Joe shares a story on the market economy of phishing. Dave explains how gamers are being taken advantage of on popular chat app Discord. The catch of the day included a little bit of showbiz razzle-dazzle. Our anonymous guest this week shares his efforts to keep his father from falling for online scams.
Bill: [00:00:00] The groups of people that do this - majority are criminal organizations, and they know how to social engineer elderly very, very well.
Dave Bittner: [00:00:09] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:27] Hello, Dave.
Dave Bittner: [00:00:28] We've got some good stories this week. And later in the show, we got a guest coming into the studio. He prefers to stay anonymous, but he's going to be sharing some stories of his attempts to keep his father safe online.
Dave Bittner: [00:00:43] But first, a word from our sponsors at KnowBe4 - so what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.
Dave Bittner: [00:01:12] And we are back. Joe, before we dig into our stories this week, we've got some follow-up.
Joe Carrigan: [00:01:16] OK.
Dave Bittner: [00:01:17] We've got a note from Perry Carpenter. He's a friend of the show.
Joe Carrigan: [00:01:20] At KnowBe4.
Dave Bittner: [00:01:20] Yep, from KnowBe4. And of course, Perry is the author of the book "Transformational Security Awareness." He wrote in. He says, hey, guys. Loved last week's show - fun and informative, as always. Thank you, Perry. He said, I wanted to give a bit more information about one of the items you covered last week. Joe mentioned a creative ad on Instagram that was designed to trick a user into clicking on an ad by making them think they had a hair on their phone. Well, guess what? There's actually a name for that kind of ploy; it's called a dark pattern. And as you can imagine, the use of such tactics has sparked quite a few debates in the design and UX communities over the past few years.
Joe Carrigan: [00:01:55] Interesting.
Dave Bittner: [00:01:56] I briefly discuss dark patterns in my book on Pages 108, 109 - for those of you keeping track at home. They are a way that designers and malicious actors can weaponize nudge theory or even create anti-nudges. At the end of the section, I list a few links for more information - very interesting stuff. Keep up the great work. So if you're interested in that sort of stuff, check out Perry's book "Transformational Security Awareness." This sounds like he digs into it with a little more detail.
Joe Carrigan: [00:02:21] Right. Thank you, Perry.
Dave Bittner: [00:02:21] Well, let's dig into our stories this week. Joe, why don't you kick things off for us?
Joe Carrigan: [00:02:26] Dave, today, I want to talk about a blog post from Or Katz over at Akamai. He has a good blog post on the economy of phishing.
Dave Bittner: [00:02:33] OK.
Joe Carrigan: [00:02:33] OK? So we're going to take a look behind the scenes at phishing. When you get that email, something has happened before you've gotten that email, and today we're going to talk about it. We'll put a link to the article in the show notes.
Dave Bittner: [00:02:44] OK.
Joe Carrigan: [00:02:44] I talk about the economics of the hacking community frequently because the hacking marketplace is an economy with all the same market forces in effect; supply and demand still have a very real impact in those illicit markets.
Dave Bittner: [00:02:58] Yeah.
Joe Carrigan: [00:02:59] Just like in any illicit market, right? It's no different from any other economy, even a legitimate one.
Dave Bittner: [00:03:04] Right.
Joe Carrigan: [00:03:05] And there are two clear groups in this economy on the supply side of this operation. And one of them are the developers, and these are the people who actually develop these kits and templates, right?
Dave Bittner: [00:03:16] OK.
Joe Carrigan: [00:03:16] Now, you think of kits and templates - these are templates for emails and templates for login pages. I have a template of an email allegedly from a bank or from an online service, and then I'm going to also match that up with a fake login page to harvest credentials.
Dave Bittner: [00:03:29] So I send you an email that's from - you know, allegedly from your bank.
Joe Carrigan: [00:03:33] Right.
Dave Bittner: [00:03:33] You get that email, you click through, and you go to the website that's also pretending to be from the same bank.
Joe Carrigan: [00:03:38] Correct. And it looks the same. And the website actually logs your username and password. It's actually a pretty simple thing to develop, but there are people out there who can't develop it because it does require a little bit of know-how about HTML forms and things of that nature.
Dave Bittner: [00:03:50] Right, right.
Joe Carrigan: [00:03:51] You have to make it look right, first off.
Dave Bittner: [00:03:53] Yeah.
Joe Carrigan: [00:03:53] And then you have to actually make it record the username and password. It's fairly trivial, but it does require some skill.
Dave Bittner: [00:03:59] Yeah.
Joe Carrigan: [00:03:59] So people develop these things, and then they hand them off to the sales organizations, right? Now, the sales organization provide the phishing kits, which includes the templates and the login pages and all that stuff, but they also provide other services, right? These guys - we're a full-service company. You need a place to host your fake login page? Well, we can provide you with hosting services. What about a script to send out all these emails? Do you need that? You know, you can write the email and develop it from our template, but then you're going to need help sending out these emails. Who are you going to send them to? We got an email list right here.
Dave Bittner: [00:04:31] (Laughter).
Joe Carrigan: [00:04:32] That's a full-service shop, Dave. There's a business behind this.
Dave Bittner: [00:04:37] Yeah.
Joe Carrigan: [00:04:37] Right? The article has a picture of phishing kits for sale. Guess how much a phishing kit costs.
Dave Bittner: [00:04:43] Oh, my goodness - $20?
Joe Carrigan: [00:04:44] $10.
Dave Bittner: [00:04:45] Wow.
Joe Carrigan: [00:04:45] You were within an order of magnitude, so that's good.
Dave Bittner: [00:04:48] OK.
Joe Carrigan: [00:04:48] It's amazing how cheap these are because you can - I guess you can sell these kits to, you know, a thousand people a month or something, and you make $10...
Dave Bittner: [00:04:55] Volume.
Joe Carrigan: [00:04:56] ...That's $10,000. Or maybe a year, I don't know. This phishing kit has a list of templates that it comes with. It can target RapidShare (ph). Interesting - it can target DeviantArt. Somewhere out there, somebody wants to buy and sell DeviantArt credentials. MySpace, Nationwide, PayPal, of course.
Dave Bittner: [00:05:11] Yeah.
Joe Carrigan: [00:05:11] All kinds of different stuff is on here.
Dave Bittner: [00:05:12] What's interesting to me is the sophistication that's growing with these.
Joe Carrigan: [00:05:17] Right.
Dave Bittner: [00:05:17] How polished these sites are.
Joe Carrigan: [00:05:20] Yeah. Yeah, these templates are getting better and better, right?
Dave Bittner: [00:05:22] And like you say, it's sort of a turnkey kind of thing. It's like buying a franchise, right? (Laughter).
Joe Carrigan: [00:05:27] Exactly. That's exactly right. It's like buying a franchise. It's like you're going to McDonald's.
Dave Bittner: [00:05:31] Right.
Joe Carrigan: [00:05:31] And you're going to say, I want to set up a McDonald's restaurant.
Dave Bittner: [00:05:34] Right.
Joe Carrigan: [00:05:34] You're just going to these guys and saying, I want to set up a phishing operation.
Dave Bittner: [00:05:37] Right. You need a French fryer? We got that.
Joe Carrigan: [00:05:38] Right.
Dave Bittner: [00:05:39] You need a big golden arches for out front? Yeah, what size do you need? We got that. Yeah (laughter).
Joe Carrigan: [00:05:49] Right. It's exactly the same thing, except you don't have to pay them a residual. Maybe it's even better than McDonald's.
Dave Bittner: [00:05:49] Maybe, except, oh, there's the whole illegal thing. But (laughter)...
Joe Carrigan: [00:05:51] Oh, yeah, yeah, yeah. That's right. There's always a chance of going to jail.
Dave Bittner: [00:05:53] Whatever. Yeah, you know - details.
Joe Carrigan: [00:05:55] Right, right. There are even criminals within this marketplace, right? And they're called rippers. And what they'll do is they'll go out and they'll buy a phishing kit, and then they'll rebrand it as their own and sell it for less...
Dave Bittner: [00:06:06] (Laughter) OK.
Joe Carrigan: [00:06:06] ...Those dirty rats.
Dave Bittner: [00:06:07] Yeah. Oh, boy.
Joe Carrigan: [00:06:08] You're breaking my heart, right? So the fact that there are these guys out there called rippers leads Katz to his next point, which is that branding is key. And these guys focus on their branding and how they manage their branding through signature development, right? So it's really the development style that is the branding on these things.
Dave Bittner: [00:06:25] So they build a reputation for...
Joe Carrigan: [00:06:27] Right.
Dave Bittner: [00:06:28] ...Quality, reliability, effectiveness, I guess.
Joe Carrigan: [00:06:31] Right. Yeah.
Dave Bittner: [00:06:31] Yeah.
Joe Carrigan: [00:06:32] They do that.
Dave Bittner: [00:06:32] Interesting.
Joe Carrigan: [00:06:33] Katz talks about one phishing kit called Chalbai...
Dave Bittner: [00:06:36] OK.
Joe Carrigan: [00:06:37] ...Which looks like a foreign word to me, so I did some work. I plugged that into the Google Translate, and it comes up as the Gaelic translation of Calvary...
Dave Bittner: [00:06:46] OK.
Joe Carrigan: [00:06:46] ...Which is the hill outside of Jerusalem where the Romans would crucify people...
Dave Bittner: [00:06:50] Right.
Joe Carrigan: [00:06:50] ...Right? - including Jesus.
Dave Bittner: [00:06:51] Poetic.
Joe Carrigan: [00:06:52] So I guess there's something in there. Akamai has seen this phishing kit on more than 1,700 domains since December. And then they have a chart that goes from, like, December to February of the finding of these domains because domains are really how you can find a more accurate count. It's a more stable metric.
Dave Bittner: [00:07:09] OK.
Joe Carrigan: [00:07:10] And it looks like if you were to do a linear regression on this, it would be a flat line maybe with a little bit of a slope up, right?
Dave Bittner: [00:07:16] Yeah.
Joe Carrigan: [00:07:16] And what does that mean? Well, that means that just about every day, on average, there is, like, somewhere between 10 and 15 of these domains being stood up with this one phishing kit on it, and that number is slowly increasing over time. So they're either gaining market share or they're growing with the market. It's an interesting look into the entire economy of these things. Phishing is not going away, right?
Dave Bittner: [00:07:37] No.
Joe Carrigan: [00:07:37] It's remarkably effective, and it works. And that's why it's being made into a commodity here that you can buy for essentially 10 bucks. And if you need additional services, they'll be happy to provide it for you.
Dave Bittner: [00:07:48] (Laughter) Yeah. All right. Well, that's interesting - interesting stuff, like you said. We'll have a link in the show notes to that one. My story this week was sent in by a listener named Mikaela, and it's about scammers taking advantage of people using Discord. Are you familiar with Discord?
Joe Carrigan: [00:08:04] I am on Discord.
Dave Bittner: [00:08:04] Oh, OK. So describe for our listeners what Discord is.
Joe Carrigan: [00:08:08] Discord is a chat client much like Slack, if you use Slack for development purposes. I know Slack's very popular. Discord, however, requires one login for all of your different channels that you're on. You can be on different channels for different topics. It's used heavily by gamers. Discord also has a voice option, so you can just join a voice chat or create a voice chat. People can come in and talk on their headsets, and that's why it's popular with gamers because you can talk with each other while you're gaming. You don't have to text.
Dave Bittner: [00:08:34] I see. So for games that don't have the built-in chat capability, this is a way for you to do that...
Joe Carrigan: [00:08:39] Right.
Dave Bittner: [00:08:40] ...Sort of side-channel.
Joe Carrigan: [00:08:41] Yep.
Dave Bittner: [00:08:41] This was sent in to us - it's actually a series of tweets by someone who goes on Twitter by the name @Splatter_Shah. And we'll have a link to this series of tweets, but they explain people who are getting scammed using the Discord app, and I'm going to sort of run through the description here. You'll get a DM from someone on your friends list in a group chat or someone on mutual servers. They say, don't click the link. And these DMs are coming in multiple forms. It comes to you from a friend, and it says, hey, you know, here's a way for you to get some free stuff.
Joe Carrigan: [00:09:14] Right.
Dave Bittner: [00:09:14] Click here, and you're going to get some free stuff, right? And like many of these scams, it uses a URL that looks similar to Discord. Instead of an actual Discord URL, it's discordgg.ga.
Joe Carrigan: [00:09:28] So it's like credential harvesting is the first step.
Dave Bittner: [00:09:31] Correct. Well, and I think that's really what they're after here. And they say you're going to be able to redeem some Nitro, which is, I guess, an online gaming currency...
Joe Carrigan: [00:09:41] OK.
Dave Bittner: [00:09:41] ...Kind of thing.
Joe Carrigan: [00:09:41] I'm not familiar with Nitro.
Dave Bittner: [00:09:42] Yeah.
Joe Carrigan: [00:09:43] I know that Discord has a client, and it also has a web version.
Dave Bittner: [00:09:45] Yeah.
Joe Carrigan: [00:09:45] So I guess they're trying to take you into a copy of the web version.
Dave Bittner: [00:09:48] Well, what it does is it takes you to a fake login page, and it looks exactly like Discord's actual login.
Joe Carrigan: [00:09:56] OK.
Dave Bittner: [00:09:56] So if you fall for this, you log in and presto change-o, they have your credentials.
Joe Carrigan: [00:10:02] And let me guess what happens next.
Dave Bittner: [00:10:03] Please. Yes.
Joe Carrigan: [00:10:04] Everybody - all your friends and connections start getting the same message.
Dave Bittner: [00:10:07] Exactly. Right.
Joe Carrigan: [00:10:09] I'm good at this, Dave.
Dave Bittner: [00:10:10] Yeah, yeah. You've been around the block once or twice.
Joe Carrigan: [00:10:13] (Laughter) Right.
Dave Bittner: [00:10:13] Yeah. So this is driven by a bot, and it goes through all your friend - basically everyone you know. It sends out the same message promising free stuff, and they get your account information. They change your username and password so you can no longer get into your...
Joe Carrigan: [00:10:27] Oh.
Dave Bittner: [00:10:28] Yeah.
Joe Carrigan: [00:10:28] Really?
Dave Bittner: [00:10:28] Yeah. Bad form, right? (Laughter).
Joe Carrigan: [00:10:30] Dirty. These - yeah, that is bad form.
Dave Bittner: [00:10:33] And they're gathering up these credentials to sell the credentials - big groups of credentials to sell online. So the recommendation here is - as we always say, what's the easiest way to prevent this, Joe?
Joe Carrigan: [00:10:44] Well, first off, don't click on the link.
Dave Bittner: [00:10:46] Yeah. Right. Yep. Good advice.
Joe Carrigan: [00:10:47] And here's my other advice. Discord offers two-factor authentication.
Dave Bittner: [00:10:50] Ding, ding, ding, ding, ding, ding, ding, ding, ding.
Joe Carrigan: [00:10:52] Use it. I use it. You should use it.
Dave Bittner: [00:10:55] That's right.
Joe Carrigan: [00:10:55] It's really simple.
Dave Bittner: [00:10:56] Yep. That is it. So if you are a Discord user, please, please, please go in and enable your two-factor authentication. That'll pretty much make sure that you're not going to be victimized by this sort of thing.
Joe Carrigan: [00:11:11] And their form of two-factor authentication is not SMS message. It's one of those time-generated codes with, like, Google Authenticator that...
Dave Bittner: [00:11:17] Oh, yeah.
Joe Carrigan: [00:11:17] ...You can use.
Dave Bittner: [00:11:18] OK.
Joe Carrigan: [00:11:18] So it's a little bit more secure than - actually, it's significantly more secure than an SMS message.
Dave Bittner: [00:11:23] Yeah.
Joe Carrigan: [00:11:23] When I give talks and I tell people, if you're going to do one thing now, I used to say use a password manager. That's - if you're going to do two things, I say use a password manager. But always - if you're going to one thing, I say just enable two-factor authentication.
Dave Bittner: [00:11:36] Yep.
Joe Carrigan: [00:11:37] Whatever form of two-factor authentication is available to you - it'll make you much more secure. Knowledge-based two-factor authentication is not very good. But if it's an SMS message, that's a lot more secure than not having it.
Dave Bittner: [00:11:49] Yeah. Yeah, absolutely. All right, well, those are our stories. It's time to move on to our Catch of the Day.
[00:11:55] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:58] Our Catch of the Day this week is courtesy of a friend of the show named Mickey (ph). This is the transcript of a Facebook Messenger exchange. This was started by a handsome man. It's one of those attempts at a romance scam.
Joe Carrigan: [00:12:10] Ah.
Dave Bittner: [00:12:11] And he is targeting a woman named Lily. So, Joe, I want you to play the part of the would-be scammer. And I'm going to play the part of Lily. The scammer is using the name Micheal William. It looks like he meant to type Michael, but...
Joe Carrigan: [00:12:25] Right, misspelt it.
Dave Bittner: [00:12:26] ...Got the E and the A wrong there.
Joe Carrigan: [00:12:27] Yup.
Dave Bittner: [00:12:28] Handsome, middle-aged, good-looking guy in the picture there, and kind of goes like this.
Joe Carrigan: [00:12:33] Hello. How are you doing?
Dave Bittner: [00:12:35] Micheal, is that the French spelling?
Joe Carrigan: [00:12:38] It's Arabic. How are you doing?
Dave Bittner: [00:12:40] Did Faza send you? Does he miss me?
Joe Carrigan: [00:12:42] Tell me where you are from.
Dave Bittner: [00:12:43] Oh, Micheal, I don't like to think about the past.
Joe Carrigan: [00:12:46] If you don't mind me asking, are you married with kids?
Dave Bittner: [00:12:48] I came close. I was once almost the queen of the United Arab Emirates before Faza's heart turned cold.
Joe Carrigan: [00:12:55] Oh, sorry to hear that. So tell me, where do you live now?
Dave Bittner: [00:12:58] Do you know what I do when I'm sad?
Joe Carrigan: [00:13:00] No. Tell me what you do when you are sad.
Dave Bittner: [00:13:02] I sing a song and do a dance.
[00:13:04] (SOUNDBITE OF MUSIC)
Joe Carrigan: [00:13:05] OK, why do you skip my questions? I ask where you are from. You didn't answer. Why?
Dave Bittner: [00:13:11] OK, here I go. (Singing) The minute you walked in the joint I could tell you were a man of distinction. I'm doing a little coochie-coo now.
Joe Carrigan: [00:13:21] What the (expletive) you talking about?
Dave Bittner: [00:13:22] (Singing) A real big spender.
Joe Carrigan: [00:13:24] Why can't you answer my questions?
Dave Bittner: [00:13:25] So good-looking, so refined.
[00:13:27] (SOUNDBITE OF FEET TAPPING)
Dave Bittner: [00:13:28] Now I'm tapping my way across the floor making circles with my top hat.
Joe Carrigan: [00:13:31] Can you (expletive) stop the joke?
[00:13:33] (SOUNDBITE OF MUSIC)
Dave Bittner: [00:13:33] Wouldn't you like to know what's going on in my mind?
Joe Carrigan: [00:13:36] No, not until you stop skipping my questions.
Dave Bittner: [00:13:39] It wasn't a question. That's the lyric to the song. OK, anyway, I'm doing a triple-time step with a quick ball change. And I'm about to hit you with my razzle-dazzle.
Joe Carrigan: [00:13:47] Maybe I won't chat you again.
Dave Bittner: [00:13:49] (Singing) So let me get right to the point.
Joe Carrigan: [00:13:51] That will be nice. Where are you from?
Dave Bittner: [00:13:53] For God sakes, Micheal, that's another lyric to the song. Can you stop interrupting my number? I don't pop my cork for every man I see - arm circles, jumping splits, quick costume change.
[00:14:03] (SOUNDBITE OF MUSIC)
Dave Bittner: [00:14:03] (Singing) Hey, big spender, spend a little time with me. Jazz hands, jazz hands, confetti.
Joe Carrigan: [00:14:11] When you are done with your (expletive) song, can you tell me...
Dave Bittner: [00:14:14] OK, I'm done with the song.
Joe Carrigan: [00:14:15] OK, where are you from?
Dave Bittner: [00:14:16] Where am I from, or where is the character in my next song from?
Joe Carrigan: [00:14:22] What the (expletive). Where are you from?
[00:14:22] (SOUNDBITE OF MUSIC)
Dave Bittner: [00:14:23] Yentl is from a small village in Poland.
Joe Carrigan: [00:14:25] I won't chat you again.
Dave Bittner: [00:14:26] OK, so picture me with short hair, wrestling with my love for a deeply spiritual man and my own love of forbidden learning. (Singing) Papa, can you hear me?
Joe Carrigan: [00:14:35] I promise you that.
Dave Bittner: [00:14:36] (Singing) Papa, can you see me - emoting and Barbara.
Joe Carrigan: [00:14:39] Are you done?
Dave Bittner: [00:14:40] Yes.
Joe Carrigan: [00:14:41] Sure?
Dave Bittner: [00:14:41] Mmm hmm.
Joe Carrigan: [00:14:42] So tell me where you are from.
[00:14:44] (SOUNDBITE OF MUSIC)
Dave Bittner: [00:14:44] Just kidding. I'll never be done with Broadway, and Broadway will never be done with me. (Singing) Papa, can you find me in the night?
Joe Carrigan: [00:14:52] OK, continue and never end. And forget chatting me.
Dave Bittner: [00:14:55] Razzmatazz.
Joe Carrigan: [00:14:57] (Expletive) you.
Dave Bittner: [00:15:02] (Laughter).
Joe Carrigan: [00:15:02] (Laughter) This is awesome. Mickey, you're brilliant.
Dave Bittner: [00:15:06] Yeah.
Joe Carrigan: [00:15:07] I love this a lot.
Dave Bittner: [00:15:09] (Laughter) I don't think Mickey can take credit for the actual interaction here. I think she found this and sent it on because somehow she knew we would appreciate it.
Joe Carrigan: [00:15:16] Right.
Dave Bittner: [00:15:16] And boy do we.
Joe Carrigan: [00:15:18] Yes, we do. I will tell you this. If you - it doesn't matter if you copy and paste this. Just doing this is brilliant. You're my hero of the week, Mickey.
Dave Bittner: [00:15:28] (Laughter) All right, well, that is our Catch of the Day. Coming up next, we've got a guest here in the studio. He prefers to be anonymous because he's going to be sharing some stories about his dear father and some of the ways that he's fallen victim to some scams. So we'll be talking to him next.
Dave Bittner: [00:15:47] But first, a message from our sponsors at KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:16:37] And we are back. Joe, we've got a guest joining us in the studio today. Would you like to introduce him for us?
Joe Carrigan: [00:16:43] Yes, this is Bill. Not his real name, but we're going to call him Bill for the sake of this interview.
Dave Bittner: [00:16:47] And he is a colleague of yours.
Joe Carrigan: [00:16:49] He is, yes.
Dave Bittner: [00:16:49] All right. And, Bill, what brings you here today?
Bill: [00:16:52] Well, I'm here to talk a little bit about scamming the elderly...
Dave Bittner: [00:16:55] Yeah.
Bill: [00:16:55] ...Which is something that actually happened to my father. My stepmom died after 26 years of marriage to my dad. And he's one of those that just didn't want to be left out, wanted to be involved, likes women.
Dave Bittner: [00:17:05] Ah.
Bill: [00:17:07] So, you know, he started looking at porn sites and things like that, but then somehow got involved with falling for, like, the Nigerian princess schemes and things like that. And so far, it has cost him somewhere between $50,000 and $100,000.
Dave Bittner: [00:17:22] Wow.
Bill: [00:17:22] He won't give the actual number, but based on how long he told me it would take him to get solvent again, it was at least $50,000.
Dave Bittner: [00:17:31] Wow. Let's dig into some of the actual events here. I mean, first of all, I think this is something that concerns many of us - most of us.
Joe Carrigan: [00:17:39] Right.
Dave Bittner: [00:17:39] You know, if - when your folks are still around and they start to get up there in years, and they have internet-connected devices...
Joe Carrigan: [00:17:46] Correct.
Dave Bittner: [00:17:46] ...And they're not digital natives, you know?
Joe Carrigan: [00:17:49] Yeah, this is all new to them.
Dave Bittner: [00:17:49] Yeah.
Joe Carrigan: [00:17:49] The territory is new territory.
Dave Bittner: [00:17:51] And they're trusting.
Bill: [00:17:52] Yes, they're very trusting. And quite frankly, the groups of people that do this, majority are criminal organizations and they know how to social engineer elderly very, very well.
Joe Carrigan: [00:18:04] Right.
Dave Bittner: [00:18:04] So take us through. How did this first come to your attention? At what point did he come to you and say, I need to have a conversation with you?
Bill: [00:18:12] Well, I actually had an incident a year prior before we had a second incident. I was seeing some of these emails, and I tried to explain to him what scamming was because he had asked some questions about some money he had sent. And I tried to explain to him on this one scenario, which was in Australia - so a couple of things were he's trying to help out these women that - you know, they're supposedly talking to him and everything like that because that's filling his need. And there's always a male intermediary somewhere in there.
Bill: [00:18:42] And this particular one was a case of, supposedly, an American woman who found out that her father that she did not know happened to be a multi-millionaire from the U.K. and had died in Australia. And what the issue was is that she was trying to get some of the assets transferred, and there were some costs involved from transferring it from Australia to the U.K.
Bill: [00:19:06] So in this case, they actually used the name of the actual attorney. But as I was trying to point out to my dad as we're going through this whole thing - because he had sent already several thousand dollars for her hotel rooms and things like that - is - all right, dad. So let's go to his website in Australia, and look. His mobile phone number is there. So if he is a businessman talking with you, why would he be using a different phone number? Well, that's his personal cell. Well, if he's a lawyer representing someone, why would he use his personal cell? Now, you have to understand my dad has been a businessman at his own company. He's been in the family business that he took over since 1942 - pretty intelligent guy.
Dave Bittner: [00:19:43] Right.
Bill: [00:19:43] When it comes to legal stuff, he's very familiar with the legal stuff. But I'm laying all this stuff out here why this is not right or sounding right because I said, listen, dad. If someone had $10 million in cash assets in Australia and they had to transfer it to the U.K., they're not going to - if they had 10 million cash, they're not going to charge you additional to send it. If you don't have the money, they'll subtract the charge off of that 10 million, so you're only going to get nine million nine hundred thousand - whatever. I said, there's no reason you have to give money up front for this stuff.
Dave Bittner: [00:20:14] Right. Well, your point, though, that he's not someone who just fell off the turnip truck - he's not a rube. Your dad's an intelligent guy with experience in business, and yet here he finds himself.
Bill: [00:20:25] Right, exactly. And that's the hard part because I'm like, this is so obvious. Why is he falling for this? And it's not just him because I'll go into the next scenario later. I laid everything out there for him to see that this wasn't - you know? And one of his comments, like - son, there's nothing wrong with helping people. And I'm like, dad, you're right. There's nothing wrong with helping people, but there's people you could help locally that you can actually meet in person...
Dave Bittner: [00:20:48] Right.
Bill: [00:20:48] ...Versus someone over the internet.
Dave Bittner: [00:20:49] So he feels good about himself that he's helping people out, and I guess that's the narrative he wants to believe in his mind.
Bill: [00:20:57] Yes, and I also think that there's a sexual portion of this because he thinks he's going to get something out of this from the females that he's helping.
Dave Bittner: [00:21:05] Right.
Joe Carrigan: [00:21:05] So it's got a romance scam element to it as well.
Bill: [00:21:07] Exactly, which is - being a lonely guy who is now, you know, 76 years old...
Dave Bittner: [00:21:12] Yeah.
Bill: [00:21:13] That's attractive to him.
Dave Bittner: [00:21:14] Yeah, so they're coming at him from that direction. OK, so you sort of work that through with him. And time passes, and then what happens next?
Bill: [00:21:23] Then what happens is I get a phone call on my phone from a detective in Texas who is trying to track down my father due to a scam that they've seen. They arrested someone down there. On his telephone, they found a bunch of contact information from a whole bunch of different people that had sent money. And that money, when it arrived, was turned around and sent to Nigeria.
Dave Bittner: [00:21:45] Wow.
Bill: [00:21:45] And so they were building a case on this.
Joe Carrigan: [00:21:47] If I get this phone call, the first thing I'm thinking is, oh, this is a follow-on scam, right?
Bill: [00:21:52] Correct. That's exactly what I did. So...
Joe Carrigan: [00:21:54] Right.
Bill: [00:21:55] ...Because, as you know, some of my connectivity and some of my special accounts that I have on government systems...
Joe Carrigan: [00:22:01] Right.
Bill: [00:22:02] I had the detective contact me at one of my government entities that I support through that because I kind of know that this entity - if they thought there was a scam running, they would jump in there.
Joe Carrigan: [00:22:13] Right.
Bill: [00:22:13] But sure enough, the detective followed on through with his business email that was legitimate with a telephone number and everything like that. And we started exchanging information that way, so that is how I kind of verified that this was actually a no-kidding detective in Texas versus, you know, another scam trying to...
Joe Carrigan: [00:22:29] And you can always call the person in Texas, too. You can look up the Texas - this was a police detective or a private detective?
Bill: [00:22:34] No, this was a police detective.
Joe Carrigan: [00:22:35] So you can look up the police department and call them directly.
Bill: [00:22:38] Right. Exactly. And he also was able to track down my brother - left messages there. My brother thought it was a scam, so he never bothered responding.
Joe Carrigan: [00:22:45] Right.
Bill: [00:22:45] So when he started adding - saying all these things that he had done, and then he was going to contact through a government - sending an email to a government entity, especially the three-letter one...
Joe Carrigan: [00:22:55] Right, right, right (laughter).
Dave Bittner: [00:22:57] Yeah. And so, again, if not for these scammers being caught, your father could have continued down the path even farther with them.
Bill: [00:23:07] Yeah, because this was one situation, and the other one where he actually called me up again was talking about a gold shipment. And before they were willing to release the gold shipment, they had to pay the storage costs. And I just listened to these things. I'm like, this is just not how trade works in the commodities market.
Joe Carrigan: [00:23:24] Right.
Dave Bittner: [00:23:25] And so what happens this time when you confront your father with this information? How does he respond?
Bill: [00:23:30] This time, he finally admitted how stupid he was.
Dave Bittner: [00:23:33] OK.
Bill: [00:23:33] But I will have to say, though, that based on some of his behavior, I actually called adult services in the state of Minnesota to see if they could launch an investigation into him, which they did. However, because he's not at threat for physically hurting himself, the state would not get involved. But they did come back and say, we think that you need to have a family intervention with him because obviously, we saw some things that are concerning, but we don't believe he's a threat to himself physically. And as such, we cannot get involved.
Dave Bittner: [00:24:04] So we're talking about just some mental health issues, things with - aging process, those sorts of things, where maybe he's not as with it as he was when he was younger.
Bill: [00:24:15] He has mentioned that. He said he doesn't feel his mind is as sharp as it used to be. But at the same time, I think it's that overriding fear of being depressed, being lonely, that he is getting something out of this, whether the person he's communicating is really a woman or not.
Joe Carrigan: [00:24:32] Right.
Dave Bittner: [00:24:32] Right.
Bill: [00:24:32] But he's getting something out of that that is driving him to continue on. And, you know, he's willing to take risks and send large amounts of money out there.
Bill: [00:24:42] In the case of the Texas thing, since this was being sent to Nigeria, you know, I started pointing them out and said, Dad, you're making yourself liable for potential criminal activity because if this is going to Boko Haram, which is an ISIS affiliate, I said, you have a choice. You either can go up there and tell them what an idiot you are for falling for this. Or if you try to - not try to say you're an idiot, you might be facing some potential time for supporting a terrorist organization. So I recommended to him he say that he's an idiot.
Joe Carrigan: [00:25:10] (Laughter).
Dave Bittner: [00:25:11] (Laughter) Yeah, I would imagine so.
Joe Carrigan: [00:25:13] I fell for a scam.
Dave Bittner: [00:25:14] Right, right.
Joe Carrigan: [00:25:15] I'm not supporting terrorists.
Dave Bittner: [00:25:16] So where does it stand now? I mean, you've been through multiple incidences with him. I'm sure you must be a little nervous that it's going to happen again.
Bill: [00:25:26] Yes. And, you know, my brother and sister and I all had a sit-down and a talk because how part of this came to light is he got himself financially strapped, and so he started going to my sister asking for the money for the mortgage that she owed him. That's another family situation, but essentially...
Dave Bittner: [00:25:45] Yeah.
Bill: [00:25:45] ...In 2006, my sister wanted to save money and so decided to stop paying him back for the loan on the house that - he loaned her money to build a house. She decided on her own to not pay it back anymore.
Dave Bittner: [00:25:57] Family stuff.
Bill: [00:25:58] Yeah, family stuff.
Joe Carrigan: [00:25:58] Right, right, right.
Dave Bittner: [00:25:58] Right, right (laughter).
Bill: [00:25:58] And so he wanted his money now.
Dave Bittner: [00:26:01] Yeah, and he needed his money now.
Joe Carrigan: [00:26:03] Right.
Bill: [00:26:03] Exactly. So...
Dave Bittner: [00:26:05] So - these scams have potentially burned through his nest egg...
Bill: [00:26:10] Yeah.
Dave Bittner: [00:26:12] ...His buffer, his comfort.
Joe Carrigan: [00:26:13] Yeah.
Dave Bittner: [00:26:14] So even that adds, you know, stress to members of the family that otherwise wouldn't have been there.
Bill: [00:26:19] Correct. And my brother and I at least are on the same sheet of music. We just said, you know, Dad, we love you. If this is what you want to do with your money, well, it's your money. I said...
Dave Bittner: [00:26:28] Yeah.
Bill: [00:26:29] ...So if you want...
Dave Bittner: [00:26:30] It's expensive entertainment.
Joe Carrigan: [00:26:31] Right.
Bill: [00:26:31] Yeah. And if you really want to get this - I mean, my brother and I at least we're pretty much on the same length because my brother said, well, Dad, did you actually get anything out of any of this stuff? And he's like, no. I'm like - and I just looked at him and said, well, Dad, you know, you can go to Nevada.
Joe Carrigan: [00:26:46] (Laughter).
Bill: [00:26:46] And you can pay and actually get something out of it if that's what you really want to do.
Dave Bittner: [00:26:50] (Laughter) Right, yeah.
Bill: [00:26:50] So there are opportunities of doing something like this without, you know, wasting all this money.
Dave Bittner: [00:26:55] Yeah.
Bill: [00:26:56] But we just said, you know, if you want our help, we'll offer our help. But if this is how you want to live your life, we're not going to stop you.
Dave Bittner: [00:27:01] What are your recommendations for, you know, friends and family and colleagues based on what you've been through? Do you have any tips for folks to check in on their own loved ones, to try to be proactive about these sorts of things?
Bill: [00:27:17] Your first sign is that they're spending lots of time on the internet communicating with other people. That's your first clue. And my dad, I could say, was probably a little bit internet addicted. I had seen - in the past, he'd had me come in to fix his computer. And I'd be cleaning off malware and stuff like that because of sites he had gone to. So I knew he was into that portion. How he actually started getting involved, I'm guessing through - he just started to decide to answer some of these emails that they sent out, you know, whether it be the Nigerian princess scam or...
Dave Bittner: [00:27:43] Right.
Bill: [00:27:44] ...You know, whoever. Once you start responding to those things, they're very good at - again, we talked about social engineering. They're very good at working the people over and, you know, creating them to be what they want them to be.
Dave Bittner: [00:27:57] Yeah.
Bill: [00:27:58] And I saw some of the emails. And they go between praise to almost threatening. So they really go across the different gamut of emotions.
Joe Carrigan: [00:28:06] Amazing.
Dave Bittner: [00:28:07] And there's no real hope of him getting any of this money back.
Bill: [00:28:11] There is zero hope of getting any of the money back, yeah.
Dave Bittner: [00:28:13] Yeah. All right, well, thank you for coming in and sharing these stories. I mean, it's obviously - it's heartbreaking that you and your family had to go through this. But I think it's a good cautionary tale for our listeners, first of all, to know that they're not alone if they've been through these sorts of things themselves, but also to get in there and check on your loved ones, to ask those questions. Make sure that they're not falling for these sorts of scams.
Bill: [00:28:40] Yeah, and it's not only just this scam. I mean, we've seen it with - I've done some talks with real estate brokers on that and how people have lost their entire nest egg because the title agency has been compromised. They get an email from the title agency. Hey, we have a change. You need to go ahead and send the money to this account versus the previous account. And so then they follow on through and follow those directions. And then they find out they sent it to the wrong people, and there's no hope of getting it back. So now they're out all this money as well.
Dave Bittner: [00:29:07] Yeah, yeah. Well, thanks again for coming in. It's really an interesting conversation. We do appreciate it.
Bill: [00:29:12] You're welcome. Thank you.
Dave Bittner: [00:29:13] And that is our show.
Dave Bittner: [00:29:14] We want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:29:30] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:38] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:56] And I'm Joe Carrigan.
Dave Bittner: [00:29:57] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world's largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new-school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros who have 16 other fires to put out. Learn more at KnowBe4.com.