Hacking Humans 7.2.20
Ep 105 | 7.2.20
Because they deserve the money!
Transcript

Aviv Grafi: That email was a UPS invoice that was sent to them. And that suspicious invoice actually looks completely normal.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Aviv Grafi from Votiro. He's going to be describing a multistage attack that uses a zero-day exploit to deliver a Trojan, so be sure you stick around for that. 

Dave Bittner: All right, Joe, we've got some follow-up here to start today's show with. Let me go and read this here. We had a gentleman named Rodney (ph) wrote in, and he said, (reading) on the podcast today, you were discussing the reuse of phone numbers and how someone inadvertently took over someone else's WhatsApp account. Joe mentioned that he felt there was some technology that WhatsApp was not utilizing that could avoid this from happening on reused numbers. I would say that I agree based on my recent experience with changing iPhones. Work recently issued me a new, upgraded iPhone. I restored the new phone from a backup of my old phone and moved the existing SIM card to my new phone. Even with all of that, Facebook Messenger deregistered my phone number, as well as some other products, such as Duo, knew I had a different phone. I had to go back and reregister my number with those applications. Therefore, I believe Joe is correct in saying that there's something they could do to keep this issue from recurring on phone numbers that are recycled. Just wanted to let you know I believe Joe was right. 

Dave Bittner: Oh, my. 

Joe Carrigan: I think we should get stickers printed up that say, Joe was right. 

Dave Bittner: (Laughter). 

Joe Carrigan: This is interesting. I use Duo occasionally. Duo is the video chat application for Android. Facebook Messenger is my main communication channel with a lot of my family members. I've often said that I would get rid of Facebook tomorrow if I didn't have all this stuff going on with my family that I keep on Facebook Messenger. In fact, I've uninstalled Facebook, the actual app, from my phone and only have the Messenger app just to stay in contact. 

Joe Carrigan: But it's interesting that Facebook and Duo both recognize that it's a new phone, probably because they - when he signed in to these apps, they downloaded some kind of key that was not backed up, and when you come on with a new phone with the same phone number, that key is not present, and Bob's your uncle. There's your solution, right? 

Dave Bittner: Yeah. 

Joe Carrigan: But WhatsApp apparently is not doing that. 

Dave Bittner: Yeah, yeah. Interesting. 

Joe Carrigan: Or at least allowing the user the ability to disable it, which they should not do. 

Dave Bittner: Well, thanks to our listener Rodney for writing in, despite everything I'm going to have to endure for the next few weeks... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Now that someone has told Joe that he was right about something. But we do appreciate everybody writing in and sending us things, so thanks for that. 

Dave Bittner: Let's get started with our stories this week. Mine comes from an online site called Security Affairs, and it's titled "New Shlayer Mac Malware Spreads Via Poisoned Search Engine Results." I have to say the name of this reminds me of, like, an old '70s impersonation of Sammy Davis, man. It's the Shlayer Mac malware. This is from researchers at the security firm Intego. They've seen a new variant of this malware that's targeting Mac folks. 

Dave Bittner: Let me just start that, you know, as a Mac user, I'd say that I'm certainly guilty, as many of us are, of smugly reminding anyone who will listen about how comparatively safe we are over on Planet Mac that... 

Joe Carrigan: Yes. 

Dave Bittner: ...You know, fewer bits of malware target us. And this is a good reminder that we're not in the clear. There are some types of malware that target us. This one is interesting because what it does is it convinces the user that they need to update their Flash Player. Side note, Adobe is end-of-lifing Flash Player at the end of this year, so you will not be able - it will be unsupported. You will not be able to download it. They basically said... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, this is it for that. 

Joe Carrigan: It's about time, too. 

Dave Bittner: But in this case - it is. It is, yeah. The time has come. They convince you to download Flash Player, and a disk image mounts, and it displays instructions on how to install it. From a user point of view, you don't know that this isn't a legit copy of the Flash installer. But when you launch the installer, it opens a fake installer that's actually a bash shell script. Joe, can you give me a quick explanation what that is? 

Joe Carrigan: Yeah, absolutely, Dave. A bash shell script in the Mac world - you've got to remember that Mac is based on a distribution of BSD called FreeBSD. Years ago, they forked it off of FreeBSD and then put all their own stuff on it. And a lot of companies do this. Like, PlayStation is built on FreeBSD as well. And the license lets you do this. But because that means it's essentially a variant of Linux because the BSD lineage goes all the way back to Linux, you can run these scripts on there, which are just essentially an order of commands. So if you think of it in the Windows world, it's the same thing as a .bat file. And in Linux, they're also called bash shell scripts as well because the shell is ported over to Linux. It works exactly the same. 

Dave Bittner: Yeah. 

Joe Carrigan: Basically, all it is is it's just an automated list of commands that the computer runs. And if you're logged in as an administrator, it runs them as an administrator. 

Dave Bittner: Well, so what this script does is it installs this Mac app into a hidden temporary folder. Then it launches the app. It quits the terminal. Meanwhile, it is actually downloading and executing a legitimate Flash Player installer from Adobe. 

Joe Carrigan: Really? 

Dave Bittner: So when you're - yeah. So while you're on your Mac, this Flash Player installer is basically serving as misdirection, right? It's in the foreground. And in the background, this script is running to install the malware. 

Joe Carrigan: That's interesting. 

Dave Bittner: Yeah. Now, the malware - it seems as though that this is mostly going to install adware, which it's another interesting part of this story. It's been my experience, and the folks I've checked with who know about malware on the Mac side - it seems as though the vast majority of the stuff going on on the Mac side is adware. 

Dave Bittner: We talk about my dad fairly often here, but... 

Joe Carrigan: Yep. 

Dave Bittner: ...He fell victim to this one time. He had adware on his Mac. It was hard to remove. It did not want to let go. It didn't want to remove its hooks from his system when I discovered that it was on there. 

Joe Carrigan: Yeah, I imagine they could be difficult to get rid of sometimes. 

Dave Bittner: Well, and another detail about this is that, evidently, they're finding victims by poisoning search results. If you're searching for the name of a particular YouTube video or - they've got many search terms that they've put in there, and you could accidentally find yourself being hooked by this fake Flash Player installer. 

Joe Carrigan: Yeah. Yeah, it's scary. Yeah, they're using search engines like Google, Bing, Yahoo, DuckDuckGo, Startpage and Ecosia. They're reaching far and wide with this, which is impressive. 

Dave Bittner: Yeah. 

Joe Carrigan: And these ads are not free. They're cheap, but they're not free. 

Dave Bittner: Yeah, so they must be getting a return on that investment. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. So I would say, you know, recommendations here is just if anything - anything having to do with Flash Player, at this point, move on. Don't install. 

Joe Carrigan: Yeah, move on. HTML5 does a lot of what Flash did, and we're pretty much, I mean, to the point where Adobe recognizes it's no longer a necessary product. It doesn't do anything. It doesn't add any value. It's gone. It's time to stop using Flash. But don't worry. Once Flash is gone, these guys will come up with another thing that you need to update and... 

Dave Bittner: (Laughter) Right, right. That is my story this week. Joe, what do you have for us? 

Joe Carrigan: My story this week comes from Naked Security, and it is called - we'll put a link in the show notes. It's called the "Anatomy of a Survey Scam - How Innocent Questions Can Rip You Off." Now, Dave, we spend a lot of time on this show talking about various ways that people get hooked. You know, obviously spend a lot time about phishing. But these surveys - you know, early on in my internet usage - I kind of have a special, dark place in my soul for these things because I used to say, oh, wow. Look; I can get some kind of benefit from this. And very quickly, I realized this was just a scam. And they were almost always scams. 

Joe Carrigan: And this is from Paul Ducklin, and he is talking about one of these survey scams that he examined. Now, normally, they - a survey will offer you something like $5 off your next purchase - right? - or some free product of modest value when you order next. 

Dave Bittner: Yup. 

Joe Carrigan: But scammers, he says, have much bigger goals. So watch out for the catch. There's always some kind of catch. 

Joe Carrigan: And the survey that he's working on here, this fake survey, was from Bunnings Warehouse, which is essentially like a Home Depot in Australia. It starts off as an email, and it has a unique code and might have your name in it, I guess, but that's blacked out here. But it says you're going to get up to a 95% discount, which is great. And then when you start the survey, sure enough, you're going to a fake website that looks exactly like the Bunnings Warehouse website. And there's even some Bunnings employees with their hands raised up, and they're talking about you're going to get up to a 95% discount. And you start the survey. You click start. Then they start asking you questions - right? - like, are you male or female? How many times do you shop at a grocery store? Which of the following would you expect to improve customer service the most? And depending on how you answer the question will actually dictate whether or not you get further questions. But at one point in time, there is a message where it says that the server is compiling the survey results, right? And we've talked about this before, where you see something on a website where it says, computing, computing, right? And there's a little progress bar that's going across. 

Dave Bittner: Right, right. 

Joe Carrigan: There is absolutely nothing on the internet that takes that much time to compute or to find. If you go to Google and you type in whatever you're going to search for, those results come back instantaneously. And computers are very good at figuring stuff out really, really fast. So this is just something to get you to sit around and wait and build suspense. 

Joe Carrigan: And then one of my favorite parts of this is that at the bottom of the screen, while it's doing that, it says, there are 38 visitors on this page but only six rewards left, right? So now you're thinking, oh, I hope I get one of these rewards. There's, like, a 1 in 6 chance - a little bit worse than a 1 in 6 chance of me getting a reward. And then, at the very end of this, it tells you you're one step away from getting your iPhone 11 Pro for $1, which is interesting that an Australian company would be selling an iPhone 11 Pro for $1 instead of AU$1, right? But they are. They're selling it for $1. And then if you come back - they came back again, and they were giving away a Samsung Galaxy S20 for $1 as well. They even let you pick your color of the device, despite the fact there's only one of them left, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: So you could pick the black, the pink or the blue, but they only have one, so how do they do it? 

Joe Carrigan: Well, of course, Naked Security is saying this is, of course, a scam. Nobody gives away a $1,000 phone for free for taking a survey. It just doesn't happen. And when you get down to the bottom of it, you find out what they're after, right? They want your first name, your last name, your address, your phone number, and then they want your credit card number, right? So it's really just a way to get some information that's marketable and then steal your credit card information. 

Dave Bittner: Wow. 

Joe Carrigan: That's the endgame here for these guys. 

Joe Carrigan: And, of course, Naked Security has some advice here. Watch out for obvious telltales of fakery. Genuine surveys do exist. I say don't even take the genuine surveys. That lets people build profiles of you. Don't do that. Just avoid surveys altogether. Bait-and-switch tricks like this one here where they say you're going to get 95% off and all of a sudden, you're going to get a free cellphone, that should set off red bells. And there is no free iPhone, Android, tablet or laptop. It's just a scam. 

Joe Carrigan: Interesting that it comes through with a phishing email first and then takes you to a website that is a clone, you know, or a well-designed website. I'm looking at the actual website pictures they have here, and it really does look like it could be believable as a Bunnings Warehouse website. I've been to the actual Bunnings Warehouse site, and it looks very similar to this. So it's a good scam. It's a well-set-up scam, but it is just that - just a scam. 

Dave Bittner: Yeah. And I suppose part of why it works is they spend so much time stringing you along and building that anticipation, and building and building and building that when the time comes for them to make the ask to provide your credit card information, you feel like you've got something invested here and you may get a great reward from it. Well, it's a good story. Of course, we'll have links to all of the stories in the show notes, but now it's time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: Our Catch of the Day this week comes from someone who goes by the name Laura (ph). They sent this to us. And I tell you what, Joe. I will play the part of the scammer. You can play the part of the person who they're trying to hit up here, who I suppose is Laura. 

Joe Carrigan: Right. 

Dave Bittner: Let's see. In terms of voices this week - I'll tell you what. I'll let you choose, Joe. What shall I do this week? 

Joe Carrigan: Old man, Dave. 

Dave Bittner: All right, here we go. 

Dave Bittner: (Imitating old man) Hello. 

Joe Carrigan: Hello. 

Dave Bittner: (Imitating old man) How are you doing today? 

Joe Carrigan: I'm doing all right. You? 

Dave Bittner: (Imitating old man) Same here. Hope you're staying safe over there. 

Joe Carrigan: Thank you. Same to you. 

Dave Bittner: (Imitating old man) I always stay safe. I have good news to share with you. 

Joe Carrigan: Oh, yeah? 

Dave Bittner: (Imitating old man) Have you heard about the good news about the WCAB? 

Joe Carrigan: No. 

Dave Bittner: (Imitating old man) I got $150,000 U.S. cash from the federal government of Workers' Compensation Appeals Board. That's the WCAB. They're helping the old - that's me - the young, the disabled, retired - also me - citizens workers, and I also saw your name there as well that you are also entitled to the money. Did you get the money, too? 

Joe Carrigan: I bet I have to pay money to get it though, huh? 

Dave Bittner: (Imitating old man) Just the delivery money - that's all. You will get it delivered to you within three to four hours. 

Joe Carrigan: What kind of delivery am I paying for, a postage stamp? 

Dave Bittner: (Imitating old man) No, just delivery and certificate, too. 

Joe Carrigan: Can you clarify? 

Dave Bittner: (Imitating old man) Just text the agents and follow their instructions. 

Joe Carrigan: I'm not a big fan of money, but texting seems like an odd way to contact a legitimate government agency, don't you think? 

Dave Bittner: (Imitating old man) Yes, I know, but you're free to call them. 

Joe Carrigan: How do I know I can trust you? 

Dave Bittner: (Imitating old man) Oh, don't worry. Just text the agent. Everything will be good, I promise you. 

Joe Carrigan: That doesn't answer my question. 

Dave Bittner: (Imitating old man) They will just send you a - info to fill. Just follow their instructions and keep me updated. 

Joe Carrigan: I bet they'll ask for my credit card info. 

Dave Bittner: (Imitating old man) No, not at all. 

Joe Carrigan: What will they ask for? 

Dave Bittner: (Imitating old man) Just know that you will pay for delivery money. That's all. 

Joe Carrigan: And then there's, like, three pictures that look like they may be from an FBI seizure site or something - just bundles of cash. 

Dave Bittner: Stacks of cash. 

Joe Carrigan: All $100 bills, yes. 

Joe Carrigan: I need you to tell me all the steps you went through before I do it. I can't trust that this is real otherwise. 

Dave Bittner: (Imitating old man) They just said I should fill some info and I get my money delivered to me after I send all the info. 

Joe Carrigan: What info? 

Dave Bittner: (Imitating old man) Just your address info, et cetera. 

Joe Carrigan: Address and what else? 

Dave Bittner: (Imitating old man) Well, a full name, full home address, date of birth, married, single, form of payment, nationality, occupation, Facebook email, password, worth of income, do you own house, rent or credit report (ph), name of next of kin - that's what they sent me. 

Joe Carrigan: Why would they need my Facebook password? Seems like they'd try to break in, steal my photos, then set up an Instagram to try to scam people I barely know from high school. 

Dave Bittner: (Imitating old man) Just give them your email. They only need all those information for security reasons. 

Joe Carrigan: Why is this so much more complicated than getting the stimulus checks? Those didn't require all this information. 

Dave Bittner: (Imitating old man) Yes, I just inform you if you have interest. 

Joe Carrigan: But I don't understand. 

Dave Bittner: (Imitating old man) But saw your name on the list of people entitled to get the money when I got mine. You can get the money, also. It's not a loan, and you don't have to pay it back. 

Joe Carrigan: Yeah, but why is the process different from the process of getting a stimulus check? I didn't have to text anyone or give them my Facebook password. 

Dave Bittner: (Imitating old man) Try this. Is not how you think is complicated, I promise you. 

Joe Carrigan: That doesn't answer my question. 

Dave Bittner: (Imitating old man) If you can't fill the info, just contact the agent and send them your address. Only they will deliver it to your doorstep. 

Joe Carrigan: The government is so busy dealing with the pandemic right now, but they're going to hand-deliver me money? 

Dave Bittner: (Imitating old man) The FedEx will deliver it to you. 

Joe Carrigan: That seems unsafe to send wads of cash through the mail. What if it gets stolen or lost? 

Dave Bittner: (Imitating old man) No, nothing will do your money. It's well safe from the FBI. 

Joe Carrigan: Wait; is the FBI working for FedEx now? 

Dave Bittner: (Imitating old man) Yes, they're helping them with the WCAB money. Should I share the agent contact with you now? 

Joe Carrigan: No, I have more questions. 

Dave Bittner: (Imitating old man) What's that? 

Joe Carrigan: I'm so mad that the FBI is working with FedEx. Don't you think it's a waste of taxpayer money? 

Dave Bittner: (Imitating old man) Not that they're working with them. They'd like that much, but they will just escort them to the winner's doorstep so your money can be deliver without any errors. 

Joe Carrigan: Wait; am I a winner? I thought everyone was getting this money. Is the government doing raffles now? 

Dave Bittner: (Imitating old man) No, it's for those who qualify for the money. 

Joe Carrigan: But why'd you call them winners then? 

Dave Bittner: (Imitating old man) Because they're entitled for the money. 

Joe Carrigan: Why am I entitled to the money anyway? 

Dave Bittner: (Imitating old man) Why are you asking so much question? I am tired. 

Joe Carrigan: Because I need to have all the information before I go through with this. It's so weird that they had you tell me about the money rather than contacting me themselves. 

Dave Bittner: (Imitating old man) They can't text you by themselves. They only contact you through friends, though. 

Joe Carrigan: Why can't they contact me some other way? I haven't even heard about this on the news. 

Dave Bittner: (Imitating old man) Let me know if you don't have interest - OK? - because I'm tired. All my friend who got their own money without stressing me at all. 

Joe Carrigan: Yeah, I'll bet you didn't. Scamming people isn't cool. You probably should've realized I was onto your little scam, like, 30 messages ago. 

Dave Bittner: (Imitating old man) Bye. 

Joe Carrigan: Bye. 

Dave Bittner: (Laughter). 

Joe Carrigan: Well, thank you, Laura. 

Dave Bittner: Yeah, thank you, Laura. That was a fun one. 

Joe Carrigan: That's right. 

Dave Bittner: Obvious what's going on here - an advance-fee scam. 

Joe Carrigan: An advance-fee scam, exactly. It's the same as the Nigerian prince scam, except now they're saying it's from the U.S. government, and all they're going to do is ask you for money. If you give them money, all they're going to do is ask you for more money and continue to promise your money. 

Dave Bittner: Yeah. 

Joe Carrigan: It is another sunk cost-type scam where people sadly fall for this. Don't fall for it. It is never real. The government does not give out wads of cash as payments. 

Dave Bittner: (Laughter). 

Joe Carrigan: They will - if they're going to give out large amounts of money, they're going to send it to you in the form of a check or deposited directly into the bank account that you have with - registered with the IRS. 

Dave Bittner: Yeah. 

Joe Carrigan: They do not do this, ever. 

Dave Bittner: All right, well, our thanks to Laura for sending that in. That is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Aviv Grafi. He's from an organization called Votiro, and he joins us to describe a multistage attack that's using a zero-day exploit to deliver a Trojan. Here's my conversation with Aviv Grafi. 

Aviv Grafi: We found a suspicious email on one of our partners' environment that looks weird. It flagged some alert in environment, and we took a look into that. And we actually - we found it wasn't a one-off. And as long as we started to investigate more, we found this to be a recurring pattern that we found to be very, very exciting. 

Dave Bittner: Well, let's dig into it together. Can you take us through it step by step? What did you discover? 

Aviv Grafi: First, there was a report from one of our partners and users saying that he got a suspicious email that bypassed all their detection system, and that email was a UPS invoice that was sent to them. And that suspicious invoice actually looks completely normal. In fact, he couldn't say that this was a malicious one. And when he first sent that to us, we said, yeah, actually, this looks genuine at first sight. 

Aviv Grafi: Once we got that first sample of that suspicious email, we started to look into that. And we found that after analyzing the exact payload that it was an invoice with attached Excel spreadsheet. That Excel spreadsheet's something that we never saw before because it actually contained a hidden payload, hidden Macro for any detection system out there that's trying to analyze that. In fact, when you're running the standard tools in the industry, you get an error saying there's nothing there. And that actually brought our interest even more. 

Dave Bittner: Well, how were they going about that? How were they able to hide something from these tools that were looking for it? 

Aviv Grafi: So, in fact, they were reutilizing a technique that was introduced in the industry last year in Black Hat event back at Asia called Evil Clippy. And Evil Clippy - and credit to the author that made that - you could find it online. That's a technique that actually leveraged the fact that Macros that can be hidden in a certain way that Excel and Word in Office can still open those, but any detection system are confused because of the malformed structure of those Macros. 

Dave Bittner: I suppose there are people out there with a history with Clippy who would say that all Clippys are evil. 

(LAUGHTER) 

Aviv Grafi: Yeah. 

Dave Bittner: But - so someone falls for this. They're convinced by the misdirection. The bad guys convince them to click on things, thinking that they're going to be paying an invoice, or they've piqued their curiosity. This script goes into action, and then what happens? 

Aviv Grafi: So what we found, actually, that was interesting, that the hacker or the group of hackers that are behind this, they try two specific way to try to lure the user to open that document. So one, it enabled an auto-execution Macro, meaning a Macro that auto-execute and download the actual malware from the internet. But the second way - if the user won't be enabling those Macros, there was a button there that actually do the same thing. So if you suspect and say, you know what, I'm not going to enable that Macro, there is a button say, click here to pay your invoice. So once you click that, same thing happened. So there are two... 

Dave Bittner: Wow. 

Aviv Grafi: ...Ways to get the same result, which is the dropper or the actual payload being downloaded from the internet. 

Dave Bittner: And so that dropper, that payload gets loaded on their machine. And then what is that out to do? 

Aviv Grafi: So when we analyzed that URL or that server that was hosted in one of the servers in Russia, when we got to that, it was not very active. We found that domain that - we posted that online. And that was a Dridex banking Trojan that - if our audience is familiar with Dridex, it aimed to steal credentials and do transactions. 

Dave Bittner: Was there a ransomware component here as well? 

Aviv Grafi: So from our analysis, we didn't find any ransomware. The main goal was to steal banking credentials and actually using that for fraud or identity theft. We haven't seen evidence for ransomware, but, of course, this can still happen using the same techniques. So it might be an option for other incidents with those specific hackers. 

Dave Bittner: Did you have any sense for how targeted these folks were, how specific the people they were going after were? 

Aviv Grafi: So from what we've seen, it wasn't very specific. They did use novel techniques, I should say, but it wasn't very specific. Now, what's interesting that we found when we got that first sample, we found that none of the antiviruses and traditional detection out there on VirusTotal could detect any malicious component of that document. So when they were sending that first batch, nothing could stop them at that point. So that was actually the most interesting part. 

Dave Bittner: And has that been updated since then? Where do we stand today with it? 

Aviv Grafi: So, yes. So that specific sample is being flagged by most of the detection system out there, but we actually - we know that it took more than two days - actually 2 1/2 days - for that specific sample to be flagged. And after that, we saw more samples are using the same technique that, again, couldn't be found by the detection systems out there. Because if the audience is familiar with VirusTotal, VirusTotal is the database for all those detection systems or detection techniques to grab signatures from each other. So once one AV can find such sample, the rest are following. So it took at least 2 1/2 days for the first one to find it in the UPS sample and more than half a day on the FedEx sample to be found by the detection system out there. 

Dave Bittner: Well, let's explore that a little bit. I mean, these folks were using different lures. They had a variety of things they were sending out to people. 

Aviv Grafi: Yes, that's right. So we found three different samples. One was a UPS invoice that looked very genuine. Actually, when our team look at that, they were struggling to understand whether this is legitimate one or not. The from address was perfectly forged. In fact, also when we looked at the email headers, we found that it went through one of the - potentially, we thought that it went from one of the UPS servers. So the hackers put a lot of effort in mimicking a real, genuine - close-to-genuine experience. And this is one of the masterpieces I saw recently, to be honest. 

Dave Bittner: So they sent out things from UPS, from FedEx and from DHL... 

Aviv Grafi: That's right. 

Dave Bittner: ...As well, trying to, I guess, cast a wide net. 

Aviv Grafi: That's right. And we saw those techniques, actually - very interesting. As I mentioned, the emails would look exactly as the emails that you will get from those vendors. There was no typos - nothing. The addresses were exactly the same. So, I mean, we're all familiar with those emails that are suspicious or emails that sometimes we get and then they not look exactly as it should be, so we said, OK, we can flag that. Maybe the human eye can detect that. But not for these kind of batches and not for these kind of hackers that actually did a great job, to be honest. 

Dave Bittner: Well, what are your recommendations then? For folks who are looking to protect themselves against this sort of thing, what do you suggest? 

Aviv Grafi: So I would say that detection is getting much harder, even sometime impossible - detection on time. So I would try to look for two things. One is technologies that are more advanced and doing more proactive approaches, like filtering, trying to select only the good stuff out of those emails. I would try to focus on remediation - detection and remediation solutions like we're all familiar with. And, of course, awareness is always a good thing, although we know that it just complements what the technology should provide as protection. 

Dave Bittner: Yeah. I mean, it strikes me as really being a challenging situation here where you might not know that you have a bad situation until you click that button. 

Aviv Grafi: Yes, that's right. That's why some technologists today in the market, they're coping with that by doing a proactive approach. And for example, instead of trying to detect the bad parts in a document, they know what are the good parts and delivering on the good parts. And such technologies exist and evolving. And this is one part of the equation, as I mentioned, for a solution for that. 

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: That is an interesting story, Dave, and there's a number of things I want to talk about here. First, the first-contact phishing email looks very real. It's from an address that is perfectly formed that comes from UPS. There are no typos. It's visually perfect. And somehow, they actually managed to route this message through a UPS server... 

Dave Bittner: Yeah, that's remarkable. 

Joe Carrigan: ...Which - yeah, it is. And then the Excel spreadsheet that it comes with includes a well-obfuscated malicious Macro that was obfuscated using something called Evil Clippy. And you made the observation that all Clippy is evil. 

Dave Bittner: (Laughter). 

Joe Carrigan: But I don't know. Clippy was a little paperclip that would come up and try to help you with your writing when - I think it was Office 95 that came out, right? It was... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Clippy was a miserable experience. 

Dave Bittner: (Laughter). 

Joe Carrigan: But this was released at, I think, Black Hat Asia last year or something. I think Aviv said that. But it - what it does is it does something called code obfuscation. And what code obfuscation is is - it's a field of study, actually. We have some professors who do some work with code obfuscation at Hopkins. And what it is, it's a way to change the code so it still performs the task it needs to perform, but if you analyze the code, you can't really tell what it's doing. And there are different ways of doing this. One of them is cryptologically, so with cryptography. And that's kind of what we study at - or what our professors study at Hopkins. I don't study it. I'm not involved in it. And the other one is just by rearranging the code, and there are other products that actually do this for your code commercially, so it makes it difficult for it to be reverse engineered. Well, that's another useful tool that is being used maliciously here, and it's actually creating a - essentially, a zero-day because this malicious code passed right through every single detection device that was looking at it. Nothing... 

Dave Bittner: Wow. 

Joe Carrigan: ...Picked it up. And then when you get the Excel spreadsheet opened up, even if you disable Macros, you can still run it - run the malicious code by clicking the link. 

Joe Carrigan: So it is a multistage attack. So the step one is you send the phishing email. Step two is the user is hooked by the phishing email, and then they run the malicious dropper. So that's what the Excel spreadsheet Macro is. It's just a malicious dropper. This could actually deploy any kind of malware it wanted. A dropper is something that is a class of malware that goes out to the web and pulls down the malware that the attacker actually wants to install. It's a commodity kind of thing, but this is actually more than a commodity because it's actually well-crafted. The dropper then calls out to the website to get the request to get the software, and then the malicious software does its job. 

Joe Carrigan: And presumably, somewhere along here is some profit that the malicious actor is going to make because a sizable investment has been made in this campaign. I'm not sure what they're going after - maybe just credit card details. Maybe they're actually making fraudulent credit card transactions. What's most concerning to me about this is that it took a couple of days for all the protection software to run through the process of validating this and then pushing out the signatures so that this kind of attack would not victimize their customers. So that means that while that was happening, this attack, for two days, could run unchecked in the wild. 

Dave Bittner: All right, well, we certainly want to thank Aviv Grafi. He's from Votiro. We want to thank him for taking the time to join us and share that valuable information. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: A quick program note - if you're a listener of this show, we bet that you will enjoy our new "CSO Perspectives" podcast that's hosted by the CyberWire's Rick Howard. He is our chief analyst. He's got a recent episode where they explore the dark web. And if you're a listener to this show, I think you'll enjoy that as well. You can check that out on our website, thecyberwire.com. It's called "CSO Perspectives." 

Dave Bittner: Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.