Hacking Humans 1.21.21
Ep 131 | 1.21.21

Targeted phishing campaigns and lottery scams abound.

Transcript

Arjun Sambamoorthy: Things that we recommend here is to separate your business account from your personal account. Keep business email for business and a personal email for personal use. And on top of that, enable 2FA.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some interesting stories to share this week. And later in the show, Arjun Sambamoorthy of Armorblox. He's going to talk about some targeted phishing campaigns they've been tracking to weaponize various Google services during their attack flow. 

Dave Bittner: All right, Joe, let's kick things off with some stories here. Why don't you start it off for us? 

Joe Carrigan: Dave, as of this recording, the Mega Millions lottery jackpot is $750 million. That's three-quarters of a billion dollars. 

Dave Bittner: Pretty soon, you're talking about real money. 

Joe Carrigan: That's right. And you could be almost a billionaire. You probably won't be almost a billionaire. I don't recommend people buy lottery tickets. 

Dave Bittner: It's a mathematical certainty that I will not be a billionaire (laughter). 

Joe Carrigan: Well, OK. So you have not bought a ticket, right? 

Dave Bittner: (Laughter) No, I have not. 

Joe Carrigan: OK, so... 

Dave Bittner: I think of the lottery as being a tax on people who don't understand math.

Joe Carrigan: Right, yeah. The - I had a - I used to have a supervisor who said, if you buy a ticket, your chances of winning are only slightly better than if you hadn't. 

Dave Bittner: (Laughter) Well, but you got to play to win, Joe. You got to play to win. 

Joe Carrigan: Right, yeah. My argument was they were actually infinitely better because your chances of winning if you don't buy a ticket are zero. And that kind of gets to what I'm talking about today. 

Dave Bittner: OK. 

Joe Carrigan: You know, I'm watching the news this morning - my local news channel. And guess what they talked about. They talk about the Mega Millions jackpot. It's front of mind. And guess who else it's front of mind for. It's front of mind for scammers. 

Joe Carrigan: And Mega Millions has on their site a warning about fake lottery scams. And it's a short warning, but I want to go ahead and read it because this is a very common scam. And when these kind of things become news items, they're only going to become more common. 

Joe Carrigan: So it says, (reading) with the heightened publicity due to a very large jackpot, Mega Millions warns of an uptick in scam attempts as scammers try to take advantage of an increased awareness in the game. We remind customers that the only way to win Mega Millions is to first purchase a ticket from an American lottery and then match some or all of the winning numbers drawn. There is no random reward of million-dollar prizes and/or merchandise through social media sites or apps, via phone calls, texts or emails. There are no international sweepstakes or awards. Importantly, no representative of Mega Millions would ever contact individuals to advise them of a prize. If you haven't purchased a ticket, you haven't won Mega Millions. And remember; you never have to pay a fee to claim a real lottery prize.

Dave Bittner: Right. 

Joe Carrigan: And they're saying that scammers are very sophisticated in their attempts to convince people that they've won a prize, which is nothing new that we've said. They also have this page on lottery scams, and they talk about how scammers are going to reach out to customers. They're going to come via email, phone or maybe even through social media sites. And they're going to tell victims they've won a very large prize, including cash, cars or some other goods. 

Joe Carrigan: Here's a good trick, Dave. Sometimes they'll offer a free play that results in a prize. You want to try that right now? 

Dave Bittner: Sure, yeah. 

Joe Carrigan: So, OK. Hello, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: I'm Joe from the Mega Millions Billions lottery jackpot. You've won a free spin. Do you want me to spin the wheel for you right now? 

Dave Bittner: Well, what do I have to lose? Of course, yes. 

Joe Carrigan: Nothing - it's free. OK, here we go. (Imitating wheel spinning). You win a million dollars. 

Dave Bittner: Woohoo. 

Joe Carrigan: Now, all you have to do in order to get that million dollars is send me a check for $600 for processing fees. 

Dave Bittner: OK. 

Joe Carrigan: And - right? See, that's how this works. 

Dave Bittner: (Laughter). 

Joe Carrigan: Of course, we're doing this, you know, very tongue-in-cheek, but the scammers are going to do it in a very convincing way. They may even have a sound effect behind them or, you know, have a stick that they bang together to make it sound like a wheel. 

Dave Bittner: Ding, ding, ding, ding, ding, ding, ding, ding. 

Joe Carrigan: Right. They may play a soundbite from "Wheel of Fortune." Who knows? 

Dave Bittner: (Laughter). 

Joe Carrigan: Because this was on the Mega Millions site, it's very Mega Millions-focused. But they have some of the names that people have used in these phone calls. They say the United States National Lottery, Mega Millions Mobile Lottery, USA U.K. Mega Millions Lottery, Mega Millions Corporation, Mega Millions International Lottery. And none of these entities actually exist because Mega Millions actually isn't an organization. It's a game. 

Dave Bittner: And that's the - it's like the multistate version of a lottery, right? 

Joe Carrigan: Right. 

Dave Bittner: I mean, it's - yeah. Multiple state lotteries kind of work together to come up with this big prize. 

Joe Carrigan: Yes. Yes, they do. And that's how these prizes get so big - that and the fact that it's almost impossible to win. So... 

(LAUGHTER) 

Joe Carrigan: Because it goes month after month of nobody winning, and the money just piles up. 

Dave Bittner: Right, right. 

Joe Carrigan: Of course, most of the money goes to the states, to their treasuries... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For whatever they want to spend it on. Here in Maryland, we wisely spend it on stadiums, right? 

Dave Bittner: (Laughter) I thought we spent it on education. Are you telling me we spend it on stadiums? 

Joe Carrigan: I think - I know at some point in time - maybe it was Powerball. Some - one of these lotteries was funding the Maryland Stadium Fund, yeah... 

Dave Bittner: I see. Right. 

Joe Carrigan: ...To buy the Ravens and now the Washington Football Team stadiums. 

Dave Bittner: You know, millionaires who own football teams - they need a little boost. 

Joe Carrigan: Right. Yeah, yeah. 

Dave Bittner: They need all the help they can get. 

Joe Carrigan: That's exactly right. 

Dave Bittner: So why not, right (laughter)? 

Joe Carrigan: Don't get me started on this, Dave. 

Dave Bittner: OK. 

Joe Carrigan: This is something that really sticks (unintelligible). 

Dave Bittner: Moving on. 

Joe Carrigan: Right. 

Dave Bittner: Moving on. 

Joe Carrigan: So what do they want? What do these guys want? They want you to send the money under the auspices of taxes or fees. They may want personal information. They may say, we're going to wire you some money, so give us all your banking details. And guess what happens the next morning when you wake up. All your money's gone from your bank because they know what your account is. 

Joe Carrigan: They also do check floating scams. This is interesting. I hadn't heard of this one before from a lottery scam. They'll actually send you a fake lottery check and say, we need you to send us back, you know, some processing fee from that as soon as possible. And, of course, the check doesn't clear, and the person is out that money. 

Joe Carrigan: They have some tips on the website. If someone says you won a lottery that you never played, be suspicious. I don't say be suspicious. I say, recognize this is a lie. 

Dave Bittner: Yeah. 

Joe Carrigan: You have to buy a ticket. If you're like Dave and you don't buy a ticket, and then what happens? You cannot possibly win this lottery, right? 

Dave Bittner: Right. 

Joe Carrigan: If you're in a jurisdiction that's outside the area marketed for the lottery mentioned in the source of the prize, it's probably a scam, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So if you live in a state that doesn't participate in Mega Millions or if you are outside of the U.S. and you get a call about this, it's a scam. If you're told that you need to keep your win confidential, that should be a red flag, right? 

Joe Carrigan: And here, actually, in Maryland - I was looking at the site the other day. It's state by state whether or not you can keep your win anonymous. But in Maryland, you actually can if by some chance, and I guarantee I can - well, I can't really guarantee, but I can almost guarantee this won't happen to any of our many listeners. You win a jackpot like this, you should absolutely never publicly disclose that. 

Dave Bittner: Oh, I mean, this - yeah. Isn't it pretty much a certainty that if you win one of these, it will ultimately - you'll ultimately end in ruin, like it - overwhelming odds are that it does not go well. 

Joe Carrigan: Yes. 

Dave Bittner: Like, you lose all the money, and even where you're - you end up being worse off than you were in the beginning. 

Joe Carrigan: Yes. A lot of the times, that does happen. And there are studies about that. And I think it's like more than 50% of the time, people who win the lottery - I'm going off the top of my head here. I haven't - I don't know what the paper is or - but there was a study done on this. 

Dave Bittner: Yeah. 

Joe Carrigan: And you're absolutely right that over 50% of the time, people lose the money. 

Dave Bittner: Are you aware that in our very community, Joe, there is a home that is known as the lottery house? 

Joe Carrigan: I did not know that. 

Dave Bittner: (Laughter) There is a home. It is known as the lottery house. It was built with the winnings someone won of one of these lotteries - won multimillion dollars. They built a gigantic house. It's something. It is a big, big house, and it is not going to win any architectural prizes. It's known as the lottery house. And ultimately, the folks who built the house ended up getting divorced and losing the house. So there you go. 

Joe Carrigan: Yeah. 

Dave Bittner: It's a cautionary tale. 

Joe Carrigan: Right. 

Joe Carrigan: They have a number of other things that are in here as well. Here's one that's interesting. If they tell you that you can verify that you've won by calling a number, that number is also part of the scam, right?

Joe Carrigan: Now, we've seen this in other scams, right? This goes back for years, where people would print up fake newspapers with lottery numbers in them and then show you a ticket that matches and say, I can't claim the prize for some reason, but you can buy this ticket for me for half the jackpot or for half its value, right? And then, of course, the lottery ticket is worthless, right? 

Dave Bittner: Right. 

Joe Carrigan: It may even be a real lottery ticket, but they've printed up fake information, bogus information. This is just the extension of that just via a phone call. This is the best advice right here. If you think someone on the phone is trying to scam you, just hang up. Hang up and don't... 

Dave Bittner: Yeah. 

Joe Carrigan: You know, don't even say goodbye. Just click, and then let it be the end. Chances are, if you do that, they won't call you back. 

Dave Bittner: Right, right. All right, well, it's good information. And, you know, what happens is these Mega Millions grow. They get more and more attention paid to them. 

Joe Carrigan: Right. 

Dave Bittner: You know, it's an easy story for local affiliates to do. 

Joe Carrigan: Right. 

Dave Bittner: And people are interested. 

Joe Carrigan: On the local news station, this is what you see. 

Dave Bittner: Yeah. And everybody dreams about hitting the jackpot and getting rich and all the wonderful things that'll happen to them. So it's ripe for scammers to take advantage of, for sure. 

Joe Carrigan: Yep. 

Dave Bittner: My story this week comes from one of our listeners over on the "Grumpy Old Geeks" podcast, where I do a regular segment. You've been a guest over on "Grumpy Old Geeks" as well. 

Joe Carrigan: Yeah, I've been with Brian and Jason before. 

Dave Bittner: Yep, fun show. Definitely worth checking out. This is from a listener named Martin (ph), and he says, I've listened to every episode from you guys, but I've never heard you cover anything in regards to Venmo. 

Dave Bittner: Joe, are you familiar with Venmo? 

Joe Carrigan: Vaguely. It's a - isn't it a PayPal product? 

Dave Bittner: I'm not sure who owns it. It may be, but, you know, it's one of the variety of cash exchange, money exchange apps... 

Joe Carrigan: Right. 

Dave Bittner: ...Where I need to send you some money, and so if we both have Venmo, both of us enter our banking information into Venmo, and we can send money back-and-forth and it makes it easy to do. 

Joe Carrigan: Right. 

Dave Bittner: So this listener, Martin, writes in. And he says, (reading) my wife recently sent a small transaction to a friend on Venmo, which triggered both of them to receive a ton of friend requests on Venmo. Shortly after, she received a text message from a different friend and her mother confirming the payments she had asked for. She was baffled, as she had obviously not asked for anything. It turns out her friend and mother had received a message from "her" - her is in quote - air quotes - claiming that she was at the store and had forgotten her purse. She needed $42 to check out and would pay them right back. My wife quickly changed her password, and I went ahead and disconnected all devices from her account in the security settings just in case. 

Dave Bittner: (Reading) I thought at first that her Venmo account had been compromised, but it turns out that it was a lot simpler than that. Somebody simply looked her up on Venmo - all accounts are public by default - used her first and last name, as well as her profile picture and sent her friends payment requests at random asking for money. The people simply recognized her profile picture and accepted the transaction. 

Dave Bittner: (Reading) The fact that you can freely change your profile picture, first and last name, as well as username as many times as you want and without any verifications or any checks at all from the Venmo app boggles my mind. You would think that a company which is solely used to transfer money in between parties would have a modicum of basic security checks in place. 

Dave Bittner: Yes, you would think so. 

Joe Carrigan: Yeah. 

Dave Bittner: This - I have not heard of this before. This makes total sense to me in that it could be done this way. I have to say, my experience with Venmo is very brief. I believe I have used it once or twice. I think my wife uses it pretty regularly to send money back and forth with her friends and maybe even with our son, our oldest, who doesn't live in the house anymore. The thing that I remember when I started using Venmo was that when you sign up for Venmo, the first thing it does, as many of these apps do, is it tells everybody that you're on Venmo. 

Joe Carrigan: Right, yeah. 

Dave Bittner: Hey, Dave's on Venmo. Great. Great news. 

Joe Carrigan: Great. 

Dave Bittner: All right. I get that. And I agree with Martin here. That boggles my mind - is that the default is that all of your transactions are public. So the other thing I did when I joined Venmo was I started looking around at some of my friends. And I remember one of them was, like, a local politician friend of mine. And it says, you know, Jane sent $15 to Bob. Jane sent $15 to Joe. Jane received $45 from - and I'm going, what? I don't need to know this. 

Joe Carrigan: Right. 

Dave Bittner: And I'm sure that this person doesn't want me to know this. 

Joe Carrigan: Yeah. 

Dave Bittner: This is no one's business but theirs. Why in the world would you have this be public facing? I guess it's so that Venmo puts across a sense that people are actively using this, that, you know, this is the place to be. Look at all these transactions going by. Isn't this great? 

Joe Carrigan: Right. You know, I talked about Venmo with our systems engineer Chris Venghaus. And he and I were having this discussion about it. I said, have you ever used Venmo? And his response was I don't like Venmo because of the social networking aspect of it. I'm like - and when I heard that, I was immediately put off by it. So that's why I have not used it - is because it is like a social network. Now I'm hearing this. I'm further convinced I don't want to use it. 

Dave Bittner: Yeah. I mean, you know, look. At its core, it's a useful app, and lots of people use it for legitimate purposes. But I have to say, I agree with Martin here that the fact that you can change your profile picture and your first and last name as many times as you want and that those - that information doesn't have to match your banking information... 

Joe Carrigan: Right. 

Dave Bittner: ...This, to me, seems like a major security issue with Venmo because... 

Joe Carrigan: I would agree. 

Dave Bittner: I wouldn't because I do this show. But I can (laughter) imagine many people, if they got a - just a casual request from a friend that said, hey, can you send me 20 bucks? I'm - like Martin said in this example, I'm at the store, and I forgot my wallet. Can you send me 20 bucks? I'd probably do it, you know? 

Joe Carrigan: Right. 

Dave Bittner: So anyway, the lesson here is if you use Venmo, make sure that everything is set private. And also, if you get a request for anybody to send you money - and I would say beyond Venmo, use another method to verify it, right? 

Joe Carrigan: Right. 

Dave Bittner: Call that person using the phone number you have for them. Or send them a text message or something. Get off of the platform that they use to make the request and use something else as a second factor to verify it's a legitimate request. 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: And that way, you're much less likely to find yourself scammed by one of these things. 

Joe Carrigan: If you do use it, can you go in and set your profile to private, so scammers can't find you to send you... 

Dave Bittner: I believe you can. Yeah, I believe you - I'm not sure about your profile itself, but I know you can set your transactions to be private, certainly. And that's a no-brainer. I mean, come on (laughter)? 

Joe Carrigan: Right. Why isn't that the default? 

Dave Bittner: Yeah. Yeah, I don't get it. I don't get it. 

Joe Carrigan: Yeah, me neither. 

Dave Bittner: All right. Well, our thanks to listener Martin for sending that into the Grumpy Old Geeks podcast. And again, it's - that's a fun show, fun, irreverent show worth checking out if you consider yourself a grumpy, old geek, which I know Joe and I - you and I both do from time to time. 

Joe Carrigan: Very much so. 

(LAUGHTER) 

Dave Bittner: It's a show worth checking out. 

Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day actually comes from my son, who received this message in his email. And it's a rather threatening message, but it comes from David Bowditch, allegedly from the FBI. Dave, why don't you read it? 

Dave Bittner: I'll just read the return address here to start off because that really sets the tone for things. 

Joe Carrigan: Right. 

Dave Bittner: (Reading) Federal Bureau of Investigation Field Intelligence Group, J. Edgar Hoover Building, 935 Pennsylvania Avenue, Northwest Washington, D.C., 20535. Attention, beneficiary, I am the deputy director Federal Bureau of Investigation, David Bowditch. We intercepted and seized a sealed envelope at the John F. Kennedy International Airport, New York, N.Y., coming from a foreign country. We scanned the content of the sealed envelope and found it contained a sum of $4.1 million value certified payment bond. Also, the sealed envelope had documents with your name on them as the receiver of the package. We questioned the diplomat that accompanied the sealed envelope into the United States, and we learned that he was to deliver this sealed envelope to your residence as payment of an inheritance winning prize payment due and owed you. The envelope paperwork lacks proof of ownership certificate and legal delivery permanent clearance certificate form. We confiscated the envelope and released the diplomat. The sealed envelope, according to Section 229, Subsection 31 of the International Commerce Regulator's Code Enforcement guidelines, lacks proof of ownership certificate and legal delivery permit clearance certificate and says the content is valued financial material of such amount from the joint team of the Federal Bureau of Investigation and Homeland Security. You are to reply for direction on how to procure the envelope, so you will be relieved of the charges of tax evasion, which is a jailable offense under Section 12, Subsection 441 of the tax code. We will also be asking the IRS to launch an investigation on money laundering if you do not follow our instructions. You are required to reply within 72 hours. At that point, I will walk you through the process of clearing and claiming your money. Failure to comply may lead to your arrest, interrogation and/or you being prosecuted by the court of law for tax evasion and/or money laundering. 

Dave Bittner: (Reading) You are also advised not to contact any bank in Africa, Europe or banking institutions for security reasons. Yours in service, David Bowditch, Deputy Director, Federal Bureau of Investigation. 

Joe Carrigan: Menacing, no? 

Dave Bittner: (Laughter) Well, I mean, money laundering, tax evasion - these are all things that'll grab your attention. 

Joe Carrigan: Right, yeah. They're going to sic the IRS on you? I mean, even though I don't think the IRS handles money laundering investigations - I think that's done by the Federal Bureau of Investigation or by the Secret Service. I don't know who does it, actually. I think just the FBI. I don't know. 

Dave Bittner: (Laughter). 

Joe Carrigan: But I know the IRS doesn't. They handle tax evasion but not money laundering. 

Dave Bittner: Yeah. 

Joe Carrigan: But, you know, a couple of grammatical errors in this - it's obviously the opening part of a scam to get you to pay some money to release some money to you or maybe possibly to garner some personal identifiable information. I chose it today not because it came from my son but because of the amount of just threats that are in (laughter) this thing. It's a good one. 

Dave Bittner: And I could imagine once they get your attention and you call in, they could say, oh, well, thank you for calling. We've cleared all this up. We've established that, yes, you are indeed entitled to this $4 million. All we need from you is a check for $600 for the taxes or clearance or whatever. 

Joe Carrigan: Right. 

Dave Bittner: And the money will be yours. And Bob's your uncle. There's the scam. 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Arjun Sambamoorthy from Armorblox. And he and his team have been checking out some phishing campaigns that have been taking advantage of some Google services. Here's my conversation with Arjun Sambamoorthy. 

Arjun Sambamoorthy: Last month, we saw, like, a spike in benefactor scam attacks, right? So we were trying to figure out like, hey, why this interesting, you know, spike in benefactor scam? Benefactor scam kind of attacks, like, this - you know, kind of like a variant of Nigerian scam, been happening for a long time. Nothing new, right? And we started digging deeper. And then we found out, you know, hey, the attack by itself is nothing new. The content of the attack is not new. But what's different was how the attack was actually delivered to the users, right? So then we realized, you know, attackers are actually starting to use Google services and Google products to deliver these kind of attacks. And we started looking in further to just figure out that a whole lot of phishing campaigns, not just benefactor fraud - a whole lot of phishing campaigns are starting to happen with Google services. So we started looking into this, and we observed the same thing for pretty much across all of our customers. And then we thought maybe it'd be an interesting thing to actually, like, you know, let the people know about how people are actually exploiting Google and leveraging Google services to launch these phishing campaigns. 

Dave Bittner: Well, let's walk through it together. I mean, what did you discover, and how did you go about discovering it? 

Arjun Sambamoorthy: I mean, one of the things that came of interest was like - just take a specific example here of some benefactor scams. So if you look at the blog post that he published - so the email actually comes in from someone claiming to be a childless widow. And they say, hey, I have cancer. And my husband has passed due to COVID. And we have this huge amount of money, and we're looking for someone to actually inherit this money or inherit this trust held offerings, right? And then they said, like, you know, for us to actually inherit this trust, we would like to get some personal information about yourself - stuff like your name, your Social Security number, your tax ID number and stuff like that. And if you actually, like, respond to those kind of emails - so they get your personal information and then they walk away with it. And that's it. It's gone. Usually, these kind of scams are usually spam emails - right? - usually end up less harmful. You never see them in your inbox. And we started to see these kind of emails landing in people's inboxes. So that's what made it interesting for us to find out why these scams are actually starting to show up in people's inboxes. And we started, like - that's why we started digging in deeper to understand, OK, hey, there is a language context to it. You know, there's a sense of urgency. And people are trying to ask for sensitive information about yourself. And most of those emails are coming in from gmail.com. It's not coming in from a suspicious domain, a spammy email domain - right? - with a low reputation. It's coming from gmail.com. I mean, most of these attacks are actually automated attacks coming from Google Forms, right? So there's a hyperlink to Google Forms. You click it, and it goes to Google, and then they actually give you options to actually, like, take your personal information and record it and walk away with it. 

Arjun Sambamoorthy: Then our system actually, like, identified the different kinds of context that's being used. And we also notice there is no established trust between the sender and the recipient, right? So even though it's coming from a trusted source like Gmail and pointing to a trusted or well-reputed domain like forms.google.com, this is not something that was happening quite often for all the targeted users. But so we actually identified this attack, and it came to our attention. 

Dave Bittner: How is it that they're getting past Google's spam filters? I generally - I think most people would consider that Google spam filters are probably among the best out there. 

Arjun Sambamoorthy: Oh, yeah, Google's spam filters are obviously the best out there. But most of these attacks that we see here are actually landing in people's mailboxes. It's not Gmail. It's not actually part of Google, for instance, right? So there's a, like, instance like, you know, Microsoft Office 365 or possibly, like, you know, Microsoft Exchange and different email service providers. Many of the spam filters that we use out there - right? So they try to provide a score to anything - what is spam and what is not spam. It's, like, the email is possibly coming in from gmail.com, right? And it also has a, you know, reputable link to a suspicious website. It's possibly, like, you know, exceeding the threshold of reputation. It's most likely to be highly trustworthy, highly reputable to actually skip the fine filters and land in a mailbox. 

Dave Bittner: Yeah, that's fascinating. So what is your take on this? I mean, in terms of folks being able to protect themselves against it, what do you recommend? 

Arjun Sambamoorthy: What we like to recommend is - I mean, like, because it's just not the, you know, benefactor scam kind of attacks, we also are seeing really interesting kinds of attacks by, like, you know, things like people trying to spoof financial institutions, right? So for example, one thing that we noticed was someone actually getting an email from American Express saying, hey, you know, your personal details are actually missing. Can you actually, like, fill out this form? And they actually take your credentials - your bank credentials, your personal data, the security questions - and then they walk away from it. Things that we recommend here is to separate your business account from your personal account. Keep business email for business and a personal email for personal use. And on top of that, enable 2FA. Multifactor authentication is going to be highly important. But users in general try to - have to protect their accounts because most of these attacks get your credentials and walk away with the credentials. And once they have your credentials, they can do full damage to you or, potentially, to the people that you are in a good relationship with, right? So enabling 2FA is going to be highly important. And on top of that, having security awareness, understanding how what - about these different kinds of attacks on a constant basis and learning from it is going to be highly important. The thing is, like, because that attack paradigm is constantly changing, it is a responsibility to actually try to protect our data and also protect ourselves. So security awareness is something that we would highly, you know - I would highly recommend people to closely follow up on and to protect themselves. 

Dave Bittner: You know, you mentioned that these folks were using Google Forms to collect the data, to gather it up. When they're doing that, is that a potential red flag there? Is it obvious that this is a Google form? Or are they doing a good job of hiding that as well? 

Arjun Sambamoorthy: It's a great point. I mean, it's kind of obvious. I mean, like, if the kind of links they're clicking into and while you're actually, like, you know, filling out this data, if you pay a little bit more attention, you actually know it is Google Forms. It's not actually the website of the bank that's being impersonated. It's not the bank's website. It is Google Forms. But most of these attacks happen with some sense of urgency that destroys people from not paying this close attention. But if someone had to pay close attention to it, they will actually know this is something that's fake. So this is why I think, like, educating people to be more aware of what they're clicking into and trying to be a little bit more paranoid, a bit more suspicious about those emails they receive from unknown domains or unknown email addresses would actually help them better protect themselves. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Interesting interview. Something that Arjun noticed is that the scams are not new. These are not new pretenses or anything. They rarely are new anymore. That's why we have this show because if you're aware of how this scam works, you will hopefully be able to identify it in any form. But what is new is the techniques they're using to deliver the scam. And those are going to continue to change and develop. And we've talked about people using Google services in various capacities before. And we've had Catch of the Days that talk about this. But Arjun and Armorblox have done a deep dive here. And if you go to their blog and read it, it's a pretty interesting post that they have there. These guys are using Google Forms and Gmail because they are trusted and more likely to get by the spam filters. 

Dave Bittner: Right. 

Joe Carrigan: You and he talked about the fact that Google spam filters are pretty good. But they're not sending these emails to Gmail addresses. They're sending them from the Gmail address. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And then they're collecting the information on Google Forms as an easy way to collect this data. And it's all free. This is just another way to just lower the cost of trying to collect this information from people. 

Dave Bittner: Right. And as you say, I mean, when a request comes from a Google domain, that's certainly well-known, well-established as being legit... 

Joe Carrigan: Right. 

Dave Bittner: ...So more likely to make it through those filters. 

Joe Carrigan: It's not going to get stopped by any web filtering you have going on because it's going to Google. On the blog post, they had an example of an American Express scam where they were asking for your username, your password, your account number and, like, your mother's maiden name, which is usually security questions. They're really trying to get into the accounts here. Arjun's recommendation about keeping personal email separate from business email is something I've never said before because I made an assumption that everybody already knows this. And that assumption may not be correct. In fact, it almost certainly is not correct. So let me say this now - I agree. Don't do personal business on a business email address. Do it on a personal email address. And one of the biggest reasons for this is you're not going to be at your job forever, right? You're going to change jobs. And then somebody's going to lose contact with you. And if that person is somebody that you do personal business with, they're going to have a hard time finding you. Or you might not be able to get a hold of their email address because you don't have access to that email anymore. I just don't see why people do this. 

Dave Bittner: Well, and also, it's an important point that you're not guaranteed that you're going to have access to that business email account forever for a variety of reasons. As you say, you could move on to another job. It's possible that the separation of you from your company may not be a friendly one. And so they may cut you off from that email address. It's also possible the company could go under, go out of business. And suddenly, you know, you come into work one day and there's a lock on the door. And everything's been shut down, including the email addresses, so better to have it under your own control. 

Joe Carrigan: Yeah. The server could be powered off... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And then you'll never get to it. His recommendation to use multifactor authentication - again, I recommend you do that all the time. And it is our responsibility to protect our data. And I like to say, be a little more paranoid. I think that paranoia does you well. 

Dave Bittner: (Laughter) Paranoia, self-destroyer, Joe, you know? 

Joe Carrigan: Well, just because you're paranoid, doesn't mean they're not out to get you. 

Dave Bittner: (Laughter) That's right. That's right. All right, well, our thanks to Arjun for joining us. We want to thank all of you for listening. That is our show. And, of course, our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.