Hacking Humans 10.1.20
Ep 118 | 10.1.20

Cookies make for some tasty phishing lure.


Alex Mosher: There's been a huge uptick in phishing on mobile devices in excess of 50%.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Alex Mosher. He's from MobileIron. And we're going to be talking about a campaign they ran recently that I was sort of part of. 


Dave Bittner: It was their phishing with cookies campaign. All right. Joe, before we get going, I have a quick story to share about my mom almost being scammed again. 

Joe Carrigan: Really? 

Dave Bittner: (Laughter) So I was over at my parents' place doing a little what I call Dave's free, unlimited, lifetime tech support... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...And helping them with some issues. And as part of this, my father and I had just - we decide we're going to run out and run a little errand together. We came back to his house. And my mom was there in the kitchen. And she's staring at her phone. She says, I've got a situation here. 


Dave Bittner: It's like, OK. What - all right. What's going on, Mom? Calm down. Calm down. What's the - she's all worked up. And she was at the point in a scam where she was about to call the scammers back with her PIN number for her Verizon account. 

Joe Carrigan: Ah. Now, this is interesting because this is the second time they've gone after your parents' Verizon account. 

Dave Bittner: Yes (laughter). So - and I don't know all the details because it really wasn't worth - it was more important to basically talk my mom off the ledge than it was to get all the details. But it seems as though the bad guys left a message, you know, that said it's important you return our call. Your account has been compromised, you know, that sort of thing. 

Joe Carrigan: Right. 

Dave Bittner: She called. And they said, OK, we're going to trigger this thing that's going to send you a PIN number. When you get the PIN number, call us back at this number with the PIN number. And we'll secure your account. And of course, this is a scam. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Verizon doesn't need to call you to get your PIN number. 

Joe Carrigan: No. 

Dave Bittner: (Laughter) So lucky to walk in on it right at the moment when it could've gone bad. But she was just along for the ride. She was at that moment where she was about to sort of give up the ball game there. 

Joe Carrigan: That's interesting. Did you take the opportunity to educate her on this? You know, not to sound, like, condescending or anything, but, you know, it seems like - you said she's along for the ride. She's in on it. And she's essentially gotten hooked. I mean, how do you stop this from happening when you're not there? That's... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Your concern, right? 

Dave Bittner: Well, I told her - first of all, I said don't call them back (laughter). 

Joe Carrigan: Right. 

Dave Bittner: I said, hang up the phone, Mom. Don't call them back. 

Joe Carrigan: Yep. 

Dave Bittner: And I explained to her that these are almost always scams. 

Joe Carrigan: Yes. 

Dave Bittner: So I said, if you're concerned - I said, here's what you do - get in your car and go to the Verizon store. 

Joe Carrigan: Right. 

Dave Bittner: Right? That way you know that - you know, they're going to take good care of you there. You know you're dealing with people who actually work for Verizon (laughter). 

Joe Carrigan: Right. 

Dave Bittner: So - and my mom is someone who's completely, totally happy to do that. 

Joe Carrigan: Right. 

Dave Bittner: She would love nothing more than a reason to get out of the house and run a little errand. So that would work for her. So we'll see. But it's just a reminder to everybody out there to spread the word. You know, those bad guys are out there. And anybody can fall for it. And it's really a shame when you see a loved one in the midst of it. 

Joe Carrigan: Yeah. It's almost as if this is the same group of people, it seems, isn't it? 

Dave Bittner: Well, I don't know. The other group was hitting my dad. And this was my mom. 

Joe Carrigan: Right. 

Dave Bittner: So - I mean, I suppose it's possible. I suspect, if anything, you know, maybe they have a list of senior citizens or something like that to... 

Joe Carrigan: Yeah. 

Dave Bittner: ...They think are more susceptible. But hard to know... 

Joe Carrigan: Probably buy the list from the AARP. 

Dave Bittner: Right. 


Dave Bittner: Exactly. Exactly. So just word to the wise there to be mindful of this. Remind your elderly friends and family to be on the lookout for these sorts of things because it can happen to anybody. All right. Well, let's move on to our stories this week. I'll kick things off for us. My story this week comes from Naked Security by Sophos. This is written by Paul Ducklin, who's been a guest on our show before. And the article is "SMS Phishing Scam Pretends to Be Apple 'Chatbot' - Don't Fall for It!" (Laughter). So... 

Joe Carrigan: OK. 

Dave Bittner: ...We talked about SMS phishing before, which sometimes goes by the name smishing because of the S there in SMS. This article outlines a message. I'll read it here. They did a screen capture of it on the Naked Security blog. It says, hello, Christopher. Congratulations. You received an opportunity to be in the testing group for our newest iPhone 12 as part of Apple 2020 testing program. You've been selected as perfect candidate. Click this link for further information. Now... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...What's interesting about the link is the link says www.apple.co.uk/2020promo. That is a completely legit-looking URL, right? 

Joe Carrigan: That's correct. 

Dave Bittner: Naked Security is in the U.K. So the .co.uk wouldn't raise an eyebrow for folks who are over there. But like, you know, so many of these things, that's what the text looks like. But underneath the hood, it's not going to Apple (laughter) in the U.K., right? It's going somewhere completely different. 

Joe Carrigan: OK. So in SMS, you can now, essentially, obfuscate the link by putting text over top of it? 

Dave Bittner: Yes. Yes. 

Joe Carrigan: I did not know this was possible in SMS. 

Dave Bittner: Yes. I believe it is, yes - well, clearly is because they're doing it here. 

Joe Carrigan: Right. Yeah. Absolutely. 

Dave Bittner: So (laughter) right. And the article goes on. And if you click through - if you decide that you really want to be one of the first people to have one of those Apple iPhone 12s, you click through. And it takes you to a website that says, congratulations. Here's your chance to get the iPhone 12. It has a timer on it. So you know, time is running out. You only have two minutes to claim your prize, right? 

Joe Carrigan: The old artificial time constraint. 

Dave Bittner: That's right. That's right, to turn up the heat on you. And then it asks you to fill out some information - your email address - and asks you to verify some information about yourself. And then, ultimately, in the end, it asks you for your credit card information... 

Joe Carrigan: Ah. 

Dave Bittner: ...Just for - you know, just for a modest shipping fee to receive the iPhone 12 - for a modest fee to receive it. And, of course... 

Joe Carrigan: Because if Apple is going to run a beta program, the one thing they can't afford is the shipping cost to send you your free iPhone 12. 

Dave Bittner: (Laughter) That's right. That's right. 

Joe Carrigan: (Laughter). 

Dave Bittner: Apple who has all the money... 

Joe Carrigan: Right. 

Dave Bittner: ...Literally have all the money. 

Joe Carrigan: I think they're the most cash-flush company ever to have existed, aren't they? 

Dave Bittner: I believe that is correct, yes. 

Joe Carrigan: Yeah. 

Dave Bittner: They are sitting on a mountain - a bigger mountain of money than the dragon in "The Hobbit." So... 

Joe Carrigan: Right. Smaug. 


Dave Bittner: So as this... 

Joe Carrigan: How sad is it that you make that reference and then I know - I get it and can name the dragon? It's... 


Dave Bittner: The truth hurts, Joe. So... 

Joe Carrigan: Yes. 


Dave Bittner: As they say in this article, what to do? First and foremost, there is no free iPhone. 

Joe Carrigan: Right. Absolutely... 

Dave Bittner: (Laughter) There's never a free iPhone. 

Joe Carrigan: ...Never is a free iPhone. 

Dave Bittner: No. No. 

Joe Carrigan: That's a ruse. 

Dave Bittner: Yes. They're taking advantage of greed, perhaps even a little bit of techno lust. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). They say keep your eyes open for clues. There are some spelling errors and things like that that are in this message that could be... 

Joe Carrigan: Yeah. There's a... 

Dave Bittner: ...A tell. 

Joe Carrigan: ...A grammatical error in here as well. You've been selected as perfect candidate. It's like Boris Badenov is writing this. 

Dave Bittner: (Laughter) Right. Look at the link before you click. Again, as we've talked about many times, that's more difficult on a mobile device. But you can click and hold on a link. And it will show you the actual link. But slow down. Check a link before you click. 

Joe Carrigan: Right. 

Dave Bittner: I mean, first off, don't click on the link, right? 

Joe Carrigan: Yes... 

Dave Bittner: But if you... 

Joe Carrigan: ...By no means should you click on the link. 

Dave Bittner: If you must click on the link, click and hold (laughter) and see what it is. And then, finally, the Sophos folks say consider a web filter to help keep the bad stuff out, things like a corporate VPN, you know, filtering on your local network. Those sorts of things can be helpful. So interesting article there. Anything jump out to you, Joe, about this? Any comments from you? 

Joe Carrigan: Well, one of the things that strikes me in this article is that when you click on the link, the very first thing that happens is a bunch of confetti falls down. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, it's like some Cascading Style Sheets or JavaScript confetti on the webpage. 

Dave Bittner: Right. 

Joe Carrigan: That doesn't strike me as something Apple would do. 

Dave Bittner: No (laughter). 

Joe Carrigan: That's very un-Apple. 

Dave Bittner: Yeah, known for their economy in design, right? 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Their clean interfaces... 

Joe Carrigan: Apple does a really good job... 

Dave Bittner: (Laughter). 

Joe Carrigan: As much as I don't like Apple, they do an excellent job on user interface. And that is out of character for them. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: What you said originally sticks with me, that there is no free iPhone. This is just something that's too good to be true. And I will confess to this, Dave, that techno lust you mentioned is a hook for me. 

Dave Bittner: (Laughter). 

Joe Carrigan: If somebody were to call me up or contact me and go, hey, do you want this free, new gadget? I'd be like, yeah, I do. 

Dave Bittner: (Laughter) I do want that new... 

Joe Carrigan: I really do want that free, new gadget. But maybe... 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: ...Maybe I should think about this a little bit better. 

Dave Bittner: Right. Right. 

Joe Carrigan: (Laughter). 

Dave Bittner: Yeah. I'm with you. I'm with you. 

Joe Carrigan: Yeah. 

Dave Bittner: I've certainly fallen for that for myself. All right. Well, again, that's from the folks over at Naked Security, the Sophos blog. We'll have a link to that in show notes. That is my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, it's that time of the cycle again. What do I say about getting your political news from social media? 

Dave Bittner: Ah, yes. I know this. Don't do it. 

Joe Carrigan: That's right. Don't do it. And the main reason... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...I say this is because, by their very nature, these services are not conducive to political discourse or even to your own political thought. Their algorithms isolate you in this echo chamber. And they only show you the things that they know will get you to stay on the page or in the app. That's what they're designed to do because that's their business model. Their business model is dependent upon you looking at the screen. And if... 

Dave Bittner: Right. 

Joe Carrigan: ...They can keep you looking at the screen, they're going to keep you looking at the screen. And if they show you political information from your friends or even ads that you either agree with or disagree with, depending on how you will react, they're going to show you that. So... 

Dave Bittner: Yeah. It's all about engagement. 

Joe Carrigan: It's all about engagement. Right. But the second most important reason that I tell people not to use these platforms for your - as sources for political information is that they are vulnerable to exploitation. And today, I have another fine example of why you don't trust anything political on a social network. Taylor Hatmaker over at TechCrunch is reporting Facebook has taken down two networks of fake accounts. Facebook and Graphika - Graphika is a company that specializes in social media disinformation. That's right. There's a company now out there that (laughter) specializes in social media... 

Dave Bittner: In creating it? 

Joe Carrigan: No, no, in detecting it. 

Dave Bittner: OK (laughter). 

Joe Carrigan: In detecting it. 

Dave Bittner: Phew. 

Joe Carrigan: No. 


Joe Carrigan: No. Creating it is the job of nation states, Dave. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: This is a company that actually has a legitimate business model of finding these networks out there. That's how bad this is. This company can survive on that, right? Facebook has taken down over 200 fake accounts, 40 pages, 9 groups and then 27 Instagram accounts. One of these networks was run out of China. And one was run out of the Philippines. One of the interesting points in this story - and actually, the headline of Hatmaker's story - is that the accounts from the Chinese network used images that were generated with generative adversarial networks - or GANs. We've talked about these before. Basically, it's one machine-learning model that generates an image. And it passes it to a second machine-learning model that tries to detect that it's fake. And if it detects that it's fake, the first model tries again, right? 

Dave Bittner: Oh. 

Joe Carrigan: And it keeps trying until the second network says, this looks like a legitimate picture. And that's the picture they use. If you look at these pictures in Taylor Hatmaker's article, there are nine images. And only one of them looks the least bit off. And it's negligible. It's really, really slight. And the only reason I think I know that it's not a real image is because I was told these are fake images. These images look really, really good and convincing. Now, here's what's interesting. The Chinese network started operating in April of 2019. That's over a year ago. That's how long this network existed before Facebook took it down, for more than a year. You can do a lot in more than a year. In 2020, they set up three U.S.-focused groups. In other words, they were trying to engage United States citizens with these groups. One group was pro-Trump. One group was pro-Biden. And one group that was called Quack Quack (ph) - it was anti-Trump. And I imagine that they were probably in the process of setting up an anti-Biden group, as well. But these guys are trying to play all sides of the die here, not just two sides of the coin. They're going pro-Trump, pro-Biden, anti-Trump and probably anti-Biden. 

Dave Bittner: Right. 

Joe Carrigan: They're probably trying to get everything that they can just to put as much political information out there and to push their propaganda. Of course, they're pushing their agenda particularly with regard to issues of the South China Sea, which the Chinese government is very interested in expanding its control over, as we've seen. But these guys existed for over a year before Facebook shut them down. And I guarantee you that is not the only one out there. There's more out there that Facebook just hasn't found yet. There are plenty out there that Twitter hasn't found. Whatever your social media network, these guys are out there on it. So that's why I say, do not get your political news from Facebook or any other social media platform. 

Dave Bittner: Yeah. And I think it's important to note that with groups like this - and this particular one is coming out of China, but we've seen disinformation coming from Russia. We've seen stuff coming from Iran. There are plenty of other nations that do it. I mean, those are the biggies. It's important to understand that their goal here isn't necessarily to get you to choose one candidate or the other. 

Joe Carrigan: That's right. 

Dave Bittner: One of their primary goals is to just make you feel uncertain about our system... 

Joe Carrigan: Right. 

Dave Bittner: ...To inject that uncertainty, which is corrosive to us as a nation. 

Joe Carrigan: That's exactly right. Another goal that they have is just to get us to dislike each other enough that we start hating each other based solely on our political biases or political beliefs. And, frankly, I'm speaking as an American here, but that's just un-American, right? 

Dave Bittner: Right. 

Joe Carrigan: One of the things we've always had in this country is tolerance for other people's political beliefs. And recently, that has not been the case. And I believe that is in large part due to foreign meddling in our political system. And you're right. The goal is not to get one person elected over the other. The goal, particularly with regard to Russia, is to just sow political discord. That's it. 

Dave Bittner: Well, let me ask you this, then. If we don't get our political news from Facebook, what do you consider to be a good place? 

Joe Carrigan: Here's what I recommend. This is something I think is important that you do, whatever your political leaning. If you lean to the left or lean to the right, you should get your political news from a trusted source on either side of that spectrum. If you lean to the right, you should definitely get your news from a trusted source that you're going to like, but you should also get your news from another source outside of your political spectrum because they're going to say things that you don't normally think about. There's a great website called allsides.com, which will take an issue and show you news from the left, news from the right and news from the center. And it gives you the headlines, and then you click on and read the articles. I think that's a good website to start with. 

Dave Bittner: Yeah. 

Joe Carrigan: But you have to go with a news source that demonstrates integrity. And that doesn't mean that they say things that you agree with. That means that what they say is true and that you can find them to be trustworthy. There is always going to be bias in your media, period. It's always going to be there. It's very hard to get that out. But you can counteract that by balancing the bias that you receive with bias from the other side. 

Dave Bittner: Right. Right. Try to break out of that bubble. 

Joe Carrigan: That's right. Make a deliberate effort to break out of the bubble. Exactly. 

Dave Bittner: All right. Well, those are our stories for this week. It is time to move on to our Catch of the Day. 


Joe Carrigan: Our Catch of the Day comes from Reddit user SlyFox227, who was lucky enough to be invited to join the Illuminati, Dave. Still waiting for my invitation. 


Dave Bittner: Well, it goes like this. Here's the message. 

Dave Bittner: (Imitating accent) Procedure of joining the Great Illuminati Temple of Money, Fame and Power. Join Illuminati today and get all you've ever wanted to become. Are you a businessman or woman, politician, musician, student footballer? Do you want to be rich, famous, powerful and protected in life or to be amongst those that matter in our society today? What do you seek for in life. Then take this step and get it all today. Illuminati is free for all, and we don't take blood sacrifice. All we need from each member is to follow the rules and regulations that make us who we are today in the world. The Illuminati Brotherhood has many to achieve after becoming a member. A lot of benefits await you now. 

Joe Carrigan: (Laughter) That was great. 

Dave Bittner: (Laughter) 

Joe Carrigan: Are you saying that Arnold is a member of the Illuminati, Dave? Is that what that is? 

Dave Bittner: (Imitating Arnold Schwarzenegger) Get to the chopper. 

Joe Carrigan: (Laughter). My favorite part is that they don't take blood sacrifices. 

Dave Bittner: Well, it's good. 

Joe Carrigan: Yeah, I'm relieved. 

Dave Bittner: (Laughter) I mean, who among us hasn't been in a group that requires blood sacrifice? 

Joe Carrigan: That's right. 

Dave Bittner: I'd say it's a breath of fresh air to not have to join a group that requires a blood sacrifice, right? 

Joe Carrigan: (Laughter) Indeed. 

Dave Bittner: (Laughter). All right. I don't - what's the goal here, Joe? What's the end game? 

Joe Carrigan: I have no idea what the end game is here, Dave. This is probably just to collect information. I don't know. Maybe they're actually going to try to get you to pay some money. Maybe this is the opening of a scam where they just say, OK, your membership fees are due, and it's a thousand dollars a year. 

Dave Bittner: Right. 

Joe Carrigan: Now you're a member of the Illuminati. 

Dave Bittner: (Laughter) Yes. Everything you've ever wanted. 

Joe Carrigan: Right. 

Dave Bittner: All right. It's a good one. Thanks to Reddit user SlyFox227 for sharing that. That is our Catch of the Day. 

Dave Bittner: All right, Joe. You know, I recently had the pleasure of speaking with Alex Mosher from a company called MobileIron. And what sparked our conversation was the folks at MobileIron sent me a package that I received in the mail. (Laughter) And I'm not going to give too much of the story away because we talk about it in the interview, but here's my conversation with Alex Mosher. 

Dave Bittner: Setting the table here, I guess a couple weeks ago now, I received a package in the mail, which I had actually gotten a heads-up that a package would be coming, so I was prepared for it. When I opened this package, inside was a box full of delicious cookies. And there was a note from you and your team at MobileIron. And it said, sometimes our QRiosity gets the best of us. Enjoy this sweet treat. Can you describe to us what was in that box of cookies? 

Alex Mosher: Sure, absolutely. So you have, obviously, the cookies. And then on each of the cookies, we went ahead and put a QR code. And the reason that we did that is as, you know, we've certainly seen as a result of the pandemic going on, a lot of contactless interaction with various systems. Go back to a restaurant, oftentimes the menu is on a QR code or you get a receipt or a bill and you're using a QR code. Or you're checking out at a service or maybe even an online system. Maybe even folks that used to bill you in person, now maybe they're sending you an email, and that has an embedded QR code in it. So QR codes have become really relevant in our lives and certainly, I think, amplified as part of the whole pandemic that we've been going through and managing through. 

Alex Mosher: So what we did was we took a box of great cookies, something everybody would, as you mentioned, love to have, and we put a QR code on, incentivizing you to - hopefully your curiosity get the best of you and... 

Dave Bittner: Yes. 

Alex Mosher: ...Get you to go ahead and scan that QR code. 

Alex Mosher: Now, the gotcha point with our QR code was it directed you to a site that very easily could have been a phishing site or a malicious site of sorts just to kind of get you thinking about - whoa, I don't even think about when I go to those examples I gave before - the restaurant, the bill - you know, wherever it might be. And I just maybe blindly scan things like QR codes with my mobile device because it's so easy to do and it makes life certainly much simpler, especially in the current times. 

Dave Bittner: Yeah. And I did exactly that. And now - granted, I - you know, I knew that this was coming, and I had a certain amount of trust in both the team at MobileIron and the PR team. And because I'd been warned ahead of time that this was coming, it wasn't out of the blue. So I had fairly high confidence that nothing bad was going to happen. But when I used the QR code and went through to that page, it gave me a - sort of a good-natured sort of, you know, slap on the wrist that, hey, this could have been bad. And then there was a nice educational page about all the things that you need to look out for. 

Dave Bittner: You know, one thing that struck me with this is that, you know - like, for example when I go to buy gas, there's a big poster there next to the gas pump. And sometimes the gas pumps themselves have QR codes on them that say... 

Alex Mosher: That's right. 

Dave Bittner: ...Pay with your mobile device; use this QR code. You know, what's to keep a bad actor from printing out a sticker that looks like, for all purposes, it belongs there? 

Alex Mosher: Yep. 

Dave Bittner: ...That would then send you somewhere bad? 

Alex Mosher: Yes. Actually, it's a really great point. And if you think about it, a few years ago - you remember? - there was a whole big warning that before you go to an ATM, even at a known bank, you're supposed to kind of, like, pull on the card thing to make sure that it doesn't just pop off as a... 

Dave Bittner: Right. 

Alex Mosher: ...Bad card reader - right? - that's just reading your credit card number. QR code - let's face it. You and I can go build a QR code on a printer, even put it on a nice sticker. Where they are at the gas station, usually there's no longer a gas attendant that's outside watching what you're doing. It's absolutely nothing in those scenarios to do that. Think about the person who may be - use my restaurant example again. I leave a restaurant, stick a new - all those are, are stickers anyways. How do you know whether that's the one the restaurant intended or not? 

Alex Mosher: I could even make it look like a restaurant webpage, maybe take me about 10 minutes on YouTube to find out how to spoof something that looks like that restaurant or that gas station's page so it pops up on your device. You're like, wait - this looks legitimate. Let me just enter in my credentials and go. 

Alex Mosher: And by the way, if you don't think that actually happens, if you just dissect what happened just a matter of weeks ago with Twitter and the big hack that happened there, one of the main ways that they were able to phish folks' emails was they made a landing page that looked like a legitimate Twitter landing page for internal employees. So when they went to the page, they didn't look at the URL. They just looked at the page, said this looks legit - username, password. And the whole rest of it is history. 

Dave Bittner: So what are your recommendations here? How - what are some of the best ways that both people and organizations can protect themselves from this sort of thing? 

Alex Mosher: So I think you have to think about phishing in a very different way than we've traditionally thought about it. Right? The problem's been around for 20-plus years, certainly from an email perspective. Really, as soon as an internet-based email - maybe 30 years ago - was really consumed by large organizations, you know, phishing and spam was a problem. 

Alex Mosher: It's certainly gotten far more sophisticated over the last 30 years, and we've gotten decently good at protecting, you know, kind of our traditional corporate email sources. And the hackers know that. Right? They know that we're - trying to phish your traditional corporate email is a relatively challenging thing to do. But if you think about other sources of communication, you know, email, in a lot of ways, is sort of that very legacy, maybe even, you can argue, a dying platform from a communication perspective, even in the business world. A lot of people are using things like social media to communicate. Certainly as you go younger, that's more and more common. They're using applications. Like, if they have an iPhone, iMessage, SMS, WhatsApp - right? - all of those sources. 

Alex Mosher: Oftentimes if you have email, you don't just have one email account, especially on your mobile device. You might have a personal email account or more than one personal email account. You certainly got many different ways of communicating with friends and colleagues and others. So I think it's really important that we look at trying to protect ourselves kind of holistically. Think about the platform that people are using and the different sources of communication that could potentially be utilized to phish, just like the QR code example you and I just discussed. 

Dave Bittner: You know, one thing that struck me in my own experience with the cookies that you all sent out was that, you know, I think it's the default in iOS that when you have your camera app open and it sees a QR code, it automatically sort of triggers it. And it says, hey, do you want me to open this? You can disable that, but, you know, that a - there's an issue - I could take issue with that itself. 

Alex Mosher: Yeah, no, absolutely. And if you think about it, there are legitimate good sources, like use the gas pump example you gave - certainly makes life a whole lot more convenient, right? Could you imagine today with the challenges - I gave the restaurant example. Restaurants are under enough pressure just to stay afloat. If they had to literally reprint menus every single time somebody came into the restaurant because they have to throw them away because of the pandemic, costs would go up, and it would be even more stress on the organization. 

Alex Mosher: So there's really positive things that are on the front end. Think about, you know, the communication platforms we have, the ability to quickly just communicate with all kinds of people on platforms like SMS and iMessage and WhatsApp and the sort. So because these systems are so great and they benefit us so greatly, it's what really puts them at such easy target from a hacker's perspective because they know that you're doing things in quick real time. You're not really paying super close attention to what's happening. You're there at that location. Get the cookie. Scan it. You're thinking something good is the result - and only to find out that, you know, something bad has happened at the end of the day. Again, you don't have to go even far back in history. I'll reference again that Twitter attack. A lot of this was sort of done that same way, using systems that were put in place to make life easier and more convenient. We focused more on the convenience side than we did the security side. You really have to find a balance between the two. 

Dave Bittner: Yeah. And as this proves, a surefire way to get through someone's defenses is directly through their stomachs. 

Alex Mosher: Yes. There's no doubt. 

Dave Bittner: (Laughter) Yeah. 

Alex Mosher: There's been a huge uptick in phishing on mobile devices, in excess of 50%. And it's for all the reasons that we talked about, right? The convenience factor, the ease of getting to a user's data and information and the fact that you've got this very small screen with very limited real estate, and so things like validating links before you click on them are often very difficult. You get that tiny little Bitly link or an abbreviated link. So you're not really sure what you're clicking on before you're clicking on it. Those challenges continue to really drive the need to look at protecting yourself in those outer, you know, endpoints from a phishing perspective. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: Dave, I have one question. 

Dave Bittner: Yes. 

Joe Carrigan: Where are my cookies? 

Dave Bittner: (Laughter) Your cookies are in my belly. 

Dave Bittner: They were delicious cookies, Joe. I ate them all. 

Joe Carrigan: Were they addressed to both of us, Dave? 

Dave Bittner: (Laughter) No, they were not. They were addressed to me. But I should've - you're right. It was rude of me and selfish to not share these scammy cookies with you. 

Joe Carrigan: Were the QR codes actually printed on the cookies? 

Dave Bittner: Yes, they were. They were. 

Joe Carrigan: Really? 

Dave Bittner: You can - if you want to go digging back in my Twitter account, which is @Bittner, I posted some pictures of them. 

Joe Carrigan: Ah. I will do that. 

Dave Bittner: Yeah, they're like, you know, flat shortbread cookies. They're quite tasty. They had icing on them. And printed on the icing - because, you know, they can dot matrix print on baked goods now (laughter). 

Joe Carrigan: Yes, that's right. 

Dave Bittner: That's what they did here. 

Joe Carrigan: Here's a vector none of us expected (laughter). 

Dave Bittner: I'm sorry - inkjet print, not dot matrix - inkjet print. Yeah, yeah. 

Joe Carrigan: Right (laughter). Yeah, dot matrix print - you'll wind up with a pile of crumbs at the end. 

Dave Bittner: Right, exactly. Exactly. 

Joe Carrigan: I'm familiar with QR codes and bar codes from my time in my failed sales career selling printers - in particular, bar code printers and Multiplex bar code printers. But a QR code is a matrix bar code. And that's all it is. It's nothing different than the technology that you use at the grocery store checkout with the UPC on the bottom, except that while the UPC is read in one dimension, a QR code is read in two dimensions. And there are some features in the QR code that tell whatever's reading it how to orient the image and what version of the QR code you're looking at. It's all very interesting. A QR code can hold up to 4,000 characters of information. That's a lot of data in a little bitty spot. And... 

Dave Bittner: That's more memory than my first computer. 

Joe Carrigan: Right (laughter). That's about as much memory as my first computer had. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's - 4K. Your first computer had to have more than 4K. 

Dave Bittner: It did, but the screen - the video display took up about half of that, so you were left with about 2 1/2 K of - but we digress (laughter). 

Joe Carrigan: Right. Old men talking about their old computers. 

Dave Bittner: (Laughter). 

Joe Carrigan: If it's a URL, the app - like, your camera app on your iPhone or your Android may just open that up. And I think you said in the interview that your phone just opened that URL up. Most people don't think about this as a vector. I do because I'm paranoid and steeped in the information security field, right? So this is one of the things I think about. But on my phone, I have an app from Trend Micro that reads QR codes and then vets the websites that they point to. It tells you whether or not it's safe to go to it or not. I recommend that if you're going to use your phone to open QR codes that you use one of these apps. QR codes are a vector. And you should absolutely not trust the QR code that you're looking at when you see it because, like you and Alex said in the interview, that's easy just to print one out and put a sticker over top of the existing QR code and replace it with a malicious one. 

Dave Bittner: Right. 

Joe Carrigan: So use some kind of vetting system like the app I was talking about earlier. And just be careful. Everything out there that has a legitimate purpose can also be used maliciously. 

Dave Bittner: Yep. And never underestimate the ability of tasty baked goods... 

Joe Carrigan: That's right. 

Dave Bittner: ...To penetrate your security. 

Dave Bittner: Defense in depth is out the window when cookies are involved. 

Joe Carrigan: That's right. 

Dave Bittner: So (laughter) - all right. Well, our thanks to Alex Mosher for joining us and thanks to the folks at MobileIron and their PR folks as well for sharing that campaign with us. It was a lot of fun. But also, I think some good lessons to share - so it's good for everybody. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.