Hacking Humans 9.3.20
Ep 114 | 9.3.20

It's evolving rapidly and getting more furious by the minute.
Max Heinemeyer: I sometimes think I live in a cyberpunk novel, right? High-tech low-life.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where, each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. This episode is for September 3, 2020. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week and, later in the show, my conversation with Max Heinemeyer from Darktrace. He's going to be sharing with us some of the threats that he and his team have been tracking throughout the onset and spread of COVID-19. 

Dave Bittner: All right, Joe. Before we get to our stories, we've got a little bit of a quick follow-up here. A recent show, you and I were talking about people having their Facebook accounts cloned, and I was saying it had happened to me. 

Joe Carrigan: Yep. 

Dave Bittner: (Laughter) And we got a kind note over on Twitter from someone who goes by the name The Computrix - @TheComputrix_. And this person said that people can slow down Facebook cloners by hiding their friends list. It's something I recommend to everyone. It's under friends, manage, edit, privacy. This is a good idea. You go in there and - so the general public can't see your friends list. You can actually make it so that only you can see your friends list, which... 

Joe Carrigan: Right, yep. 

Dave Bittner: ...Seems like a good idea. 

Joe Carrigan: It does. It does seem like a good idea. In fact, I do this, actually. What the biggest issue is here is that a lot of people do not do this. 

Dave Bittner: Yeah. 

Joe Carrigan: So they're the ones at risk of being cloned, and The Computrix here is absolutely correct. This is a great way to stop your account from being cloned effectively. Someone can still clone your account, but they will not be able to address your friends because they won't know who they are. 

Dave Bittner: Right, right. So it may make your account less valuable, so they'll move on to someone else. 

Joe Carrigan: Right. And then that other person might be one of your friends, and you might show up in their friend list. And I think there is also a setting on Facebook that says don't show me in other people's friends lists. That might be a setting. I don't know. I haven't looked at this. I try to stay off Facebook as much as possible. Like I've said before, I would totally close it down if I didn't have all the communication with so many people on that platform. But this is good advice. I would agree. 

Dave Bittner: Yeah, absolutely. 

Joe Carrigan: Also, let me give a little follow-up on your Instagram cloner. I said we'd follow this as it goes on. Nothing has happened with that yet. So I checked yesterday - no communication from the person who cloned your account.

Dave Bittner: All right. Well, let's move on to our stories. I'm going to kick things off for us this week. This is a story from the CyberNews website written by Bernard Meyer. It's titled "Boomer Outsmarts Hackers: 'Kiss Your Cash Goodbye'." And this is all happening over in the U.K. And I'm pretty sure you're going to get a kick out of this, Joe, because I know you love it when the good guys pull one over on the bad guys (laughter).

Joe Carrigan: I do, yes. 

Dave Bittner: So this is a story of a 73-year-old gentleman from North Yorkshire who was able to sort of turn the tables on some hackers who were trying to steal thousands of pounds. You know, Joe, pounds, that's what they call money over in the U.K. 

Joe Carrigan: That's right. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's kind of like dollars but different. 

Dave Bittner: Right, exactly. Yeah. So he got reached out to on Facebook from an acquaintance of his who asked if he could help with a transaction online. He said he was buying a camera. And he was having trouble with his PayPal account and asked this gentleman if he could help him, basically, with the money. And this guy said - wanted to be helpful - he said, OK, I'll help you with that. And then, rapid-fire, five payments came in via PayPal to this guy's PayPal account. Now, two of the five payments were blocked, but the three remaining payments, each one of which was for 690 pounds - so we're not talking about insignificant money here...

Joe Carrigan: This is - the potential victim is receiving payments from somebody. 

Dave Bittner: Correct. Right. So the first thing that happens is the bad guys send this person some money. 

Joe Carrigan: OK. And not an insignificant amount. 

Dave Bittner: No. He receives it in his PayPal account, and the scammer asks him to then transfer it to a different bank account. 

Joe Carrigan: OK. 

Dave Bittner: So they're asking him to be the middleman in here... 

Joe Carrigan: Right. 

Dave Bittner: ...Under the guise of saying that they're just having trouble using their PayPal account. Plausible, right? So far, plausible - I mean, you know. 

Joe Carrigan: Yeah. Yeah. But if you're having trouble using your PayPal account, how are you sending me money via PayPal? 

Dave Bittner: An excellent question, Joe - an excellent question. 
Dave Bittner: Well, and I - but you know what? I don't think it's the person who is sending in the money via PayPal. I think it's the person who's maybe buying the camera or this alleged friend is trying to have a transaction with. 

Joe Carrigan: OK. 

Dave Bittner: Right? So you are getting paid by a buyer of something, and then you're going to take that money you got, and you're going to send that on to your friend, OK? That's - it seems to me like that's what's happening here so - what they're claiming is happening here. Of course, it's all a big scam. 

Joe Carrigan: Right. 

Dave Bittner: So the person who sent him the money starts pressuring him to transfer the money to a different account. He goes and tries to do it, and his bank flags it and recognizes that it's a scam... 

Joe Carrigan: Right. 

Dave Bittner: ...And won't do the transfer. The scammer gets more and more agitated, asks him to call the bank and try to transfer the money. And at this point, this gentleman thinks that there's something up. He thinks it's... 

Joe Carrigan: Yep. 

Dave Bittner: His suspicions have been raised. 

Joe Carrigan: Yes. When your bank flags a transaction, that's a little bit of a tell. 

Dave Bittner: Yeah (laughter). Right, right. So he tries to get his acquaintance to - on the phone. He tries to get him on the phone. 

Joe Carrigan: Sure. 

Dave Bittner: Says, let's talk about this person to person just to... 

Joe Carrigan: Yep, absolutely. Good idea. 

Dave Bittner: Great idea, right? And the alleged acquaintance refuses to do so - says, no, no, I'm at work; I can't call you right now. And the gentleman being scammed replies and said, well, why don't you take a bathroom break and call me while you're, you know, out on a bathroom break? I just need some confirmation. Confirmation never came, and so this gentleman decided to just keep the money (laughter). But here's what happened next. 

Joe Carrigan: Right. 

Dave Bittner: Turns out that, via PayPal, you can reverse a transaction. 

Joe Carrigan: Right. 

Dave Bittner: So one of the payments was reversed. Basically, the bad guys clawed back one of the 690-pound transactions. And a few days later, they tried to reverse another transaction, but this gentleman has refused to return the money to PayPal. And he's saying to PayPal, I'm not giving you this money back until you can prove to me that these were real people, not scammers. 

Joe Carrigan: Right. 

Dave Bittner: So I'm guessing what happened was - is that this gentleman had a negative balance in his PayPal account, right? PayPal returned the money. I can't claim expertise on how PayPal works, but you can link your PayPal account to a bank account. And I believe you have to link your PayPal account to a bank account, if I'm not... 

Joe Carrigan: I don't know that you have to. But - I mean, you can start a PayPal account, but you can put money in with a credit card as well. 

Dave Bittner: OK. 

Joe Carrigan: But, yes, you can link it to your bank account, and you can move money from your PayPal account to your bank account. 

Dave Bittner: Right. So to sort of look at this at a higher level - so the scam here is that the bad guys target a victim, right? 

Joe Carrigan: Right. 

Dave Bittner: They ask for their help. They send them money. The victim gets the money. The victim then transfers the money to the bank account of the scammers. And then the scammers claw the money back from PayPal, the original money that they sent. So the person in the middle, the victim, ends up being out all of that money. 

Joe Carrigan: Right. 

Dave Bittner: Because the money that they thought they had in their account to send to the scammers gets clawed back, and so now they're out that money. 

Joe Carrigan: Yeah, yeah. 

Dave Bittner: That's how the scam works. 

Joe Carrigan: That's how the scam works. So that's kind of almost like a check floating scam. 

Dave Bittner: Yeah. But in this case, this gentleman - who sounds to me might be a little bit cranky... 
Joe Carrigan: Right. My kind of guy. 

Dave Bittner: ...Decided that he is not sending the money back until PayPal proves to him that this is a real person and not a scammer, that he is not going to return the money. Now, I don't know what actual legal case he has against PayPal, what agreements he made when he signed up for PayPal, what ability PayPal has to claw this money back from him or whatever. That - I don't know about that. But I have to say, my hat's off to him for... 

Joe Carrigan: Yep. 

Dave Bittner: ...The effort, anyway, right? (Laughter). 

Joe Carrigan: Yes. It looks like he didn't send any money out, right? So he's not out any money. 

Dave Bittner: Correct. Right. He's grabbed some money from the bad guys. 

Joe Carrigan: Right. 

Dave Bittner: And he's refusing to return it. 

Joe Carrigan: Yeah. Good (laughter). 

Dave Bittner: So - yeah (laughter). 

Joe Carrigan: I don't know how this is going to play out in England. In the U.K., I think there's a lot of consumer protection law that he might just get away with this. This might be fine, you know? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Somebody tried to scam you and they lost 650 pounds? Too bad. 

Dave Bittner: Yeah, yeah. Exactly. 
Dave Bittner: All right. Well, that is my story this week. What do you have for us, Joe? 

Joe Carrigan: Dave, this week, I want to talk about a report out from Kaspersky's cyberthreat research organization called Securelist, and they have the 2020 Quarter 2 spam and phishing report. And we'll put a link in the show notes, and you should take a look at this report. It's an interesting report with lots of data and statistics. But here are some key points. One of the first things that stands out to me in this report is that scammers are targeting smaller companies. Now, you know, I have the ability to wildly speculate and often do.

Dave Bittner: (Laughter). 

Joe Carrigan: But I think this is because smaller companies are actually turning out now to be better targets for these scammers because they don't have the huge budgets that large companies do. And while the payoffs may not be as large as if you target a large company, they are still there, and if you can scam a small company out of $600 to $1,000, that is a good day for a scammer, right? They are imitating email messages and websites of companies whose products or services these smaller companies may be using. 

Joe Carrigan: And a pretext is, essentially, like a cover story, you know, like, what you're going to tell people all about as your introduction to whatever you're scamming them with. But the main pretext for these scammers is a prompt to get the target to enter their login information for their email account to view an online catalog that is only available once you log in. They're obviously going after these smaller businesses where people might be less technically sophisticated and much more focused on what they do. 

Joe Carrigan: Now, if you think about a small business, Dave, working in a small business is not like working in a big business. 

Dave Bittner: (Laughter). 

Joe Carrigan: When you work in a large business, you have one or two tasks that you take care of. But when you work in a small business, you have to carry a lot of the small business load, right? 

Dave Bittner: Yep. 

Joe Carrigan: You're going to have to do a lot more things, and that may distract you from things. So if you're an office manager, you may very well do things like take the trash out when the trash gets full. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: Right? That might have to happen. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: The trash is full, and you may or may not even have housekeeping services coming in at night. 

Dave Bittner: Yep. 

Joe Carrigan: So somebody has to do it. So... 

Dave Bittner: I've done all this (laughter). 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: I've been a small business owner, and I have been there, my friend. 

Joe Carrigan: (Laughter) Absolutely. I worked for small businesses. I really enjoy working for small businesses because it's a nice close-knit group. And it's - everybody is much more invested, I think. But one of the things is you are more dispersed with your attention, thus I think you're a little more vulnerable... 

Dave Bittner: Yeah. 

Joe Carrigan: ...To these kind of attacks. 

Dave Bittner: Yeah. And, also, I think to your point, that you're less likely to have full-time staff who are paying attention to these sorts of security issues, right? 

Joe Carrigan: Correct. 

Dave Bittner: Chances are you've outsourced this to someone, or you're using some sort of big service provider. 

Joe Carrigan: Yep. 

Dave Bittner: And there's nothing wrong with that, but it just means that the odds of having an extra set of eyes or a dedicated set of eyes on this are lower for a small organization. 

Joe Carrigan: That's absolutely correct. Another point that jumped out to me is that these phishers are taking advantage of the pandemic, and they're actually going after people with a few hooks for phishing. One is package delivery notices, right? They're posing as courier delivery service employees and sending out emails that packages couldn't be delivered because of failure to pay the shipping. So they're just trying to scam people out of the shipping fees. They're sending phishing emails out pretending to be banks and offering loans and such for COVID-19-related needs. 

Dave Bittner: Right. 

Joe Carrigan: And they're also sending out tax refund notifications in the same vein. But here's the most insidious and distinctly evil way that they're exploiting the COVID-19 pandemic. They are sending fake messages from HR saying that you've been fired or terminated because of the pandemic and that the attachment, which is just a malicious attachment, is a way for you to request two months of severance pay. 

Dave Bittner: Ugh. 

Joe Carrigan: So go fill out the attachment, and you'll get your severance package. And, of course, the attachment's malicious. 

Dave Bittner: Right. 

Joe Carrigan: You know, this is despicable, of course. We've seen much worse things from these guys before, but I think this is pretty low. 

Dave Bittner: Yeah. Short-circuiting your emotions there by... 

Joe Carrigan: Right. Exactly. 

Dave Bittner: ...Coming out of nowhere and saying, you've been fired due to the pandemic. 

Joe Carrigan: Exactly. 

Dave Bittner: So now you're in a state of panic or distress or who knows what? But then setting the hook by saying, well, here's the good news - we're going to pay you for two months; all you need to do is download this attachment (laughter). 

Joe Carrigan: Fill out this form. Right. Exactly. Open the - double-click on this attachment. 

Dave Bittner: Wow. 

Joe Carrigan: And then they've got you. Take a look at this article. It's a good article. There are tons of great stats and charts in this article, if you're into that sort of thing. And I am, so I imagine that most of our listeners are as well. Go click on the link in the show notes. Take a look at it. Lots of interesting stuff. 

Dave Bittner: All right. Very good. Well, Joe, it's time to move on to our Catch of the Day.
Joe Carrigan: Our Catch of the Day comes from a listener, Bob. Bob received an email that reads like this. 

Dave Bittner: (Reading) Hi, dear. Thank God that you and your families are safe, healthy and in good spirits. My name is Eddy Zillan. I'm from Ohio and attended high school senior in Cleveland. First of all, I want to admit that I was a little worried whether you would answer my request for a good relationship or not. In the recent past, I also tried a couple of times to create conversation on the email or phone, but I don't want to feel hurt and have rejected my feelings toward you. I'm looking for a serious relationship. I hope that this time I was lucky, and I don't want to waste yours and my time. I want you to honestly admit to me if you are interested. 

Dave Bittner: Please be sincere with me. I was already badly wounded five years ago, and I don't want to be hurt again. Then my woman betrayed me. He cheated on me with another man not long before we were supposed to get married. It seemed to me that my world had collapsed, and I could never trust a woman again. But time heals, and now I've found the strength to believe in love again. I did a lot in my past relationships to ensure that my woman was happy, but he did not appreciate my care and all the luxury life and expensive gifts, cars. I realized that all three years of our relationship I found out she was cheating on me with my best friend, Tom. But at the same time, I never received true love and care. 

Dave Bittner: After much thought, I decided to try to look for happiness, and I'm ready to take care of you, love you and make you happy. I think that each of us has the right to happiness, right? And who will build happiness for us if we ourselves do not do it with our own hands? Maybe everything that I write to you right now is not at all interesting for you, but I consider it very important to explain to you at the very beginning of our communication about what kind of relationship I'm looking for and why I'm looking for these relationships. My goal is to find the right woman with whom I can build a serious relationship and be happy together. I believe I have a lot to tell you, but I have to stop now until I receive your kind response. Thanks so much - Eddy Zillan, CEO, investor in cryptocurrencies. 

Joe Carrigan: (Laughter) My favorite part is that he talks about his previous woman... 

Dave Bittner: Yeah. 

Joe Carrigan: ...But doesn't use the proper pronoun until, like, two-thirds of the way through the article. 

Dave Bittner: Right (laughter). 

Joe Carrigan: Right? So... 

Dave Bittner: Right. Yeah, there's a little bit of gender confusion throughout here. So - yeah. 

Joe Carrigan: I mean, this is, obviously, just terrible English, and I don't believe this guy's name is Eddy Zillan. 

Dave Bittner: (Laughter) You think, Joe? You think? 

Joe Carrigan: I don't think this person's from Ohio. 

Dave Bittner: Yeah. 

Joe Carrigan: And I don't think they attended high school senior in Cleveland (laughter). 

Dave Bittner: Yeah. Yeah. Well, Joe, nothing gets by you. I think you're right (laughter). I think you're right. 

Joe Carrigan: Right, yeah. I'm a little dubious of this Eddy Zillan fellow. 

Dave Bittner: Yeah (laughter). So I think we - pretty straightforward what's going on here. This is your standard, run-of-the-mill romance scam. 

Joe Carrigan: Right. It's interesting that they sent it to Bob. 

Dave Bittner: (Laughter) Right. Right. Yeah. 

Joe Carrigan: That Eddy's out there looking for a woman and sent it to a man. Actually, probably what happened here is Eddy has a - "Eddy" with air quotes - you can't see me because this is a podcast. But this person has a big list of email addresses, and they just composed this and sent it out to everybody. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And Bob was good enough to send it to us. Thank you, Bob. If you get something like this, please send this to us. We love reading them on the air.

Dave Bittner: Yes. We do. All right. Well, that is our Catch of the Day. 

Dave Bittner: All right, Joe. So I recently had the pleasure of speaking with Max Heinemeyer from a company called Darktrace, a security company, and he and his team have been tracking some things from the onset and spread of COVID. And Max joins us to share some of the things that they've been following. Here's my conversation with Max Heinemeyer. 

Max Heinemeyer: It's an interesting threat landscape these days. It's evolving rapidly, as surely everybody in cyber will attest, and it's getting more furious by the minute. We've seen such a huge increase in what we call fearware, spear phishing, phishing, scamming, spoofed emails that piggyback off the corona crisis. It's not only the phishing and the social engineering; there's also a lot happening in the old-school, almost, like, early 2000 remote code execution exploits against internet-facing infrastructure. But, overall, it's just getting worse and worse, I would say. 

Dave Bittner: Can you take us through some of the specific things that you're tracking? I mean, some of these things are new to me. For example, I'm not familiar with the term dynamite phishing. What's going on with that? 

Max Heinemeyer: So dynamite phishing is something the Emotet botnet introduced to the broader threat landscape, I think, two years ago or something. It's basically when a threat actor steals the inbox emails from hacked victims to use them later on for further infections. And we know this, right? We know that threat actors use compromised inboxes to send more scam emails and phishing emails.

Max Heinemeyer: But the interesting part here is that they take existing email chains that exist between legitimate senders and recipients, and they send these off and add a little bit at the end like, hey, see attached, or thanks for talking, look at the attached document. And that, normally, is malware. So the dynamite bit is that it uses existing legitimate email conversations to lure the victims into clicking on either phishing links or opening malicious attachments. 

Dave Bittner: Right. So this is an established conversation that I may have had with a colleague or a co-worker, so there's no reason for either me or the technology I may have protecting myself to suspect that there's anything going wrong here. 

Max Heinemeyer: Exactly. It's really difficult for humans and also for machines to identify this. Especially for machines, if it's an existing trusted relationship between two entities that have communicated before, it can be incredibly difficult to prevent this. And we expect this to be taken further in the near future as well by the incorporation of potentially malicious machine learning in some form. 

Dave Bittner: Now, I know you and your team have been doing a lot of work with artificial intelligence and some of the ways that that can be used for social engineering. Can you take us through some of the things that you're working on? 

Max Heinemeyer: Oh, absolutely. I love talking about this. 

Dave Bittner: (Laughter). 

Max Heinemeyer: So why do we look into what we call offensive AI - so using machine learning in various forms to conduct cyberattacks? Well, at Darktrace, we do all things AI and machine learning to defend people, to defend customers, defend employees. And as part of that, we introduced our email solution that used unsupervised machine learning to detect anomalies and weird communication patterns and spot never-seen-before spear-phishing emails, CFO frauds, scams and all these things. 

Max Heinemeyer: But to test that system, we wanted to push boundaries a bit and see how far we can go. So we started looking into offensive AI to autocreate spear-phishing emails, and I'm more than happy to expand on this. I think it's very exciting, and we actually think that some threat actors are also piggybacking off of this and looking into similar techniques. 

Dave Bittner: Yeah. Well, let's go into it. What sorts of things are you working on? 

Max Heinemeyer: So if you think about creating spear-phishing emails, normally what you go through - and I use spear pen test sites to conduct pen tests and have been doing it for 10 years now. Normally, you of course will get your victims, either the organization or the individuals. You understand their social media profiles, their job position, their bios, their CV if it's online, their hobbies, the things they talk about, where they live. So it's basic social engineering 101 - right? - researching your victims and doing all these things. And we thought, why can't we automate this? Why do we have to do all of these things manually, and why can't we push boundaries a bit? 

Max Heinemeyer: So instead of doing these laborious and very manual-intense tasks ourselves, we created some machine learning bits and pieces to automate that. So instead of, you know, doing all the legwork yourself and going to social media, creating LinkedIn profiles, understanding situations and topics and all these things, we used some machine learning of various forms, some supervised and some unsupervised, to basically go through social media, understand profiles, understand job positions, understand topics that people talk about, and then drive it further - not just understand these things, but understand the topics they talk about, the positions they're in, the hierarchy levels of organizations, and then autocreate, based on that information automatically gathered, suggestions for spear-phishing attachments and emails. So all the legwork, all the boring tasks, almost, that you have to do as a social engineer, we basically automate to the furthest degree possible, we think. That's just a prototype, and we used it for internal testing to test our own systems, but we were astonished how effective it is. 

Dave Bittner: Yeah. I mean, I have to say that's kind of a chilling possibility to think about - that if I'm a social engineer I can have this, I suppose, sort of a cheat sheet given to me that gives me the recommended ways to go at spear phishing someone. 

Max Heinemeyer: Exactly. Everything you need to do, basically, is point the tool at a victim organization, and a few minutes later, you are presented with directed spear phishing emails, the victim's being spoofed, the attachments are there, topics they talk about on social media are selected and piggybacked on. It's very powerful. We have not open sourced it and probably won't do it because it's quite dangerous, obviously. 

Dave Bittner: (Laughter). 

Max Heinemeyer: But if folks want to get an idea and a taster, there's an open-source tool out there which does the same thing for spear tweeting. It's called snap underscore R, SNAP_R, and it's a prototype from, I think, two years ago or something. Really interesting. It does a few of those things I mentioned but just based on Twitter - understand conversations, natural language processing and autocreates spear phishing tweets.

Dave Bittner: Are there any practical defenses against these sorts of things? I mean, if they're just gathering information that's out there in the open, I suspect this is a difficult thing to defend against. 

Max Heinemeyer: I think anything so early in the kill chain, the OSINT part, the early reconnaissance part that doesn't even touch the victims, is really hard to defend against, right? I mean, we always want to defend as early as possible in the kill chain, but that's just outside of most people's possibility realm to do this. We think that the machines need to do a better job - the right tools, vendors, email gateways. 

Max Heinemeyer: And it's very important to have security awareness programs and have the so-called human firewalls. You know best here on this podcast, right? But we think from the vendor perspective and the tech perspective, we have to push the boundaries. We can't push too much responsibility, especially now that it gets harder to spot these fakes, and they can be created more rapidly and at scale. We can't push the responsibility down to the humans all the time. We still have to be aware, but we need to be doing a better job as the security industry.

Dave Bittner: You know, here in the U.S. we've got an election coming up, sort of bearing down on us sooner than later. And something that has a lot of people concerned is the possibility of folks using deepfakes for misinformation. And I know that's an area that you and your team have been taking a look at as well. 

Max Heinemeyer: Oh, absolutely. And it doesn't even have to be a specialized AI research team to utilize these technologies for evil or for good purposes. If folks take a look at websites like thispersondoesnotexist.com, you can just get deepfake pictures from people that don't exist and don't flag up on any OSINT tools and use them in your spear-phishing examples and similar things. 

Max Heinemeyer: So we fully believe that the problem with fake news and with disinformation campaigns will just be exacerbated with the upcoming election in the U.S., obviously, and other countries. But it doesn't even have to be that technologically advanced, right? I sometimes think I live in a cyberpunk novel, right? High-tech, low-life. 

Dave Bittner: (Laughter). 

Max Heinemeyer: And it doesn't need deepfakes to have a successful disinformation campaign. It's certainly useful to make attribution harder and detection harder. But even with existing tools and just amplification on Twitter and other social media, botnets and troll farms, there can be a lot of damage done. 

Dave Bittner: Yeah, I think that's a really good point and a valuable insight, that I think it's very easy for us to be attracted to or maybe even distracted by these very shiny things like deepfakes that capture the imagination. But, really, those simple things, those low-level things, those phishing campaigns, those disinformation campaigns - they still work. They're still highly effective. 

Max Heinemeyer: Absolutely. And that's what we see all the time. And we at Darktrace, we fully believe that phishing is used so much by threat actors because it's low-cost and high-efficiency, right? It lowers the barriers to entry for many threat actors.

Max Heinemeyer: And, again, we think it's super important to use advanced defenses so we don't shift the responsibility onto the poor employees, you know, who just want to do their jobs. So it's quite an important point for us to not overcomplicate things and scare people into thinking "Terminator" is two clicks away and is going to hack everybody, and everybody is going to use deepfakes. It's certainly a tale of our times, that it's often discussed in the media. But we have to be skeptical around the latest hypes. And that comes from a company who does machine learning and AI, right?

Dave Bittner: Right (laughter). Right. Well, what are your recommendations, then? For folks who are looking to best protect themselves against these sort of things, what sort of advice do you have? 

Max Heinemeyer: Just a couple of things. And I always think about individual advice and organizational advice. But on the individual level, just be aware and put your best practices into action. These can be things - as everybody knows - multifactor authentication, good password management, mnemonic techniques, password managers. And I've got some very paranoid friends who don't even use social media at all and say, I don't even want to appear. But keep in mind that might open you up for fake attacks, where somebody takes over your nonexistent profile because you just don't have a footprint and uses that to attack other people.

Max Heinemeyer: From the organizational perspective, I think there's a lot of interesting and great tech out at the moment. So as an industry, we've been struggling with the traditional approach of, you know, predefining evil using blacklists and threat intelligence and signatures. And that's great. We still need this, absolutely, probably more for retrospectively finding attacks. And there's a lot of really good tech out there. For example, cloud email security supplements, and obviously, Darktrace provides something like this as well with Antigena email that can do a lot of the heavy lifting and prevent phishing, spear phishing - all from getting through. 

Max Heinemeyer: So to boil it down, I think it's best practices that we all know cyber hygiene topics, but also looking a bit ahead and using great, evolving technology to your best purposes. We often think about paradigm changes and why all this offensive AI talk seems quite far away, why people still get hacked by a malicious link. 

Max Heinemeyer: I like to think about paradigm changes. And what I mean by this is, we saw that WannaCry and NotPetya were paradigm changes. We knew that ransomware existed, and we knew that laterally moving malware existed, but nobody had put it together. And these two things coming together really changed the landscape of security and still does. 

Max Heinemeyer: And we anticipate the same happening once the genie is out of the bottle with offensive AI. So introducing some clever machine learning to some faces of the tech life cycle to hacking. So it's early to say, but something folks should think about because we think it's an associated topic. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: I think that was a great interview, Dave. I like what Max had to say. A couple of key points here. I like his term fearware. That's a great term. Remember, we said this earlier in the show, but fear is a tool that scammers use to short-circuit your thinking. It's one of the biggest tools that they have; the other tool being greed. Those are the two things that they use - fear and greed. They also use loneliness, love, isolation, other tools as well. But for setting the hook, the two biggest emotional triggers they're going to capitalize on are fear and greed. 

Joe Carrigan: So when someone's trying to scare you via email, slow down, relax. An attacker inserting themselves into an email conversation by compromising an email account strikes me as a great way to get the target to open your malicious attachment. If you think about this, getting an email from somebody going, hey, take a look at this attachment, you're immediately like, no, no, I'm not going to take a look at that attachment, right? But if you're in a conversation with somebody and they go, oh, by the way, here, I found this, why don't you look at it? Your guard may be down, especially if they're coming from a compromised inbox. 

Dave Bittner: Right, it's a trusted source. 

Joe Carrigan: Yeah, exactly. 

Dave Bittner: If I got an email from you that said, hey, Dave, check out this thing I saw, this is hilarious... 

Joe Carrigan: Right. 

Dave Bittner: ...I'd probably just open it up because I consider you to be a trusted source, and I wouldn't think twice about it. 

Joe Carrigan: Absolutely. 

Dave Bittner: Fool that I am (laughter). 

Joe Carrigan: Right. Well, fortunately for you, Dave, I use multifactor authentication on all the email accounts I use to communicate with you. So the chances of that account being hacked by somebody else are very low. 

Dave Bittner: OK. Good (laughter). 

Joe Carrigan: Lucky you. Machine learning is the future of security, but it is also the future of malicious activity. That is definitely going to be out there. These machine learning tools are readily available for anybody. They are developed in Python, which is a language that's very easy to learn and pick up. And if you - all you have to do is just start learning about it, and you can develop these tools. And, of course, malicious actors know that, and they're doing it as well. 

Joe Carrigan: Darktrace has used machine learning to automate the recon phase of a social engineering attack. And once again, here's some more wild speculation from me. Darktrace said they are not going to release their tool because they think it's too dangerous, but someone is going to release something similar. In fact, Max was talking about one tool that already does this for Twitter accounts. But somebody is going to release something similar, like what they've developed. And I would suspect that there are already organizations that have similar tools - malicious organizations. 

Dave Bittner: Yeah. Yeah, for sure. 

Joe Carrigan: Max talks about things early in the kill chain being difficult to defend against. And if you're not familiar with the term kill chain, you know, that's one of those sexy computer security terms, right? We've got to get them in somewhere along the kill chain. 

Dave Bittner: Right. 

Joe Carrigan: The process of performing any kind of malicious activity is just that; it's a process, right? And it starts with recon and surveillance, and then it moves along this process. And the first kinetic action is usually an email. And then after that, there's a malicious installation of some software or a compromise of a machine. Then after that, there's lateral movement. And that's the list of opportunities that you have to stop this attack, and they call that the kill chain. So it's a nice, concise way to explain that. 

Joe Carrigan: And he's right. Defending against the recon part is really not that easy, I mean, because all that information is out there. And as Max is talking, he makes me want to just get rid of all my social media accounts - right? - which is something I already want to do, but I can't. But then he says something that's really interesting, and that's, if you're not there, somebody is going to fill that void with you; that's a risk that you're running. And, again, we see that with you. You've shut down your Facebook account and your Instagram account, and somebody has filled that void... 

Dave Bittner: Right. 

Joe Carrigan: ...That Dave Bittner void that was in my Instagram followers. 

Dave Bittner: (Laughter). 

Joe Carrigan: Thankfully, now - thanks to this malicious actor - I have that Dave Bittner void filled. 

Dave Bittner: Yes, yes, that's right. You had a Dave Bittner-shaped hole in your heart. 

Joe Carrigan: Right. 
Dave Bittner: All right. Well, our thanks to Max Heinemeyer from Darktrace for joining us. We do appreciate him taking the time. 

Dave Bittner: We want to thank all of you for listening. That is our show. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.