Hacking Humans 8.2.18
Ep 10 | 8.2.18

Luring unsuspecting money mules.


David Shear: [00:00:00] If it sounds too good to be true, it almost always is. You should not be taking checks or packages or anything like that. If they do very little to really verify your identity, I would always say that's suspicious.

Dave Bittner: [00:00:12] Hello, everyone, and welcome to The CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire, and joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:32] Hi, Dave.

Dave Bittner: [00:00:33] As always, we've got some fun and interesting stories to share. And later in the show, we speak with David Shear. He's from Flashpoint, and he's going to tell us about people getting drawn into money laundering schemes. But before we jump into all that, a quick word from our sponsors at KnowBe4.

Dave Bittner: [00:00:54] Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill, a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary doughnuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate. But you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training.

Dave Bittner: [00:01:30] And we are back with some interesting stories to share. Joe, you're up first this week. What do you got?

Joe Carrigan: [00:01:34] That's right. I got something from Kaspersky. Kaspersky Lab has discovered the distribution of an unusual fraudulent scheme that tricks users into parting with their time and their data for nothing.

Dave Bittner: [00:01:47] OK.

Joe Carrigan: [00:01:48] So here's how this works. They create fake websites that purport to generate free gift card codes for major sites like Amazon, Google Play, iTunes and Steam, right? Those are all big places that have gift cards that are highly sought after. And there are some places out there that will legitimately reward you with this. But this is a scam, where it comes across - they say, here's an opportunity for you to get free gift cards; just follow this link.

Dave Bittner: [00:02:14] OK.

Joe Carrigan: [00:02:14] So when you get to the link, when you follow the link, the very first thing you're asked is, hey, you're here. What kind of gift card do you want? And you go, oh, I like Amazon stuff. I'll pick an Amazon gift card.

Dave Bittner: [00:02:25] Right.

Joe Carrigan: [00:02:25] And that's when the fraudulent mechanism is set into motion, and the game is on.

Dave Bittner: [00:02:30] All right. What happens next?

Joe Carrigan: [00:02:31] What happens then is in order to get the code, you need to prove that you're not a robot, right?

Dave Bittner: [00:02:39] OK.

Joe Carrigan: [00:02:39] So we're going to start sending you through places. And every time we send you through someplace, you're going to start clicking on things, and you're going to start providing me with your information. You're browsing stuff. You're going to start getting linked to third party sites, which is collecting this data.

Dave Bittner: [00:02:53] So just so I'm clear - so they're saying that we're looking forward to giving you this gift card, but first, in order to do that, we need to prove that you're not a robot.

Joe Carrigan: [00:03:02] Right. That's the first step. Then it gets on to where you have to go through a whole matter of web gymnastics, right? Like, you might be asked to fill in a form, leave a phone number or maybe an email address, subscribe to a paid SMS service or, maybe even install some adware, right?

Dave Bittner: [00:03:17] And all this is under the guise of proving you're not a robot.

Joe Carrigan: [00:03:20] Right, and getting the free gift card.

Dave Bittner: [00:03:21] OK.

Joe Carrigan: [00:03:22] Yep, as a reward. So here's what happens. Either the victims get tired of this and they just terminate it and go, the gift card isn't worth this much trouble.

Dave Bittner: [00:03:31] Right.

Joe Carrigan: [00:03:31] Right? But even if you've clicked on it and you've started going through, you've already given up some of your data in terms of cookies and things like that. Not a lot but, you fill in a form, you actually have given them data, right?

Dave Bittner: [00:03:42] Right.

Joe Carrigan: [00:03:42] If you leave an email address or a phone number, this is all data that's valuable that they can sell. And they're monetizing this by selling this data or, actually, collecting commissions for this data that they collect - or the adware installs. That's what makes them the most money. An adware install can make them a couple-dozen dollars.

Dave Bittner: [00:04:00] So even before they have gotten to the point of turning over the code for the gift card, they're already making money off of you because of the hoops they're making you jump through.

Joe Carrigan: [00:04:09] Right. Even if you terminate this process halfway through, they've still made a profit, right? So either people stop and they say, this isn't worth it, or, they continue on until they get a code. And, guess what? The code is just a made-up series of characters that looks like a code from these different providers.

Dave Bittner: [00:04:26] So the gift card doesn't work.

Joe Carrigan: [00:04:27] It does not work. So you get nothing...

Dave Bittner: [00:04:29] (Laughter).

Joe Carrigan: [00:04:29] ...At the end of the day.

Dave Bittner: [00:04:31] You lose, sir.

Joe Carrigan: [00:04:32] (Laughter) Right.

Dave Bittner: [00:04:32] You lose.

Joe Carrigan: [00:04:32] (Laughter). Right, you get nothing.

Dave Bittner: [00:04:36] (Laughter) OK. Well, I can imagine all sorts of people who would go down this path.

Joe Carrigan: [00:04:41] Sure. Sure, just about anybody. And this is like what we were talking about last week - or two weeks ago - with the allure of free stuff trumping the need for people to be careful. In the story a couple weeks ago, it was how the police are using it to arrest people with outstanding warrants...

Dave Bittner: [00:04:55] Right, right.

Joe Carrigan: [00:04:55] ...But here it is happening to just about everybody - you know, anybody that wants free stuff. Hey, come get a free gift card. All you've got to do is fill out a couple of forms and verify that you're not a robot.

Dave Bittner: [00:05:05] I could really see, for example, like, my kids falling for this.

Joe Carrigan: [00:05:08] Oh, absolutely.

Dave Bittner: [00:05:09] Yeah. Anybody who has spare time...

Joe Carrigan: [00:05:11] Right.

Dave Bittner: [00:05:12] ...Who has more time than money.

Joe Carrigan: [00:05:13] Yes.

Dave Bittner: [00:05:13] Right?

Joe Carrigan: [00:05:14] Yes.

Dave Bittner: [00:05:14] I mean, why not? What's five minutes of my time to fill out some things?

Joe Carrigan: [00:05:18] And get some - yeah, and get a free gift card, which won't work.

Dave Bittner: [00:05:21] And, I guess, also they're taking advantage of the fact that there are some legit organizations who will give you a gift card in exchange for viewing an ad or trying out a product, or something like that.

Joe Carrigan: [00:05:33] Yeah. There are survey companies out there that you can - you know, if you fill out enough surveys, you actually get a gift card. But those are marketing companies, reputable marketing companies.

Dave Bittner: [00:05:41] Yeah. So they're taking advantage of that, that they're - that's sort of a cover. This notion of getting a gift card for doing something isn't, on its face, illegitimate.

Joe Carrigan: [00:05:49] Right.

Dave Bittner: [00:05:50] Yeah.

Joe Carrigan: [00:05:51] It's got - that model has legitimate practice out in the real world.

Dave Bittner: [00:05:54] It's good. I mean, it's one of those things. It's a good reminder to tell your kids, your family members. Remind them that these things - like we always say, you know, you can't get something for nothing. There's no free lunch.

Joe Carrigan: [00:06:07] Right. I think even the survey sites that actually reward you with gift cards are probably not worth the amount of time you put into it.

Dave Bittner: [00:06:13] All right.

Joe Carrigan: [00:06:14] That's my opinion.

Dave Bittner: [00:06:15] Yeah. Yeah, it's a good one. It's a good one. All right, well, my story this week is actually a bit of a follow-up from last week's story. One of our listeners, Ron, sent this in. Ron has written to us before. Thanks, Ron. So last week, if you recall, we proposed some sort of system where you could waste scammers' time...

Joe Carrigan: [00:06:29] Right.

Dave Bittner: [00:06:30] ...By forwarding the call to some sort of automated system that would listen and string them along. Well, Joe - good news.

Joe Carrigan: [00:06:37] Excellent. I'm very happy to hear this.

Dave Bittner: [00:06:39] Someone has already done it.

Joe Carrigan: [00:06:40] Perfect.

Dave Bittner: [00:06:41] This is in The Washington Post, courtesy of Matt McFarland. He's the one who wrote the article here. And there is a man in Los Angeles. His name is Roger Anderson, and he started the Jolly Roger Telephone.

Joe Carrigan: [00:06:53] (Laughter).

Dave Bittner: [00:06:55] And it...

Joe Carrigan: [00:06:56] Yar.

Dave Bittner: [00:06:57] Right.

Joe Carrigan: [00:06:57] (Laughter). He's a pirate.

Dave Bittner: [00:06:57] Exactly.

Joe Carrigan: [00:06:58] (Laughter).

Dave Bittner: [00:06:58] And it lets users start a three-way call with the service so you can listen in. And he's generated a bot that just rambles on. It provides positive responses to questions. He recorded himself. Mr. Anderson recorded himself saying a variety of lines. And the system chooses them based on whatever situation it senses is going on. It's programmed to be agreeable with the telemarketer. And then, if it senses that the telemarketer might be getting suspicious, it says something inane and asks for the pitch to be restarted.

Joe Carrigan: [00:07:30] (Laughter).

Dave Bittner: [00:07:32] So this service has been very successful. According to the article, in the past 10 days, the number received over a hundred-thousand calls.

Joe Carrigan: [00:07:41] Awesome. (Laughter).

Dave Bittner: [00:07:43] Anderson said, never in my wildest dreams did I anticipate this kind of interest in it. There's been so much support. Everybody really hates telemarketers.

Joe Carrigan: [00:07:51] Well, thank you, Mr. Anderson.

Dave Bittner: [00:07:53] There is a Kickstarter campaign, so...

Joe Carrigan: [00:07:56] That guy's getting 10 of my dollars.

Dave Bittner: [00:07:57] All right. Well, we'll have a link to this story from The Post in the show notes of the episode. But, fun to see that, you know, we thought of it, but I guess somebody else had thought of it first and, even more important, executed on it.

Joe Carrigan: [00:08:09] That is more important.

Dave Bittner: [00:08:10] (Laughter).

Joe Carrigan: [00:08:11] I am definitely giving to this guy's Kickstarter.

Dave Bittner: [00:08:13] Yeah. Follow-up is more - ideas are a dime a dozen, right? It's execution that matters. So check it out. It's this week's feel-good story.

Joe Carrigan: [00:08:20] (Laughter).

Dave Bittner: [00:08:22] All right, Joe. It's time for our Catch of the Day.


Dave Bittner: [00:08:28] All right, Joe. This one comes courtesy of someone near and dear to my heart. That would be my wife.

Joe Carrigan: [00:08:33] Aw.

Dave Bittner: [00:08:34] (Laughter) Yeah. She forwarded me this email and said, hey, this might be interesting for that podcast that you do with Joe. And so, you know, a few weeks ago, we had a ridiculous phishing email from someone claiming to be Apple. This is another one that claims to be from Apple. But this one is actually quite plausible. It looks like an email you would get from Apple. I would say the graphic design is quite tasteful - the font choice, the spacing, all that sort of stuff.

Joe Carrigan: [00:09:02] Looks good.

Dave Bittner: [00:09:03] The logo looks correct. So let me read it to you here. It says, (reading) your Apple ID was just used to purchase from Apple Store on a device that hadn't previously been associated with Apple ID. You may be receiving this email if you reset your security password since your last purchase. If you placed this order, you can disregard this email. It was only sent to notify you in case you didn't make the purchase yourself.

Dave Bittner: [00:09:25] And then there's a link. It says, view details here.

Joe Carrigan: [00:09:28] Hmm.

Dave Bittner: [00:09:28] Now, what do you think's in that link, Joe?

Joe Carrigan: [00:09:30] I don't know.

Dave Bittner: [00:09:31] Well, I hovered over the link. And I copied and pasted the link.

Joe Carrigan: [00:09:35] Right.

Dave Bittner: [00:09:35] And the link is a whole series of seemingly random characters. But in the middle of the cavalcade of random characters, there are the words dryerventwizard.net.

Joe Carrigan: [00:09:44] (Laughter).

Dave Bittner: [00:09:48] Now, I'm going to go out on a limb here and say that Apple is not promoting dryerventwizard.net. So, chances are, this is just linking to some adware. This is, you know, someone making some money for promoting whatever this Dryer Vent Wizard is, which I'm sure is a completely legitimate product that will change a life for the better. However...

Joe Carrigan: [00:10:08] Right. Clean out my dryer vents.

Dave Bittner: [00:10:10] Right, exactly. So I actually loaded this link into VirusTotal and did a scan on it. You can load links over there for free. And, sure enough, a couple of the virus-scanning systems brought this link up as being either phishing or malware. Remarkably, lots of them had it come up as being clean. But, anyway, the lesson here is always hover over that link if it - because this one looked legit. This - you know, by all - certainly first glance, second glance, this one wasn't as absurd as the previous one.

Joe Carrigan: [00:10:40] Right.

Dave Bittner: [00:10:40] The folks here did a better job doing their homework of making it look like a legit Apple email.

Joe Carrigan: [00:10:45] It's missing a couple articles.

Dave Bittner: [00:10:46] You mean grammar articles.

Joe Carrigan: [00:10:47] Grammar articles, right.

Dave Bittner: [00:10:48] Yeah.

Joe Carrigan: [00:10:48] Like, the is not in front of Apple Store. And with Apple ID, instead of with - like, with your Apple ID.

Dave Bittner: [00:10:55] Right.

Joe Carrigan: [00:10:55] Other than that, it looks pretty good, though. It is well-crafted.

Dave Bittner: [00:10:58] Yeah, yeah. So beware. Like we always say, don't click the links. All right, well, that is our Catch of the Day. Coming up next, we've got my interview with David Shear from Flashpoint. But first, a word from our show sponsors, the good folks at KnowBe4.

Dave Bittner: [00:11:15] And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent, simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing, real-world, proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:12:17] And we're back. Joe, I recently spoke with David Shear. He's an intelligence analyst at Flashpoint, and we spoke about some of the research that he and his team have been doing, specifically about how unsuspecting people are being recruited into being money mules. Here's my conversation with David Shear.

David Shear: [00:12:34] For most people, I'll say that a lot of these things that, you know, are involved in these schemes - they seem like an obvious, like, it-was-too-good-to-be-true situation. But for a lot of these job-seeking applicants, you know, they're in a place that they need a job and, at times, you know, usually pretty quickly. So they're more willing to accept something that you might find suspicious.

David Shear: [00:12:52] So for a lot of these things - Craigslist has always been a big one. But we've seen kind of a few individuals looking more for the recruitment platforms to leverage a - let's say a big job posting for any type of company you can think of, right? And when they reach out to these individuals, they actually don't need to go out and proactively, you know, send out emails or anything like that. If they have a phony listing that they set up, they have people already coming to them. And that trust is already established.

David Shear: [00:13:19] So if Flashpoint had a fraudster running their own little campaign of making fake open positions at our company and were soliciting for individuals, the individuals that go to this fraudster then are giving information almost too easily and are willing to accept things like - most of the schemes involve - receiving checks is what happens a lot. They'll say that, you know, you're a processor. We're going to send you this check. We need you to send it off here. And to a normal person, that should ring bells. No job typically has you just work at home and receive money and then send the money out. Unfortunately, when people receive these checks and they do get paid, they feel like, wow, OK, this is happening. You know, you receive the check. It seems about right. It's deposited into your account. You'll see the money show up.

Dave Bittner: [00:14:03] Now, is the check made out to them?

David Shear: [00:14:05] Typically, yes, because what they're going to do is that person is then going to send the money on. And now, what happens is - 'cause of the time it takes for checks to actually go through, the age-old thing is that when they realize it's a fraudulent check and the transaction is cancelled, you're actually on the hook for that money. So if it was, you know, you got $2,000 in your account and they say, OK, keep the 500 but send the rest on, well, you sent money from your account. And now you're on the hook because once it's all come back around, you actually lose all that money. And your financial institution, it's not like a credit card or anything like that. They're still going to work to fix that, but it's much different when it's actual checks and money in an account, like a debit account.

Dave Bittner: [00:14:48] So they're receiving this money, and then they're sending it on. And what does this do in terms of opening them up to, you know, a legal liability?

David Shear: [00:14:59] So essentially, this is putting you right in the middle, at times, of a money laundering scheme. You know, and these are very common. And there's a lot of victims that are affected by this, not even realizing sometimes that they're affected until it's too late, is - this is just one of the many schemes. If you're involved in that money laundering - a lot of times, you know, there's reshipping services that leverage these mules that do the same thing. You know, you're sending off a package for this, you know, company that you think is legitimate. Well, now you're part of a reshipping scam that is sending stolen goods off to buyers who are unaware that they're buying from a cybercriminal. So you effectively become part of a cyber campaign without even fully realizing it until, again, it's far too late.

Dave Bittner: [00:15:39] Yeah, and it's fascinating. I guess put in this situation of needing to make money quickly, people sort of lower their guard or lower their standards and perhaps think, you know, well, maybe I'll just do this for a little while until I get my feet under me. And off they go.

David Shear: [00:15:54] Well, and absolutely. And I think it plays onto the - you know, when you're having people search for you, it means that they're looking and they need a job. So if someone's trying to social engineer one individual, it's much easier when they've already looked for you. They feel comfortable because, wow, this job - you know, they're interested in me. And, you know, it's a great feeling, right?

David Shear: [00:16:12] Well, they play off of that, and they know that you want the job. They know that you want to make money, especially when you can hear that you're going to make money quickly. And it sounds easy. Hey, we just need you to send this money on. You're going to be - maybe they mess up and say, you know, you're going to be a bookkeeper or something silly like that.

David Shear: [00:16:28] It feels, you know, like, again, one of those things that I'll say. It sounds too good to be true, and it is. But when you are looking for a job, when you need money and, at times, you know, quickly, this sounds like such a great solution. It sounds almost, you know, like, thank goodness - I-can't-believe-how-lucky-I-am type of scenario. So they're much less willing to question it because, why give up a good opportunity when you can believe, in your mind at least, you're making $1,000 every time, you know, you do this or that or - why ruin that opportunity for yourself? So a lot of these people will actually put those questions away and just kind of proceed with it. Even maybe sometimes knowing something's up, they'll kind of go, well, you know, it's from this legitimate company, so it can't be a scam.

Dave Bittner: [00:17:09] Now, from the scammers' side, what is your sense in terms of the amount of churn that's going on here? How quickly are they burning through these victims?

David Shear: [00:17:18] It can be as quick as, you know, two weeks or as long as maybe a couple of months. These typically aren't long-term operations because of the fact that, after a while, they're trying to either take so much money or the activity gets discovered by whatever platform they're using, that it's not a long term for one person.

David Shear: [00:17:36] But I could say that easily in a month - right? - if you have a whole month of activity from the scammer, that's perfect. I don't need a whole year of this victim. I can get a lot of benefit from a month or even just two weeks. If I can get you to make transactions, I can get you to send stuff - that's probably just one mule per dozens or maybe even hundreds. It's hard to know.

David Shear: [00:17:56] So I think for the spammer, the scammer - they're typically OK with just a month-long campaign because that's about how long - someone starts realizing something's fishy. But a lot of them do act quickly, too. In just a matter of a couple of weeks, the bank stops, you know, sending the money. They go, hey, you owe us money or something. They get in trouble because a police officer or whatever they - the campaign's discovered, and them go, why are you sending off packages? Things like that happened pretty quickly (laughter). So I'd say they're very relatively short-term campaigns.

Dave Bittner: [00:18:24] So it's a volume play rather than being a sophisticated sort of thing. It's sort of getting in and out quickly because - knowing that eventually, law enforcement is going to catch on.

David Shear: [00:18:35] I think essentially, yes. That would be the big thing to go with here. It's just get as much as you can from that compromise, and go with it.

Dave Bittner: [00:18:42] I want to dig into some of the details of what's going on in these dark web forums. That's an area of your expertise. Can you describe to us, what is the sharing mechanisms for folks who are sharing tips with each other on how to best accomplish these social engineering crimes? How are they communicating with each other and sharing what works and what doesn't?

David Shear: [00:19:04] Yeah. So it's actually quite a massive ecosystem that has many parts that involve it. First thing, a lot of times, is how people can carry out these campaigns. There's a fair amount of tutorials out there that we've seen, you know, where it's very simple how to carry out a money mule operation. But I would say nowadays, most of these individuals are in very quiet groups. And they're not as open to sharing on deep and dark web forums because they know that researchers and law enforcement are consistently watching. So they're not always happy to give away those techniques.

David Shear: [00:19:33] Most times when they are discussing it, they're discussing a single part of that campaign. So if they're trying to gain access to a recruitment platform, they'll solicit for those accounts or ask how to maybe bypass any protections that recruitment platform has.

David Shear: [00:19:49] Similarly, if they're trying to carry out, you know, the bank transfer fraud, you know, they'll typically follow forums that handle that type of stuff without giving away what their campaign is in asking, how can I, you know, get money from here to here? - type of thing. So I think that when you look at it, it's actually broken up into smaller pieces without revealing the whole operation just because of the fact that that would be counterintuitive to what they would want, especially in terms of OPSEC. You don't want to give away everything you've got before you've even truly started.

Dave Bittner: [00:20:19] Now, in terms of innovation, what do you all see there? When a new technique comes up - when someone figures out a new way that works, do you find that it spreads quickly through the ecosystem?

David Shear: [00:20:32] Actually, I'd say that it holds pretty quietly amongst a small group of individuals. Not to say that some of these things don't spread quickly through some of the groups, but a lot of times, if there's a really good method, it'll typically be between one and just a few, maybe five individuals, that have a little group, a working group of how they carry this stuff out.

David Shear: [00:20:51] And we've actually seen a lot of these groups go to things like Telegram because they can make their own private little group and talk day in, day out about some of their campaigns and techniques that they'll typically hold within those groups as opposed to, again, the forums. So it's much easier to quickly put that information out there and kind of keep that technique hidden with only the people they know - or at least they feel - are legitimate fraudsters.

Dave Bittner: [00:21:13] Describe to me what goes on in terms of reputation-building on these forums. Is there a hierarchy?

David Shear: [00:21:19] It depends. Forums, you're going to see a lot of people that - if they contribute a lot to the forums, they're typically more respected and have - they'll be part of that higher hierarchy. You know, people will respect them more. They know that this person contributes, so they have good information. And that usually works for them in a business capacity. You know, people are more willing to work with them. People are going to take what they say more often. And that person is often going to receive techniques and good information more often just because of how much they contribute back to that community.

David Shear: [00:21:50] For groups, it depends. I would say that there's always definitely a hierarchy based on skill set. If someone has been doing this for five years and they can quickly set up a campaign, they're typically in more of a leadership position. But I think a group also has this interesting dynamic of, many a times, there's multiple actors that all kind of specialize in their own little area. So it's not just a one person's the leader and everyone else kind of scrambles to do the bidding, it's that this kind of cohesive group works together to flesh out a campaign and that each member can have their own kind of little leadership capacity.

Dave Bittner: [00:22:26] So what is your advice for people to protect themselves against these sort of social engineering attacks? What do you recommend?

David Shear: [00:22:34] I think it's kind of a multi-step process. You know, the first one is - so if you're looking for a job, it should really be through official platforms, bare minimum. And this isn't to say anything against regular platforms like Craigslist, and I know there's a few others. But a lot of companies don't normally advertise on those platforms if they're looking for a regular position - assuming you're not just looking for a part-time, quick paid gig. A lot of them are going to have on their website where their official job postings are.

David Shear: [00:23:00] And on top of that, I don't believe I've ever heard of a recruiter who's miffed by you wanting to talk more, you reaching out. And I think you can reach out to other recruiters in that platform, if possible, or reach out to any type of support line. And you'll know very quickly if these are valid employees.

David Shear: [00:23:19] And I don't find that you'll be in too much of a bad situation to just go and ask for more clarification. You know, if you're so quick to accept that the person you're talking with is an actual employee of this company, you know, they should always be talking to you from a company email. How many people are willing to accept a Gmail address for an enterprise is kind of astonishing sometimes. So, you know, the things that should add up should always add up - again, email, the person is someone that's maybe on LinkedIn, that you can verify their identity really quickly without the concern of - just hoping because they came to you from this platform and say that they're that person, that it's a legit thing.

David Shear: [00:23:53] But if it sounds too good to be true, it almost always is. You should not be taking checks or packages or anything like that. If they do very little to really verify your identity, I would always say that's a suspicious thing to me. And I would never, ever, ever go forward with that. Most jobs will at least fly you out or want to discuss more with you - see your face. And even in a very digital world, you know, most organizations still want to verify your identity.

David Shear: [00:24:17] And that's kind of the concerning part - is if someone's so willing to just kind of push all that aside and give you a job right away with very little onboarding, very little process, you know, you can probably rest assured that many times that's - it's a fraud. It's a scam. Just use your instincts. I think people know better. They just want to push those instincts aside sometimes.

Dave Bittner: [00:24:36] It's sort of a sad double whammy in that, you know, these folks are targeting people who are kind of hitting them when they're down - when they're weak, perhaps desperate, for some quick money.

David Shear: [00:24:46] Unfortunately, I think that's the best way to describe it. A lot of these cybercriminals know that it's not a nice thing to do. They don't wake up going, oh, you know, I'm going to be a great guy and scam someone out of their money or their job or whatever it may be. Unfortunately, it's always the good people who get caught up in things like this - and for very little recourse, a lot of times. This happens to a lot of people. And there's just too many cybercriminals doing this type of activity that sometimes it is nauseating that, you know, people are so greatly affected by it without sometimes as much coverage as I believe it deserves.

David Shear: [00:25:17] The best target for most of these types of cybercriminals that are carrying out these campaigns are actually enterprises. Many people think that it would be easier to maybe fool a small business because maybe they don't have a web presence and so on. But actually, enterprises are so diverse nowadays, so spread out, that a recruitment office in Florida for a company may not ever talk with their recruitment office in Georgia.

David Shear: [00:25:41] So it's easy for some type of fraudster to kind of go and start making fraudulent postings. And, you know, if the security team is not up to par, not always looking for this type of recruitment fraud, it's very easy for them to get away with this without a company ever realizing realistically just because they're so spread out. And they don't know what their other offices are doing. So I think that's kind of been the weird thing to witness - is a lot of spread-out activity with very little oversight and very little detection because of that, you know, large-scale-enterprise type of environment.

Joe Carrigan: [00:26:17] That was a great interview, Dave.

Dave Bittner: [00:26:18] Thank you.

Joe Carrigan: [00:26:18] I really thought one of his most salient points was that trust is established when you post the ad - right? - that just by seeing the ad, somebody has already started to trust you once they start responding to them - responding to these ads.

Dave Bittner: [00:26:34] Yeah.

Joe Carrigan: [00:26:34] So if I'm a scammer and I post these ads, and somebody sends me an email responding to it, then I know I've already got some kind of clout with this guy or girl.

Dave Bittner: [00:26:44] The fact that they're responding means that the ad was good enough to hook them.

Joe Carrigan: [00:26:47] Right, right. And have you ever been on a job hunt?

Dave Bittner: [00:26:51] Oh, it's been a long time.

Joe Carrigan: [00:26:52] I was laid off from a defense contractor a number of years ago. And I remember the looking for a job part. And I spent, you know, probably two months looking for a position. And the rejection is just an overwhelmingly depressive force in that process.

Dave Bittner: [00:27:10] Right.

Joe Carrigan: [00:27:10] So when you reply to one of these ads and you get somebody coming back who is telling you, hey, you might be just what we're looking for - we're really happy to hear from you - and they start giving you all this positive feedback, they have your undivided attention.

Dave Bittner: [00:27:25] That emotional aspect is...

Joe Carrigan: [00:27:26] That's right. It is - it is very powerful. I can easily see how people would fall for this and be willing to suspend a lot of disbelief for themselves. It is a sickening - a sickening occurrence. I will agree with David on that one.

Dave Bittner: [00:27:39] Yeah.

Joe Carrigan: [00:27:39] It's kind of just depressing and sad that this happens. You know, these people who are in a condition like this get exploited through their weaknesses. But like he says, you know, pay attention. Pay attention. Are you responding to a well-known company and sending email to a Gmail address? That's probably not the right thing to do. And how do these companies actually go about monitoring all these different platforms for these kind of fraudulent postings?

Dave Bittner: [00:28:03] Well, and if you are a company, just a reminder that it's something you need to keep an eye on.

Joe Carrigan: [00:28:07] Yeah, it is.

Dave Bittner: [00:28:08] All right, well, thanks once again to David Shear from Flashpoint for joining us. I appreciate him taking the time. And thanks to you for listening.

Dave Bittner: [00:28:15] And, of course, thank you to KnowBe4 for sponsoring our podcast. For help inoculating your organization's employees against social engineering with their new-school security awareness training, talk to KnowBe4. And be sure to sign up for their Cyberheist News at knowBe4.com/news. That's knowBe4.com/news. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.

Dave Bittner: [00:28:47] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:29:04] And I'm Joe Carrigan.

Dave Bittner: [00:29:05] Thanks for listening.