Dave shares the story of a small community hospital dealing with a ransomware attack. Joe reviews the different types of extortion emails. The catch of the day is an inheritance scam from Canada. Carole Theriault interviews Craig Silverman from BuzzFeed about online reputation management companies.
Links to stories:
- How 4 IT technicians saved an Arizona hospital from hacker ransomware
- Extortion Emails on the Rise: A Look at The Different Types
Craig Silverman: [00:00:00] People should have the ability to push back against stuff that's not true, push back against stuff that's not fair. But the average person doesn't know how to do that.
Dave Bittner: [00:00:08] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:27] Hi, Dave.
Dave Bittner: [00:00:27] We've got some good stories to share this week. And later in the show, Carole Theriault returns. She's got an interview with Craig Silverman from BuzzFeed about organizations that do online reputation management. But first, a word from our sponsors at KnowBe4.
Dave Bittner: [00:00:44] So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.
Dave Bittner: [00:01:11] And we are back. Joe, I'm going to kick things off for us this week. My story comes from the AZCentral news organization. They're part of USA Today. And it's from reporter Jeannette Hinkle.
Joe Carrigan: [00:01:24] Ah. Hi, Jeannette.
Dave Bittner: [00:01:25] (Laughter) This story is titled, "How Four IT Technicians Saved an Arizona Hospital from Hacker Ransomware."
Joe Carrigan: [00:01:32] Awesome.
Dave Bittner: [00:01:33] So it starts off with a gentleman named Mike Nelson. He's an IT guy working at a local hospital, Wickenburg Community Hospital - a small community, about 8,000 residents. And this is a nonprofit, community hospital. He came in one morning to work, fired up his computer, and there, in the middle of the screen was the word Ryuk.
Joe Carrigan: [00:01:57] Ryuk.
Dave Bittner: [00:01:57] Ryuk. Ryuk.
Joe Carrigan: [00:02:00] Hm.
Dave Bittner: [00:02:00] I am familiar with this word, (laughter), from the reporting that we do over on the CyberWire.
Joe Carrigan: [00:02:05] OK.
Dave Bittner: [00:02:05] And this is not a word you want to see on your computer.
Joe Carrigan: [00:02:07] Ah.
Dave Bittner: [00:02:08] This is the name of a strain of ransomware.
Joe Carrigan: [00:02:12] Ah. OK.
Dave Bittner: [00:02:12] Sure enough, the hospital's computers had been hit with ransomware.
Joe Carrigan: [00:02:17] Oh, my gosh.
Dave Bittner: [00:02:17] They suspect that they'd been hit through a phishing email.
Joe Carrigan: [00:02:21] Probably.
Dave Bittner: [00:02:22] But they weren't sure. They still haven't been able to track it down. So they had a decision to make - what to do about this ransomware? First thing they did was they did a little research about what this ransomware was, how bad it was. And most of the asks when it comes to Ryuk were about half a million dollars in bitcoin.
Joe Carrigan: [00:02:41] Huh.
Dave Bittner: [00:02:42] And they quickly decided that they didn't have that kind of money.
Joe Carrigan: [00:02:46] Right. They probably don't have that kind of money laying around for any purpose, let alone paying a ransom.
Dave Bittner: [00:02:50] Right. Small community hospital. They just couldn't pay that kind of ransom.
Joe Carrigan: [00:02:53] Right.
Dave Bittner: [00:02:54] So they started over. Gentleman said, we threw the computer in the trash and started over from a software perspective. We sat down and decided, what is most important, what was absolutely needed, both short term and long term? And when I say short term, I mean in the next hour.
Joe Carrigan: [00:03:10] Right.
Dave Bittner: [00:03:10] And long term is the next 12 hours. (Laughter).
Joe Carrigan: [00:03:13] OK. These are different time horizons than I would consider short term and long term.
Dave Bittner: [00:03:16] I suppose. Yeah. Well, I suppose when you're in a hospital situation...
Joe Carrigan: [00:03:19] Exactly. When you're in a hospital situation, I guess those are your time horizons. Those don't seem unreasonable.
Dave Bittner: [00:03:24] He said that one of the lucky things was that none of the patient care systems were affected by the attack.
Joe Carrigan: [00:03:30] That's very good.
Dave Bittner: [00:03:31] Yeah. So it was the administrative things, billing, stuff like that. So they were fortunate that they had backups on tape. Now what does this mean, Joe? When you back stuff up on tape, what's going on here?
Joe Carrigan: [00:03:45] Well, actually, it means that there's a magnetic tape, you know, like the old cassette tapes that you and I used to listen to music on in our cars.
Dave Bittner: [00:03:52] (Laughter). Right, used to watch movies on, on VHS tapes.
Joe Carrigan: [00:03:54] Right. It's the same kind of tape, except it's designed - and there are devices that will write your computer data to this tape. It is a very slow way to get your data back, in terms of, like, if you need access to something right away. It's not going to be available right away. But it is a very cost-effective and overall effective way of backing up your data.
Dave Bittner: [00:04:14] Right. And they said here that these tapes were actually stored in a safe...
Joe Carrigan: [00:04:17] Ah.
Dave Bittner: [00:04:18] ...On site. And so there's something good about that because their backups were physically separate from the entire network.
Joe Carrigan: [00:04:26] Correct. They were not just encrypted with everything else.
Dave Bittner: [00:04:28] Right. And that's the thing that these ransomware folks do, is, quite often, they will look for the backups. They'll search around on the network. If the backup systems or backup hard drives or whatever are connected to the same network, they'll search those out and look to encrypt those, as well.
Joe Carrigan: [00:04:43] Yeah. When you're doing failure planning, a lot of times you'll get vendors who say, why have a tape backup when you can just, for about the same amount of money, have an absolutely hot backup right here that's always on the network? And when your RAID array, or whatever it is, your storage device, goes down, you can just go right over to the backup and actually start accessing files. That could become your live file system.
Dave Bittner: [00:05:04] Just throw a switch, and...
Joe Carrigan: [00:05:05] That's right. And it's a great solution to eliminate downtime. But it is not a good solution when you're against an adversary who is looking to destroy your data because it is always available and always online and always being backed up, and it's live. It's essentially just another file system. It's really not a backup in terms of malicious activity, like, particularly, ransomware.
Dave Bittner: [00:05:26] So I suppose, ideally, you'd want to have both.
Joe Carrigan: [00:05:28] Right.
Dave Bittner: [00:05:29] But of course, a situation like this, a community hospital, they have limited resources.
Joe Carrigan: [00:05:34] Right.
Dave Bittner: [00:05:34] They had a grand total of four people working in IT...
Joe Carrigan: [00:05:37] Correct.
Dave Bittner: [00:05:38] ...At this hospital. So...
Joe Carrigan: [00:05:39] That's the way a lot of these organizations run, is, they don't have a lot of money for IT. But I'll say they allocated their money properly. Rather than going with a hot backup, they actually went with something that could be stored offline and even off-site.
Dave Bittner: [00:05:49] Yeah. The story says that they got hit by the ransomware on a Friday, and the IT team worked around the clock all weekend long, and by Monday morning, most of the hospital was fully functioning again.
Joe Carrigan: [00:06:01] Amazing.
Dave Bittner: [00:06:01] Yep. So...
Joe Carrigan: [00:06:02] Well done.
Dave Bittner: [00:06:03] Yeah, hats off to them. I think they learned some lessons. They said they did upgrade their systems so that they're still backing up to tape, but they have a faster tape backup system than they used to have (laughter).
Joe Carrigan: [00:06:13] OK. You know, I guess that's probably an important upgrade to make. It's working. Your system worked. I'd like to know if they had tested their system in the past. It kind of sounds like they have. If they got a slow, older tape backup system to restore all the data in a weekend, it sounds like these guys have run through the drill before.
Dave Bittner: [00:06:32] Yeah. A lot of those old tape backup systems, I mean, they're built like tanks.
Joe Carrigan: [00:06:35] Right, they are (laughter).
Dave Bittner: [00:06:36] They are designed - they are slow and steady and reliable and - but just solid.
Joe Carrigan: [00:06:42] Yeah.
Dave Bittner: [00:06:42] Solid. One of the other interesting things they mentioned in here was - in this article was the possibility of putting honeypots in your network to attract the ransomware. What - do you have thoughts on that?
Joe Carrigan: [00:06:54] I think it's a great idea. You know, a honeypot is basically just a computer that sits on the network that no one should ever access, and when somebody does access it, that should fire off an alarm.
Dave Bittner: [00:07:04] And it's called a honeypot because...
Joe Carrigan: [00:07:06] You know, you catch more flies with honey.
Dave Bittner: [00:07:07] Right.
Joe Carrigan: [00:07:08] It lures them in. Because one of the things these attackers are going to do once they get inside your network is they're going to look to spread laterally and then escalate their privileges.
Dave Bittner: [00:07:15] I see.
Joe Carrigan: [00:07:15] So in the process of spreading laterally, they run the chance of going into a honeypot. Even touching that honeypot in any way, shape or form, in terms of a network connection, should set off some kind of alarm, even if they ping it, because your normal network traffic should absolutely never be talking to a honeypot. There's no reason for it to do that. But an attacker is going to see it and go, hey, what's that? And they're going to look at it. And even if they just look at it, that should be enough to trigger - to say, hey, something's going on.
Dave Bittner: [00:07:41] I see. All right. Well, again, hats off to the folks at Wickenburg Community Hospital. Sounds like they made the most of a bad situation. They had the right things in place.
Joe Carrigan: [00:07:49] Yep.
Dave Bittner: [00:07:50] And they were able to recover in a timely manner. And so it's a good, happy ending in a difficult situation.
Joe Carrigan: [00:07:57] Right.
Dave Bittner: [00:07:57] And thanks to Jeannette Hinkle from Arizona Central for the reporting she did there. Joe, that's my story this week. What do you have for us?
Joe Carrigan: [00:08:04] Dave, recently we have seen a new thing in malicious activity; it is fake exploitation spam and phishing emails. We've started - and when I say recently, I mean within the past year or so.
Dave Bittner: [00:08:15] Right.
Joe Carrigan: [00:08:16] And Lawrence Abrams over at Bleeping Computer has an article - we'll put a link in the show notes. The bad news in this article is that these kind of emails seem to be increasing. And Symantec warns that they are stopping more and more of these messages, which would indicate an increase in more of them going out. And the article has a really nice chart based on the data from Symantec. And there's a very clear trend upwards, and there's a huge spike in February of this year.
Dave Bittner: [00:08:40] Which I suppose means they probably work.
Joe Carrigan: [00:08:43] Right. They list a bunch of these different types of attacks. First, of course, we hear about the sextortion attack, right? Which is where hackers have a video of you while you've been visiting adult websites, they install malware that films you - send us money. These scams were remarkably effective when they first came out. They raked in $50,000. In some cases, however, these sextortion emails were sending out malware. So they had a link. So maybe - I don't know. There's not an example in the article, but maybe it's like, hey, here's a video of you looking at the porn site. Click on this link - and then Bob's your uncle - you've got malware on you. It's a malicious link, right?
Dave Bittner: [00:09:18] (Laughter) Right, right.
Joe Carrigan: [00:09:19] The next one, of course, is the hitman has been hired to kill you.
Dave Bittner: [00:09:22] Oh, yeah.
Joe Carrigan: [00:09:23] We've talked about this.
Dave Bittner: [00:09:24] Yeah.
Joe Carrigan: [00:09:24] The bomb threat extortion scam has a real impact because you can't sit idly by when you get a bomb threat, right?
Dave Bittner: [00:09:31] Right.
Joe Carrigan: [00:09:31] And of course panic ensues when that happens, and everybody has to evacuate the building. The police have to be called. And then of course it gets reported in the media. I don't know that anybody made payments to these. I hope nobody did.
Dave Bittner: [00:09:43] Yeah, it's a lot of, I guess, collateral damage for a bomb threat, yeah.
Joe Carrigan: [00:09:46] Right, right. I hope this one is not very productive. Here's one I like - the CIA investigation extortion email scams. We caught you with child porn on your computer, and I have all the evidence, and if you pay me $10,000, I'll delete the evidence from you.
Dave Bittner: [00:10:02] Right. And that - doesn't that one come from a CIA insider?
Joe Carrigan: [00:10:05] Right. Yeah, CIA insider, exactly. Now, the CIA doesn't do this kind of work.
Dave Bittner: [00:10:09] (Laughter).
Joe Carrigan: [00:10:09] So - but that doesn't stop people from trying to extort you using the CIA's moniker, right? Threats that you will be infected with WannaCry, DDoSed or - and have information sent to the IRS. This is one campaign that they were talking about. It was relatively new. The attackers threatened to install WannaCry, which is ransomware.
Dave Bittner: [00:10:27] Yeah.
Joe Carrigan: [00:10:27] They threatened to DDoS your network, and they say they found some tax documents that the IRS would like to see.
Dave Bittner: [00:10:36] (Laughter) So they're coming at you from multiple directions.
Joe Carrigan: [00:10:38] Right.
Dave Bittner: [00:10:39] Pressing that fear button.
Joe Carrigan: [00:10:40] Exactly. They're trying to push all the fear buttons. And for the small price of two bitcoins, this can all go away, right?
Dave Bittner: [00:10:46] Ah, very good.
Joe Carrigan: [00:10:47] Right. This is a fake scam. Sex tape extortion.
Dave Bittner: [00:10:50] OK.
Joe Carrigan: [00:10:51] Now, this one harkens back to years ago, when sex tapes were a big thing. You remember that? Everybody had a sex tape if you were anybody.
Dave Bittner: [00:10:58] I'm familiar with it.
Joe Carrigan: [00:10:59] Right.
Joe Carrigan: [00:11:02] The sender sends you an email saying, hey, you and I got busy years ago.
Dave Bittner: [00:11:06] OK.
Joe Carrigan: [00:11:06] And I secretly recorded it.
Dave Bittner: [00:11:08] Ooh.
Joe Carrigan: [00:11:09] And when you went to the bathroom, I stole all your passwords. And now I have your contact list and your passwords, and I'm going to send this video to all your friends unless you give me money.
Dave Bittner: [00:11:18] OK.
Joe Carrigan: [00:11:18] Now, this is where being an old guy who's been married for 25 years comes in handy.
Dave Bittner: [00:11:24] Right. Yeah, yeah. That's right.
Joe Carrigan: [00:11:26] Because I would quickly recognize this as a scam. Threats that they will ruin your site's reputation. That means they're going to start spamming using your domain as a part of the email, right? They're going to leave you negative reviews. They're going to submit nasty messages to other people's sites unless you pay approximately $2,400.
Dave Bittner: [00:11:43] I remember - the spamming with your domain name, I remember that being a thing back in the '90s...
Joe Carrigan: [00:11:48] Right.
Dave Bittner: [00:11:48] ...Where people would be - yeah. And spoofing your domain name.
Joe Carrigan: [00:11:51] You could get blackholed for that...
Dave Bittner: [00:11:53] Yes.
Joe Carrigan: [00:11:53] ...You know?
Dave Bittner: [00:11:53] Yes.
Joe Carrigan: [00:11:54] And this is the one that's most plausible to me...
Dave Bittner: [00:11:56] Hmm.
Joe Carrigan: [00:11:57] ...Because this is something that's technically very easy to do. It doesn't require a lot to do. So if somebody pays $2,400, I don't do these things. If they don't pay $2,400, then I go ahead, and I start spamming with their email. I start leaving negative reviews, and I start submitting crazy things on competitor sites with that domain. This is actually not that challenging and very plausible, actually. This might not be a fake scam. It might be real. I still say don't pay the ransom.
Dave Bittner: [00:12:23] Right.
Joe Carrigan: [00:12:24] What's interesting on this campaign that Bleeping Computer looked at, the scammers left a phone number. And they called the phone number, but it went straight to voicemail...
Dave Bittner: [00:12:31] Ah.
Joe Carrigan: [00:12:32] ...Which is funny.
Dave Bittner: [00:12:33] Yeah.
Joe Carrigan: [00:12:34] And finally, we have the U.S. State Police extortion scams, right? And this is a scam pretending to be from some state police from some U.S. state, whatever. The example they have in the article is from Tennessee. And the email recipient has been involved in another child pornography investigation. And the person who's sending you the email is retiring and offering to delete the evidence for $2,000 in bitcoin. I don't know about you, Dave, but...
Dave Bittner: [00:12:56] Another insider (laughter).
Joe Carrigan: [00:12:57] Right. Yeah, another insider. But I don't know very many police officers, but what I understand about police officers is when they get this kind of case, they don't have any mercy for the people that they're investigating.
Dave Bittner: [00:13:08] Yeah, that's true.
Joe Carrigan: [00:13:09] And it doesn't matter if you're retiring, I don't think that this is something anybody would do. It's very unlikely that somebody's going to, for $2,000, cover this up.
Dave Bittner: [00:13:18] Yeah.
Joe Carrigan: [00:13:19] This is absolutely a scam.
Dave Bittner: [00:13:20] Well, and I suppose it's more the - it's the fear of the accusation because...
Joe Carrigan: [00:13:24] Right. The fear of the accusation because it's a very serious accusation.
Dave Bittner: [00:13:27] Right.
Joe Carrigan: [00:13:27] Even the accusation can ruin your life.
Dave Bittner: [00:13:29] Right, exactly. Most people - I would hazard to say that the overwhelming number of people who would receive this scam notification have had nothing to do with child pornography...
Joe Carrigan: [00:13:41] Sure.
Dave Bittner: [00:13:41] ...In their life.
Joe Carrigan: [00:13:41] Right.
Dave Bittner: [00:13:42] So that's not the thing that scares them.
Joe Carrigan: [00:13:43] Right.
Dave Bittner: [00:13:44] It's not that, oh, I actually did this. It's that, I'm going to be accused of doing this.
Joe Carrigan: [00:13:47] Right. That's another terrible scam that can have real impact. But, you know, if you get this scam email, just relax - any of these scam emails - just relax. Slow down is what we always say. And remember, generally speaking, law enforcement will never contact you when they're coming to arrest you.
Dave Bittner: [00:14:05] Right (laughter).
Joe Carrigan: [00:14:06] They will not do that.
Dave Bittner: [00:14:07] They will not give you a heads-up, no. (Laughter). All right, well, it's an interesting list of stories, and we will have a link in the show notes. Joe, it is time to move on to our Catch of the Day.
[00:14:17] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:14:21] Our Catch of the Day comes from one of my CyberWire colleagues. His name is Bennett. He came in my office recently, and he handed me a letter that had been sent to his mother via the postal service. Couple of interesting things, it was sent from Canada - Canadian postmark on it - and sadly, my colleague's mother actually passed away about two years ago. So these folks, I guess, have an outdated mailing list, yeah.
Joe Carrigan: [00:14:47] Yeah.
Dave Bittner: [00:14:47] Yeah. But this is a letter, and it goes like this. Private and Confidential. Dear Miss Smith, I'm aware that this is certainly not a conventional way of approaching to establish a relationship of trust, but you will realize the need for my action. My name is Michael Burlington, an accounts manager with TD Canada Trust Bank. I retrieved your contact address in my search for the next of kin, for someone with the same last name to a deceased customer of our bank, engineer James Smith, an engineer and co-owner of a private electrical company for 13 years. Unfortunately, this customer died intestate in a ghastly car crash, leaving his bank account with an open beneficiary status. All efforts made by our bank to locate his relatives have been unsuccessful, so I decided to write you as I have monitored this account in the bank for three years now, and no one has come forth with any claim. Before his death, he had an investment deposit with my bank totaling the sum of $47 million.
Joe Carrigan: [00:15:44] Wow.
Dave Bittner: [00:15:45] Bank law states that after three years of dormancy with no activity on an investment account and no claim by any family or heir, the money gets confiscated or reverted to the government treasury as unclaimed. I would like to present you to our bank as his next of kin to claim the money. This transaction is 100% risk free, and I assure you that this transaction would be handled under due inheritance claim procedures, and every necessary legitimate arrangement will be put in place to make you the sole beneficiary of the funds. Please take note that this transaction requires all confidentiality at this stage, and I believe that you are ready to keep this absolutely discreet until after the successful transfer of the funds to your bank account.
Joe Carrigan: [00:16:27] Shh, don't tell anyone.
Dave Bittner: [00:16:27] Also, I have worked out all modalities to complete the transaction successfully. After we transfer all of the funds to you, we shall share the funds in a ratio of 50% for me, 50% for you.
Joe Carrigan: [00:16:40] Whoa.
Dave Bittner: [00:16:41] Reply via my private email address for further clarification, or you can leave a private number where I can reach you. If you send a fax, please include your first and last name and most importantly, your email address. If your response is positive, stating you are interested to work with me, I will provide you with my private cell phone number so that we could have a confidential conversation. Please also be kind to get back to me if you are not interested. Kind regards, Michael Burlington.
Joe Carrigan: [00:17:08] So this scammer is really greedy, going for a 50/50 split...
Dave Bittner: [00:17:12] Yeah.
Joe Carrigan: [00:17:13] ...Right? Normally we see them going, like, for 10%. But this guy is saying I'm going to take half the money that I'm trying to scam you.
Dave Bittner: [00:17:20] But it's interesting because it's half of the money that does not exist.
Joe Carrigan: [00:17:24] Well, of course.
Dave Bittner: [00:17:24] So you would think that that would lower the person's...
Joe Carrigan: [00:17:28] Incentive.
Dave Bittner: [00:17:29] Right, because if I'm going to get 90% of a fake $47 million...
Joe Carrigan: [00:17:34] Right.
Dave Bittner: [00:17:34] ...That's better than half of a fake $47 million (laughter).
Joe Carrigan: [00:17:37] Right. I mean, I get this. What's half of 47 million? Let's see, that's 23.5. This isn't worth my time.
Dave Bittner: [00:17:43] No, no.
Joe Carrigan: [00:17:44] Next letter...
Dave Bittner: [00:17:44] Next offer, please.
Joe Carrigan: [00:17:45] See, now this guy, this guy's offering me 90% of $40 million.
Dave Bittner: [00:17:50] Right.
Joe Carrigan: [00:17:50] That's still more than...
Dave Bittner: [00:17:51] Right. Good day, sir.
Joe Carrigan: [00:17:53] Right.
Dave Bittner: [00:17:53] Yeah. All right, well pretty standard stuff here, but it's interesting to me this is an actual letter sent out...
Joe Carrigan: [00:18:00] Yeah, that's fascinating.
Dave Bittner: [00:18:01] ...Through the postal service from Canada. I don't know what's going on with that. Does that make them - it seems - I don't know. That makes it an international crime, right?
Joe Carrigan: [00:18:09] Yeah (laughter).
Dave Bittner: [00:18:11] (Laughter) So I don't know. But at any rate, thanks to our colleague Bennett here for sending that in. That is our Catch of the Day. Coming up next, Carole Theriault joins us. She's interviewing Craig Silverman from BuzzFeed. She's going to be speaking to him about organizations that do online reputation management.
Dave Bittner: [00:18:29] But first, a word from our sponsors at KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing e-mails, of course. But they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:19:22] And we are back. Joe, it's always great to have Carole Theriault back on the show. And this week, she is speaking with Craig Silverman. He's from BuzzFeed. And they are talking about organizations that do online reputation management. Here's the story.
Carole Theriault: [00:19:37] So reputations, they are super important - always have been and always will be. And there's always been fraudsters and sharks out there who try to fool the rest of us. Craig Silverman, a media editor for BuzzFeed News, did a bit of digging on reputation management firms. And what he found out might surprise you, and not necessarily in a good way.
Carole Theriault: [00:19:59] Craig, really appreciate you making the time at short notice to come on the show.
Craig Silverman: [00:20:03] Hey, happy to be here.
Carole Theriault: [00:20:04] Perhaps we should start with setting the scene, so to speak. Tell me about Adrian Rubin, the real Adrian Rubin.
Craig Silverman: [00:20:12] Yeah, so the real Adrian Rubin is a man in his 60s from the Philadelphia area who is currently in prison. And he was someone who ran payday loan scams and was actually involved with some of those kind of most famous evil actor payday loan scammers out there. And he ended up turning on them, becoming a government witness. He also, with his two sons, ran a business that was selling worthless credit cards to low-income people. So he basically ended up getting about three years in prison after cooperating with the government a little bit. And so him and his two sons are all currently in different federal prisons right now, incarcerated and not out there, and, you know, apparently, you know, not spending much time on the internet because, of course, they're incarcerated.
Carole Theriault: [00:20:58] Right. If I Googled him, I should be able to find all this out.
Craig Silverman: [00:21:00] You should be able to. And in some cases, you know, you may find the press release from the attorney's office announcing his sentencing, announcing his plea deal. But what you're also going to find are a bunch of other results for Adrian Rubin, and not this guy. You might find an Adrian Rubin who claims to be a, you know, an entrepreneur. You may find other Adrian Rubins with different personas who have their own websites, who've done interviews on other websites, who are even in some cases placing sponsored content on reputable publications - you know, interviews with them. And what's happened is that we have, you know, I found at least three fake Adrian Rubin personas that had been created and that are now, very effectively, actually pushing down these real results of the real Adrian Rubin, replacing them with these kind of innocuous profiles of the Adrian Rubins who don't really exist.
Carole Theriault: [00:21:51] So it's kind of a bit like PR, isn't it - or public relations - where, you know, a firm might have got themselves into hot water and then try and put forward more positive news to try and bury the bad, so to speak. But in this case, what you're saying is the personas, or the things that they're putting out to try and fix their reputations are all fake or bogus.
Craig Silverman: [00:22:11] That's it. The idea here is to swamp search results on Google and elsewhere with these fake personas in the name. And all of these fake Adrian Rubin personas, they were in the Philadelphia area. So anyone searching for Adrian Rubin, Adrian Rubin from Philadelphia, the idea is that they get these fake personas. And if Adrian Rubin comes out of jail in, you know, in two years' time or so and he's looking to get started in business again and somebody goes to Google him, well, they're going to find the fake Adrian Rubins, so maybe they don't actually find the criminal history. And so the idea is to kind of suppress the real results for the real person, the negative results, and replace them with these more positive, innocuous results. So if the average person out there doesn't go past the first or second page of Google, they may never know what this person did in the past.
Carole Theriault: [00:22:57] Right. And, you know, so maybe this is a tough question here, but I understand that it can be super difficult for people who have once been incarcerated to try and find a place to live or a place to work. If you have no address, you can't get work. If you have no work, you can't get an address.
Craig Silverman: [00:23:09] Right.
Carole Theriault: [00:23:10] And it seems that reputation management here would be a useful thing to help control the hits on previous not-so-good stuff that might make people that would offer you a job, or has, uneasy. Do you have an issue with the model, the reputation management model, so to speak?
Craig Silverman: [00:23:25] No, I mean, I think there are obviously some good uses for it. And one of the ones people that I spoke to who work in this area that they often cite is, you know, what if you're running a business. And you're legitimate, and you're running a real business. But you have an interaction with a customer or a partner, and it turns sour. And that person decides they're just going to leave horrible, negative, false things about you on review sites and on your Facebook page and just, you know, start their own campaign to try and bring you down.
Carole Theriault: [00:23:51] Right.
Craig Silverman: [00:23:51] And this is something that definitely happens. And in that case, obviously, fighting back, getting those negative reviews removed if you can, making sure that good, quality, accurate results about you are higher than them is totally legitimate and totally normal. And I think there's also an argument to be made even in the case of, you know, people who got in trouble with the law. Well, you know, if it wasn't a major crime, if it's something that's happened far in the past, if you have, you know, spent years of your life building up a new reputation, doing new things, good things, positive things, you know, you should be entitled to have those things be front and center.
Craig Silverman: [00:24:25] Where it's a problem, for example, with Adrian Rubin, is, you know, he's still in prison. And this stuff is going on, wiping away what he did while he's in prison, presumably so that when he gets out, you know, he's got this clean slate. But when you've committed, you know, huge financial crimes, when you've committed other kinds of, you know, really dastardly things, should you be able to just wipe the slate clean? And this, I think, raises kind of a larger tension that a lot of us have online is so much of information out there is about us. And Google really determines what our reputation is based on what shows up. And you don't really control that. You know, you can go and live your life, but if somebody out there, you know, writes on a website with a pretty high ranking something that's, you know, not true about you or really nasty about you, you can't really control that. And there's a certain element here that people should have the ability to push back against stuff that's not true, push back against stuff that's not fair, but the average person doesn't know how to do that. And so that's why these (unintelligible) exist.
Carole Theriault: [00:25:23] Do you think these reputation management cowboys, do you think they're taking a big risk in using fake information to flood the news feed? I mean, why wouldn't they take real stuff? Surely he must have done some good things in his life at one point. Maybe that's too much work.
Craig Silverman: [00:25:40] Yeah. I mean, there's - one of the guys that I spoke to who provides this service and who, in fact, I connected to the Adrian Rubin profiles - even though he wouldn't admit it in any way - you know, he offers what he calls, you know, alter ego services as - and he said this - on his website, he says like half of his business. I think it's a shortcut, personally. I mean, yes, your reputation should be real things related to - actually to you. So to go out there and muddy the waters like this, I think on a core level, it is unethical. And when I spoke to different reputation management experts, some of them said yep, completely unethical, something I would never do. And then there are other people, like this one guy, who was like yep, it's totally a normal thing. And so there's no real industry rules. There's no real ethical regulations out there or legal regulations that really prevent this, although it's obviously against Facebook's rules for you to go out and create a fake Facebook account. So them doing this violates the terms of service on Facebook, on Twitter and on some of these places.
Carole Theriault: [00:26:36] Right.
Craig Silverman: [00:26:37] But this is happening at a level that they sort of have bigger fish to fry. So these guys are getting away with it. And at the core of it, yeah, I do think it's unethical. I don't think paying somebody to create a bunch of fake personas to suppress real things you did is a good and ethical thing to do.
Carole Theriault: [00:26:53] No, and I wonder if it falls under the making false statements legislation in the States - right? - because you're basically just lying. I don't think even the Fifth Amendment protects you or exonerates.
Craig Silverman: [00:27:03] I think in this case, unless you were using, say, these fake personas to spread libelous things about someone else, the chances of you getting any kind of legal satisfaction out of this is probably pretty slim. I mean, one, law enforcement may look at this and say, you know, this is unethical, but are they going to put resources into going after people for doing this? And so really what it comes down to in the end is are the social media networks and other places that don't allow fake accounts going to make any effort to take these down? And again, I think they're under so much pressure when it comes to, you know, information operations from either, you know, financially oriented actors or state actors that they look at this and see this as a relatively small thing. So, you know, that's good news for the shady reputation experts.
Carole Theriault: [00:27:48] I wonder, do you have any advice, or did you - do you have any findings on how to tell, you know, what this reputation management company is not ethical, not good? Because I'm guessing some of them are not sharing their shady practices with their clients.
Craig Silverman: [00:28:01] Yeah, I think that's true. Some of the questions you could ask is really about what are the rules for taking clients. And some of the people I spoke to said they don't work with people who are trying to scrub criminal histories, and that was a blanket rule for them. Others don't seem to have a problem with that. So if you think that's something they shouldn't be doing, you should just ask. You know, who will you not work with, what are your rules around clients? And then the second is, you know, really your tactics and your approach. I think now that we know this persona stuff, this alter ego stuff is out there, if you want to ask someone and say what is your policy with alter egos without sort of tipping your hand to say that you think it's something that they shouldn't do, maybe they'll answer you and tell you that. So I think getting a sense from them of what their guardrails are and their guidelines are makes a lot of sense. And of course, like with any kind of consultant you might hire, get some references and see what kind of campaigns they've done for other people and see who they're referring you to.
Craig Silverman: [00:28:50] And I think in a lot of these cases, at least the ones that I wrote about, this stuff was being done with the full knowledge of the client, and the client had sort of signed off on it. And that was sort of their argument to me. It's like hey, this is something the client knows about, that they've approved, and they're OK with. And so if you have an unscrupulous client, that unscrupulous client can certainly find some reputation management experts to work with them. So then it's a question of the consultant you're working with, have they ever done that is I guess what you want to know if it's not something you're going to ask them to do.
Carole Theriault: [00:29:18] Yeah, and maybe we can ask other aboveboard reputation management firms to call out the bad eggs in their industry.
Craig Silverman: [00:29:24] I think this is one of the things that, as an industry, they need to kind of look at. With everybody I spoke to, I said hey, are there standards? Are there ethical guidelines? Are there professional organizations that are trying to encourage good behavior? And the answer to all of those things was no. And so if you are a reputational practitioner, you know, what can you do to help improve, you know, ironically, the reputation of your reputation industry so that these bad players aren't the ones out there looking, and people can't tell the difference between the good from the bad? So I think there is an argument for these consultants themselves to really step up and do something to help consumers and the average person figure out who's good and who's bad.
Carole Theriault: [00:30:01] Yeah, I think that's excellent advice. Until they start doing that, I feel I have to tell all our listeners, keep your wits about you. You know, you never know. You don't want to be duped by these kind of people. And you do want to be duped as someone who's looking on Google to try and find information about somebody and be duped by the fake profiles that might be up there.
Craig Silverman: [00:30:20] Absolutely. One simple thing that everybody should learn to do, not just for this context but for so much online, is learn how to do a reverse image search. If that's not something you've done before, go ahead and, you know, Google reverse image search. And there's a lot of simple tools out there. It just takes a couple of clicks of a mouse in most cases. And that was one of the easy ways that I could see that these personas were not real is they were just using stock images for these people. So think about the image. Think about the context, and go past those first few pages of Google when you're trying to learn about somebody or a company or something.
Carole Theriault: [00:30:51] There we go. Craig, this was awesome. Thank you so much for all that advice and information.
Craig Silverman: [00:30:55] Awesome, thank you.
Carole Theriault: [00:30:56] This was Carole Theriault for Hacking Humans.
Dave Bittner: [00:31:00] All right, Joe, what do you make of all this?
Joe Carrigan: [00:31:01] That's interesting. I will tell you this. While we were listening to that interview, I went ahead and Googled Adrian Rubin. And the real Adrian Rubin that Craig Silverman is talking about here shows up as, like, the first two or three pages of Google results.
Dave Bittner: [00:31:14] Google has his number.
Joe Carrigan: [00:31:15] Yeah, so it sounds like after this story broke that Google investigated this or did something, I don't know. Maybe just the fact that this story breaking has pushed these other stories to the top. I don't know how this works. Nobody really knows how that works. That's...
Dave Bittner: [00:31:29] Yeah.
Joe Carrigan: [00:31:29] ...Part of the problem. One of the links on the first page is a link to one of Craig Silverman's tweets about Adrian Rubin, and it's talking about a Dr. Adrian Rubin, who is a female climatologist, obviously to throw you off the track of the real Adrian Rubin that you might be interested in. But this person doesn't exist. It's a picture from Shutterstock. It's very interesting. Here we are again in the situation where we're having technology that has far outpaced any regulation or any laws that we could possibly write. This is relegated to the field of ethics. And of course, there are differing opinions on what's ethical and what isn't.
Dave Bittner: [00:32:03] Well, I was thinking, you know, if we rewind to the good, old days...
Joe Carrigan: [00:32:08] Right.
Dave Bittner: [00:32:08] ...Would there be a problem if I put a fake listing in a phonebook...
Joe Carrigan: [00:32:13] Right.
Dave Bittner: [00:32:13] ...You know? If I put a classified ad in there for, you know, Joe Carrigan, ornithologist, you know...
Joe Carrigan: [00:32:21] Right.
Dave Bittner: [00:32:21] ...Is there any problem with that? I don't know the answer to that.
Joe Carrigan: [00:32:24] Yeah, I mean, I think it's vastly different because that's kind of temporal, right?
Dave Bittner: [00:32:28] Yeah.
Joe Carrigan: [00:32:28] It's going to be in an issue of a paper, and then it's going to be gone.
Dave Bittner: [00:32:31] Yeah.
Joe Carrigan: [00:32:32] These tend to be a little more long-lasting, I think.
Dave Bittner: [00:32:35] Well, yeah, but you have a phonebook for a year, at least...
Joe Carrigan: [00:32:38] Right.
Dave Bittner: [00:32:38] ...Right?
Joe Carrigan: [00:32:38] Right.
Dave Bittner: [00:32:38] Right, yeah. I'm just - I'm trying to think of this notion of technology outpacing the law. I guess this stuff just didn't pop up because it was a different way. You didn't need to.
Joe Carrigan: [00:32:48] Yeah.
Dave Bittner: [00:32:48] This reminds me of search engine optimization...
Joe Carrigan: [00:32:51] It is a form of...
Dave Bittner: [00:32:52] ...You know...
Joe Carrigan: [00:32:52] ...Search engine optimization.
Dave Bittner: [00:32:53] ...And all of the shadiness...
Joe Carrigan: [00:32:55] Yeah.
Dave Bittner: [00:32:55] ...That is associated with that, particularly when all these things first popped up, you know?
Joe Carrigan: [00:33:00] Right, yeah. And I think those whole organizations are shady, and they - I'll get your website to the top of the Google search results.
Dave Bittner: [00:33:07] Right.
Joe Carrigan: [00:33:08] And then this is just the exact same thing, but I'll push any news results about you to the bottom of the Google search results.
Dave Bittner: [00:33:14] Yeah, yeah, trying to understand the black magic and voodoo behind...
Joe Carrigan: [00:33:18] Right (laughter).
Dave Bittner: [00:33:18] ...How the algorithms work.
Joe Carrigan: [00:33:20] And like I said before, nobody knows how they work. But people can game them, I guess.
Dave Bittner: [00:33:24] Yeah.
Joe Carrigan: [00:33:25] Reverse image search is a great tool for trying to find these things for now. In the near future, it's going to become irrelevant because to create a fake profile, you will create a fake person, just like the site thispersondoesnotexist.com, which if you go to that site, every time you reload that page, an AI-generated picture of a person shows up.
Dave Bittner: [00:33:44] Yeah.
Joe Carrigan: [00:33:44] And it's remarkably good, you know? Sometimes you get them, they look a little weird. But it's - by and large, it's very good. And that's going to be the end of using reverse image search to find people.
Dave Bittner: [00:33:56] Mmm hmm. All right, well, again, thanks to Carole Theriault for joining us this week. And thanks to Craig Silverman from BuzzFeed for speaking to her. We want to thank you for listening to this week's episode.
Dave Bittner: [00:34:07] Our show is sponsored by KnowBe4. They are the social engineering experts and the planners of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:34:22] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:34:30] The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:34:48] And I'm Joe Carrigan.
Dave Bittner: [00:34:49] Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.