Hacking Humans 6.18.20
Ep 103 | 6.18.20

It can happen to anybody.


Kurtis Minder: The damage from the cybercrime economy specifically was around $5.2 trillion, so it's significantly more than the economy itself. 

Dave Bittner:  Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan:  Hi, Dave. 

Dave Bittner:  We got some good stories to share this week. And later in the show, Joe checks in with Kurtis Minder from GroupSense. They're going to dig a little deeper into some of the topics that Kurtis discussed in his previous appearance on our show, so stick around for that. 

Dave Bittner:  Joe, I want to start things off for us this week with a story. (Laughter) So I'm sitting here at, you know, CyberWire intergalactic headquarters. And... 

Joe Carrigan:  Those are some pretty far-reaching headquarters, Dave. 

Dave Bittner:  They are. They are. I think - it's exciting. They're building a new segment of the monorail this week, so hopefully that'll be finished soon, you know, so we don't have to use our Segways to get from building to building. So I'm sitting here and my phone rings. It's sitting on my desk. And the caller ID comes up, and it's my sister. Now, it is not common for my sister to call me. I see my sister every couple weeks. I have a good relationship with my sister, but it's unusual for us to call each other. We just - we're not chatty in that way. 

Joe Carrigan:  Right. 

Dave Bittner:  So this gets my attention. And I answer the phone, and it is my father calling me from my sister's phone. 

Joe Carrigan:  I see. 

Dave Bittner:  Now, I should mention that my sister lives with my parents... 

Joe Carrigan:  OK. 

Dave Bittner:  ...And helps support them. My parents are elderly. They are in their mid-80s, and they live in an over-55 community, a lovely condo. But my sister's there, and she provides a lot of good support for them. So my father is on the line. And he says, Dave, someone called me on my phone, and they say they are from Verizon, and they say that someone has tried to purchase two iPhones on my account and that unless I give them a bunch of information, I'm going to be responsible for paying for these two iPhones on my account. He said, your sister is on the phone with them right now. What should I do? (Laughter). 

Joe Carrigan:  Right. You should hang up. 

Dave Bittner:  (Laughter) This is exactly what I said. I said, Dad, hang up. 

Joe Carrigan:  Right. 

Dave Bittner:  He said, well, really? They're trying to connect us to the legal department. And it sounds really - Dad, hang up. Just hang up. OK. And I hear him call out to my sister, hang up. Just hang up. So they hang up. So now I explain to my father what is likely going on here - that these are most likely scammers... 

Joe Carrigan:  Right. 

Dave Bittner:  ...Most certainly scammers who have called him. And sure enough, the information they're trying to get from him is the kind of stuff that you would try to get if you're trying to get into the account. 

Joe Carrigan:  Right. 

Dave Bittner:  They're asking him for the last four digits of his Social Security number... 

Joe Carrigan:  Yup. 

Dave Bittner:  ...Things like that. Right? And they're saying that they're doing this to verify the account. But of course, they're doing it to try to break into the account. 

Joe Carrigan:  Sure. 

Dave Bittner:  So now my father is worried because he doesn't know how successful they were. How far along did they get? So he wants to reach out to his bank. He wants to reach out to Verizon to check in with them. So this leads us to part two of the story, which is... 

Joe Carrigan:  This story goes on? 

Dave Bittner:  Oh, this (laughter) - we're just getting started, Joe. So (laughter)... 

Joe Carrigan:  Oh, OK. Good. Well, then I'll settle in. 

Dave Bittner:  (Laughter) No, no. Yes, exactly. Find yourself a comfortable chair. Fix yourself a lovely beverage. 

Dave Bittner:  So my father says to me, well, I want to call Verizon to see what's going on and verify that my account is indeed secure. 

Joe Carrigan:  Right. 

Dave Bittner:  And I say, all right. Well, he says, what number should I call? So what do I do, Joe? I Google Verizon technical support. And what pops up? Well, the first thing that pops up is a phone number. 

Joe Carrigan:  Right. 

Dave Bittner:  Well, as you and I have talked about, we can't trust that phone number. Right. (Laughter). 

Joe Carrigan:  No. You can't trust that phone number. 

Dave Bittner:  You can't trust that phone number on a Google search. 

Joe Carrigan:  That could very well be an ad that someone has paid for so that when you call Verizon, you get them. I've had that happen with Comcast. 

Dave Bittner:  Yeah. Exactly, exactly. So I don't trust that. But I do see several links in my Google search to Verizon tech support. Aha. OK, great. So I go to Verizon - actually, I don't click on any of the links there. I go to verizon.com... 

Joe Carrigan:  Right. 

Dave Bittner:  ...Look on tech support. And guess what I find on Verizon's support page, Joe? 

Joe Carrigan:  Scam alert? 

Dave Bittner:  Mmm, close. 

Joe Carrigan:  OK. 

Dave Bittner:  There are several options for interacting with Verizon's support people. You can live chat with them. 

Joe Carrigan:  Right. 

Dave Bittner:  All right. This is not an option for my father. He can't handle this. 

Joe Carrigan:  I detest this method as well, by the way. I'm in your dad's camp on this. 

Dave Bittner:  Yeah, it's too much for him, you know? He's not a technically savvy person. And so it'd just be - you know, it wouldn't be fair to subject him to that. But most interesting is that there's not an obvious way to call them. 

Joe Carrigan:  Yeah. 

Dave Bittner:  Now, to be fair, I later learned that from your Verizon device, you can call 6-1-1... 

Joe Carrigan:  Right. 

Dave Bittner:  ...And that will put you in touch with Verizon tech support. This was something I learned after the fact. But while I was on this tech support page, one of the options - and this is the one that sort of got my goat - was leave us your phone number, and when we're available, someone from Verizon support will call you. Well, that's just what we went through with the scammers. 


Dave Bittner:  The last thing in the world my father is going to do is accept a call from Verizon tech support. How do we know that it's them and it's not just the scammers calling back? 

Joe Carrigan:  Right. Exactly. 

Dave Bittner:  Right? There's no way to know that. I was very frustrated, Joe. 

Joe Carrigan:  That is frustrating. That is frustrating. 

Dave Bittner:  (Laughter). 

Joe Carrigan:  There's going to have to be a new system that's developed for this. You know, we'll call you back, and we'll give you a number that you enter in a queue, right? So they give you, like, a three-digit or a four-digit number. You write that number down. Then you dial 6-1-1, and when it says enter your code, you enter your code and you go right to the representative. 

Dave Bittner:  Right. 

Joe Carrigan:  But I am sure that system does not exist right now. 

Dave Bittner:  Well, but also imagine, Joe - this is what I try to put myself in. Imagine the 85-year-old version of yourself... 

Joe Carrigan:  Yeah. 

Dave Bittner:  ...Navigating that sort of thing, right? 

Joe Carrigan:  Irritating. 

Dave Bittner:  Yeah. So here's what happens in the end. My father contacts his bank. Everything's cool with his bank. Nobody hit his credit cards or anything like that. My mother goes to the Verizon store. She goes old-school, right? 

Joe Carrigan:  Right. 

Dave Bittner:  She gets in her car. She drives to the Verizon store. And the nice person at the Verizon store is very helpful, very patient with her. They look in the account. Sure enough, they can tell someone was trying to access the account. 

Joe Carrigan:  Right. 

Dave Bittner:  Someone was trying to trigger, you know, account reset types of things. But it was thwarted. It did not go through. They hung up in the nick of time. 

Joe Carrigan:  Good. 

Dave Bittner:  In addition, the kind person at the Verizon store put a PIN on their account. 

Joe Carrigan:  I was going to go there, Dave. 

Dave Bittner:  (Laughter). 

Joe Carrigan:  And I'm so glad that the person at the Verizon store mentioned this because this is one of the best things you can do to secure your wireless account. 

Dave Bittner:  Right, right. So now both my mother and my father, who share this account, they have the PIN with which the account is more secured. 

Joe Carrigan:  Remind them never to give that out on an inbound call... 

Dave Bittner:  Right. 

Joe Carrigan:  ...That they only give that out when they're calling Verizon, not when Verizon is calling them. 

Dave Bittner:  Good point. Now, in the meantime, my mother got a little frazzled because all of this having happened has planted the seed in my parents' minds that they are vulnerable, right? 

Joe Carrigan:  Right. 

Dave Bittner:  So my mother gets what I would consider to be routine kind of spammy text messages and things on her phone, and now she's really worried about this. 

Joe Carrigan:  Absolutely. 

Dave Bittner:  So she calls me. She calls my brother. She says, what's going on? Did someone hack my phone? Are they listening in on me? I don't know. 

Joe Carrigan:  That's interesting because... 

Dave Bittner:  Yeah. 

Joe Carrigan:  Your mom should listen to this episode because my next story is about exactly this kind of thing. 

Dave Bittner:  (Laughter). 

Joe Carrigan:  But we'll get to that in time. But you go on. 

Dave Bittner:  So my kind brother takes my mom back to the Verizon store just to put her mind at ease. 

Joe Carrigan:  Right. 

Dave Bittner:  The two of them go to the store. They speak to another customer service person, who, again, very patient. So hats off to the people at the local Verizon store - very patient. They go back into her account. Everything's fine. Nothing's bad. So all's well that ends well. But I just - so it was a story worth sharing that - because I'm sure there are a lot of people out there who are in a similar situation where you're at that station in life where your parents need a little more help with some of these technical kinds of things. 

Joe Carrigan:  Yup. 

Dave Bittner:  And you just worry because they're kind of sitting ducks. And I feel so lucky that, you know, both my sister was there to help support and my brother was there to support, and obviously I was there to support. 

Joe Carrigan:  Right. 

Dave Bittner:  So, you know, between having three children, my parents were able to thwart this, but not everyone is in such a good position. 

Joe Carrigan:  No, that's true. Now, let me ask you a question. And maybe you don't know this, but when they called, did they address your father by name? Did they say Mr. Bittner? 

Dave Bittner:  I believe so. 

Joe Carrigan:  Really? 

Dave Bittner:  I believe so. Yeah. 

Joe Carrigan:  So they had the information. 

Dave Bittner:  Yeah, I believe so. Now, who knows? You know, my father could've very well have filled out a sweepstakes entry or something... 

Joe Carrigan:  Yeah. 

Dave Bittner:  ...That had his name and his phone number - you know, win a new car or something like that, you know, and... 

Joe Carrigan:  Right. Ooh, I'd like a new car. 

Dave Bittner:  Yeah. There's all kinds of ways to... 

Joe Carrigan:  Absolutely. That information is... 

Dave Bittner:  That information is out there. 

Joe Carrigan:  It's out there. It's floating around. It's available. 

Dave Bittner:  So that doesn't surprise me. Right. 

Joe Carrigan:  It's not surprising at all. 

Dave Bittner:  So I share the story (laughter) for our audience as just a reminder and maybe some valuable lessons. Like I say, all's well that ends well, and I think things have settled down. But it can happen to anybody. Oh, and I want to say that perhaps most importantly, one of the things - I was on the phone with my mother. 

Joe Carrigan:  Right. 

Dave Bittner:  And she shared with me - she said, your father is so embarrassed. He feels so ashamed that this happened to him. 

Joe Carrigan:  Yup. 

Dave Bittner:  And I said, Mom, you have to tell Dad - you know, get him on the phone with me - there's nothing to be ashamed of. 

Joe Carrigan:  Absolutely not. 

Dave Bittner:  This could happen to anybody. This could happen to me. It could happen to you. It could happen to any of us. So there is no shame. He did the right thing in pausing and calling, you know, me and my sister and my brother. So we'll just hammer that point home. 

Joe Carrigan:  Yeah. 

Dave Bittner:  There is no shame in this. So get that thought out of your head. 

Joe Carrigan:  Yeah. First off, he actually did what he should've done. He called somebody else. He talked to somebody else, got good advice, called you and said... 

Dave Bittner:  Right. 

Joe Carrigan:  And you said hang up the phone, and you convinced him that that was a case. That was the right thing to do... 

Dave Bittner:  Yeah. 

Joe Carrigan:  ...To reach out to somebody else for help when you're in that situation. So he didn't do anything wrong. And even if he would've gotten scammed out of things, still, you're not the one at fault here. You're being scammed by malicious actors who are actively looking to do you harm for their own benefit. I understand. I get it. Believe me; I feel stupid when I look back on things. Before the show, we were talking about an incident where I just didn't understand something was going on in a organizational relationship. 

Dave Bittner:  Yeah. 

Joe Carrigan:  And I look back on that now and I go, that was just stupid. 

Dave Bittner:  Yeah. 

Joe Carrigan:  But it wasn't stupid. It was just ignorance, you know. 

Dave Bittner:  Yeah, yeah. 

Joe Carrigan:  And these kind of things happen, and I know it's embarrassing. I know it's embarrassing, but you have to have the courage to stand up and go, this is what happened to me. There are things you can do to prevent it, but really, I don't think we need to be blaming victims on this. 

Dave Bittner:  Yup. 

Joe Carrigan:  I think we need to be blaming these scammers that are actively going out to harm people. 

Dave Bittner:  Right. All right, well (laughter), that is my long story this week. Joe, what do you have for us? 

Joe Carrigan:  My story today actually comes from a listener named Chris Concannon. And he has a blog. Chris is a solutions engineer for a tech company, and he's also studying to get his certified ethical hacker certification. And what's interesting is that this kind of ties into your story because Chris started receiving a number of curious text messages, he calls them - a few of them. And they came from different numbers in the U.S., and each one was similar, talking about an Amazon rewards card being shipped to him, right? Like, he has a quote in here - "shipped. Your Amazon package with $100 loyalty reward will be delivered June 9. Track at" - and then it has a URL with a unique identifier at the end of it, OK? Now, we often say, don't click the link, right? 

Dave Bittner:  Right. 

Joe Carrigan:  And this is one of the reasons why we say don't click the link. And even if a company you trust is actually sending you a link or a company you know about is actually sending you a link, very often, when you look at that link, there is a unique identifier in that URL that is tied directly to not just your email address but to this specific email that was sent to you. And these unique identifiers are long. They can identify everything about the event. And then when you click on it, they know, No. 1, this is a valid email. They know what kind of email you responded to. And they can kind of build a profile on you using this. 

Joe Carrigan:  So there's multiple reasons not to click the link, but one of the biggest reasons not to click the link is because it's probably malicious. The links in this story were coming from g8smv.info. So Chris had a couple of red flags. He said, No. 1, I rarely order things from Amazon. Being that he's not really a big Amazon user, $100 loyalty card is not really something in the cards for him. Now, if they were to send this to me or to my wife, we order a lot of stuff from Amazon, right? 

Dave Bittner:  (Laughter) You'd be wondering why they weren't sending you a bigger loyalty card. 

Joe Carrigan:  That's right. Only $100? Come on, Jeff. 

Dave Bittner:  (Laughter). 

Joe Carrigan:  Mr. Bezos, up your game. But the text came from a U.S. phone number, and not a short code, right? Like, usually, Amazon sends a short code out when you get a text from them - or the number comes from one of those shortened codes, like Twitter's is 4-0-4-0-4. And I can't remember what Amazon's is, but it comes from, like, a five- or six-digit number, not a U.S.-based phone number. So he is actually getting texts from these phone numbers. 

Joe Carrigan:  And then, finally, he goes in and he investigates who owns the domain - right? - this g8smv.info. And it's registered to Namecheap, and the registrant's address is in Panama. Now, Amazon's based in the U.S., and their registration - their domain is registered to their hostmaster in Nevada. So it's not from Panama. So obviously, this is something else. Of course, this domain could be anything, but he doesn't think it's Amazon. And it isn't. 

Joe Carrigan:  So he does a little bit more digging into the website, and he finds out that the IP address is registered to Alibaba. Now, Alibaba, if you're not familiar with them, the Chinese competitor to Amazon. If you want to think of the Chinese Amazon, that's Alibaba. They have the same kind of storefront, but they also have a lot of cloud-hosting services like Amazon does. So here's what he knows so far. Somebody's registered this domain, and they're paying for services to be hosted on Alibaba's cloud services. 

Joe Carrigan:  Now, when he clicks the link or investigates the link, where does it go? It doesn't try to do anything. It's interesting. It just has a redirect. He's doing this on a Linux machine, and he's using a utility called curl. And if you just enter curl -v on it - on a Linux machine - that will show you what's going on behind the scenes, right? It doesn't just download the page for you. It actually tells you what's going on. And he finds out that there is a 302 redirect, which is just an HTTP code for, OK, you loaded this page. Now I want you to go to this other page. And it takes him to google.com. So his whole question is, what the heck is going on here? 

Joe Carrigan:  And here's what Chris is surmising is going on. He thinks somebody has gotten ahold of a list of cellphone data, and they're trying to establish which of these cellphones is active and which of these cellphone users is vulnerable to an attack and which of these users is vulnerable to a phish that uses the hook of an Amazon reward card and just tracking the reward card. What's interesting about this is if you have two-factor authentication set up with Amazon where they send you a code, then you could probably use this as a means of phishing those credentials. Now, when we talk about multifactor authentication and using two factors, we often say that using a code sent to you over an SMS is the least secure option here. But it's still many, many times better than doing nothing. So I don't want to... 

Dave Bittner:  Right. 

Joe Carrigan:  ...Seem like I'm saying this is bad. Don't use the SMS method. I do want to say, if you have another method, use that. If SMS is all that's available to you, please use that instead of nothing. I want to make that clear. 

Joe Carrigan:  So let's say I've got a live one. Let's say I know someone clicked this link. Now I'm going to send out or build a phishing kit - right? - for Amazon credentials. And I'm going to have a landing page that looks almost exactly like Amazon. And I'm going to ask somebody to log in to their Amazon account, and I'm going to show them the fake landing page. And then I'm going to, behind the scenes, actually log in to their Amazon account. And if I get the Amazon two-factor authentication screen, then I'm going to show the user, enter the two-factor code we just sent you. The user's going to get the code via SMS. They're going to enter it, and I'm going to pass it through to the Amazon page and actually log in and then have control of their account. 

Dave Bittner:  Right, right. 

Joe Carrigan:  And that's kind of what Chris is thinking is going to be going on here in the background. 

Dave Bittner:  So they're kind of - they're pre-filtering people... 

Joe Carrigan:  Exactly. 

Dave Bittner:  ...In an initial step to save time when they hit them with the larger attack, potentially. 

Joe Carrigan:  Yeah. He does a cost-benefit analysis of this attack, and he estimates that the cost of sending a single text message is 5 cents. I'll bet it's much lower than that. I'll bet it's much, much lower than 5 cents to send it. It might cost them some amount of money, but just putting these text messages out there, I think that's probably almost free. Text messaging now is so ubiquitous and so easy to send. You know, but SMS is a cheap and efficient way to send information. It's not secure in any way, shape or form. It is a good way to disseminate information quickly. And there's a very robust infrastructure for it. So I think 5 cents is a really, really high estimate. I think it's probably fractions of a penny per SMS message you're sending out overall. 

Dave Bittner:  OK. 

Joe Carrigan:  So it's a really low-cost attack. And, yeah, they're validating the accounts or the information that they bought. And at the same time, they're generating a list of people that get hooked by Amazon phishing. 

Dave Bittner:  Well, it's an interesting analysis for sure, and we will have a link to that in the show notes. 

Joe Carrigan:  Yes. Thanks to Chris for sending that to me. I appreciate it. 

Dave Bittner:  Yeah, yeah. It's a good one. Yeah. Thanks for sending that in. All right, Joe, those are our stories. It is time to move on to our Catch of the Day. 


Joe Carrigan:  Dave, the Catch of the Day comes from Reddit user DashaPotapov. That's their Reddit username. And it's from r/scambait. And it is the beginning of this person scambaiting, but it's a really funny phishing email. So my favorite part about it is it starts with the text, this message is from a trusted sender. 

Dave Bittner:  (Laughter). 

Joe Carrigan:  That's just the text in the email, right? 

Dave Bittner:  Well, there it is (laughter). 

Joe Carrigan:  So you can trust it. Dave, I think you should read this. 

Dave Bittner:  All right. Well, let's see. Let's spice this one up a bit... 

Joe Carrigan:  OK. 

Dave Bittner:  ...Since we're winning something here. So here we go. 

Dave Bittner:  (Reading) Dear recipient of $3,899,478 - this message is from a trusted sender. Dear recipient, you've been waiting for this for a long time. Until you get the money, what stops you checking on what I sent you previously? We have credited the total amount of $3,899,478 donated to your account. But you don't have to access the platinum deposits to allow it. The account was created for the exclusive use of residents, not an account that has external amount. So we now created the ATM card to help you all during the quarantine period. Why can't you use what you have now to get the bigger one processed? Remember; you still have a brand-new car - X3 BMW 2019 - award, which is added to the file attached to your account. And the bank confirmed to send it to you in 72 hours. And multiple emails has been sent all to no response. Hope you're not infected. 

Joe Carrigan:  (Laughter). 

Dave Bittner:  (Reading) All you need now is this ATM card with a daily limit of less than $8,000 per withdrawal while the account is stored here for security reasons to prevent money laundering and all kinds of questions that may involve fees from your state government taxes. Think about this for your own good. Time waits for no one. Stop looking for advice from who is holding you back on this. The domestic enemy is everywhere. They never want you to grow but the crow. Return answer to the service option that classifies your needs as the necessary rate for the shipping. One thing assures you that you will not regret what you pay to obtain your right. I promise and also remind you to start saving money for old age because surviving on monthly wages or salary will never get you anywhere after paying your tax. Think about it. Time wait for no one. I want the best for you and will never oppose the rules and principles of any laws. I am an honest and legitimate person, just as you are. Try to convince yourself. Hope we can still talk on the mobile phone or WhatsApp. I am sure they will love us - 100% safe. Very respectful, Henry Chidke, executive vice president and promotion. 

Joe Carrigan:  This is brilliant. I mean, it's so bad. First off, the amount. Do you think the amount has anything to do with - to make it more believable? It's 3,899,000... 

Dave Bittner:  Well, I think people tend to be attracted to very specific numbers rather than just big round numbers because that makes them think that there's something more to this. The specificity of it I think is... 

Joe Carrigan:  Right. 

Dave Bittner:  ...Is a factor. 

Joe Carrigan:  Also in the middle of this, there's an attempt to isolate the person. Stop looking for advice from who is holding you back on this. The domestic enemy is everywhere. 

Dave Bittner:  (Laughter). 

Joe Carrigan:  So, I mean, they're really trying to turn you against your family here. Don't listen to those people. They don't know what's best for you. 

Dave Bittner:  Yeah, yeah. I like that right in the middle of this, they just drop a, hope you're not infected. 

Joe Carrigan:  Right (laughter). 

Dave Bittner:  It's like, listen, guys; we've got to drop some COVID-19 stuff in here. That's the... 

Joe Carrigan:  Right, keep it current. 

Dave Bittner:  That's the hot thing right now, yeah. 

Joe Carrigan:  Keep it current. 

Dave Bittner:  Yeah, right. Exactly. Oh, boy. All right, well, that is a fun one. And thanks to that Reddit user for providing that and sharing that with everybody. That was a fun one to read. And that is our Catch of the Day. 

Dave Bittner:  Joe, you recently checked back in with Kurtis Minder from GroupSense. You had a few questions, some follow-ups. 

Joe Carrigan:  I did. When we first interviewed Kurtis in the "Wallet Inspector" episode, Kurtis said $1.5 trillion is the annual amount of cybercrime that goes on, and I thought that was a very large amount. So Kurtis and I had the opportunity to discuss that and break that amount down a little bit. It's a pretty good interview. 

Dave Bittner:  All right. Here's Joe's conversation with Kurtis Minder. 

Joe Carrigan:  I'm joined today by Kurtis Minder. He's the CEO of GroupSense, and he is a previous guest on "Hacking Humans." And during the course of that interview, Kurtis said something that kind of piqued my interest, and he said that the cybercrime economy was over $1 trillion. 

Joe Carrigan:  The report you were referencing is actually a report from Bromium, which has since been acquired by Hewlett Packard. And the report is called "Into the Web of Profit," and it came from Dr. Michael McGuire and was sponsored by Bromium, actually, from 2018. Why don't you walk us through that report? 

Kurtis Minder:  You know, it makes some broad-brush claims about the categories of where cybercrime is occurring. But the larger number that we're talking about that comes out of that report and the one that I referenced in the previous episode, I actually sort of made a conservative version of that of $1 trillion, but the number that's referenced in the report is $1.5 trillion. And again, that was in 2018. Like I said, they pull that number from several broad categories of different kinds of cybercrime. 

Joe Carrigan:  To put that in perspective, the reason I found that shocking was $1.5 trillion is larger than all but twelve countries' GDPs. So if you're a country with an economy smaller than South Korea's economy, your economy is smaller than the cybercrime economy - the global cybercrime economy. 

Kurtis Minder:  Yeah, that's - I mean, to put it into that perspective, that's absolutely mind-blowing. But, you know, seeing what we see every day, I believe the numbers. You know, I can't say it's a hundred percent accurate, but it's believable. 

Joe Carrigan:  So in the introduction of this report, there is a great table that breaks it down into some very broad categories, like you said. Number one is the illicit and illegal online markets, and that is about $860 billion a year. And that is the darknet markets that you were talking about earlier, correct? 

Kurtis Minder:  Right. And I think the point when we say broad categories, you know, the types of transactions that occur there do have what we would be, you know, familiar with as the typical enterprise data theft, monetization scams. But there's all kinds of other cybercrime that occurs there that has a monetary value attached to it, and that ranges from human trafficking to traditional crime and what I would call "kinetic threats." So it's a broad category. 

Joe Carrigan:  Right. It also includes the illicit drug market that's conducted on a lot of these marketplaces as well. 

Kurtis Minder:  Exactly. 

Joe Carrigan:  And then the next one down here is IP and trade theft. That was half a trillion dollars in trade secret and IP theft. 

Kurtis Minder:  Yeah. And we do quite a bit of this IP monitoring for enterprise clients, specifically high-tech manufacturers. And this number is - it's huge. But the amount of transactions we see in just our customer base that occurs, a lot of it occurs in illicit marketplaces in China, where it's very common for these types of transactions to occur, or they're actually either traded or sold - the intellectual property. So it's a believable number. 

Joe Carrigan:  What are they trading when they're on these marketplaces? 

Kurtis Minder:  It ranges from counterfeit to, in some cases, we have a handset manufacturer as a customer that manufactures mobile phones. Someone is basically getting high-resolution photos of components during the manufacturing process and trading those basically circuit board designs in these underground markets. 

Joe Carrigan:  So some of your customers are actually very interested in protecting themselves from counterfeit goods - right? - and that would include drug manufacturers and these cellphone manufacturers we just talked about. That information is very valuable to the people that own it, and having it leaked out can be devastating. 

Kurtis Minder:  Yeah. I mean, as you know, the mobile phone business is - just to highlight that first, quickly - is very, very competitive. And getting a device out with some surprise - the new features or the capability of the camera, all of these things are very secretive (laughter). And a lot of these folks are having these devices manufactured in a lot of the same places. And with the drug scenario, we're talking about large pharmaceuticals who certainly want to know when their drugs are being sold illegally, especially at a volume level. And even more what we care about, if the drugs that are being sold are counterfeit and have their name attached to them, that's a very important use case for them. 

Joe Carrigan:  The next big topic here that they break it down is data trading. And they lump this together with carding sites, stolen credit card data, banking login credentials, loyalty programs and all that. They estimate that market is $160 billion a year, which is remarkably big for - that is far more than I would've thought for carding. 

Kurtis Minder:  It's carding and data in general. The amount of breaches that we hear about, you can imagine the amount of data that is available for sale. Some of that is useful and some of that is not. I actually think that this number doesn't fully capture the risk associated with this, because take, for example, the SBA PPP program or the stimulus package that just came out for COVID. The fraud that will be perpetrated against that program will likely be powered by the data that people are buying from this $160 billion underground trading market of enterprise data. So that data is going to empower the fraud campaigns against the stimulus package to the banks, et cetera. 

Joe Carrigan:  So this is where trading in fullz comes into play - F-U-L-Z (ph). That is the full collection of personally identifiable information, PII, about an individual. That's going to come in really, really handy in stealing these stimulus checks or scamming somebody out of these stimulus checks. 

Kurtis Minder:  Yeah. At the individual level, those types of dumps are absolutely a weapon to commit fraud. The enterprise data is also valuable. So if you think about if you were going to apply as a business for a loan, having all of the information around an enterprise to fill out a false application and then have that money routed to another account is also a typical fraud use case. What we've actually seen as part of the fraud use cases, which is part of this underground crime economy, is they're selling fraud kits where they combine the data that is necessary to fill out, like, for instance, a loan application, and then the instructions on how to take that money and walk away anonymously. And so they'll sell the whole kit - the stolen PII or the stolen enterprise data plus the loan application instructions plus the how do you get the money where you need it sort of thing. 

Joe Carrigan:  You know, one of the things that's missing from this that I don't really see on here is the individual scamming numbers. And I'm not sure that there's any good way to capture that information. First off, it would require the capturing of information from all over the globe about everything that - about every fraudulent phone call that's going on. And I also think there's a huge portion of the scamming economy that is just not reported - that goes unreported. 

Kurtis Minder:  Yeah, and a lot of it, like you said, just gets ignored in the noise. But you're right. It's not captured in the report, at least not from a line item perspective, and it's massive. And similar to the fraud use case, a lot of the data that we're seeing traded and sold or dumped in these markets is also being used to facilitate or empower the scamming enterprise as well. 

Joe Carrigan:  You know, there's another data point on here that is kind of shocking to me, and that is that ransomware only accounts for $1 billion in annual revenues. 

Kurtis Minder:  Yeah. I suspect that that number is - that's in 2018. Again, surprisingly low, I agree. But I suspect that number is quite a bit larger in 2020 (laughter). 

Joe Carrigan:  Right. 

Kurtis Minder:  But also, a lot of the ransomware stuff, for many years, goes unreported. Almost like the scamming scenario, a lot of folks don't report it, especially if they are able to recover quickly with a backup. And a lot of times, sadly, the ransom just gets paid and no one talks about it. I think that number is going to be hard to quantify going forward. 

Kurtis Minder:  I do know that one of my theories is on dwell time is, you know, you've got all of these ransomware and phishing campaigns that are leveraging the COVID pandemic that have been carried out over the last, let's say, 30 to 45 days. So if you think about the cyber dwell time of a threat actor inside someone's network, you know, it depends on which report you read, but it's somewhere in the 80- to 85-day range I guess is what people are saying now. 

Joe Carrigan:  Yep. 

Kurtis Minder:  So I suspect, with all logic, it would say - let's say 40 days or so, we will hear about a lot more breaches in ransomware attacks all at once. 

Joe Carrigan:  Kurtis, this is a lot of money to be moving around. Do you have any idea how these guys move this stuff around without attracting attention, or do they care even? 

Kurtis Minder:  Obviously, the players who are dealing in volume dollars, they're all transacting in a cryptocurrency of some kind. The typical threat actor is laundering that money either through moving it through several different cryptocurrency platforms and/or coin systems. So they will convert from some fraction of the money from bitcoin to Monero and then bitcoin to Litecoin and then Litecoin back to bitcoin, et cetera, and they'll do this several times. And in the process, it becomes very hard to track from a digital wallet perspective. Even the most sophisticated systems would have trouble with that. 

Kurtis Minder:  The other thing that we've seen is a fair amount of traditional money laundering services being marketed to those sellers by other threat actors saying, like, look; I own a legitimate business. This is what we do. And for this percentage, we will take a purchase from you, run it through our business and then, you know, give you the net cash back. There are actual threat actors who are actually using those darknet markets to sell to the bad guys, saying, like, I'm going to help you get your cash out of the system. 

Joe Carrigan:  So what's important to note about this report is that this $1.5 trillion is just the money that these malicious actors get, right? It doesn't have any of the recovery costs associated with it, correct? 

Kurtis Minder:  Right. So this is really focused on how much money these guys are making. Like, you were referencing it to or comparing it to, like, a GDP. So it's income, if you will. What I think is important to also note is what is the impact of that cybercrime economy on everyone else. What is the cost, 'cause the cost is going to outweigh the net income from these guys by a lot. If you look at the average cost of a breach, which, you know, depending on who you are, if you're a bank or whatever, those numbers vary, but they're pretty big numbers typically. And Accenture and the World Economic Forum did a study last year that sort of illustrated that they thought that the damage from the cybercrime economy specifically was around $5.2 trillion. So it's significantly more than the economy itself. 

Joe Carrigan:  That damage number, again, putting that in GDP perspective, only the U.S. and China have bigger GDPs than that. 

Kurtis Minder:  That's mind-blowing, absolutely mind-blowing. 

Joe Carrigan:  That's a lot of damage. 

Kurtis Minder:  Exactly. 

Dave Bittner:  All right. Well, interesting stuff. And, boy, Kurtis lays it all out there. 

Joe Carrigan:  Yeah. 

Dave Bittner:  In some ways, I suppose it's as bad or worse than what we suspected. 

Joe Carrigan:  Right (laughter). It's worse than we knew. 

Dave Bittner:  (Laughter). 

Joe Carrigan:  I didn't know that was possible, but it is. It's much worse. The $1.5 trillion is a huge amount, and this report does a really good job of breaking it down. 

Dave Bittner:  Yeah. 

Joe Carrigan:  Now, the vast majority of that - more than half of it - is actually $860 billion in illegal trade. And that includes things like the buying and selling of illicit acts and illicit property - those kind of things - dark markets. And I'm surprised that that's as big as it is. Another 500 billion in IP theft, including counterfeit goods like phones and - this is absolutely terrifying - drugs - counterfeit drugs. There's a reason we have the FDA, right? And every country on the planet has something similar to it that assures that the drugs you're getting are tested and they actually have a real benefit. And a counterfeit drug is, I think, just one of the most dangerous things you can introduce to the marketplace. There is absolutely nothing that stops somebody - some malicious actor from pressing out pills that look like, let's say, my blood pressure medication, right... 

Dave Bittner:  Yeah. 

Joe Carrigan:  ...But actually aren't. They're just sugar pills. And that's a good scenario - right? - where they're harmless. 

Dave Bittner:  (Laughter) Right. They're not rat poison. 

Joe Carrigan:  They're not rat poison, exactly. They're not strychnine. 

Dave Bittner:  Yeah, yeah. 

Joe Carrigan:  And that's really a good example, is that they used to use strychnine as a heart medication. I don't know if they still do. But in the days before nitroglycerin, they had to - they used strychnine, which is a rat poison. In fact, warfarin, which is a blood thinner, is also used as rat poison (laughter). That shows one of the other risks, is that warfarin is a very effective blood thinner, and it has advantages over other blood thinners, right? I'm not going to go into the details of it, but it has a clinical, medically usable dosage. And if you exceed that dosage, you can kill rats with it, and you can actually kill people with it. And the way it kills rats is it causes them to - their blood to become so thin that they bleed out internally from any kind of contact. That's how it works. I'm not trying to scare anybody here. 

Dave Bittner:  Too late. 

Joe Carrigan:  But man, the idea of counterfeit drugs just terrifies me to no end. But let's move on - trading in printed circuit board designs. So one of the big issues with an international economy is that when you send your design to be printed up somewhere else - and printed circuit board is essentially a technique for making a - cheaply and efficiently making these devices. Now, if you've ever opened up a device - I know we try not to get too technical on this show, but if you've ever opened up any device and you see one of those big green boards inside that has all these chips printed to it, that's a circuit board, a printed circuit board. 

Dave Bittner:  Yeah. Sure, sure. 

Joe Carrigan:  And those designs are proprietary. If I have a design for, like, let's say an IoT device, and I send that to China to be manufactured, there's not a lot of ways I can prevent an employee of that manufacturing firm just taking a picture with his iPhone, which is a high-resolution camera, right? These camera phones have gotten to be remarkably good to the point where they're filming movies on iPhone cameras. And the Google Pixel cameras are also remarkably good as well. So just taking a picture on an assembly line can get me enough information to understand what's going on on this circuit board. And then that becomes valuable and tradeable in the darknet. 

Joe Carrigan:  Data trading is actually a very small amount, only $160 billion. I found that interesting. That's still a lot of money, but it kind of shows you how little our data is traded for on the market. This information, like the information that somebody bought that contains your dad's data, is cheap and easy to acquire. And then if you want to know how to do it, it costs you $20 to $30 for a full kit that will walk you through the entire process of scamming people out of money and then laundering that money. 

Joe Carrigan:  Ransomware is small but probably very unreported. Like I've said before, I'm fascinated by laundering, money laundering. And one of the things that Kurtis said here was how money is moved through different cryptocurrencies. Tracing transactions across a single cryptocurrency with a public blockchain like Bitcoin is relatively easy, right? I can see where that money goes, and I can apply banking laws to say, you know, the first piece of dirty money that comes into that account means the next money that comes out of there is dirty as well, right? And I can do that. And that kind of helps when it comes to, like, tumblers and things like that. But tumblers do make it harder. But switching between cryptocurrency, like he says, going from bitcoin to Litecoin to Monero, now it's become almost impossible to trace it. It becomes very difficult. 

Joe Carrigan:  And finally, the last point I wanted to talk about was his - Kurtis' mention of the Accenture report - I think it was Accenture - that said they're estimating that the damages from cybersecurity losses were 5.2 trillion in 2019. Now that's 3.5% of global GDP in 2019. That's a huge percentage. So it makes me think that cybersecurity spending is kind of worth it, right? Now, I might be biased, but I think it's worth it. 

Dave Bittner:  (Laughter) Yeah. 

Joe Carrigan:  But I want to thank Kurtis for coming back on and clearing up some things for me and showing me this report actually. It's the Bromium report. Bromium has since been acquired by HP, but you can still find it online. It's an interesting report. Check it out. And thanks again to Kurtis. 

Dave Bittner:  Yeah, yeah. Thanks so much to Kurtis Minder for joining us. And, of course, we want to thank all of you for listening. A quick program note - listeners of this show should check out our new "CSO Perspectives" podcast. That's hosted by Rick Howard. He is the CyberWire's chief analyst. He's got a recent episode that explores the dark web, and that should be a particular interest to the listeners of this show. You can check that out on our website, thecyberwire.com. It's "CSO Perspectives." 

Dave Bittner:  Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner:  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan:  I'm Joe Carrigan. 

Dave Bittner:  Thanks for listening.