Hacking Humans 12.10.20
Ep 127 | 12.10.20

The landscape has shifted for holiday shopping to online.

Transcript

Neal Dennis: Stores that typically thrive on Black Friday in-person sales - I hope they've seen the writing on the wall that they're going to have to start trying to find ways to redirect to online procurement cycles with their consumers.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week and, later in the show, my conversation with Neal Dennis from Cyware. We're going to be discussing the cybersecurity concerns and pitfalls that customers need to look out for, especially when they are buying things online, and how e-commerce has become a goldmine for hackers. 

Joe Carrigan: Kind of important this time of year. 

Dave Bittner: It is absolutely the time of year for this information. 

Dave Bittner: All right, Joe, before we jump into our stories, we've got some feedback from our last episode. 

Joe Carrigan: Right. 

Dave Bittner: Do you want to read this for us? 

Joe Carrigan: Sure. It's from a listener named Alan (ph). He says, (reading) I just finished listening to Dave's story about allowing site notifications. While I also have the habit of automatically saying no to those, there are two notable exceptions. I work for a tutoring company. This means it's a good idea to get notified when there are students who require instant online tutoring sessions. This is a thing they have offered for years. It's not just a COVID thing. So just so you know, there are legitimate reasons to say yes to a notification in narrow cases, few and far between as they may be. 

Dave Bittner: Yeah. 

Joe Carrigan: And, yes, Alan, I agree with that. There may be a situation like this where you need to turn on notifications for your browser. I have not personally run into that situation, and for this particular application, I can absolutely see the use case being a valid one. But I can't stand the web right now, Dave... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...When every single webpage wants to send me these notifications (laughter). 

Dave Bittner: Yeah. No, but I think Alan makes a really good point here, which is that when it is a site that you are regularly engaged with and something that you trust, you know, that's a different thing than - as we were talking about, it seems like every site wants you to - not only do they want you to subscribe to their newsletter, but (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...They want to do pop-ups as well. So, yeah, absolutely, I think Alan's right on the money here. There are narrow use cases where the value proposition is worth it, that whatever minor risk there might be - 'cause this isn't a case where they're going to be injecting advertising or someone else's code into this pop-up. 

Joe Carrigan: Right. 

Dave Bittner: I think Alan's pretty confident, you know, that these folks are only going to be sending him stuff that he needs and is going to help him do his job better. 

Joe Carrigan: Right. This is a company with whom he contracts, I assume. I don't... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I don't know how it works, but they're essentially one of his employers or a customer, depending on how it works. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So he wants to know that, absolutely. So, yes, I have no problem with this. I think Alan's 100% correct. 

Dave Bittner: Good use of the technology, yeah. 

Joe Carrigan: Right. 

Dave Bittner: All right, well, Alan, thanks for sending that in to us. And, of course, we'd love to hear from all of you as well. You can send your comments to hackinghumans@thecyberwire.com. 

Dave Bittner: Let's roll into our stories this week. I'm going to kick things off for us. Joe, I have good news (laughter). 

Joe Carrigan: Good news. 

Dave Bittner: Good news, which is, on this show, anyway, kind of few and far between. We're always sharing the bad news. In this case, this is a press release from the U.S. Department of Justice, and the title is "U.S. Law Enforcement Takes Action Against Approximately 2,300 Money Mules In Global Crackdown on Money Laundering." 

Dave Bittner: Now, this is fascinating to me, as, you know, we've certainly talked a lot about money mules. 

Joe Carrigan: Yes. 

Dave Bittner: The interesting thing about money mules is that they often don't know that they are money mules.

Joe Carrigan: That's right. That's - they're often victims. 

Dave Bittner: Right. They get attracted to some sort of job offer. Someone says, hey, I need you to do some work for me. Part of that work is going to be buying this thing from over here and selling this thing from over here. I'm going to need you to buy some gift cards, and I'll reimburse you. And sometimes it's just a pure scam where they'll start the person on some job, and they'll build their confidence but then eventually run off with their money. But there are other cases where they will be ongoing money mules. By passing the money through these unwitting people, they're essentially laundering the money. 

Joe Carrigan: Right. 

Dave Bittner: Evidently, there's an annual effort led by the Department of Justice, and they work with the FBI, with the U.S. postal inspectors, several other federal law enforcement agencies and the European Money Mule Action. So it's a global effort. Europol is in on this. They took action on over 2,300 money mules. Last year's effort acted on 600 money mules. 

Dave Bittner: Now, here's the interesting part of this - is that these were not 2,300 arrests. These were 2,300 notifications. They reached out to these people. They had agents who conducted 450 interviews, but they sent about 2,000 of these people letters warning them that they were facilitating fraud and could face civil or criminal consequences for continuing their actions. 

Dave Bittner: This is interesting to me because I think for the folks who don't know that this is what they were up to, like you said, the folks who are honestly victims, it's good to put them on notice, to let them know and say, hey, if you want to follow up, if you have any questions, please reach out to us. 

Joe Carrigan: Right. I don't know, Dave. If I get a letter from the Department of Justice that says, we think you might be a money mule; give us a call... 

(LAUGHTER) 

Dave Bittner: Well, that's a good point. But would you start looking for another job (laughter)? 

Joe Carrigan: Yes, I would start looking for another job, which is probably their mission, right? 

Dave Bittner: Right. I would, too, yeah. 

Dave Bittner: So it seems like they're really trying to slow things down here. But I think that's a good thing - you know, rather than, you know, banging on somebody's door and when they answer it, you know, slapping a pair of handcuffs on them right away... 

Joe Carrigan: Right. 

Dave Bittner: ...Particularly for these folks who may be unwittingly taking part in this. 

Dave Bittner: There's some other interesting notes in this press release. They say on about 30 instances, the agents seized assets or facilitated the return of victim funds. Among the asset seizures was a 2019 Lamborghini - same car you drive, Joe... 

Joe Carrigan: That's right. 

(LAUGHTER) 

Dave Bittner: ...Which was seized as part of an investigation into a business email compromise. 

Dave Bittner: Now, the other interesting thing about this is part of this action is because in January of this year, the Department of Justice, with the signature of President Trump, they have a program that's called the Preventing and Disrupting Transnational Elder Fraud. 

Joe Carrigan: Ah. 

Dave Bittner: I was not aware of this. But there is a National Elder Fraud Hotline, and it's 1-833-FRAUD-11. And this is a hotline manned by the Department of Justice. And if you have a case where you think someone is being a victim of fraud, particularly someone who's elderly, you can call in, and they have resources where they can try to help you. They want to hear about it. This is a hotline that's staffed every day, people who can speak multiple languages and so on and so forth. So I was unaware that there was a National Elder Fraud Hotline, but it sounds like a good thing to me. 

Joe Carrigan: I agree. This is definitely a good government service. I'd like to know what happens with the complaints and what their success rate of closing these complaints is. 

Dave Bittner: Yeah. A bit of good news from the U.S. DOJ and beyond that, an international effort to try to put an end to some of this stuff. That's my story this week. Joe, what do you have? 

Joe Carrigan: Dave, I was also going to start with good news. There is a COVID-19 vaccine coming out, and everybody's very happy about that, right? There's actually two of them. 

Dave Bittner: Yes. Yes, indeed. Yes, indeed. 

Joe Carrigan: Right. Bad news, though - and I'm going to take us right back into the bad news realm - this presents another opportunity for scammers to take advantage of current events to conduct phishing campaigns. 

Joe Carrigan: I was looking for a story on these kinds of scams because when I saw the news that there were a couple of vaccines - one had already been approved by the U.K. and, as of this recording, two more that are going through approval - rapid approval with the FDA - expedited approval - I said, I should find a story on this. And I found one that is just too big to ignore. It comes from Claire Zaboeva and Melissa Frydrych at IBM's Security Intelligence. The title of the article is "IBM Uncovers Global Phishing Campaign Targeted at the COVID-19 Vaccine Cold Chain."

Joe Carrigan: So what is the cold chain? IBM's security has identified this phishing campaign against something called the Cold Chain Equipment Optimization Platform program, which is a program within the vaccine industry that helps keep vaccines at a good temperature no matter where they're going, right? 

Joe Carrigan: And here's the cover story. The adversary impersonates a business executive from a company called Haier Biomedical, which is credible and legitimate because they are in the vaccine supply chain and they're a qualified supplier for this cold chain program. And they say that they are the world's only complete cold chain provider. And disguised as an executive from this company, Haier Biomedical, the adversary sent phishing emails to organizations believed to be providers of materials to support and meet transportation needs within the COVID-19 cold chain. 

Joe Carrigan: So they're targeting these specific companies. And they're - not only the companies, but the European Commission Directorate for Taxation and Customs Units (ph), organizations within the energy manufacturing and website creation software. They're going after a lot of different people with these spear-phishing emails. 

Joe Carrigan: Of course, one of the things they're looking for - we see this very often in these phishing campaigns - is they're going after credentials, right? 

Dave Bittner: Right. 

Joe Carrigan: And IBM thinks that they're using these credential harvesting campaigns to gain wider access within these networks. They're using this current event of the vaccines being approved. They're sending out emails that are essentially requests for quotes to all these different companies, all these different organizations. And then they're getting access into these organizations. 

Joe Carrigan: And then once they get access into the organizations, they're using it to spread. And they are targeting so many people from the energy sectors because there are these cold storage units that are solar powered, right? And they're going after the people that make that. They want that technology. This is so well-orchestrated that IBM is pretty convinced it's a nation-state actor doing this. 

Dave Bittner: Right, because they're not trying to - it's not a quick hit to try to get money or anything. 

Joe Carrigan: Right. No, they've been doing this for a while. IBM has a bunch of different recommendations here. Normally, we talk about how individuals can protect themselves, but today, I guess we're talking about how corporations can protect themselves. One of the big things is assess your third-party ecosystem, right? This is what caused the Target breach, if you remember that. They had a... 

Dave Bittner: Yeah. 

Joe Carrigan: One of their HVAC contractors had their credentials compromised, and that was used to get into the Target system and caused all those credit cards to be breached on Black Friday. 

Joe Carrigan: Share and adjust intelligence. That's a big one. So whenever you see things - there are all kinds of ISACs out there for just that purpose.

Joe Carrigan: Use multifactor authentication across your organization. That is my biggest go-to thing to say now. Whatever multifactor authentication - the highest level you have available to you, use it. The best level you can get your hands on - do that. 

Joe Carrigan: You know, there's a bunch of other stuff. Conduct regular email security education training, which is a great way to keep your employees' and other affiliates' attention up about these. But keep the awareness in front of them. Make sure that they know about it. 

Joe Carrigan: And then, of course, it's got endpoint protection and response, which is just use a virus - antivirus software (laughter)... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Which kind of should go without saying, right? But I guess they say it. 

Dave Bittner: Yeah. What's interesting to me about this is how they're going after a critical part of this global effort that is sort of a behind-the-scenes sort of thing, you know? 

Joe Carrigan: Right. 

Dave Bittner: The stuff - it needs to be kept cold. At least one of the vaccines needs to be kept very cold. 

Joe Carrigan: Right. 

Dave Bittner: And so it's a critical part of it. But you can see, when you combine that with everyone's desire to move as quickly as possible, you know, that sets up a set of circumstances where these scammers can go in and do the things they want to do. 

Joe Carrigan: And that is an excellent observation, Dave. Normally we talk about scammers using an artificial time constraint, but here we actually have a real time constraint - the sooner the better for getting this vaccine distributed. 

Dave Bittner: Right. 

Joe Carrigan: It's not really, like, a hard deadline, but it does provide this sense of urgency that does exactly what you say. It may make people more susceptible to clicking on these links and logging into the wrong pages and letting these bad guys collect the credentials. 

Joe Carrigan: One of the technical ways they're doing this is the emails are actually containing the malicious HTML attachments that open locally. So there is no website to take down. There's nothing out there to go after. And if you start noticing the website, the malicious attachment, I can just change the code on it, and you won't be able to tell again. 

Dave Bittner: No, it's fascinating. And I think the broader message here is that COVID has been around long enough. You and I have been talking about there have been - certainly been many consumer-facing COVID-19 scams. All the... 

Joe Carrigan: Right. 

Dave Bittner: The people who do this for a living, they jump on whatever is hot in the news, whatever is topical, whatever is going to elicit that emotional reaction from you. 

Joe Carrigan: Absolutely. 

Dave Bittner: And certainly for the past, well, coming up on a year or so... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...COVID-19 has been at the top of the list for that sort of thing. Interesting to see how this is happening kind of on the industrial side of things as well - perhaps a nation-state using it to gain a foothold to be able to gather information on who knows what. 

Joe Carrigan: Yeah. I think they're going after intellectual property. 

Dave Bittner: Yeah. 

Joe Carrigan: So they're going after vaccine recipes. They're going after storage techniques. They're going after a bunch of stuff that they could capitalize on. 

Dave Bittner: Yeah. I mean, it's interesting because you'd hope in an ideal world that this would be just information that everybody would share freely... 

Joe Carrigan: Right. 

Dave Bittner: ...Around the world. You know, you think about in the past, you know, the efforts against things like smallpox and certainly polio. So, you know, I would like to think that we have that spirit of sharing and goodwill around the world, but there's always somebody, right? 

(LAUGHTER) 

Joe Carrigan: Yeah. That's right. 

Dave Bittner: All right. Well, that is an interesting story for sure, and we'll have a link to the coverage there about IBM and their efforts. 

Joe Carrigan: Yes. And they have indicators of compromise if you want to put those into your threat detection systems. 

Dave Bittner: Yeah. All right. Well, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Virginia, and she sent us this. She received this email that is a blatant phishing attempt from someone impersonating a bank. And because you are so good at these, why don't you read it for us? 

Dave Bittner: (Reading) Dear beneficiary, please note that after much deliberation and due consideration with executive management of First National Bank, Virginia branch, concerning your unclaimed fund, your account has now become a subject of litigation. Now in our bank after a ministerial resolution meeting yesterday has considered your plight of fund through our consolidated bank First National Bank USA to be transferred to you. Meanwhile, we are, by copy of this email, authorized the remittance department of this bank to open a credit online account login on your behalf and credit you with the above-mentioned sum without further delay. Note - your online account transfer access code will be paid by this bank, including account opening activation fees. We do this in order to make sure a customer do not suffer unnecessary while we pursue the case of fraud corruption through the logical conclusion. Your account must be set up and running within 48 hours upon. We are awaiting hearing from you - Mr. William M. Pearson, branch operations manager. 

Joe Carrigan: And then below, it has a little form button that says, fill out form. And Virginia was kind enough to tell us that this actually goes to a Google Docs form. I checked. The form has since been taken down, but this is obviously just an attempt to collect information at first and then probably lead you on into some kind of advance fee scam. But I love... 

Dave Bittner: Yeah. 

Joe Carrigan: It looks like it's just been run through a translator. It's... 

(LAUGHTER) 

Dave Bittner: I know. It's like, how hard would it be to get a native English speaker to just give this a quick pass? I guess they don't need to. I guess it doesn't matter. They're successful enough without taking that little extra step. 

Joe Carrigan: There's got to be proofreading services. In fact, I think we had someone on here - it may have been Kurtis Minder - that said there are proofreading services out there for these hackers to use that are cheap, and people promise that you'll get a higher hit rate through your phishing emails. Why don't they use them? 

Dave Bittner: Yeah. Well, I guess the other side of that is, as we've said, you know, that sometimes they can use these as filters to know that if you have someone who's, I don't know, a few sandwiches short of a picnic... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...Responding to this, that you know you've got a good one on the line if, despite this bad English, they still respond, so... 

Joe Carrigan: Right. That's exactly right. 

Dave Bittner: All right. Well, that is our Catch of the Day. Thanks to our listener Virginia for sending it in to us. We do appreciate you taking the time, and we would love to hear from you. So please send those over to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure speaking with Neal Dennis. He is from Cyware. And we were talking about some of the cybersecurity concerns and pitfalls that customers need to look out for and why e-commerce has become a goldmine for hackers. Here's my conversation with Neal Dennis. 

Neal Dennis: Overall, we're probably going to see a much larger presence from a cyber procurement perspective, right? So, you know, we usually have Black Friday. Everybody rushes out, gets their TVs and toasters in person, and then they come back a few days later and they rush online to get the latest and greatest there, right? I believe that, as a whole, the landscape has shifted in recording to understanding nobody is going to really probably focus on the outside perspective. They're going to want to do as much as they can online this year. 

Neal Dennis: And with that in mind, you're going to have - in theory, you should have a lot more retail companies that aren't used to having a major online presence push for that online presence. So where stores that typically thrive on Black Friday in-person sales - I hope they've seen the writing on the wall that they're going to have to start trying to find ways to redirect to online procurement cycles with their consumers, which, you know, opens up a whole world of different issues that they probably haven't had to think about in a long time. 

Neal Dennis: So a lot more focus on cyber procurement as opposed to in person and a lot of companies having to push that direction, from mom and pop shops all the way up to the big companies that may not necessarily be ready for the potential swell online. 

Dave Bittner: Yeah, it's an interesting point. I mean, you think about how many of those retailers kick off Black Friday with some sort of loss leader to get you in the door and how that is a different ballgame when everyone's shopping is going to be shifted to online. 

Neal Dennis: Yeah. If we think about what goes into the online shopping perspective, there's everything from advertisements that you have to do to - not just securing your website - right? - but there's a whole procurement cycle that has to come that's not normal for people. Instead of just advertising Black Friday and saying, hey, show up at 6 in the morning to get X, Y and Z, now they're going to be saying, hey, show up at 6 in the morning to click this link to get to this, to get to that. And there's a whole new advertisement cycle. 

Neal Dennis: There's a whole new third-party potential for exploitation with all that if you're not used to doing that as part of your day-to-day cycles with your customer base. Lots of room for new things to be considered, for sure. 

Dave Bittner: Yeah. I mean, it strikes me that the big retailers are going to be well-equipped for this. You know, the Amazons, the Walmarts of the world, they're going to be able to handle the rush. But for those mom and pop shops, you know, they might not know what they have to do to prepare properly for a large - a sizable portion of their customer base wanting to order things online. 

Neal Dennis: Yeah, that's a fair statement. So a lot of the small businesses out there, they're not - as much as we would like to hope that everybody's prepared - like you mentioned, Walmart, Amazon, they're used to this. They deal with digital sales daily. They deal with the rush online daily. 

Neal Dennis: But those small to medium businesses that are having to make this transition over, they're already ripe for targeting to begin with just because, chances are, they probably have a smaller security team or even a smaller, less managed footprint out the door as a whole from a cyber perspective. But now, all of a sudden, they're purposely escalating their footprint out in the digital space to try to bring those customer bases to them, right? 

Neal Dennis: When we start thinking about all these things, it's very possible, especially when we get down towards that smaller business side, that they might accidentally overlook a few things or they might be a little more susceptible to the more well-known things like typo squatting type things - spoofing someone's domain, redirects, all these other things. And so there's a lot of weird little things that are going to have to come to light from an awareness perspective as a consumer when they start going to these websites, for sure. 

Dave Bittner: Can you give us some insights of the types of things that are going on in terms of targeting some of those smaller organizations? 

Neal Dennis: Yes. So I think probably one of the bigger things - I kind of hit this a few seconds ago - was typo domains - getting out there and trying to spoof someone's business. So if you've got georgiasdiamonds.com, you know, a couple of mistweaks (ph) to those letters and, you know, it still looks like georgiasdiamonds on your phone 'cause not a lot of people are probably doing a lot of shopping on their laptop. They're probably scrolling through a smaller format thing. And so that 1 looks like an i and so on and so forth - redirects, typo domain type things, website spoofing of that nature. And the user, just because they're on a smaller format, is going to have a lot harder time recognizing something considerably low-tech perspective, but pretty effective by virtue of where it's being taking place. 

Neal Dennis: And then, you know, the other part of that is kind of malicious adverts perspective. You know, if you're a mom and pop shop and you're going through some smaller advert clients and content delivery networks, you might have a larger risk of someone usurping just that advert channel for - either to deliver actual malware or just to redirect your potential client base to someone else. Still malicious intent 'cause they're driving ad revenues illicitly, but, you know, there's a couple of weird things that they have to worry about in that pathway as well. 

Dave Bittner: Yeah. It seems to me also that, as you mentioned earlier, you know, these smaller organizations don't have the resources that a larger company could. So it's possible that if they get hit in this sort of way, it's going to be hard for them to have time to recover, you know, and not miss out on the shopping season, you know, the opportunity of a Black Friday, for example. 

Neal Dennis: Yeah, completely. And so that's kind of where for - at least in the retail space, there's a couple of good orgs out there, at least in the U.S. and they kind of support international efforts as well, to kind of help these smaller businesses plus up their skills in these times of need very, very well. So we've got the Retail & Hospitality ISAC, which is, you know, my current - my alma mater from a sharing community perspective back in the day, and then the National Retail Federation. 

Neal Dennis: And now so more than ever, these small- to medium-sized businesses need to be involved or at least be cognizant of what's going on within those orgs if they're a part of them. If they're not a part, now is a great time to reach out and have a discussion to see what they can have - like, get some help around through the holiday season. They may feel like they're alone because of their size, but in reality, there is a pretty decent support network that they can at least leverage to get some best practices off the ground in a very quick way. 

Dave Bittner: What about from the consumer side of things? What sort of tips do you have for those folks as we're heading into this holiday season? 

Neal Dennis: Yeah, great question. And I think this is for any year since we started doing online shopping - is if the deal looks too good to be true, it probably is. Check all of the links and URLs that you receive. Know 100% that probably the vast majority of the adverts that come through to you, whether on a website or even to your inbox in the email, are probably not as legitimate as you would like them to be. And if you saw something for a hundred bucks today and you get an advert for it for 20 bucks tomorrow, it's probably best to just go manually to the website where you're originally looking at it to make sure that that's legit instead of trying to click through various links and not know where you're going to end up. 

Neal Dennis: And then the last part of that - they're not just out there to download malware onto your system. They're obviously out there to compromise everything from your machine itself that you're on, your account credentials for specific sites to get things like credit cards and all this other stuff. But there's a lot of other scams that go on at the same time that target the consumer outside of just the sales cycle itself. 

Neal Dennis: There's charity spoof-hide (ph) things like that. So there's people setting up false charities and trying to solicit gift cards and stuff like that from you that you've got to be aware of. There's legit retail opportunities, but they plus up the price and still buy it through you would (ph) and just kind of do that Dropbox mentality. But you still get a much more expensive price tag with the same product - so less concern there, but you're still spending more money - and a whole lot of other weird little things that they have to worry about, unfortunately. 

Dave Bittner: Do you suppose this is the time of year to be contacting your bank, the folks who provide you with your credit cards and those sorts of things, to see what kind of additional security capabilities they have - you know, enabling some kind of two-factor for charging things to your credit card or your debit card? 

Neal Dennis: Yeah. Oh, my gosh. I would highly encourage it. Some banks have the ability to generate single transaction numbers, basically. So it's like a credit card number for this one transaction kind of event. I'm personally not cognizant of how many financial services entities offer this, but I have seen it. I actually have this with the bank that I'm with personally. And it's one of those things that allows you to literally basically hit generate, and you get a whole unique kind of credit card number. And you can use it for a single transaction. 

Neal Dennis: If you question the site a little bit but you want to go ahead and move forward with that purchase, there are things that certain financial providers can help do to limit that overarching, like, potential threat for fraud and all that stuff for sure. 

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: That was a good interview, Dave. One of the key takeaways that was talked about there in that interview is that many of these merchants have had to shift to online sales when they aren't used to doing that. And there is a big risk of doing that quickly and possibly badly. I'm not saying that everybody's doing it badly. But whenever you have to do something quickly, there's a really good chance it can go very badly. This is a story from early on in my career. 

Dave Bittner: (Laughter). 

Joe Carrigan: My boss and I were called down to a meeting, and we were - the customer said, we need to develop this system. And we took all the requirements down. And we're like - we're looking at it. And the internal customer goes, OK, you got everything you need? I'm like, yeah. He goes, great. We need it Friday. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? 

Dave Bittner: I'm sorry. Go on. 

Joe Carrigan: I actually turned my head and looked out the window 'cause if I looked at my boss, I would have just laughed. I would have... 

Dave Bittner: (Laughter). 

Joe Carrigan: It was hilarious. And he goes, well, that's not going to happen. But then they compress the time as much as possible, right? And that product - when it first came out, the first iteration of that product was garbage. You know when you're at a job interview and somebody asks you, what's the worst thing you ever did as a developer? That's the story I tell. And it's because of this real time constraint. If you're moving very quickly through things, there's - you're going to cut a lot of corners. You're going to make a lot of mistakes. Even if you don't make mistakes, you might make decisions that are not the right decisions to make. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's what happened in this product. And things can just go badly. But fortunately, there are ways. There are people out there who do this for a living who can get these things up and running very quickly now. You know, this was 15 years ago, back when you couldn't just stand up a web application in a week. 

Dave Bittner: Well, there's that saying, you know? Good, fast, cheap - pick any two. 

Joe Carrigan: Right, exactly. 

Dave Bittner: And I think that applies to - I think that's a - it's a good one. 

Joe Carrigan: Yeah, it's a great saying. I - actually, I have seen that surprisingly late in life. I sat there and thought about that one for a long time. Good, fast, cheap - pick any two. And I'm like, yeah. 

Dave Bittner: Right. 

Joe Carrigan: You can't have all three. These companies that are coming online are not nearly as prepared as the more mature companies that are out there, particularly in the security realm. And things like domain typos or typo domains, rather, might not even be on your radar. You may not even think of that, which a company like Amazon probably goes out and searches for every single day as part of their security measures. 

Dave Bittner: Right, right. 

Joe Carrigan: Right? There's a lot of surface area for consumers, and the consumer is very vulnerable to these. It's not just malware, but these people are looking for credentials. They're looking for PII. They're looking for just money from charity scams. They're looking for all kinds of things. And, you know, the consumer is also very vulnerable in this situation.

Joe Carrigan: I like Neal's suggestion about using disposable credit cards. I think that's a great way to protect yourself. So if you have a bank that provides those or if you have a service out there - there are a couple of services, at least one that I know of, that you can just go and create a temporary credit card or a single-use credit card. And then you're done. 

Dave Bittner: Yeah. 

Joe Carrigan: And nobody else can ever use it again. That is a great way to protect yourself from these kinds of problems.

Dave Bittner: Yeah, absolutely. Once again, thanks to Neal Dennis from Cyware for joining us. We do appreciate him taking the time. 

Dave Bittner: We want to thank all of you for taking the time to listen to this week's show. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.