then you enter this code, this reference number...

Dave Bittner: [00:14:44] Right.

Joe Carrigan: [00:14:44] I can imagine that happening first. I don't know what happens when you call this.

Dave Bittner: [00:14:47] Yeah.

Joe Carrigan: [00:14:47] But they immediately now have your telephone number as well as your address.

Dave Bittner: [00:14:50] Right. Right. And so like we've said before, some of this could just be a filtering process.

Joe Carrigan: [00:14:56] Right.

Dave Bittner: [00:14:56] They're looking for folks who are susceptible to these sorts of things.

Joe Carrigan: [00:14:59] Right.

Dave Bittner: [00:14:59] And we got a live one on the phone. Away we go. And who knows what they're going to hit you with next? But they know...

Joe Carrigan: [00:15:05] I really want to call this number, Dave.

Dave Bittner: [00:15:05] I know you do.

Joe Carrigan: [00:15:06] (Laughter).

Dave Bittner: [00:15:06] Well, tell you what. You call it. And we'll follow up next week. And you can tell us what happened. You can describe it.

Joe Carrigan: [00:15:13] I wish I knew where there was a payphone.


Dave Bittner: [00:15:17] Just borrow your wife's phone (laughter).

Joe Carrigan: [00:15:18] No. Can I borrow your phone, Dave? (Laughter).

Dave Bittner: [00:15:20] No, you may not. No, you may not (laughter). All right. Well, thanks very much to Kevin for dropping off this postcard for us. That is our Catch of the Day.

Dave Bittner: [00:15:30] Coming up next, we've got my interview with Matt Devost. He's from OODA LLC, and he's going to share some stories of impersonation, among other things. So stick around for that.

Dave Bittner: [00:15:45] But first, another message from our friends at KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course. But they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.

Dave Bittner: [00:16:34] And we are back. Joe, recently, I had the pleasure of speaking with Matt Devost. He is the head of a company called OODA LLC. He joins us to share some stories about impersonation and some other things that they do there at OODA. Here's my conversation with Matt Devost.

Matt Devost: [00:16:49] We've seen multiple types of impersonation take place, usually against high net worth individuals or folks that have some sort of celebrity status or influence. And it takes multiple different forms. The first is where they might set up some sort of presence or impersonation via an email address that is not affiliated with the individual. And in that instance, they're obviously trying to establish relationships, push a particular agenda. There's some kind of detailed examples I can give surrounding that as well. But it doesn't involve the compromise of any personal information. And the individual target does not know that this is happening, unless they're monitoring for it or somebody alerts it. Another type of impersonation is one that actually involves a direct compromise, typically of the email account for the individual that's being targeted, in which case they will study the habits of that person. They will study the manner in which they engage in business.

Matt Devost: [00:17:41] I've seen it multiple times in which it was used for engaging in fraud. And it was fraud around investment in international companies. So they might break into the email inbox for a person who is a high net worth individual. They see, what types of companies are they making investments in; who do they tell on their staff or in their family office to send the money in order to make those investments? And then using that person's legitimate email address, they generate a fraudulent request to that individual. They say, hey, I'm investing in this company overseas; I need you to wire money to XYZ; here's the bank account information and the transaction processes. And they continue to do that for as long as they can until they get detected.

Matt Devost: [00:18:23] In the cases that I've worked, the individuals actually spend months studying the target because what they want to do is develop a plan that has the highest probability of success. I've also seen them map it to the travel patterns of the person that they're impersonating. So if they know that they're getting ready to go on an international flight, or there might be some sort of anomalies in the way that they communicate or time zones, et cetera, they'll take advantage of that access to that person's schedule to try and time it in such a way that it might not be detected. I have also seen these attacks be persistent for months at a time before they were detected.

Dave Bittner: [00:18:56] Now, how does it happen that someone could be hanging out in my inbox and using it for these sorts of things, and I won't know about it?

Matt Devost: [00:19:04] Yeah, it's - typically, they're reading email, right? So they're studying habits and patterns. And then they are generating a message, you know, from your inbox the same way that you might via the web interface. And then any responses, they're going in and deleting them or immediately archiving them or kind of moving them out of the inbox. So it's a - dynamic monitoring is required - (laughter) right? - in order to kind of remove that message thread. But in these instances, it tends to be individuals that get high volumes of email. They don't get immediate attention. There is a window in which the attackers are able to go in and kind of manipulate the inbox to make sure that the response, you know, to a request is not being seen by the authentic individual.

Dave Bittner: [00:19:43] This notion of social engineering being used as a lure for kidnapping - can you take us through - what have you seen here?

Matt Devost: [00:19:49] Yeah. I've seen one case in particular that I'd like to highlight for folks where someone was impersonating a broker for a high net worth individual - you know, claiming to have this person in their network as a potential investor - and then also impersonating the high net worth individual themselves. It was a entrepreneur who had successful exits previously, you know, was a successful entrepreneur starting a new company that was looking to get funding. An individual reached out to them, saying, hey, I know you're trying to get funding; I'm happy to broker an introduction to this high net worth investor that I know; would you like that? They said sure. You know, anybody who's in that fundraising cycle is going to talk to anybody. The broker makes the introduction. Business plans get exchanged, et cetera. And it turns out that the attacker was impersonating not only the broker making

Matt Devost: [00:20:36] And where it gets really interesting is that the impersonator basically said, hey, I really like your business plan. This sounds like a weird request, but I've got to speak at a conference down in South America next week. How about you fly down? I've got this afternoon open. Let's spend the afternoon together. If I like your business plan, then I'll invest in your company. That individual is very, very close to buying a ticket and kind of hand-delivering themselves down to South America. Keep in mind they're already a successful business person, so a nice, lucrative target from a kidnapping perspective. Something - and this is what usually happens with social engineering - there was some gut intuition that caused the person to pause, caused them to try and reach out to this broker through an alternative mechanism and quickly discovered that the broker had not been communicating with them, had not facilitated this introduction and therefore, did not make the trip. So we didn't send a decoy down to see whether the person was, in fact, going to get kidnapped. But we felt like - that that was the intent - was to get the person kind of in country and deliver themselves to you. And then you've got them, you know, kind of under your control and are able to go through the kidnap and ransom process.

Dave Bittner: [00:21:39] Now, what sorts of preparations do you do when you're working with folks to help provide them with some resiliency when it comes to defending themselves against these things?

Matt Devost: [00:21:47] Yeah. There's a couple things that we recommend that will sound like common sense, but are not frequently implemented. The first is to have some resiliency in the processes that they use for transferring of money or authorization of funds transfer. We've seen, you know, very kind of fast and loose processes where a fund request, transfer request can be initiated via email with no callback verification, things of that sort. So when we say that, put some sort of process in place that has some resiliency that involves some sort of verbal communications where you can authenticate so that you don't have this instance where somebody just sends an email and is able to transfer $500,000 $800,000. Again, it sounds simple as encouraging these individuals to enable two-factor authentication for access to their mailboxes. In almost every instance, you know, having two-factor authentication enabled would have prevented the attacker from being able to get access to the inbox.

Matt Devost: [00:22:36] Another issue is that - you know, that is often a nexus for these types of attacks where an inbox is compromised is the reuse of passwords. One of those examples I gave you - the individual was using the same password for their email as on another social networking site. The social networking site had a compromise of credentials. The password was compromised. And the attackers were just going through the Rolodex of compromised accounts looking for individuals that looked interesting and then trying those credentials against other resources like mail accounts, et cetera. And in this instance, it was the same password on both accounts and thus, they got that unfettered access to the person's inbox. If two-factor authentication had been enabled, it wouldn't have been an issue. If they hadn't been reusing the password - wouldn't have been an issue. So it's simple steps that you can take to kind of protect your individual accounts and then some simple steps you can put in place to reduce the fraud component of this, which typically involves exploiting the wire transfer processes that these individuals have.

Dave Bittner: [00:23:33] You know, I'm curious that when it comes to high net worth individuals - and I'm thinking of high-level executives and so forth - you know, one of the most valuable resources they have is their time. And so it strikes me that they often have a lot of people who are helping them maximize the use of their time. They have people assisting them with, I guess, a lot of the things that, you know, you and I would be handling ourselves day to day. And I wonder. Does that make them more susceptible to these sorts of social engineering things to have more people involved with the things that they handle day to day? Does that provide avenues for folks to get in and take advantage of them?

Matt Devost: [00:24:07] I think it does. You know, it definitely contributes to these, what we'll call, kind of weak processes for how business interactions take place, you know, particularly around investments, where somebody is empowered to engage in a wire transfer based on email authorization alone. So that definitely contributes to it. I think also there's just also a lot of noise gets generated. I mean, we've seen other forms of impersonation, where an entity establishes a social media account for an influential individual that is not them and uses it to gather a lot of followers, then uses that to generate some sort of momentum towards a, you know, kind of work-from-home-type fraud schemes. You know, here's your best guide to becoming a millionaire like me. Click this link. And they've established, you know, 20-, 30,000 followers on this platform that all clicked the link. And that's just another instance of - for some of these individuals, there's so much occurrence of their name that takes place. There's so much activity out there that, unless they're actively monitoring, they're not likely to pick that up in the early instances of that impersonation taking place. So the busyness and the, you know, the noise that exists in the network just naturally based on who they are and the volume of mentions around their name, et cetera, certainly contributes to the problem.

Dave Bittner: [00:25:14] So what are your recommendations for folks who are just living their day to day lives, you know, not necessarily high net worth individuals? What sort of lessons can they take from the types of things that you've learned dealing with these types of situations?

Matt Devost: [00:25:25] Yeah. The lessons are relatively similar. I mean, we always encourage people to enable two-factor authentication. That's true for not only access to their mail and social media accounts but enabling two-factor authentication for access to banking accounts, et cetera. And then the other piece of it is a healthy dose of skepticism in their online interactions. If you are interacting with somebody and the offer seems too good to be true, it likely is. If it is a non-standard communication, you know, that you're receiving from your bank or a peer, it is likely to be fraudulent activity, right? - so to understand the ways in which the entities that they transact with will communicate with them, being skeptical, you know, making sure that they're not clicking on links and engaging, providing credentials into untrusted sites.

Matt Devost: [00:26:07] I mean, there's just a user awareness component of this. So there's some technical mitigations. Enable the two-factor authentication. And then there's some kind of social engineering resiliency that you can build up to make sure that you are at least applying a first order level of scrutiny on the incoming requests that are coming into your inbox.

Dave Bittner: [00:26:25] Joe, has anyone ever attempted a kidnapping on you?

Joe Carrigan: [00:26:28] No, Dave. I weigh too much.

Dave Bittner: [00:26:29] (Laughter).

Joe Carrigan: [00:26:29] That's kind of my defense against being kidnapped.

Dave Bittner: [00:26:32] I see. Just flop down on the ground.

Joe Carrigan: [00:26:34] Right.

Dave Bittner: [00:26:34] You're an un-draggable. Got it. OK, very good, very good. It's good. It's good - whatever it takes.

Joe Carrigan: [00:26:38] That is a terrifying angle to this. They were trying to lure this guy to South America, where kidnapping is, actually, kind of a business down there. And it has been for decades. We see these criminal organizations. Actually, organized crime is nothing new. But the level of organization that we're seeing in cyberattacks kind of is a relatively new phenomenon that we're - well, it's not really a phenomenon. It's natural order of things, I think.

Dave Bittner: [00:27:00] Yeah - but the ability to use social engineering to get you to deliver yourself to them.

Joe Carrigan: [00:27:04] Right.

Dave Bittner: [00:27:05] (Laughter).

Joe Carrigan: [00:27:05] Right - through business email compromise.

Dave Bittner: [00:27:07] Right. Right.

Joe Carrigan: [00:27:08] It's interesting. These things go on for months. And these attackers are studying your email-writing habits. We're seeing this more and more come up in these stories.

Dave Bittner: [00:27:16] Yeah.

Joe Carrigan: [00:27:16] And it's - you know, it's no longer amateurs doing it. Two-factor authentication helps a lot.

Dave Bittner: [00:27:21] Yeah. It also struck me. For example, like, if you're using Gmail...

Joe Carrigan: [00:27:25] Right.

Dave Bittner: [00:27:25] It will alert you if someone logs into your account from a new machine.

Joe Carrigan: [00:27:30] That's correct.

Dave Bittner: [00:27:30] Yeah. And so, to me, that seems very helpful.

Joe Carrigan: [00:27:33] Very helpful, indeed.

Dave Bittner: [00:27:34] Yeah. Yeah. But yes, two-factor - absolutely. I just think we're in an era now where if something's important to you, you can't just rely on a username and password. You have to have some sort of extra factor there.

Joe Carrigan: [00:27:45] Two-factor that.

Dave Bittner: [00:27:46] Yep.

Joe Carrigan: [00:27:47] The other thing - tighten up your processes. If you're a high-worth individual or you are in a business that's high-worth, have a process that says, whenever I'm transferring more than X number of dollars - whatever your risk level is - that that involves a phone call back to the person who requested the transfer.

Dave Bittner: [00:28:03] Right.

Joe Carrigan: [00:28:03] A simple thing like that can prevent many thousands of dollars from leaving your organization very quickly...

Dave Bittner: [00:28:08] Yeah.

Joe Carrigan: [00:28:09] ...Probably, never to be retrieved.

Dave Bittner: [00:28:10] We had a story that we talked about a few months ago, where someone was in the process of spending a lot of money for an organization. And the person who was being impersonated was just a few doors down the hall.

Joe Carrigan: [00:28:21] Right, right.

Dave Bittner: [00:28:22] (Laughter) Right. But they didn't bother to, you know - what finally put it to an end was someone walking down the hall and mentioning this request. And the person said, I didn't make that request.

Joe Carrigan: [00:28:32] Right.

Dave Bittner: [00:28:32] So yeah, absolutely.

Joe Carrigan: [00:28:33] That was the iTunes gift card.

Dave Bittner: [00:28:35] Google gift cards, I believe. Yeah. Yeah.

Joe Carrigan: [00:28:36] Google gift cards - right - because Google said - that's right because Apple would've said, we could help you. But Google said no.

Dave Bittner: [00:28:41] Something like that - I don't know (laughter).

Joe Carrigan: [00:28:41] Something like that - I don't know if Apple would've said they could help them. But the retailer wound up helping them.

Dave Bittner: [00:28:45] Right. Yeah. But your point is a good one. Almost every week we say this. Slow down.

Joe Carrigan: [00:28:48] Slow down, exactly.

Dave Bittner: [00:28:49] Yeah, yeah.

Joe Carrigan: [00:28:49] Slow down, cowpoke.

Dave Bittner: [00:28:51] That's right. That's right. All right. Well, again, thanks to Matt Devost for joining us. And we want to thank all of you for listening.

Dave Bittner: [00:28:57] And, of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts. And they're the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:29:14] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.

Dave Bittner: [00:29:23] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:29:40] And I'm Joe Carrigan.

Dave Bittner: [00:29:41] Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
KnowBe4 Logo

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music
Follow the CyberWire