Hacking Humans 8.27.20
Ep 113 | 8.27.20

Take a deep breath.

Transcript

Ben Rothke: Take a deep breath. Trust; Verify. Anytime you pick up the phone and get a cold call, should you trust the person? You know, same thing with emails...

Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. This episode is for August 27, 2020. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Ben Rothke from Tapad. We're going to be discussing a Medium piece that he wrote. He had a conversation with an iTunes card scammer. 

Dave Bittner: All right. Joe, let's get going here. Why don't you kick things off for us? 

Joe Carrigan: Dave, I have a story from Jake Moore at welivesecurity.com. And Jake was wondering about the effectiveness of cloning on social media - account cloning. So Jake is a security professional. The first thing he did was he went out and tried to find people who would let him clone their accounts. But much to his chagrin, he couldn't find anybody that was willing to let him do that. 

Dave Bittner: OK. 

Joe Carrigan: So he decided he was going to clone one of his accounts. And on the 'Gram, as the kids call it, or Instagram, he is jakemooreuk. And he created a clone account called jakemoore_uk - very similar account. And then he took some pictures that were on his Instagram account, and he took screenshots of them and posted them to the new account. He said the most difficult part of setting up the account was setting the profile picture because if somebody hasn't put that profile picture in their feed - if that picture is actually unique and not in the feed, then it's kind of hard to create a copy of that's of good enough quality. Once he had this new account set up, he set the first line of the bio to read, new account after losing access to the original. 

Joe Carrigan: Now, Dave, I've gotten a number of cloned account requests on Facebook from people. They frequently clone family members' accounts and send me and my wife friend requests on Facebook. 

Dave Bittner: Yeah. 

Joe Carrigan: And if somebody did this and put at the top, new account after losing access to the original, the first thing I thought about that was, you know, that might just get me to blindly accept the friend request. That - they have an explanation here. So this is, I think, a very effective social engineering tool, that you preempt the question of - hey, why is Jake sending me another Instagram request? I'm already friends with him or connected, whatever it is, on Instagram. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And at the top of his faked account, he has already answered that question for you. So you go, oh, OK - well, that makes sense. I think that's a really good social engineering technique. So he starts by following 30 of the original followers on the new account. Ten of these people had private accounts. Now, on Instagram, if you have a private account, you have to give permission for people to follow you. I do have an Instagram account. I don't use it very much. That's about the extent of my Instagram knowledge (laughter). 

Dave Bittner: OK (laughter). 

Joe Carrigan: But within three minutes, three of these people accepted his follow request, and two of them had followed him back with no other communication. 

Dave Bittner: Yeah. 

Joe Carrigan: Nobody reached out to him and said, is this really you? He was rebuilding his follower base very quickly and was shocked to see that nobody asked about it. So after he's got this up, he decides he's going to try to test the effectiveness of this fake account. And he starts messaging his friends under the new account. And he says, thanks for accepting my new follow request. I can't believe I lost access to my account. I've lost all my followers. Anyway, I hope you're good, and I hope we can catch up sometimes. I miss coffee shop coffee. 

Joe Carrigan: He says he received eight replies from 13 of his new followers. And one of the people responded, oh, my God. What happened? I literally hate that. And he decided he was going to start a conversation with this person. He goes, I know. The worst bit is I got hit pretty bad with my online accounts. They even cleaned out my bank account. I feel like such an idiot - right? And then, of course, this person says, that's terrible. Hope you're OK. And he says, no, I'm properly skint now. Well, I guess that means he's broke. Then this person says, oh, my God. Let me know if you need any help. And he says thank you so much. If you could put 50 pounds into my PayPal account - then he puts up a new fake PayPal account that he established. This person agrees to send it to him. Now, he contacted this person before they deposited the money into his account. 

Joe Carrigan: And I got to tell you, Dave, if I tried this at Hopkins, I'd be in real trouble because... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...I have to go through IRB approval before I start doing testing on human subjects. 

(LAUGHTER) 

Joe Carrigan: But I don't really have a problem with this. He's doing a social engineering experiment. He probably doesn't have an IRB at his organization. 

Dave Bittner: What's IRB? 

Joe Carrigan: IRB stands for institutional review board. It prevents a lot of atrocities. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: So it's really good to have them. But I think it's interesting that nobody reached out to him through a second means to say, hey, do you really need this money? Is that what's going on? It worked so well. It was remarkably effective for such a simple attack. 

Dave Bittner: Yeah. I had this happen to me recently. 

Joe Carrigan: Oh, did you? 

Dave Bittner: Yeah, yeah. Someone cloned both my Facebook account. I'm not active on Facebook anymore. I basically put my Facebook account in hibernation, you know? 

Joe Carrigan: That's right. I got an Instagram follow request from you, but I haven't... 

Dave Bittner: Yep. 

Joe Carrigan: ...Been on Instagram since then. I just saw it come up... 

Dave Bittner: Well, that was (laughter) - that was the fake. Right? So they did both Facebook and Instagram, and they scraped some pictures of me and just, you know, spun up some fake things and went out after my followers. And it was really interesting to watch it play out because I had a bunch of people reach out to me and say, is this you? This doesn't seem right. 

Joe Carrigan: Yeah, I'd reached out to you as well. 

Dave Bittner: Yeah. And it looks like they were trying to get folks to go down the path of some sort of insurance scam or something. There's no question it was scammy. But what the other side of it was that there were a handful of people who just accepted the friend requests and, you know - just without second thought. So that was interesting to see as well - you know, who would go along with this. And, of course, I asked everyone who reached out to me to report the account, and they did. And eventually it was shut down within a few days. But... 

Joe Carrigan: I'm looking at it now, Dave, and it's still active. 

Dave Bittner: Is that right? 

Joe Carrigan: Yeah. I'm going to - can I - I can report the user. But maybe it'd be more interesting if I follow the user and see what happens. 

Dave Bittner: (Laughter) OK, well, you can report back to us. 

Joe Carrigan: All right. 

Dave Bittner: But I know plenty of people have reported it. It's one of those things. It's hard to combat. It is kind of a whack-a-mole game. But it feels strange when you're on the other side of it, especially when you aren't on the platform anymore and... 

Joe Carrigan: Right. 

Dave Bittner: ...Someone's on a platform that you're not on, pretending to be you. 

Joe Carrigan: Because your Instagram account is shut down. Correct? 

Dave Bittner: I think so. I mean... 

Joe Carrigan: So how did they even access this profile picture? - because this is the profile picture you had. 

Dave Bittner: Well, I think they got it from Facebook. 

Joe Carrigan: But that account is shut down. This must have been archival. 

Dave Bittner: Well, but I think you can still see stuff. In other words, the account is there. I'm just not using it. I've put it to sleep. But who knows? I don't know. Honestly, I did not spend a whole lot of time on it. 

Joe Carrigan: OK. 

Dave Bittner: It wasn't something that really rose to, you know - it wasn't - they weren't trying to steal money from me, you know (laughter)? 

Joe Carrigan: Maybe I'll do a little detective work, and this will be a story for next week. 

Dave Bittner: There you go. There you go (laughter). So it was, at best, a nuisance to me. 

Joe Carrigan: Yes. 

Dave Bittner: That is how I approached it - put the word out to everyone. My wife, who is still active on Instagram and Facebook, sent out a message to everyone on my behalf, saying, hey, everyone. If you get something from Dave, it is not Dave. And so we did that sort of stuff. So I guess the best thing to do is just make people aware of them - that if you do get a friend request from someone you're already friends with, check in with them on the original account or somewhere else and say, is this you? 

Joe Carrigan: I say it's time for a phone call. 

Dave Bittner: (Laughter) Right. Yes. 

Joe Carrigan: That's usually what I do. 

Dave Bittner: Yeah, phone call is probably best. 

Joe Carrigan: I'd sent you a text, actually - is what... 

Dave Bittner: Right. Connect with them outside of the platform. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Absolutely. 

Dave Bittner: Use an alternative way to reach out to them. 

Dave Bittner: All right, well, that is an interesting story for sure. My story this week - boy, I really like this one. This is a fascinating story. This is from the folks over at Duo. They are part of Cisco. And it's a blog post written by Eric Daniel. It's titled "A Game of Phones" - haha (ph) - "Fighting Phone Phreaks in the 21st Century." This is a story about toll fraud. Now, Joe, are you familiar with toll fraud at all? 

Joe Carrigan: Is this where you get someone to call you back on a number that charges you a lot of money? 

Dave Bittner: It's kind of like that, yeah. So the way that the telephone business works globally - there is something called international revenue sharing, which is where the different phone carriers agree to pay each other toll charges. Those of us who are of a certain age - that would be you and me, Joe... 

Joe Carrigan: Right. 

Dave Bittner: We remember when phone calls - there were things called long distance. 

Joe Carrigan: Yes. 

Dave Bittner: Right? And so some phone calls cost more than others... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Depending on how far the phone call was. And an international call was really expensive... 

Joe Carrigan: Oh, yes. 

Dave Bittner: ...And still can be. But there were also things - they started up back in the - I want to say it was the '80s when they started up with 900 numbers, which is where... 

Joe Carrigan: Yes. 

Dave Bittner: If you called a 900 number, you would actually get billed by the minute. And it could be quite pricy. It could be several dollars per minute. And 900 numbers were used for everything from calling in to get hints for your favorite video game to porn... 

Joe Carrigan: Right. Yes. 

Dave Bittner: ...And everything in between. 

Joe Carrigan: Call now, Dave. 

Dave Bittner: Right. Exactly. And the way that it works is that the carrier would split the fee with the person who had set up the 900 number so that everyone could profit from it. 

Joe Carrigan: Right. 

Dave Bittner: Well, these sorts of things still exist. There are telephone carriers who set up these numbers that - when you call one of these numbers, you get billed. And what they do is they put out a bounty to try to encourage other people to get people to call these numbers, right? So basically, they're paying a commission to get people to call these numbers. 

Joe Carrigan: I think bounty is a better term... 

Dave Bittner: OK. So (laughter)... 

Joe Carrigan: ...Because it sounds like they're - you know, they're having people go out and hunt other people to fall for this. 

Dave Bittner: Yeah. So this is where Duo comes in. Now, one of the many services that Duo offers is multifactor authentication. And one of the methods of multifactor authentication they offer is a phone call, right? 

Joe Carrigan: Oh, boy. 

Dave Bittner: Right? You see where this is going (laughter)? 

Joe Carrigan: Yeah, I do see where this is going. 

Dave Bittner: (Laughter) So the good folks at Duo found themselves on the receiving end of this, where they would allow people to set up free accounts. As a marketing method, they would allow people to set up free accounts. And you could go in, set up your free account. And as part of your free account, you could enable multifactor authentication using a phone call. Well... 

Joe Carrigan: Right. 

Dave Bittner: The bad guys would come in, set up a free account. They'd have the phone number to call be one of these scammy phone numbers that... 

Joe Carrigan: Right. 

Dave Bittner: ...Bills you lots of money. 

Joe Carrigan: And then they'd just go log into the account over and over and over again. 

Dave Bittner: Right. Right. 

Joe Carrigan: Step 3 - profit. 

Dave Bittner: Yes. Now (laughter), the folks at Duo were getting hit hard with this. 

Joe Carrigan: Yeah. This could be devastating. 

Dave Bittner: Yeah, it was really bad. They were getting tens of thousands of dollars a month in fees. So they were sort of playing a whack-a-mole game with this where their engineers would block certain banks of phone numbers. They would try to block IP addresses. And eventually, what they did was - they felt like they were in good control over it, and then the bad guys pivoted. And the bad guys started paying for Duo accounts. They signed up for paid accounts, which they purchased with - wait for it - stolen credit cards. 

Joe Carrigan: Stolen credit cards? Come on. You guys have already bilked Duo out of tens of thousands of dollars. 

Dave Bittner: Right. 

Joe Carrigan: Just reinvest that. You don't... 

Dave Bittner: (Laughter) Right. So... 

Joe Carrigan: God, these... 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: I can't (laughter). 

Dave Bittner: Right. Now, for Duo, this makes it even worse because now they've got folks out there who are getting fraudulent charges on their credit cards because... 

Joe Carrigan: Right. 

Dave Bittner: ...Their credit cards have been stolen, and they're seeing Duo show up on their credit card. The folks who are paying attention are going back to their credit card provider and saying, I did not buy this. Please charge this back. 

Joe Carrigan: Right. 

Dave Bittner: And if you're a provider like Duo and you get too many charge-backs, you can lose your ability to use credit cards. 

Joe Carrigan: Absolutely. Yeah, that's part of the PCI stuff. 

Dave Bittner: Right. So this sort of peaked with Duo getting charged over $180,000 in one month for fake phone calls. 

Joe Carrigan: Oh, man. 

Dave Bittner: The scammers got 30 grand in one day. 

Joe Carrigan: Wow. 

Dave Bittner: Yeah (laughter). Yeah, yeah. So what Duo ended up doing was, they disabled the ability for you to sign up online to get a phone call as a multifactor authentication. They still offer it, but in order to enable it, you have to call Duo and talk to their tech support people and have it enabled because what the Duo people figured out is that the most valuable resource the scammers have is their time. 

Joe Carrigan: Yes. 

Dave Bittner: And if they can add friction to this transaction, that's what slows the scammers down. That's what frustrates them. That's what gets them to move on to someone else. 

Joe Carrigan: I don't know that this is going to work, though. 

Dave Bittner: What happens is, when they call in, the folks in tech support at Duo are very good at figuring out who they are. 

Joe Carrigan: OK. 

Dave Bittner: Right? 

Joe Carrigan: All right. 

Dave Bittner: And this has been very successful. They said... 

Joe Carrigan: OK, so they've had success with this? 

Dave Bittner: Yes. In January of 2020, the scammers cost them a total of $7. 

Joe Carrigan: OK, good. 

Dave Bittner: (Laughter). 

Joe Carrigan: All right, so they have significantly reduced. 

Dave Bittner: Yes, so it's working. And they say that, you know, for the folks who want to use phone calls for multifactor, they don't consider it to be a big deal to call in to request that. So it really hasn't hurt them on the business side of things. 

Joe Carrigan: Well, that's good. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I'm glad this story has a happy ending. 

Dave Bittner: Now, the folks at Duo say that they assume that the story is not over, that the bad guys could continue to pivot and find new ways to do this. But... 

Joe Carrigan: I will tell you, Dave, these guys made $30,000 in one day. They haven't just walked away from this. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: This is not something they're going to give up on so easily. I mean, Duo has beaten them for now. But, yes, they - of course, like we always say, security is a constant battle. 

Dave Bittner: Yeah, so a really interesting story. This is not one that I was familiar with, and hats off to the folks at Duo for sharing this story. I really learned something here. This is an interesting one. All right, well, that is my story this week. Of course, we'll have links to all of our stories in the show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Reddit, but the Reddit user who posted this would like us to plug his Instagram account, underscore Arsh - A-R-S-H - Jassal - J-A-S-S-A-L - underscore (ph). 

Dave Bittner: OK. 

Joe Carrigan: So he was good enough to agree to let us use this, and this is somebody who reached out to him with a bitcoin scam. So why don't you play the scammer, and I will play _ArshJassal_? 

Dave Bittner: All right. Here we go. 

Dave Bittner: (Reading) Hello, are you interested in earning? 

Joe Carrigan: (Reading) Yes. 

Dave Bittner: (Reading) All right, I'm an expert in bitcoin investment. I'll help you earn lots of money from investing in my company. 

Joe Carrigan: (Reading) Is this a scam? Because my friends warned me about this stuff. 

Dave Bittner: (Reading) It's legit. 

Joe Carrigan: (Reading) Can you just send me a picture of yourself so I can know I'm not being scammed and talking to a robot? 

Dave Bittner: (Reading) I'm a professional trader with 10 years experience as an account manager. I've been helping people earn from my company. I'm a citizen of the United States. I can send you my trading license and also my ID. 

Joe Carrigan: (Reading) No need. I'm just asking for a pic of your face with you covering one eye so I know it's a real person and not a scamming organization. Because if I invest in your business and put money into it, I might not get my money back. 

Dave Bittner: (Reading) Covering one eye? Sir, madam, is this a joke? 

Joe Carrigan: (Reading) No, no. It's not, just for validation. I'm serious. 

Dave Bittner: (Reading) I'm not here for play. If you don't want to invest, please go away. I have more important people who need my help to chat with. 

Joe Carrigan: (Reading) I'm sorry if I sounded immature. 

Dave Bittner: (Reading) You're not serious, asking me to cover one eye. 

Joe Carrigan: (Reading) No, I'm desperate. 

Dave Bittner: (Reading) How old are you? What are you giving me, a command or what? 

Joe Carrigan: (Reading) No? 

Dave Bittner: (Reading) You're so unprofessional. Please, whoever you are, if you don't want to earn money, I won't force you. Just stop chatting with me. 

Joe Carrigan: (Reading) How do I know this is real? You understand. 

Dave Bittner: (Reading) I'm here for straight business only. 

Joe Carrigan: (Reading) I'm serious, and it can be fake and so can a license. 

Dave Bittner: (Reading) If you don't believe this is real, please don't reply to my message. 

Joe Carrigan: (Reading) I hope it's real. 

Dave Bittner: (Reading) I don't work with people who don't have faith. 

Joe Carrigan: (Reading) Just asking for proof. I have faith. I just don't want to be scammed again. 

Dave Bittner: (Reading) If you're asking for proof, you won't ask me to cover one eye and send you a photo of it. That's childish. My company is 100% legit. I can't be here to scam people of their hard-earned money and not at the critical time of pandemic. I have a heart. 

Joe Carrigan: (Reading) OK, fine. Just send a pic of yourself. It's just to make sure you aren't imaging someone you know. I was scammed by some guy I don't even know halfway across the world, so I'm taking precautions. I lost $4,000 to that guy. 

Dave Bittner: (Reading) Sir, I won't send you a photo. Go to my profile. You'll see my picture there. If you're willing to earn money, I can help you recover your lost $4,000 within five days without no charges, just my commission of 15% deducted from your profit. I'm not a baby trader. 

Joe Carrigan: (Reading) You could just be taking screenshots of someone else's page. 

Dave Bittner: (Reading) Why would I do that? 

Joe Carrigan: (Reading) You may be a scammer. Sorry if that's rude, but I'm just worried about getting scammed. 

Dave Bittner: (Reading) Sir, madam, don't come to my page and say stuff about me. This is the last SMS I'll send you. Do you need my help or not? 

Joe Carrigan: (Reading) Bro, there's an earthquake. Feels like your mom just walked into the room. /rscambating is where I found this post. Look there. 

Dave Bittner: (Reading) How old are you? 

Joe Carrigan: Then _ArshJassal_ sends him a meme that says, you just got burgered. And the scammer asks Arsh to send a picture of himself, and he sends the cover of the "Wolverine" movie with Hugh Jackman. 

Dave Bittner: (Laughter) It's like looking in a mirror, Joe. 

Joe Carrigan: Right. 

Dave Bittner: The six-pack abs. 

Joe Carrigan: At which point in time, the scammer says, I'm blocking you. And our hero goes, OK, nice. See you. 

Dave Bittner: And scene. 

Joe Carrigan: Right? 

(LAUGHTER) 

Joe Carrigan: Thank you very much for posting that on Reddit, and thank you for giving me permission to use it on the show. That's a great one. My favorite thing is, I'm not a baby trader. That indicates a misunderstanding of the English language because that comes off as somebody who does something horrible. 

(LAUGHTER) 

Joe Carrigan: I'm sure he meant to say, I'm not new to this business. 

Dave Bittner: Right, right. Yeah, yeah, yeah. 

Joe Carrigan: It sounds like he's actually in the business of trading babies. 

Dave Bittner: Right, right. Why would you even bring that up? 

Joe Carrigan: Right, exactly. 

(LAUGHTER) 

Dave Bittner: Yeah, yeah. Right, I'm totally not a baby trader. 

Joe Carrigan: Right. 

Dave Bittner: All right, well, that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Ben Rothke from Tapad. He wrote a Medium piece where he described a conversation he had with an iTunes card scammer. Here's my conversation with Ben Rothke. 

Ben Rothke: You know, I've seen these email scams for the longest time. And, you know, there's a community mailing list I'm part of - like, you know, thousands of email lists, you know, around the country. And so I got this email from a person who I sort of know, and I knew in seconds it was a scam. And so on one side, I, you know, alerted the moderator. I reached out to the person. And then a few months ago, I started getting all these, you know, scam calls, also. And I recorded those. I also put those in a separate article. 

Ben Rothke: But I thought, you know, I'd just play along with it to use and put and alert people because it's as low-tech as they are successful. And it's just a fascinating sort of a social engineering experiment because you get this email from someone who's supposedly a friend. You know, people have a natural instinct to help people. And so, you know, I wrote about it and try to use it to alert people because, you know, everything comes down to, you know, sort of awareness. 

Ben Rothke: You know, when you go to Rome and you go near the Colosseum, you know, these guys who want to take your picture dressed as gladiators, you know, they're going to come after you for a nice tip there. You know to be aware for it. You know, if you go anywhere in the world where they can sell you a, you know, a $20 Rolex, you know that's not really a Rolex Oyster. You know, people know that in the real world, per se, and try to, you know, give them some awareness to do that in the digital world. 

Dave Bittner: Before we go through your response to the scammers, which is quite entertaining, can you describe for us what exactly is behind this scam? I mean, what's going on here? 

Ben Rothke: Yeah. It's pretty, you know, straightforward. You know, they want your money. If a person wants to shake you down, you know, you have to be next to them and shake them down. You know, with the internet, you know, they could do this from, you know, remote locations. And the key has always been, you know, how do you get the money, et cetera? So there's a lot of variances. 

Ben Rothke: And the iTunes cards are easy resale. There's a whole network to do that. So they have you buy these cards. You give them the PIN and the card number, and within, you know, minutes, they're able to monetize it. There's a huge supply. There's, you know, hundreds of millions - I forget the number - maybe billions of iTunes users. And so they're getting these cards. And they put it on the resale market. 

Ben Rothke: In this case, they asked for $300. In the third world, they could take $300, and even with the various cuts, you know, paying the middleman, you know, $150 is a lot of money, you know, when it comes to average income might be $3,000 a year. So it's highly profitable. 

Dave Bittner: And as you say, I mean, this initial message came from someone who was on your email list or someone that you previously knew, but, you know, perhaps not very well. And so what's behind them being able to reach out to you from that direction? 

Ben Rothke: Well, you know, so they somehow compromised an email account, and it's very simple. As you know, if I have access to your email account, I'm going to send this message to everyone in your address book. So obviously, one of the entries in this person's address book, you know, was the, you know, mailing list who they posted to. So if you've used email for, you know, a few years, you know, your address book has - could have, you know, hundreds, thousands of entries. And, you know, you blast it - you know, everyone out. And what the end is - if - even if you have, you know, a 1% return rate, even a half a percent, you know, you're making serious money there. 

Ben Rothke: And in this case, suppose the person's address book had a thousand entries, in this case, a few mailing lists. It's going out to, you know, a lot more than just a thousand people. So this mailing list maybe goes to, like, a thousand households in my northern New Jersey community. So, you know, it's - exponentially, it is very, very quick, you know, very, very profitable. 

Dave Bittner: Let's go through your interaction with the scammers themselves. So - and it's very interesting here how it both reveals what they're after, but also, you do quite an entertaining job of sort of stringing them along. 

Ben Rothke: Yeah. And with it, you want to keep it. And suppose you, you know, were really stuck in somewhere, you wanted to send it, you know, you'd at least, you know, give some personal information. You know, hi, this is Dave. You know, my niece in Salt Lake City - blah, blah, blah. But what you see is (ph) this is, you know, very generic. 

Ben Rothke: And at the beginning, I make up a - you know, is this for Tammy, your niece? And then you throw in these little things there, you know, ask for personal questions - you know, wife's name, you know, where are you? You know, I throw these, you know, personal names in and, you know, he has no idea - the scammer. And since, you know, he's trying to, you know, reply as, you know, short, to the point, you know, without giving as much, and obviously he knows nothing, so he doesn't answer the questions even though I asked, you know, numerous times - you know, makes up excuses, you know, et cetera. 

Dave Bittner: It's really fascinating to watch the interplay, where there's just - every now and then, it seems like the scammer takes the minimum amount of bait, you know, and gives you some little sliver of response that ties into anything that you specifically ask for. But you're right. It's mostly all business. 

Ben Rothke: Yeah, you know, 'cause one thing is he can't answer this because, you know, he doesn't have the answer, so he just tries to keep it short. And usually after five, six, seven, eight emails - you know, you have this even in the business world, you know, people you interact with on a daily basis. Email is an imperfect communication, so you may have to go, you know, sometimes, you know, two or three emails to get a question - not that they're trying to not answer. It's just the nature of it. But after, you know, the second, third, I keep asking, he just doesn't reply. So that's - it's suspicious. 

Ben Rothke: But, you know, most people will not reply to an email like this with a suspicious head on. They will reply, you know, how can I help? You know, that's so terrible. You know, I feel sorry for your niece. And those are the type of victims they're hoping for because on the one side is, you know, we do have a natural tendency to help people. It's the proverbial, you know, you go into your office, you know, you hold the door open. You see someone, you know, carrying a heavy load, you know, you're going to hold the door open for them. That's fine for the most part. But if they want access to a place where they should have a, you know, ID card or magstripe reader, what you do is - hey, you know, let me hold those three pieces for you. You get your card out. But at the end of the day, you know, most people aren't confrontational like that. 

Ben Rothke: You know, in the military, you know, they do a great job of that. My - was at a - when I was consulting, I was at a branch of the military. And, you know, they enforce it because that is really built into their mindset from Day 1. In the corporate world, you know, you want to help people, and that's exactly what they're exploiting. 

Dave Bittner: Yeah, one of the things that you do here in your exchange is that you keep pushing for a phone number, you know, trying to get them off of email. 

Ben Rothke: Yeah. You know, 20 years ago, where international phone calls were, you know, $3 a minute, you could understand why a person didn't want to speak. But now, you know, with smartphones, you know, WhatsApp, it's a no-brainer. So, OK, maybe he doesn't have an international calling plan, maybe he doesn't have wireless. So, you know, when you get back to the hotel in Paris, you know, you're - let me call you there. So of - you know, once again is - he's going to make up every excuse in the book. And once again, are there hotels that are having telco problems that day? You know, perhaps. But, you know, he's got... 

Dave Bittner: (Laughter). 

Ben Rothke: If that's the case, he's got really, really, you know, bad luck. 

Dave Bittner: Right. Well, one of the things you outlined in your article here is - you have a really good list of tips for how folks can avoid being scammed here. Can you share a few of those with us? 

Ben Rothke: There's two aspects, you know? The beginning is common sense, you know? You look at this email, and there's so many, you know, red flags there, meaning it's - you know, there's no real detailed information. And then, you know, you follow up, you know, ask a few questions. 

Ben Rothke: But even before that, how was this account compromised? You know, often, a - you know, people use easy-to-guess passwords. And often, they'll use the same password on multiple email accounts, on multiple areas. So if - you know, there was a Morgan Stanley breach a few years ago. So if a person's using the same password there, you know, they're going to use it on your Gmail account. You know, multifactor authentication, you know, once again, it's nothing is - that's a good solution. Nothing is perfect. But you put all of these together and, you know, you're going to be about as safe as you can. 

Ben Rothke: At the end, it's, you know, just use common sense. It's - you know, you take a breath. It's not like, you know, you witness a car accident and the person's seriously injured so you just run like crazy and do whatever you can. I mean, this guy wants $300 for his niece's birthday, meaning if she doesn't get it in time, you know, the world is not going to stop. So once again, you know, take a deep breath, trust, verify. Anytime you pick up the phone and get a cold call, should you trust the person? You know, same thing with emails. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: That's a great interview, Dave. I like listening to these stories. I really never get tired of them. I like one of the things he said. They are as low-tech as they are successful, and it's straightforward. They want to get your money. That's pretty much what it is. 

Joe Carrigan: I like what Ben said here. He was making a correlation to the con artist that you run into when you're out at some venue or something, like in a foreign country or even here in the U.S. It happens here a lot. We have an instructor, Tim Leschke, Dr. Leschke at Hopkins, who teaches our forensics course. One of the things he says at the beginning of that course is that the internet doesn't create new crimes itself. It just provides a new way for people to commit old crimes, and that's what we're talking about. 

Joe Carrigan: The other issue with it is that it opens the door to the world from the scammer's point of view. If you're a scammer and you're at the - like we talked about a couple months ago, at the Eiffel Tower doing the ring drop scam, where I walk up to you and then I - my audience of potential victims or marks is just the people that happen to walk up near the Eiffel Tower. On the internet, it's everybody that has an internet connection. That's billions of people now. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: That's really what we're looking at. We're not looking at anything new. We're just looking at the same thing amplified. 

Joe Carrigan: An interesting note that he pulled out that I want to pull out of this conversation is that Ben said, in this gift card scam, these guys may get $150. But these people work full-time at this because if you can get $150 out of someone and you live in a developing nation where the average annual income is around $3,000, you only need to do that 20 times a year in order to make the average income - right? - the median income. So it is a real business, and we've talked about this before, how there are absolutely just corporate structures around these criminal enterprises. 

Joe Carrigan: I like what Ben did with the scammer. He starts probing and asking personal information, and he knows that it's a scammer, so that's why he's investigating. And the scammer just dodges the question, and he eventually stops answering, which I thought... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Was interesting. They're going to try to pressure you into something, and they're going to stop answering the personal questions as you're probing. Your observation is great. They do minimize that kind of interaction and get right back to business. 

Dave Bittner: Right. 

Joe Carrigan: They don't have time for that. They are in a business environment, if you - you know, it's an illegal business, but it is a business. And they have their own goals to make. So they're trying to minimize that amount of time. So any amount of time you can spend talking with them about stuff that doesn't get them to their goal is a cost to them... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Which is I'm in favor of this. We haven't said this in a while. This is something we used to say a lot on the show. But really, what these guys are preying on is your desire to help other people. It's part of our human nature to try to help each other. 

Dave Bittner: Yeah. 

Joe Carrigan: And he was talking about tailgating as a way of gaining entry into classified facilities or secure facilities, and he has a great way to stop someone from tailgating. When you see someone walking up with a big batch of boxes, don't hold the door for them. Offer to hold the boxes. You're still being nice, and now the person has to do something else. They can't tailgate in. 

Joe Carrigan: Another thing that Ben says that's really great is, just take a deep breath and verify. This is something we've been saying for a long time now. We would say, go make a cup of tea or a cup of coffee and talk to somebody about it. That's the other thing I would say, is talk to somebody about it. Because once you... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Start talking about it, even just verbalizing it to somebody else helps you realize, oh, this is probably a scam. 

Dave Bittner: Yeah, absolutely. All right, well, again, our thanks to Ben Rothke for joining us. And, of course, we want to thank all of you for listening. 

Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.