The CyberWire Daily Podcast 3.4.21
Ep 1282 | 3.4.21

Happy Slam the Scam Day. Indian authorities continue to investigate grid incidents. CISA tells US Federal agencies to clean up Exchange bugs by noon tomorrow. Supply chain compromise.

Transcript

Dave Bittner: Indian authorities say October's Mumbai blackout was human error, not cybersabotage. CISA directs U.S. civilian agencies to clean up Microsoft Exchange on-premise vulnerabilities. More effects from the Accellion FTA supply chain compromise. Some trends in social engineering. Andrea Little Limbago brings us up to date on the RSA supply chain sandbox. Our guest is Brittany Allen from Sift on a new Telegram fraud ring. And happy National Slam the Scam Day.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 4, 2021. 

Dave Bittner: We open with a brief follow-up to the story of alleged Chinese cybersabotage attempts against India's power grid. The Indian government has said that while some hacking incidents remain under investigation and that there seems to have been some malware in some load dispatch centers, the big Mumbai blackout in late 2020 wasn't caused by saboteurs. India's Union Power Minister R.K. Singh has said that October's blackouts in Mumbai were the result of human error and not cybersabotage, the Times of India reports. He did confirm that there were attacks on load dispatch centers, but these were successfully contained and caused no outages. Against the backdrop of Recorded Future's report on RedEcho, Singh resisted offering attribution for the attempts, saying, quote, "We don't have evidence to say that the cyberattacks were carried out by China or Pakistan. Some people say that the group behind the attacks is Chinese, but we don't have evidence. China will definitely deny it." As, indeed, China has, with accompanying declarations of Beijing's general opposition to cyberattacks in all of their forms. The mention of Pakistan, by the way, is to be expected. Pakistan and China are India's two principal regional rivals. 

Dave Bittner: Anywho, maybe someone in Beijing should communicate that opposition to cyber misbehavior to whoever is running their Hafnium threat group. The U.S. Cybersecurity and Infrastructure Security Agency yesterday afternoon issued Emergency Directive 21-02, requiring federal civilian agencies to take immediate action to remediate the Microsoft Exchange on-premises product vulnerabilities currently under active exploitation. Agencies are directed to report completion by noon tomorrow. Microsoft has attributed the ongoing exploitation campaign to a Chinese government threat actor it tracks as Hafnium. 

Dave Bittner: The Accellion supply chain compromise has found its way into a security company's operations. Qualys disclosed yesterday that it had deployed Accellion's FTA server in a segregated DMZ environment as part of its customer support system. While the incident remains under investigation, Qualys is confident there was no effect on its production environments, codebase or customer data hosted on the Qualys Cloud Platform. 

Dave Bittner: Two current trends in social engineering are worth noting. Agari finds that capital call scams are growing more common in business email compromise attempts. And the pandemic is still with us, and so, Barracuda Networks reports, are scams using COVID-19 vaccine information as phishbait. 

Dave Bittner: And finally, today, Thursday, March 4, 2021, we're happy to celebrate National Slam the Scam Day, as proclaimed by U.S. Social Security Administration Inspector General Gail S. Ennis. What's all this about? Well, have you ever been called by the U.S. Social Security Administration and been threatened with arrest? Don't be shy. Raise your hand. We have. Once upon a time, they called one of our people and demanded to know his street address so they could show up and, quote, "put you behind bars," unquote, for abusing his Social Security number in illegal activity. Weird, right? You'd think if you are an American taxpayer living on the grid that the Social Security Administration wouldn't need you to tell them your address. Maybe you're wondering what kinds of crimes you might have used your Social Security number to commit. We were, too.

Dave Bittner: Perhaps we shouldn't have said that the Social Security Administration threatened a no-knock raid on us. More correctly, we should have said that someone claiming to be the Social Security police called to schedule the kicking-down of our front door. The background noise sounded sort of like a boiler room in a suburban Mumbai strip mall, but the guy said he was Special Agent Evan McCarthy, which sounds totally legit despite all the ringing and hollering in the background. Anyway, our guy is still waiting for Special Agent McCarthy to put the bracelets on him, but so far, no joy. He says, Special Agent McCarthy, come and get me. And that our local Social Security number perp remains at large - rested, tanned and ready, we might add, despite social distancing and sheltering in place - actually isn't surprising because, of course, Agent Evan McCarthy - and our apologies to any real Evan McCarthys who might be listening - is totally bogus. 

Dave Bittner: Apparently, the boys in the boiler room - and oddly, it occurs to us that we've never spoken to any of the girls from Social Security. The ladies seem to call us mostly about extending the warranties on our car. Apparently, the boys in the boiler room are encountering some skepticism, and they've hit on a new wheeze. The U.S. Social Security Administration - the real one, with a major office right on Security Boulevard here in greater Baltimore - warns that scammers are using fake government IDs to gain their marks' trust. They're texting or emailing images of the phony badges to potential victims. We thought at first these would be like a sheriff's badge you can buy in the dollar store's toy aisle, but turns out they're better. They're laminating themselves up some photo IDs with government logos on them, the kind you'd wear to gain access to an office building around D.C. that houses, say, the Bureau of Land Management or the Fish and Wildlife Service. But don't be fooled. 

Dave Bittner: We should say, by the way, that the police in India take these crooks seriously. Indian police regard these kinds of scammers as pernicious losers and sweep them up as resources and the rule of law permit. But there are relatively low barriers to entry in this particular criminal sector. And as one petty hood goes away, another tends to step up to the phone bank. 

Dave Bittner: And in fairness, it's not just India that spawns this kind of scam. Opportunity is everywhere, although fluency in English is a bit of a subcontinental specialty. So Slam the Scam and hang up on these jokers. You'll make Inspector General Ennis proud. And Inspector General Ennis, unlike Special Agent McCarthy, is totally legit. 

Dave Bittner: Brittany Allen is a senior manager and trust and safety architect at digital trust and safety firm Sift. I spoke with her over on our "Hacking Humans" podcast about a new fraud scheme her team is tracking on Telegram, taking advantage of food delivery apps. 

(SOUNDBITE OF ARCHIVED RECORDING) 

Brittany Allen: We've spent a lot of time learning about fraud in order to fight fraud. And one of the resources that we had been looking at before had been looking into dark web activity, seeing what happens with information that ends up there due to a data breach, see what's happening within these fraud groups. But there's an easier layer to access, and that is within these apps such as Telegram that are secure messaging apps or are privacy focused. And there is a lot of fraud activity within those groups. 

Brittany Allen: But basically, we were able to go into those groups, sort of learn the language, learn what they're talking about when they say that they have freshly spammed fools for sale, learn all of that info. And then we were able to find this emerging pattern of fraudsters who would agree to order food on behalf of other fraudsters at a heavily discounted rate. And we learned that that was just another little glimpse into the part of the fraud ecosystem - was that specific role. 

Dave Bittner: Well, let's go through the specific case here that you tracked. This is having to do with some on-demand food delivery services. Take a - walk us through this step by step. How does it work? 

Brittany Allen: Absolutely. So as I mentioned before, with the fraud ecosystem, all of the fraudsters have different roles to play. It's not like they do everything all of the time. And so there are these fraudsters who have advertised their service of, I will buy food for you on your behalf. They say what restaurants or what food delivery apps are their specialty. And then they say, at this rate, you can pay me via Bitcoin. It'll be a substantial discount. So maybe you're only paying 25 to 30 or 40% of the value of the food, so it's therefore pretty exciting or pretty attractive to you so that you can not have to spend a lot of effort on this ordering of the food and then also save a little money along the way.

Brittany Allen: But what they do is they advertise what they've got available. You, as this prospective diner, will reach out to the fraudster with a screenshot of what you want from that website. So you would pull up that food delivery app, let's say, add a whole bunch of things to your cart, take a screenshot, send it to the fraudster, make your payment via Bitcoin or whatever else they accept and then they will place that order on your behalf. And the next thing you know, you'll have your food delivered to you. You'll have pretty good plausible deniability just in case the food delivery app does catch on or try to investigate you because you won't have been the one that placed the order, but you'll still benefit in the end from getting the food. And it's just a sort of another level of service. And the fraudsters that are running the scam are the ones who specialize in knowing what are the current vulnerabilities with the delivery apps and the restaurants that I know are popular and will help me make money by facilitating these orders. There's a lot of variables behind that that you'll just see through these advertisements that are repeated again and again and again and again throughout these fraud channels on Telegram. 

Brittany Allen: And as more and more and more people are using these apps or as the membership of these fraud groups grow, that just takes more casual fraudsters and increases their comfort level with committing fraud and defrauding companies. And that is an emerging pattern that merchants really should be keeping an eye on because the barrier to entry of fraud is definitely dropped by the explosion of activity in these fraud channels.

Dave Bittner: That's Brittany Allen from Sift. There's more to our conversation. You can find that over on the "Hacking Humans" podcast. 

Dave Bittner: And joining me once again is Andrea Little Limbago. She's the vice president of research and analysis at Interos. Andrea, it's always great to have you back. I want to touch base today on a project that you are a part of. This is with RSA. Of course, the big conference is virtual this year. And you're helping them out with some things with their Supply Chain Sandbox. What's going on there? 

Andrea Little Limbago: Yeah, I know. Dave, thanks for allowing me to talk about this. This is some great work. It's organized by Beau Woods, who just does a ton of amazing work across the community. And you know, the mission of the Supply Chain Sandbox at RSA is really to up-level a participant's willingness and capabilities to - in addressing cybersecurity issues via the supply chain. And so the goal, though, was to make it fun, immersive, practical, all those aspects that you don't actually necessarily always associate with supply chains. Normally, when people think about supply chains, it kind of seems a little bit dry.

Dave Bittner: (Laughter). 

Andrea Little Limbago: You know, probably - that's probably an understatement. But really, you're trying to make it fun and informative. And I know SolarWinds has definitely heightened the awareness or concern over supply chain risk. But you know, they had it last year for the first time, and I'm helping hop on and organize that with a really great cross-section from industry and government as well. So it's, you know, nice - public, private sector working together. So it's always a nice example of that. But really, the goal is to make it a fun, entertaining experience for folks that are attending RSA. And it's - so it's part of RSA. And a different way that you'll be going in is all through virtual. But we'll have a variety of things from virtual Jeopardy. We've got some trivia games. We'll have some resource centers in case you want to read more and take a lot of that information home. So it's really - I think, hopefully it should be a really impactful and informative time that the community can learn from and then also provide a means for people who are interested in this kind of area to network and connect as well 'cause I think we're all missing connecting with people across community and meeting new people. And so this will also hopefully provide a way for folks who are increasingly concerned about supply chain security to connect as well. 

Dave Bittner: Yeah. Well, and as you mentioned, I mean, with SolarWinds - couldn't be more timely. And I suppose this particular exercise will get a lot more attention than it probably otherwise would have, thanks to what was happening in the news. 

Andrea Little Limbago: I think so. And you know, it's something that happened last year. The planning for this year is - you know, was - been in the works for a while. SolarWinds has just elevated it. And you know, honestly, we already have seen several different supply chain attacks since then that haven't been quite as elevated in awareness or making the headlines but still very much impactful. And you know, it'll be the digital supply chain but also looking at just the third-party risk as well. I mean, I think we all have heard everything from, you know, how fish tanks were the mode of compromise to HVAC systems to subcontractors. So it's really looking at the whole range of supply chain security risks that need to be aware of and then - in addition to, you know, keeping on top of what the various government policies are doing and then taking as well a global perspective in what's happening around the world in this area, too - so should be a lot of fun, should be really informative. For folks who are attending RSA, I strongly encourage them to swing by. It's going to have a lot of good interactive components and going to be a good way to interact and meet folks within the industry. 

Dave Bittner: What's the spectrum of expertise that you're hoping to attract here? I mean, is there something for the broad range, everyone from students through people who may have expertise in this area? 

Andrea Little Limbago: Yeah, I think so. And that's what we're - we're aiming to build it so that everyone at every level, both with professionally, whether you're a new student in the area to someone who's been in the community for a while and whether you're super technical or you're more on the policy side, really, it should be something for everyone there. At the end of the day, I mean, it's such a broad area of concerns that fall under the umbrella of supply chain risk and supply chain security that I think there'll be something for everyone there that - one, it'll expose them to areas that may be outside their wheelhouse, which I think is always a good thing. But there'll be - also be plenty of areas for those who are experts - so, you know, to highlight their expertise - and those that are, you know, more new to it to really learn a lot and see sort of what the range of opportunities might be for them if they want to work in this area. 

Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: Great, thank you so much. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - made to be strong. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.