Hacking Humans 8.13.20
Ep 111 | 8.13.20
Flying under the radar.
Transcript

Carolyn Crandall: So it becomes so valuable to not only back up but to be aware even if you do, you still could be exposed for additional extortion.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where, each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Carolyn Crandall from Attivo Networks on why human-controlled ransomware - what they call ransomware 2.0 - is particularly threatening with remote businesses. 

Dave Bittner: All right, Joe, we got some good stories to share this week. I will kick things off for us. This is some interesting research from the folks over at Akamai, actually written by Or Katz, who is someone I've spoken to a few times over on the CyberWire. It's called "Question Quiz - The Forgotten Scam." 

Dave Bittner: The folks at Akamai are revisiting some research that they did back in 2018, which - they were looking at a phishing toolkit which they called the three-question quiz. And this is something that probably most people are familiar with. I suspect anyone who's spent a good amount of time online has come across this. And it kind of goes like this - you'll see some ad pop up or something, and it'll say - in the example they list here, it says, we are pleased to offer all our customers $100 credit, you know, in exchange for answering a few questions. And there'll be varying amounts of money. They'll offer you coupons, this, that and the other thing. 

Dave Bittner: What's interesting is that they aren't really looking for particularly valuable information. The stuff they're looking for is usually your name, your email address, perhaps your phone number. They're not going after Social Security numbers. They're not going after credit card numbers. They're not going after any of those things that are considered more valuable, but that's kind of what makes this campaign interesting... 

Joe Carrigan: Right. 

Dave Bittner: ...Is that because they're not looking for those things, it sort of flies under the radar. 

Joe Carrigan: It might not even be illegal. 

Dave Bittner: Well, that's an interesting point, now, isn't it (laughter)? 

Joe Carrigan: Yeah. 

Dave Bittner: So the folks at Akamai - they dig into the campaign, and they come up with some interesting observations. They point out how the campaign's filtering works. For example, it's looking for people on mobile devices. If you're not on a mobile device, it kind of just sort of moves you along. It doesn't really dig in and try to get information from you. 

Dave Bittner: But the other really interesting thing is that they discovered that, again, because this campaign focuses on information that is not considered highly valuable, it flies under the radar and goes undetected by many of the platforms that people count on to detect these sorts of things. 

Joe Carrigan: Yeah. 

Dave Bittner: So it's interesting to me that, despite what we've seen - I mean, we've tracked how, for example, ransomware campaigns are becoming more and more targeted. They're going after sometimes specific people. The folks who are doing the ransomware will spend time researching an organization. Or once they get access to an organization, they'll spend time within that organization, within their systems looking for particular files, trying to establish how much ransom they can charge... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, that sort of thing. What kind of data can they exfiltrate and hold hostage? But in this case, it seems as though these folks are just happy going after low-hanging fruit, really - easy stuff to get. 

Joe Carrigan: If you think about it, Dave, the information they are gathering is kind of valuable. You know, if you have a list of known good email addresses, that might be of some value to somebody somewhere. And chances are, the people that they're going to be selling that information to are unsavory people. Now, that could be legitimate businesses that we, as thinking people, find unsavory, like mass emailing. 

Dave Bittner: (Laughter). Right. Right. 

Joe Carrigan: I mean, I can't stand that. But, like I said earlier, it's not illegal. I mean, I think maybe saying, you're going to get $100 and then not giving them $100 - that's illegal in a lot of countries, right? 

Dave Bittner: Right. Sure. 

Joe Carrigan: But just collecting people's personal information that they willingly give up in a survey - yeah, I don't know there's a lot that can be done about this. 

Dave Bittner: No. And you bring up a good point that I neglected to mention, which is that you do not get $100 (laughter). There is no... 

Joe Carrigan: Right (laughter). There is no $100. 

Dave Bittner: ...There is no actual payoff here for answering these quiz questions. There is nothing. They basically pass you on to other things and then sort of dump you out into nowhere. 

Joe Carrigan: That's how they do it, but then they have that information. And that information has some kind of value. It may not be a lot, but if they - it's cheap to set these things up. And if you can get a million people to respond, you've got a million email addresses. You could probably sell that for 50 bucks. 

Dave Bittner: Yeah. 

Joe Carrigan: You can probably sell that 100 times for 50 bucks, and that's... 

Dave Bittner: Right. And I think it's very much a... 

Joe Carrigan: ...Five thousand dollars. 

Dave Bittner: ...It's kind of a set-it-and-forget-it sort of thing. Once you get one of these campaigns running, it probably just chugs away, and if - you know, just - like we said, going after that low-hanging fruit, making money a few pennies at a time. But when the numbers get big enough, I guess it's worth it for them to do it, or we wouldn't see it. 

Joe Carrigan: Yep. 

Dave Bittner: So just another one of those things to keep an eye - I would categorize this as sort of one of those nuisances. It's not like the information they're gathering is going to be used to really do anything bad to you. You'll be disappointed that you're not going to get the promised prize, and so it is a waste of time but more a nuisance than anything. Just don't waste your time with these things. You know, spread the word with your friends and family. These quizzes - there's nothing to them. You're not going to get that free gift card. It's just not going to happen. 

Joe Carrigan: Hundred percent agree. 

Dave Bittner: All right. Well, that's my story this week. Joe, what do you have for us? 

Joe Carrigan: So, Dave, I want to talk about the Twitter hack that happened a little while ago back on July 15. Right after that happened, I said I wanted to talk about it, but I didn't have enough information. But a couple of days ago The Wall Street Journal put an article out about this guy Graham Ivan Clark and his scams. This Twitter hack ended with a big bitcoin scam where somebody had co-opted the accounts of people like Barack Obama, Kanye West, Elon Musk. I think Jeff Bezos was - also had his account hacked. 

Dave Bittner: There's a bunch of big names. Yeah. 

Joe Carrigan: A bunch of real big names - and these were actually their accounts. These were not fake accounts set up to impersonate them. And they were doing a bitcoin scam where they said, everybody that sends me any amount of bitcoin - they'll get this much money back. You know, and then I saw one of the tweets. They said there was, like, a $5 million cap on this, right? So... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: That kind of lends some legitimacy to it. Well, Graham Ivan Clark has been charged with this. He is 17 years old, and they've charged him as an adult. And he faces up to 200 years in prison. And he has pleaded not guilty to all the charges and is entitled to a presumption of innocence here, so everything I'm going to say is alleged. 

Dave Bittner: Right. 

Joe Carrigan: OK. But he gained access back in March, when Twitter employees were told to work from home. And he gained access to Twitter by using social engineering techniques. He called one employee, pretending to be from IT. Unfortunately, the article doesn't go into the technical details, and we're not really a technical show. But I imagine that at that point in time, he probably installed some reverse shell or something to get control of that person's computer. And once he was inside that person's computer, he's essentially inside the network. 

Joe Carrigan: He also did some SIM swapping with a phone company to get them to give - essentially, what that does is it lets him have the phone of a person that used to have that phone. So - and that's another social engineering attack. You have to call into a phone company and convince them you're the owner of the phone, that you've lost your phone and you have a new phone and you want to port the number over to the new phone. I assume that this was used to bypass some two-factor authentication that he encountered. And then he phished some credentials for a cloud service that was used by Twitter as well. 

Joe Carrigan: But one thing the Wall Street Journal doesn't mention here is that in order to do all these things, he had to do some open source intelligence gathering. I'm sure of that. He had to do a lot of that. In order to do the SIM swapping and in order to find the person at Twitter and pretend to be from IT, he had to be able to call that person up and convince them that he was a co-worker. And you're not doing that just by cold calling. No, he did some research on this. 

Joe Carrigan: So once he gained access inside Twitter - oh, by the way, he did this back in March. He's been inside the network since March. And the authorities found a website where someone named Kirk was selling what they call OG usernames. You know what that is, Dave? 

Dave Bittner: I do. OG is original gangster. 

Joe Carrigan: That's right. It's a username that is really short and easy to remember. Like, @Six is one of the Twitter handles that they were talking about. @Anxiety is one that they actually sold. That was an account that had been created and hadn't been used for 10 years. 

Joe Carrigan: And he was selling these, posing as an employee of Twitter on this forum. He was saying, I am an employee of Twitter. I'm inside, and I can get you control of these accounts. And he was charging as much as 10 grand to get control of these accounts, which I think is a lot of money. Then he decided to blow his cover with this bitcoin scam, and he got $120,000, which - I don't think that was a good decision. I think he had a good business model here... 

Dave Bittner: You think? 

Joe Carrigan: ...That he could've - yeah - that he could have kept going quietly and made more than a hundred thousand dollars. I mean, yeah, you're running the risk that you're going to be detected at some point in time, but a lot of this account takeover stuff flies under the radar because these accounts haven't been used in years and years and years. Chances are that the person who set that account up doesn't have the password for it anymore, can't remember it and has just walked away from the account. In my opinion, it was silly to go ahead and do this bitcoin scam because it's what got him caught. And it destroyed his business model that he had earlier. 

Joe Carrigan: Now, here's something interesting that's in the article that they mentioned in passing. I'm going to read directly from the article. It says, in an unrelated investigation, authorities searched Mr. Clark's residence last August - 2019 - seizing his computers and freezing approximately 300 bitcoin, or $3.4 million in current rates. Mr. Clark paid 100 bitcoin to authorities to resolve the matter with no admission of wrongdoing. Now, Dave, I got a question for you. How does a 16-year-old kid have $3.4 million in bitcoin? 

Dave Bittner: (Laughter) He's - that's a lot of lawn mowing (laughter). 

Joe Carrigan: Yeah, it is. 

Dave Bittner: (Laughter). 

Joe Carrigan: It is. 

Dave Bittner: Yeah (laughter). It's a lot of lemonade sold on the corner, you know? 

Joe Carrigan: Yeah, exactly. It doesn't say this in the article, but I don't know why they would be investigating him for $3 million in bitcoin outside of - maybe he didn't pay taxes on it. And that's what they asked for a hundred bitcoin - to pay the taxes. That's the only thing I can think this investigation would be - an investigation from the Treasury Department - because I can see a kid going, I'm 16. I got all this money. I didn't know I had to pay taxes on it - and the government going, OK, fine. Just pay your taxes, and we'll be done, right? 

Dave Bittner: Yeah, yeah. Still... 

Joe Carrigan: Yeah, still... 

Dave Bittner: (Laughter) Yeah. Well, I mean - and, of course, there's been lots of speculation as to how he could have gathered that much bitcoin. And I've seen articles wondering if he was involved in some of the underground markets in things like gaming and, you know, folks who go and find ways to bilk people out of fractions of their bitcoins and so on and so forth - again, you know, all alleged behavior and a lot of speculation. 

Joe Carrigan: Right. 

Dave Bittner: Hopefully, as this case makes its way through, we'll learn more about it and figure out exactly how he was able to pull some of these things off. What I'm really interested in your take on this is - you know, as you described his step-by-step process of getting into Twitter, none of these elements on their own strike me as being particularly sophisticated. 

Joe Carrigan: I would say that SIM swapping is kind of sophisticated. You have to put a lot of effort into that. It's a sophisticated social engineering attack. And calling into that Twitter and pretending that you're from IT - you can't do that on your first try. I mean, it's not sophisticated. It's a social engineering that we've seen over and over and over again. You know, it's not innovative, I would say. It is a skill that you have to hone and practice, and the article makes mention of that. He was involved in taking over his buddies' accounts on gaming platforms and has been doing that for a number of years, so that's probably where he cut his teeth on this. 

Dave Bittner: Well, interesting story of a - I suppose a potentially troubled youth. And we'll see how the wheels of justice turn with him. 

Joe Carrigan: Yeah, it would be interesting. I'm looking forward to seeing how this goes. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But the guy has $2 million at his disposal. I imagine he could hire some pretty good lawyers. 

Dave Bittner: (Laughter) He could hire some good lawyers. Right. Right. Exactly. Exactly. Maybe you can make yourself available as an expert witness, Joe (laughter). 

Joe Carrigan: Yeah. I'm not going to be an expert. 

Dave Bittner: For the low, low price... 

(LAUGHTER) 

Dave Bittner: All right. Well, those are our stories. It is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE)  

Dave Bittner: Joe, why don't you describe our Catch of the Day for us this week? 

Joe Carrigan: Our Catch of the Day comes from Twitter user Joe Manna, and he's @JoeManna, J-O-E M-A-N-N-A. And it's a pretty standard phishing email. So, Dave, why don't you read this email? It's not funny, but it is interesting. 

Dave Bittner: All right. Let's see. Here we go. 

Dave Bittner: (Reading) Domain account google.com has exceeded the limit. Dear bluehost.com client, domain account has exceeded the limit load available for the existing pay rate plan. Methods of load analysis and elimination - in order to prevent your account from being locked out, we recommend that you change the existing rate plan into a more powerful one or limit the server load by means of code optimization. Thank you, Bluehost support - bluehost.com. 

Joe Carrigan: This is not from Bluehost, of course. 

Dave Bittner: (Laughter). 

Joe Carrigan: But what is absolutely fascinating in this - and we've talked about this before - is the URL in the email is printed out here in plain text. You know, they didn't do an HTML thing where they say, click here, and the here is actually the link. They actually posted the entire URL in the email, and the URL reads my.bluehost.com dot some very long hash value dot 12stcenturyleadersawards.org/account, and then it has everything leading you to the file. 

Dave Bittner: Yeah. 

Joe Carrigan: But the domain is interesting. So a lot of times, when you get these kind of emails, you get emails with these long hashes in them or these long values in them that are actually tracking information... 

Dave Bittner: Right. 

Joe Carrigan: ...For you. If you click on the link, it's a unique identifier. 

Dave Bittner: So where does it take you from there? If you click on that link, what happens next? 

Joe Carrigan: What happens next is you go to a phishing landing page that is designed to impersonate Bluehost. It's just looking for your login credentials - your username and your password. 

Dave Bittner: I see. So it looks just like Bluehost's actual login screen, and there... 

Joe Carrigan: Yeah. It probably is just copied from Bluehost's login screen. One of the problems with the web is that in order for you to have that information displayed on your web browser, I have to get all the code, all the HTML, all the cascading style sheets, all the JavaScript. I have to get that actually downloaded to my computer. So there's no way to run the worldwide web without actually showing everybody what you're showing them, right? 

Dave Bittner: Right. Right. Right. 

Joe Carrigan: So it's impossible to stop people from impersonating your website, and it's very easy to impersonate a website. 

Dave Bittner: Right. Right. It's a bug and a feature (laughter). 

Joe Carrigan: Right. Exactly. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I wouldn't even say it's a bug. It's just the nature of the beast. 

Dave Bittner: Right. 

Joe Carrigan: It's the way it is. 

Dave Bittner: It's a design element. Yeah. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. All right. Well, that is our Catch of the Day. Again, thanks to user Joe Manna - @JoeManna - for sharing that with us and with the world - an interesting one and something to look out for. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Carolyn Crandall. She is from Attivo Networks, and our conversation is centered on this notion of this next wave of ransomware. What they're referring to as ransomware 2.0 is so dangerous to businesses that have gone to remote working. Here's my conversation with Carolyn Crandall. 

Carolyn Crandall: The history or evolution of ransomware has been quite interesting to track, especially if you look at the window between about 2014 and 2020. And what you've seen is a massive shift from very small - you know, kind of hit a computer, demand a small ransomware, and then stop your attack at that point. But what we've seen is that ransomware has gotten a lot more sophisticated. It's not targeted at the consumer as much anymore. It's more targeted at businesses, where the attack methods are much more focused on being able to take the initial system, compromise that but then expand throughout the network to be very strategic in going after the targets that you want for either financial gain or data theft. 

Carolyn Crandall: And so with that, you've seen an explosion of hundreds of different variants of ransomware that's out there, different levels of tactics and different levels of sophistication - and very aggressive and very targeted in many ways. And then on the flipside of the coin, we've seen ransomware arise as ransomware as a service, which makes it very inexpensive even for a basic attacker or cybercriminal to get into the business. 

Carolyn Crandall: So we've seen a lot of changes but things materializing on both sides of the spectrum - very entry-level to get in and very sophisticated bubble for the big ransomware payouts that we're starting to see today. 

Dave Bittner: So if I'm someone who is tasked with protecting my organization against ransomware, what sorts of things should I have in place? 

Carolyn Crandall: Well, I think there is a belief that you can build a perimeter defense and keep the ransomware attackers out. And that's really difficult to do if you think about the aggressiveness that you're seeing today. If you take the stats for face value or what they're worth - attacks happening every 14 seconds, things saying that 71% of companies that are targeted get infected and ransomwares make it through multiple systems before they're able to get detected. 

Carolyn Crandall: And so you start to look at that, and you go, OK. Well, what are my layers of defense that I have? I have my endpoint with an endpoint protection, maybe an EDR system. Maybe I'm using a SIEM and some network monitoring or other tools, but they have gaps. They're very good to do the things that they're designed to do. However, they're not great at detecting things like lateral movement, which is the spread from one system to the second. They're not good at detecting credential theft or forms of privilege escalation. 

Carolyn Crandall: And so what I think organizations need to do in order to better protect themselves is to appreciate if they keep using the traditional tool sets, they will have gaps and holes. And so they have to look for new technology innovation that is out there to be able to detect all these different forms of ransomware that are out there using these different tactics that their other tools are not designed to detect. And a perfect example of that would be cyber deception, which has grown quite a bit based upon the need to keep ransomware and other sophisticated types of attacks out of the network. 

Dave Bittner: So when we're talking about the state of the art when it comes to being able to defend yourself against things like ransomware, what sorts of things are we talking about? Is the software - are the systems looking for certain behaviors? How do they go about the business that they do? 

Carolyn Crandall: Well, if you think about it, the typical attack will start - will compromise the initial endpoint. And that can happen in a wide variety of ways, you know, phishing probably being the most common. But there's lots of other tactics. 

Carolyn Crandall: So let's assume that one of those various types of tactics - they are going to get into the system, and the attacker, in order to get the payout that they want, are going to use APT-style methods to move forward. And so that's going to be stealing credentials. They're going to do active directory reconnaissance, trying to get the GPS and the lay of the land. They're going to look for network shares to be able to find them and encrypt them. They're going to look for default and dictionary passwords or the misconfigurations. And then they'll look for other things in their network reconnaissance to find those configurations and be able to exploit known vulnerabilities in the systems that are out there. 

Carolyn Crandall: So they're going to look for ways to advance their attack. And there's some really clever things that are out there today that will derail these, deception being part of it. Another is these new forms of being able to hide and deny access to things like file shares or active directory. And those are some of the more interesting innovations that are out there because if you think about what a ransomware attacker has to do - is they have to get access to those files, folders, drives, the mapped shares, maybe the cloud shares. 

Carolyn Crandall: But what if they can't find them? What if you hide them from being visible to the attacker and instead only give them a fake drive? They believe it's real. It'll look and move like a real drive would look as they do their command line to find these things, but they'll get back the fake information. And when they try to use that information, it'll lead them back into a decoy where now the defender can actually pick up some telemetry. Well, who's attacking me? How are they attacking me? What are their TTPs and IOCs? 

Carolyn Crandall: And so this innovation is quite effective because it actually moves up from the typical detecting an attack when the exploit happens to being able to do it so early on, you're doing it at the point of attacker observation. And it becomes a very effective preventative tool. And the cool thing is you can do this not only for files and shares that are out there today, but you can also do this for active directory. And a lot of the red team testing that we do as a proxy for attackers today, people want to go straight to active directory - right? - because you can get a lot of valuable information very quickly and it's not as well-protected as many organizations would like it to be. And so this is another way of hiding the real things, tricking the attackers' tools, feeding them back fake information and, again, steering their path away from the production pieces and into a deception environment. So these are some of the things that I like for derailing these types of ransomware or other attacks that are out there today. 

Dave Bittner: Is it still good advice to make sure that you have up-to-date, tested offsite backups? 

Carolyn Crandall: Absolutely. I would - and I would recommend testing them. That's a key word in there, too. So many people think that they have - you know, hey; I'm backing up. I have a great backup. I'll just restore. But there's two things I'd encourage people to think about - is, one, test them at least monthly. I mean, more often would be better, but at least test your backups monthly to make sure that you can actually restore them. 

Carolyn Crandall: And then the second thing is to be aware of what's being termed as double extortion, and that is that - not only will they exfiltrate your data - right? - so at least 10%. They're taking the data out and not just encrypting your drives. So they could give you back your encryption key. But the downside is they still have your data. 

Carolyn Crandall: And in these cases, they could do further extortion with that data. They could extort your customers if you're carrying personal or confidential information. But you can't assume that you're done even in just getting your encryption back, so it becomes so valuable to not only back up but to be aware even if you do, you still could be exposed for additional extortion. 

Carolyn Crandall: So you really want to get ahead of the whole thing and prevent the attacker from being successful in the first place. I would encourage people to, again, escalate this given the destructiveness of the attack, not rely on backups, not rely on insurance but instead take a look at some of the new innovation that's out there for preventative defenses and also to study things like the MITRE ATT&CK framework and really understand how an attacker attacks. And then map your tools to that framework to see where your gaps and holes are so that you can find the technologies you need to add into your security staff and prevent that attacker from being able to be so trusted (ph). 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: That was a good interview, Dave. I like what Carolyn had to say. Ransomware has gotten more sophisticated. It did start, you know, attacking individuals and then moving on to corporations. 

Joe Carrigan: One of the things that Carolyn said that's very important is that if you don't test your backups, then you really don't have backups. We always say back up your data to protect you against a ransomware attack. But part of that process has to be testing the restoration of that data on a regular basis. 

Dave Bittner: Yeah. Yeah. It's also - you know, I was talking to somebody just this week that people often neglect to consider how restoring systems at scale, how much time that takes. You know, if you've got hundreds of machines or thousands of machines that all need to be restored, that can take a lot of time. And that time is time you might not have. 

Joe Carrigan: Right. Absolutely. That is a huge issue. So there are ways you can mitigate that. You can actually buy insurance that allows you to just hire masses of people for a short period of time in the event of a cyberattack. But yeah, you're right. If you don't stop these things early and all of the computers on your network are now essentially locked and the operating system has been destroyed, even if you do have good backups, you're still hosed. (Laughter) You still have... 

Dave Bittner: Right. 

Joe Carrigan: You still have a lot of problems that you're going to have to overcome. 

Dave Bittner: All right. Well, again, our thanks to Carolyn Crandall from Attivo Networks for joining us. We do appreciate her taking the time. 

Dave Bittner: And that is our show. We want to thank all of you for listening. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.