How likely are online users to reveal private information?
Lior Fink: People - when they use mobile devices, they are less attentive. They invest less cognitive resources in what they do. They do things more casually.
Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, Professor Lior Fink from Ben-Gurion University - he's got insights from their study on how we can be manipulated into sharing private information online.
Joe Carrigan: They do a lot of good work over at Ben-Gurion.
Dave Bittner: They really do. It's an interesting place.
Joe Carrigan: It is.
Dave Bittner: For sure.
Dave Bittner: All right, Joe, let's jump in to some stories here. I'm going to kick things off with some good news (laughter).
Joe Carrigan: Yes, excellent.
Dave Bittner: Good news, yes. This comes from the folks over at CyberScoop. They're reporting on a press release from the U.S. state attorney's office for the Eastern District of Virginia from our Department of Justice. And this is a Nigerian man sentenced to 10 years for $11 million phishing scam, a story written by Shannon Vavra from CyberScoop. And evidently a Nigerian national - his name is Obinwanne Okeke, and he's been sentenced to 10 years in prison for coordinating an international spearphishing campaign that cost victims about $11 million in losses.
Dave Bittner: The scheme ran from 2015 to 2019, and evidently they were targeting this company called Unatrac Holding, which is a British firm which handles sales for Caterpillar, the...
Joe Carrigan: OK.
Dave Bittner: ...You know, the industrial company with the contractors and all that kind of cool heavy equipment. Well, evidently, these guys, these - this Nigerian guy led a team of bad guys who targeted this company. And the way they got to them is pretty typical these days. They sent their chief financial officer a phishing email. It had a fake login link to Microsoft Office 365.
Joe Carrigan: So then they got into his Outlook account.
Dave Bittner: They got into his Outlook account. They went through his Outlook account and figured out where the company was sending invoices and so on. And they operated as if they were him, and that's how they got people to send them lots of money.
Joe Carrigan: Yeah, so over about - what? - four or five years?
Dave Bittner: Yep. Yep.
Dave Bittner and Joe Carrigan: One million bucks.
Dave Bittner: Yeah.
Joe Carrigan: Not bad.
Dave Bittner: And...
Joe Carrigan: Even with the prison sentence, it's still not a bad salary.
Dave Bittner: (Laughter) Well, they also went in and set a lot of his filters and his email forwarding and so on and so forth so that he would not be immediately aware of what they were up to.
Joe Carrigan: Right. That gives them time to move the money out of the accounts that they've fraudulently transferred it to.
Dave Bittner: Yeah. So the FBI evidently got a search warrant, and they worked with Google to get information about an email account that the scammers were using, that - they were the sort of the receiving end of the information that was being sent to them through this CFO's account whose email they infiltrated. And once the FBI got into their Google accounts, they found all sorts of other incriminating things, copies of passports and driver's licenses that appeared to be stolen. So looking through the FBI's report on this, the press release - it doesn't say it overtly. What I think is going on here is that they worked with folks in Nigeria...
Joe Carrigan: Right.
Dave Bittner: ...Had this guy extradited to the U.S.
Joe Carrigan: Yeah. The Nigerian government is not really a big fan of these guys. Yeah. They know they have a problem with this, and they know they're kind of the butt of a lot of jokes about this. And they're really not OK with that. And...
Dave Bittner: (Laughter).
Joe Carrigan: They're making a good faith effort...
Dave Bittner: Right.
Joe Carrigan: ...To make sure this is not the case because Nigeria's - isn't that the most populous country in Africa? I mean, it's...
Dave Bittner: I do not know.
Joe Carrigan: It's a big player in Africa. And, you know, Africa's the next and, in fact, the last on the planet - the last developing continent. And these guys really want to move into the next - you know, become part of the global economy. And...
Dave Bittner: Right.
Joe Carrigan: They know in order to do that, they got to get rid of these scammers who operate within their country outside of the law.
Dave Bittner: Yeah - so some good news here.
Joe Carrigan: Yeah, that's good news.
Dave Bittner: Looks like this person's going to be enjoying a lovely vacation, as we like to say, at Club Fed.
Joe Carrigan: Club Fed (laughter) - all-expense 10-year vacation.
Dave Bittner: And hopefully, yeah, some folks will maybe even get some of their money back. But the important thing is it's one less scammer out there on the loose, doing the bad things that they do. So that's my story this week. What do you have for us, Joe?
Joe Carrigan: Well, Dave, you have good news. I do not.
Dave Bittner: (Laughter).
Joe Carrigan: Marek Beno over at Avast - by the way, do you know what Avast means? It's a nautical term.
Dave Bittner: That's what pirates say.
Joe Carrigan: Right. It means stop, actually. It's actually...
Dave Bittner: Oh, really? OK.
Joe Carrigan: Yeah. Avast means stop the ship.
Dave Bittner: Oh. Avast, mateys.
Joe Carrigan: Right. Exactly.
Dave Bittner: All right. I just thought it was a pirate exclamation (laughter).
Joe Carrigan: Yeah. No, that's arr (ph).
Dave Bittner: (Laughter).
Joe Carrigan: So - well, I want to talk what's going on with this campaign. They've noticed there's more sextortion campaigns going on. Most of the emails are in English. They're targeting users in the U.S. and the U.K. There are some emails in Spanish. And they have some samples in the article. And these samples are pretty graphic. You remember the good old days of sextortion, Dave, when it was all innuendo and implied?
Dave Bittner: Right, right.
Joe Carrigan: Well, it's not that anymore. It's...
Dave Bittner: (Laughter) Oh, boy.
Joe Carrigan: It's just gross to read some of these. Of course, they are all completely fake. They're just sending these things out. They're putting a Bitcoin address in there, and they're threatening people. These have actually led to suicides, and the article actually links to a couple of other articles about suicides that have occurred.
Joe Carrigan: But there's a new twist on this campaign, and that is the attackers say that they have found a zero-day exploit in Zoom. Now, why? You think back to a year ago, and how many Zoom meetings were you going to then versus now? I mean, I'm in a Zoom meeting at least four times a week now - four or five times a week.
Dave Bittner: Yeah.
Joe Carrigan: So Zoom is there. Zoom is on my laptop. It's always available. So they're trying to make people think that, oh, you have Zoom on your computer; we know you have Zoom on your computer. We're going to use that as a foothold. Now, Avast says - and they make it clear - they don't think there's a zero-day in Zoom, and there's no evidence that there is. It's just what these guys are saying. And additionally, there's another feature of these emails, and that is they seem to be sent from the email address that they're targeting. So they're spoofing the victim's email address and sending emails to make them think that the attackers have control of the victim's computer. Right?
Dave Bittner: Oh, OK.
Joe Carrigan: So if you got an email in your inbox that was sent from firstname.lastname@example.org, you'd be like, hey, somebody's in my account. Right?
Dave Bittner: (Laughter) Right, right.
Joe Carrigan: They've hacked me. They've got me. You know, this is - it lends credence to the claim that they've got footage of me doing illicit things on my computer - not really illicit, but, you know, just inappropriate things. Anyway, they're not doing that. They're not actually in control of your account. They're just spoofing your email, which is one of the weaknesses of email that you can spoof addresses.
Joe Carrigan: I'd like to tell the story (laughter) of a friend of mine who one day sent me an email from his corporate email. But he actually got in there and sent it from, like, email@example.com or something like that.
Dave Bittner: (Laughter) OK.
Joe Carrigan: And he sends me an email. And I get this email from firstname.lastname@example.org. And I open it up, and it's him. And I'm like, oh, that's very cool; you changed your email address. And - I mean, this was back in the '90s. And he gets a phone call, says, hey, somebody down there is impersonating whitehouse.gov. And he goes, well, I have to put a stop to that...
Dave Bittner: (Laughter).
Joe Carrigan: ...Make sure those people don't do that anymore. So he doesn't - he didn't do that anymore. But if you're not checking for it or if you're a malicious actor, it's something that's very simple to do. I can just fill that in there, and I can automate this with a script and just send these things out. They found other campaigns that they discussed in the article, too - the old Trojan installed claim. You know, hey, we've installed a Trojan on your computer, and we've been watching you. They also say that these have ticked up significantly since January 11. Like, the bad guys are back from vacation. So you know, Dave, even multinational cybercriminals need to take a holiday every now and then, right?
Dave Bittner: Well, yeah. I mean, it's hard work (laughter).
Joe Carrigan: Yeah, it is.
Dave Bittner: I recently had a conversation over on the "Recorded Future" podcast, which I host, with a researcher. We were talking about there are companies who are doing - not companies, organizations who are doing deep fakes as a service. You know, some of the - for example, some financial institutions will require you to send a video of yourself as verification.
Joe Carrigan: Right.
Dave Bittner: So they'll say face the camera, face to the right, face to the left. And so there are organizations now who will make deep fakes of whatever the request is that's being made so that the bad guys can use that. And one of the things we were speculating was that it's easy to imagine that these deep fake folks could get into this extortion business. Imagine them not only sending a description, but sending a video and it's you. And even if it's not - even if you know it's not you, the threat of them sending that to your friends, family, loved ones, co-workers - right? - and the embarrassment that that could cause could certainly be the root of a ransomware attempt, a potentially successful ransomware attempt.
Joe Carrigan: Absolutely.
Dave Bittner: People would be willing to pay to prevent that despite it being fake.
Joe Carrigan: I think you're right. I think that would absolutely increase the payout. I did look at the Bitcoin addresses in these emails. Of the four I checked, three of them had transactions. But they were all back in October, so I don't know if those were left over from another campaign or if those are still open. I don't know. They're always open, but sometimes people just throw away the private keys so they never use them again.
Dave Bittner: Right. Well, you know, spread the word. I mean, this is a pretty common thing. And...
Joe Carrigan: It is.
Dave Bittner: ...Make sure that your friends, family, loved ones know about these sextortion things. And if they get one, don't let them short circuit your emotions.
Joe Carrigan: Yes, absolutely.
Dave Bittner: Just stay calm. And - they did not catch you doing what they claim that they caught you doing. And...
Joe Carrigan: That's right.
Dave Bittner: ...There's no shame in that. So...
Joe Carrigan: That's right.
Dave Bittner: ...There you go. All right, Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener named Michael (ph) who writes, (reading) hi, Dave and Joe. "Hacking Humans" is one of my favorite podcasts.
Joe Carrigan: That's awesome.
Dave Bittner: Yep.
Joe Carrigan: (Reading) You guys are great to listen to, and I've learned a lot from the show.
Joe Carrigan: Hey, that's great. We love hearing that.
Joe Carrigan: (Reading) I particularly look forward to the Catch of the Day. Here's an email I received this morning that fits that bill. Hope you enjoy reading it, too. I'm disappointed that I won't be receiving my share of the proceeds from this phony estate, but the laugh it gave me was reward enough.
Dave Bittner: All right.
Joe Carrigan: So why don't you read this? What's amazing is that the very first line in this email says, hello, Michael. So they've got some information for this guy.
Dave Bittner: All right. It goes like this.
Dave Bittner: (Reading) Hello, Michael. My name is Steve Botham (ph). We are unfamiliar with each other, but it takes a day for people to know. I would like to propose a legitimate business to you, and please take this seriously. I am proposing a deal that would make us richer. You are very important to this deal, as you will find out. I am a senior accountant with my bank here in South Africa. I have worked with the bank for more than 17 years now, and I was the personal accountant to one engineer, John Roblinski (ph), a foreign contractor with Royal Dutch PLC, who has an investment account with my bank. Unfortunately, my client died, along with his immediate family, in France while on sabbatical in the summer of 2007. May their soul rest in peace. He died without leaving a will. Several efforts were made to find his extended family through your embassy, without success. I received a notice last week to provide the next of kin of John Roblinski and his accountant or risk the account transferred to the government in 21 days time. I am contacting you to assist me in repatriating the funds left behind by my late client, since you both share the same last name. His claim will be executed without breaching any South Africa laws, and success is guaranteed if we cooperate on this. The bank will release the account to you because of your last name and my recommendation of you as the next of kin. I am a very honest person, and I cannot lie. I expect the same from you. I will forward my international passport so you know that I am not joking when I get your response. The amount involved is $15,500,000 U.S. dollars. I propose we share the proceeds 50-50. I think this is fair. I will give you all the necessary information about the deal when I get your response. I anticipate your cooperation. Treat this proposal with utmost confidentiality and urgency for a 100% success. If you are not interested, please delete this email. Regards, Steve Botham.
Dave Bittner: Thanks to Michael for sending this in. I'm pretty sure that I hammered the last name there, which is probably for the best because who needs your last name being sent out to everyone anyway, right? (Laughter).
Joe Carrigan: Right. That's what's interesting about this, is they have a lot of Michael's information in here. They have his first and last name that you've obscured. It's very compelling because they come up with this deceased person that's going to have your last name, kind of an uncommon last name. I think this is a compelling phish. I mean, it's obviously fake. It's - Michael's spot on here. This is not at all a real thing (laughter). Nobody would reach out and say these kind of things in a legitimate business transaction. And of course, no one would offer to split the proceeds 50-50 with you, right?
Dave Bittner: (Laughter).
Joe Carrigan: If you're entitled to an inheritance, you're entitled to the inheritance.
Dave Bittner: Right. No, I mean, it's a pretty typical one, but it's a good variation on it.
Joe Carrigan: It is.
Dave Bittner: And lots of fun. So thanks to Michael for sending that in.
Dave Bittner: We would love to hear from you. If you have a phishing email that you think would be a good Catch of the Day, you can send it to us. It's email@example.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with professor Lior Fink from Ben-Gurion University. They recently completed a study titled "How We Can Be Manipulated into Sharing Private Information Online." Here's my conversation with Lior Fink.
Lior Fink: Generally, we are very interested in online consumer behavior. And the idea was to see if we can find, if we can identify biases in the behavior of consumers in the context of their privacy behavior, to see if we can manipulate information disclosure in relatively simple ways and demonstrate that people behave in a non-normative, sort of biased way and that we can manipulate that behavior relatively easily.
Dave Bittner: Well, let's go through the research together. I mean, how did you go about your experiments here? What was the process?
Lior Fink: We looked at the sign-up procedures, and we did a field experiment. This means that we collaborated with a startup, a fintech startup that specializes in money transfer services. And the idea was to see if we can increase their sign-up rates by small manipulations or changes in the sign-up form. The items, information items, the information the firm requested remained the same. We simply introduced small changes in the way the forms appear or are presented to users. And we were able to see that we are able to increase the rates of sign-up significantly by very small changes in how - in the order and structure of information items. So we request the same information, but we change very subtle things in the structure of the forms.
Dave Bittner: Well, take us through exactly what you did here. I mean, what was the information being requested, and what changes did you make?
Lior Fink: The information is the basic information. The firm wants to get the user's name, email addresses, telephone numbers, where they live. It's a firm that caters to the needs of users in different countries. What we did was to introduce to - we manipulated two things. One thing was to simply arrange the items in an ascending privacy intrusion order. We ordered the items so that the information they are asked to provide first is their less intrusive information, and then the items are arranged in an increasing order, and the last items are those that require the most sensitive information.
Lior Fink: The second mechanism was to break down information items across several pages. So instead of having the entire form on one page, they had to answer a question - each question appeared on a different page, and they had to submit their answers for each question separately. So the idea was to draw on the foot-in-the-door theory. So it's the same way as the marketing person wants to put the foot in the door and ask you to do something small to increase the likelihood that you'll do something larger. We applied the same principles and ideas in those online forms. So we ask for smaller things at the beginning to increase the likelihood that they will continue and fill out the entire form.
Dave Bittner: It makes good sense to me that you were using, you know, the ascending privacy intrusion order, that you start off with the least intrusive things and then go on. I'm a little surprised about the notion of using multiple pages. Can you explain to us what was going on there? And what were the results? I have to say, it's hard for me to guess.
Lior Fink: The idea behind a multiple-page manipulation was, as long as you don't submit the form or move across pages, the information is still yours, right? I mean, you still haven't submitted it. It's still just text you put in a form. But then once you press - move to the next page, basically the information was sent to the server, probably placed in the database. So you already sort of revealed something about yourself. Then what we anticipated is that some mechanisms like sunk cost - I mean, you already started to provide information, so now leaving would be - you already paid the price. So sort of now continuing with the process is easier - right? - versus a situation where you still haven't provided anything. And this manipulation was more significant in terms of the effect. It increased sign-up rates by 55%.
Dave Bittner: Wow.
Lior Fink: Versus the other - the ascending order manipulation, that increased the sign-up by 35%. We found that both manipulations each independently - together the effects were most significant - were very effective in causing people to complete the forms.
Dave Bittner: Now, this is fascinating to me. And I suppose, as with anything like this, these tendencies that people have could be used for good things or for bad things. I mean, you're using the word manipulation, which is a little bit of a loaded word, I suppose, but, you know, in this case, it could just be for business purposes - trying to get someone to sign up for a service or a product or something like that. But I could imagine that folks who are up to no good could use these same sorts of methods to try to lead people down a path that may not be in their best interest.
Lior Fink: That's right. Actually, manipulation is a loaded word, but for a researcher, for someone who does experiments, it is a very common word because that's the word we use to describe the process in which we create a variable. For example, I want to see the effects of the vaccine, something very relevant right now, so I sort of manipulate the fact that the vaccine is given, that this is how we write it and call it. And so manipulation is the word we use for creating a variable. So we sort of manipulate the sequence of the pages or the sequence of the items. So that's why the word sounds a bit irregular.
Dave Bittner: Sure.
Lior Fink: But yes, our conclusion is not that firms are doing something wrong here. I mean, if you want to go that avenue, that there's sort of something wrong going on, you could also say that an ad is something wrong because it sort of causes you to buy something you may not really want, right?
Dave Bittner: Right. You're influencing someone.
Lior Fink: Yeah, so influence is not necessarily a bad thing. And here we assume that people entered the forms to become users of that service. I mean, they want to transfer money across countries. So the idea is not that there's something wrong going on, but still, I think that people should be more aware of the fact that very small changes can influence their behavior, especially when they're less attentive, when they are doing things in a more casual manner. That's when the biases occur more frequently.
Dave Bittner: Do you have plans for more research along these lines? Are there other things related to this that you want to look into?
Lior Fink: Yeah, one of the things we're working on right now - my team is very interested in the effects of mobile use. And we have other stuff on mobile behavior. So one thing we want to look at is whether different devices, the use of different devices, also changes privacy behavior in general and also the sort of effects in particular. Our hypothesis is that people, when they use mobile devices, they are less attentive. They invest less cognitive resources in what they do. They do things more casually usually, and usually they're more interrupted. They're sort of in a noisy environment. They move around, maybe in a train, maybe doing stuff while walking. So in those situations, we anticipate that the biases will be even stronger. So basically, as we move toward more mobile use, we anticipate that those sort of behaviors will become more frequent and will be even more easily biased. So that's one thing we want to look at right now. I mean, that's what we're doing these days.
Dave Bittner: Do you have any recommendations for how people can be more self-aware of these sorts of things, to sense when something like this is being put in place?
Lior Fink: In a lot of the literature on heuristics and biases, awareness is an important thing. But, I mean, it's one thing to say that awareness is important and another thing to say how to actually increase awareness. Because we are doing a lot of things during the day, we're very cognitively busy, and we want to be very efficient in what we do, so a lot of times we've learned to do things without proper attention. So I guess that the best recommendation would be to simply identify the instances when you need to invest more attention in things. I mean, you probably won't go and take a mortgage on your house when you are not attentive enough or you won't buy a car - right? - when you don't have enough attention to devote to it. But getting into an app and filling out a form just to start using the app is something we might do without proper intentions. So devoting more attention to those sort of things might increase our ability to identify situations where we are sort of doing things that are not aligned well with our preferences and intentions. And another thing basically would be when asked to provide information to just try to skim through the entire form before starting to fill it or try to see as much as you can about what you're being asked to do before you start like scrolling sort of - I'm going to do it on the fly. I'm going to start and then see what's going on. No. Look at things before you start, then decide whether you want to continue or not, because once you start behaving, you sort of increase the likelihood that you'll continue in the path - in this path. And it's sort of an automatic thing we do without being aware that we are actually starting to behave in a way that increases the chance that we continue.
Dave Bittner: All right, Joe, what do you think?
Joe Carrigan: Dave, again, I like a lot of the research that comes out of Ben-Gurion University. They do a lot of really interesting stuff. I'm fascinated with their hardware research, but this is also very, very interesting to me. Changing the order of the items requested can change the response rate. So ordering the questions from least intrusive to most intrusive gets a 35% increase in response rate. And by using multiple pages, you get another 55% increase. It wasn't clear whether or not those rates of increase compound. But, you know, my question, Dave, is, why does this work? Because I know that when I see multiple pages, like when I see the first page that says, hey, fill out this form and it's not very intrusive information and I say, OK, I'll give you that information and I click on the next page and there's a request for more information, I'm out right away because I think there's no way this is going to end in anything other than me having to give a blood sample.
Dave Bittner: (Laughter) Yeah. Yeah.
Joe Carrigan: Right? So I walk away.
Dave Bittner: I think it probably has to do with the sunk cost fallacy.
Joe Carrigan: Yeah.
Dave Bittner: You know, the more pages you get in, the more you feel like you're committed to this and you want to see it through to the end. That's my guess.
Joe Carrigan: I guess the sunk cost fallacy and what he calls the foot-in-the-door methodology that they use in marketing. I mean, I understand these things, understand how they work. But from a personal perspective, I don't think I get that. I'm ready to cut and run from any kind of deal at any point in time. What's interesting is maybe I just think I am, right?
Dave Bittner: (Laughter) Right.
Joe Carrigan: Maybe I'm not really ready to cut and run at any point in time.
Dave Bittner: Right.
Joe Carrigan: Maybe. And maybe there are people that know that about me. In fact, I can guarantee...
Dave Bittner: Yeah. Well, they do now.
Dave Bittner: Yeah.
Joe Carrigan: So nobody should believe that just because they haven't clicked that submit button that they haven't already given that website the information that they've typed in. As soon as you type it in, you're at risk of having disclosed it. Distraction is very important. In fact, at the Information Security Institute, we have some research about how distraction impacts the efficacy of phishing emails. And it doesn't surprise me that this is the same case for signing up. So if Lior is correct, mobile usage will make this a much bigger problem - "problem" with quotes - in the future. And I suspect that he will find that his hypothesis is correct, that being distracted makes you more likely to fall for these things. And being on a mobile device is the definition of using a device while distracted, I think. We talk about people driving while distracted by a mobile phone, but that means you're also distracted from what you're doing on the mobile phone by driving. Right? I say be attentive. You know, don't multitask. Multitasking is bad. Instead of multitasking, what we need to do is task switch and devote our entire attention to whatever task is at hand. I think that's just good personal policy.
Dave Bittner: Yeah, absolutely. Well, it certainly is interesting research here. And we want to thank professor Fink for joining us again from Ben-Gurion University, always interesting research going on there, just fascinating stuff.
Joe Carrigan: Indeed.
Dave Bittner: That is our show. We want to thank all of you for listening. And we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.