Fraud activity within secure messaging apps in plain sight.
Brittany Allen: The barrier to entry of fraud is definitely dropped by the explosion of activity in these fraud channels.
Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Brittany Allen. She's a trust and safety architect at a company called Sift. And she's going to be sharing the story of a new fraud ring on Telegram, where the bad actors are leveraging the app to steal from on-demand food delivery services. So stick around for that.
Dave Bittner: All right, Joe, let's dive in here with some stories. Why don't you kick things off for us this week?
Joe Carrigan: All right, Dave, let's talk URLs.
Dave Bittner: Oh, goody.
(LAUGHTER)
Joe Carrigan: You love it when I get a little technical, don't you?
Dave Bittner: Oh, it makes for scintillating radio. Go ahead, Joe. Go ahead (laughter).
Joe Carrigan: Well, I'm going to do this as best as I can. A URL is a universal resource locator, and these are - when you see a link on the web or you see a link in your email, a URL is behind that link, right?
Dave Bittner: Yeah.
Joe Carrigan: And these are ways to explicitly point to a single resource on the internet. And there are five parts of a URL, but I'm only going to focus on the two parts today. But the five parts are the protocol - that's how it starts. So you remember when we used to give out web addresses, we'd say H-T-T-P, colon.
Dave Bittner: Yeah.
Joe Carrigan: That's the protocol part.
Dave Bittner: The HTTP...
Joe Carrigan: Right.
Dave Bittner: ...Is the protocol. OK. Right, right, right.
Joe Carrigan: That's right. We're going to use Hypertext Transfer Protocol.
Dave Bittner: OK.
Joe Carrigan: It can also be other - like, H-T-T-P-S. It can be FTP, FTPS - or SFTP rather.
Dave Bittner: Yeah.
Joe Carrigan: It can be SSH. But it always has some protocol label and then a colon. Then immediately after that is the designation for the host. Now, the host is the actual computer, the physical or virtual computer that this service you're going to connect to runs on. And this can be either a fully qualified domain name or an IP address. But the important part for this story is that it starts with slash, slash. So you would hear us say, go to H-T-T-P, colon, slash, slash - thecyberwire.com. That's a URL.
Joe Carrigan: Because there are three optional parts that we're not going to talk about much more. There's a port number that you can use, a path and then a query string. But that's not important for this story.
Dave Bittner: Yeah. OK.
Joe Carrigan: All right. Now, Dave, let's do a little bit of internet history.
Dave Bittner: Oh, goody (laughter).
Joe Carrigan: We're going to get into the way-back machine.
Dave Bittner: (Laughter) OK.
Joe Carrigan: So the internet started mostly on Unix machines.
Dave Bittner: Yeah.
Joe Carrigan: And they were Unix operating systems or Unix-like operating systems. And they used a slash to denote things like directories, right?
Dave Bittner: OK.
Joe Carrigan: So everybody's familiar with folders, and those are just directories in a computer sense.
Dave Bittner: Right. And it's worth noting that in the early days, before we had, you know, GUIs, before we had graphical user interfaces, that everything was done on the command line. And so when you wanted to get to a directory, you typed it in. You weren't looking at physical graphics of folders on your desktop...
Joe Carrigan: Right.
Dave Bittner: ...Back in the day.
Joe Carrigan: And you can still do this on most - I think on all computers. You can open some kind of command line and navigate the directory using the old interface. And it's still there. There are some people who swear by it and will not use any other interface on a computer.
Dave Bittner: Right.
Joe Carrigan: I'm not one of those people, although I do use it frequently. There are some things that it's just easier to do in the command line. But Linux and Unix - actually, back then it was just Unix - they had these slashes for directories. Then along comes DOS. And the first version of DOS doesn't have any directories, right? So they don't think about directories. And then they use the slash character to denote command line arguments or switches for commands.
Dave Bittner: OK.
Joe Carrigan: So when you're typing a command in, you can enter an argument to that command - an option, if you will - and that, in DOS, started with a slash, which is the same thing that Unix used for directory.
Dave Bittner: Uh-oh (laughter).
Joe Carrigan: Right. Yep. So when DOS got directories, they had to go a different route because they couldn't just go, well, we're going to switch now and match up with Unix. We're going to use the backslash, right?
Dave Bittner: Right. Yeah.
Joe Carrigan: So they start using the backslash for directories, and that continues to this day in Windows-based operating systems. Now in 1990, Tim Berners-Lee comes up with the URL scheme, and he uses slashes to denote the beginning of the host and the path.
Dave Bittner: OK.
Joe Carrigan: So - because Tim Berners-Lee was probably working in a Unix environment, right? So he says, if I want to denote a server, I'm going to use slash, slash, server name and then, slash, the directory and the path name. But the world is full now of DOS users who start becoming internet users. So what do they do? They don't understand that there's a difference between slash and backslash, en masse. It's a very common typo. If you start thinking of directories and you've been working in a DOS environment all your life, when you think of what separates a directory, you're going to think backslash and not slash.
Dave Bittner: Right.
Joe Carrigan: That's the important part. U.S. cybersecurity company GreatHorn has a blog posting this week about a clever trick that phishers are using to get past spam filters. Instead of putting slash, slash at the beginning of their host name, they're putting slash, backslash. So a URL would read H-T-T-P, colon, slash, backslash - thecyberwire.com.
Dave Bittner: OK.
Joe Carrigan: Now, remember - the first two parts of the URL are the protocol and then the host string. So if you go to your web browser and you type in H-T-T-P, colon, slash, slash, or you type in slash, backslash, or backslash, slash or even backslash, backslash...
Dave Bittner: (Laughter).
Joe Carrigan: ...Your web browser will go ahead and replace those incorrect slashes with the correct slashes.
Dave Bittner: OK.
Joe Carrigan: Not only will it do it if you type it in, but if you click on a link that is formatted that way, it'll still take you to the website. And I tested this yesterday with Firefox and with Chrome to make sure this is right. I actually wrote up a little HTML document and put a bunch of links that all went to Google and had all four different configurations for slashes, and every single one of these things worked in both browsers.
Joe Carrigan: Now, why is this significant? This is significant because these phishers have figured out that the spam filters and the malicious email filters, when they're looking for links, they don't check for alternating slashes in the links. That breaks the search algorithm. So their links are getting right through these phishing prevention tools and spam prevention tools. And when they get through, if the user clicks on it, the browser goes, well, let me help you with that there, user. I'll reformat these things just fine. And bam - Bob's your uncle.
Dave Bittner: Interesting.
Joe Carrigan: They have gone to your phishing site. And GreatHorn has noticed a 5,000% increase in this recently.
Dave Bittner: Wow. So the browser is trying to be helpful.
Joe Carrigan: Correct.
Dave Bittner: The browser has your back if you mistype something or, by force of habit from being an old-time DOS user, you know, maybe you're putting backslashes in. Who knows?
Joe Carrigan: Right, right.
Dave Bittner: (Laughter) But the browser thinks it's being a good neighbor and helping you out.
Joe Carrigan: Yep.
Dave Bittner: And the scammers have figured out that they can take advantage of this...
Joe Carrigan: Absolutely.
Dave Bittner: ...And get past spam filters.
Joe Carrigan: There's two parts here. We as humans don't like changing our behavior, right?
Dave Bittner: Yep, yep.
Joe Carrigan: Which is why...
Dave Bittner: You least of all.
Joe Carrigan: Me least of all. Correct.
(LAUGHTER)
Joe Carrigan: I'm actually OK with changing my behavior when I realize something is not secure.
(LAUGHTER)
Joe Carrigan: I probably shouldn't do that.
Dave Bittner: OK.
Joe Carrigan: You go all the way back to the time when people who were developing DOS were looking at the situation and they were like, should we make everybody change to slashes instead of backslashes and use something else to delineate switches? They said, you know, our user base is already accustomed to this. Let's not tax them on this. Let's not make it more difficult to upgrade to a new version of DOS. Let's try to make that as painless as possible.
Dave Bittner: Right.
Joe Carrigan: Which is probably the right answer, right?
Dave Bittner: Yeah.
Joe Carrigan: Because you don't have the foresight in the early '80s to go, well, one day the internet is going to be around.
Dave Bittner: (Laughter).
Joe Carrigan: And in 10 more years, Tim Berners-Lee is going to invent the URL, and that's going to use slashes. We better standardize on slashes now, when we have a smaller user base than the user base of just about everybody in the world.
Dave Bittner: Microsoft also not having a reputation for necessarily playing well with others.
Joe Carrigan: Yeah.
Dave Bittner: Certainly back in the day, right? (Laughter).
Joe Carrigan: Yeah. They had this thing where you would have a standard, and they'd be like, hey, that's nice, but we're going to do it this way.
Dave Bittner: Yeah. Right. Well, even the early days of the internet, you know, look at their - their browser was...
Joe Carrigan: Oh, yeah.
Dave Bittner: ...Nonstandard compared to - it didn't adhere to the standards (laughter)...
Joe Carrigan: Yes, I'm...
Dave Bittner: ...As well as many thought it should, right?
Joe Carrigan: I'm very glad they came around on that. I credit, largely, the open-source community for that because the open-source community said to Microsoft, we're just going to build operating systems that are good and free, and we're going to follow the standards, and you're going to have to come in line. And eventually, that's what happened.
Dave Bittner: So what's to be done here? I mean, is this a matter of the folks with the spam filters catching up to this? I suppose from a user point of view, you should be on the lookout for this, right?
Joe Carrigan: Right. From the user point of view, there's not much that can be done. This is definitely a development issue with the spam filter developers. They didn't take this into account. And you know what, Dave? The fix is really simple, and we're probably going to see these kind of things getting caught because, like we always say on this, it's - on the show, it's an arms race, right? Somebody has found something that's going to work, and, you know, it's like they've poked a hole in the dam or they found a hole in the dam. The water's rushing through. Somebody's going to run over and stick their finger in that hole. And...
Dave Bittner: (Laughter) Yeah, but they're going to - I mean, as long as that, you know, water is leaking out of the dam, they're going to take advantage of it as long as they can, right?
Joe Carrigan: Right.
Dave Bittner: Which is what they've done here.
Joe Carrigan: That's right. And that's why GreatHorn is seeing a 5,000% increase in this.
Dave Bittner: Wow.
Joe Carrigan: Because phishers and scammers have realized, hey, this works. Let's make hay while the sun's shining.
Dave Bittner: Yeah. Boy, I do not miss the days of backslashes.
(LAUGHTER)
Dave Bittner: I just - there was a time when I was a DOS user, you know, in the early days.
Joe Carrigan: Yep.
Dave Bittner: And I guess at some point in time, when I converted to becoming a Mac user, the backslashes just sort of - like, oh, God (laughter). It's just confusing, I think. All right. Well, interesting story, for sure.
Dave Bittner: My story this week comes from our friends over at Naked Security. This is written by Paul Ducklin, who's been a guest on our show. Thanks to our pal Carole Theriault. This story is titled "ScamClub Gang Outed for Exploiting iPhone Browser Bug to Spew Ads."
Dave Bittner: There's a couple parts to this story. There's a digital ad company who - it's just called Confiant. And they published an analysis of a malvertising group that they call ScamClub. This ScamClub group - these are the folks who provide the annoying pop-up ads that we've all seen on our devices (laughter). I think particularly for me, I've seen them on mobile devices, where, you know, you're browsing along, minding your own business - doesn't really matter. It could be a totally legit website. And all of a sudden, something pops up, and it says, good news, you're today's lucky winner, right? (Laughter).
Joe Carrigan: Right. Little bits of confetti fall down.
Dave Bittner: Right, right.
Joe Carrigan: Yeah.
Dave Bittner: Yes. You know, you are either going to get a new iPhone or a $100 gift card to Amazon or who knows what. But it's valuable. And all you need to do is take our brief survey.
Joe Carrigan: Right (laughter).
Dave Bittner: And you will win this prize. Well, of course, the survey is a scam. Usually, there is no prize.
Joe Carrigan: Right.
Dave Bittner: Sometimes you have to pay money to access things. And it's all quite scammy. And evidently, these folks were taking advantage of a vulnerability, which actually has a CVE - 2021-1801, which Apple recently patched...
Joe Carrigan: Oh, very good.
Dave Bittner: ...In iOS and iPadOS. So if you're not, you should be running 14.4 on those devices. And they said this wasn't a really severe bug. Like, it didn't allow remote code execution or any kind of privilege escalation or anything like that. But it did allow the advertisers to evade some of the security restrictions that the WebKit sandbox has on these devices.
Dave Bittner: Now, just as a little side topic, it's worth noting that on iOS devices, Apple insists that you use their engine for web browsing, right? You have to use the one that they provide. So...
Joe Carrigan: So there is no other web browser on iOS.
Dave Bittner: It's a little trickier than that. So, like, you can get Chrome on iOS, but it's running Apple's core web engine. It's running the WebKit engine underneath.
Joe Carrigan: OK.
Dave Bittner: And, you know, I mean, I think there's two sides to that. On the one side, this ensures from Apple's point of view that there's a baseline level of security. But from the user point of view, it's restrictive, right?
Joe Carrigan: Right.
Dave Bittner: You can't just go run whatever you want. That's the bargain you make with iOS - right? - in exchange for security.
Joe Carrigan: That is exactly - that's the bargain you make with Apple.
Dave Bittner: Yeah.
Joe Carrigan: And their reasoning behind it is sound, I think. Apple's priority has always been the user experience, and they've always wanted it to be consistent. And as they've matured as a company, they now want that to also be secure. So that means they have to have this totalitarian view of this, where things like exactly what we're talking about here happen. If you want to be a web browser, you're going to have to use WebKit as your rendering engine.
Dave Bittner: Yeah. So evidently, this bug allowed these scammers to execute redirects. You know, so they'll send you to other websites and fetch content and so on and so forth. So two things here I wanted to note. First of all, if you're using an iOS device, it's in your best interest to keep it current.
Joe Carrigan: Right.
Dave Bittner: And so go and check to see if you have an update coming. The latest update protects against this thing. But then the other thing is I thought it was worth pointing out about these online surveys, you know, that you should watch out for them.
Joe Carrigan: Right.
Dave Bittner: They can seem harmless. You know, they lure you along. You remember not long ago, we were talking to one of the researchers from Ben-Gurion University who said that there's kind of a sunk-cost thing that goes with these.
Joe Carrigan: That's right.
Dave Bittner: Like, the longer you go down the path of the survey, the more likely you are to stick with it because you've already invested time.
Joe Carrigan: Yeah, you've invested time, so you're willing to give up more information.
Dave Bittner: Right. Any time someone starts you down a path of doing a survey in exchange for a prize, don't do that. (Laughter) It's...
Joe Carrigan: There is no prize.
Dave Bittner: (Laughter).
Joe Carrigan: There is no prize at the end of the tunnel here.
Dave Bittner: Right. Right.
Joe Carrigan: The light at the end of the tunnel is an oncoming train of identity theft.
Dave Bittner: (Laughter) Nice, nice. Right. A good point here that Paul Ducklin makes - he says, know your privacy limits and stick to them.
Joe Carrigan: Right.
Dave Bittner: You know, what are you willing to share, and what are you not? And again, these types of things, these surveys - they lead you down that path, and they ease you into a sense of comfort, where you give out - maybe they start out by asking you for a piece of information that you're perfectly willing to share. And then 10 minutes later, you're 10 questions down the line. And you're - you know, you're giving them your blood type, right (laughter)?
Joe Carrigan: Right. Exactly.
Dave Bittner: I think that's worth mentioning, as well.
Joe Carrigan: Agreed.
Dave Bittner: All right. Well, we will have a link to this story in our show notes. Again, our thanks to the folks over at Naked Security, part of Sophos, for this story that we're using this week. Those are our stories. It is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener named John. John received this letter in the mail. It's not anything out of the ordinary, but what is unusual is that he actually received a physical letter. And it is a picture of the letter with the envelope behind it. It's remarkable.
Dave Bittner: It claims to be from Canada Trust.
Joe Carrigan: Right.
Dave Bittner: Logo there on the top of the printed letter.
Joe Carrigan: Yeah, the TD Bank logo. But that logo is in black and white and not the light green that TD Bank is usually in.
Dave Bittner: OK. It goes like this.
Dave Bittner: (Reading) I am aware that this letter has come to a surprise to you, as we've not met before or handled any business deal in the past. Nevertheless, I've contacted you with genuine intentions, and I hope I can trust you with this inheritance opportunity, which I explain below. My name is Mr. Lenny Mendoez, an account manager with TD Canada Trust Bank, Ontario, Canada. I retrieved your contact address in my search for the next of kin to a deceased customer of our bank, Mr. George, a citizen of your country who lived and died in London from cardiac arrest in the year 2011. Unfortunately, this customer died intestate, leaving his bank account with an open beneficiary status. All efforts made by our bank to locate his relatives have been unsuccessful. So I decided to write you.
Dave Bittner: (Reading) As I have monitored this account in the bank for almost 10 years now, no one has come forth with any claim. I would like to present you from our bank, the next of kin, to claim this dormant account with 9.2 million U.S. dollars, 9,200,000 U.S. dollars. I assure you that this transaction would be handled under due inheritance procedures, and every necessary legitimate arrangement will be put in place to make sure you the real beneficiary of the inheritance funds. It also requires all confidentiality. At this stage, I believe that you are ready to keep this absolutely discreet until you are able to claim the funds from the bank. Once the funds are released to you, it will be shared between the two of us.
Dave Bittner: (Reading) Please send your response to my personal email, lennymendoez@lennyconsult.com, indicating readiness to proceed with this transaction. Then I will give you more details, and we shall have in-depth discussion regarding a successful completion of this transaction. I await your response. Sincerely, Mr. Lenny Mendoez.
Joe Carrigan: This is fantastic. He lived and died from cardiac arrest.
Dave Bittner: (Laughter).
Joe Carrigan: Lived and died in London from cardiac arrest. That's a bad sentence. This is almost identical to our scam email from last week that we had. The only difference and the reason I put it in here was because these guys are actually going out of their way to send people mail. There's a cost associated with this. They're doing the same tricks, where they have our - the listener's full name. And they're addressing it to him, and they're making the deceased person - this is a fictitious deceased person - have the same last name.
Dave Bittner: It reminds me - you remember - I don't know - in the past couple of weeks, we're talking about Amazon review scams...
Joe Carrigan: Yes.
Dave Bittner: ...And how I had purchased something on Amazon? My wife actually got a postcard in the mail from someone she had purchased something from on Amazon asking her to do a review and that if she did the review, took a picture of the review, sent it to them, they would send her free product. Well, but what struck me about that was they went to the trouble of paying for postage, right?
Joe Carrigan: Right, right.
Dave Bittner: Like, they sent this in the mail (laughter).
Joe Carrigan: Right.
Dave Bittner: ...Which is - it's just fascinating to me - which means it must be worth it. You know, those reviews have value to - the more good reviews you get, the more stuff you sell, I guess. And they've done the math.
Joe Carrigan: I wonder what the return rate on these letters is, I mean, 'cause our guard is up when we receive an email like this, but maybe our guard is not so up when we receive an actual letter.
Dave Bittner: Interesting. All right. Well, that is our Catch of the Day. We want to thank our listener for sending that into us. We would love to hear from you. If you have an interesting Catch of the Day or a question for us, you can write us. It is hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Brittany Allen. She is the trust and safety architect at a company called Sift. And our discussion centered on a new fraud ring that they've been analyzing. These folks use Telegram, and they leverage the app to steal from on-demand food delivery services. Here's my conversation with Brittany Allen.
Brittany Allen: We spend a lot of time learning about fraud in order to fight fraud. And one of the resources that we had been looking at before had been looking into dark web activity, seeing what happens with information that ends up there due to a data breach, see what's happening within these fraud groups. But there's an easier layer to access. And that is within these apps such as Telegram that are secure messaging apps or are privacy-focused. And there is a lot of fraud activity within those groups. They might be groups that have the most obvious names, such as Fraud World...
Dave Bittner: (Laughter).
Brittany Allen: ...Or Scam World. It - there's one called Fraud University. There's some really great ones in there. But, basically, we were able to go into those groups, sort of learn the language, learn what they're talking about when they say that they have freshly spammed fullz for sale, learn all of that info. And then we were able to find this emerging pattern of fraudsters who would agree to order food on behalf of other fraudsters at a heavily discounted rate. And we learned that that was just another little glimpse into the part of the fraud ecosystem - was that specific role.
Dave Bittner: Before we dig into some of the details of this specific fraud, can you give us a little more information on these groups themselves? Is there any sort of vetting before you join a group like this? Or is anybody welcome?
Brittany Allen: There can be. There are layers to access. So the groups that we are in are the ones where all you need to do is know that the group exists, either by pulling it up in a very limited search - that it actually isn't that useful for this purpose via Telegram - or seeing that the groups are advertised elsewhere. Maybe they're advertised in a Reddit thread. Or maybe someone has mentioned them on Twitter or somewhere else online. And then once you get into a few of the Telegram groups, you'll realize there are more and more other ones that are being shared within those channels. And sort of the network that we've been able to build of groups we have insight into has only grown.
Brittany Allen: Now, you're completely right. There are some that are locked down, either by paying to join them or by the fact that you would have to make a certain number of purchases before you would qualify to join them. Those are premium groups. A couple of them have opened up to us regular people every now and then. I've managed to squeeze into one or two of them. But honestly, the insight that we get from the public groups is staggering to see just how much is happening in plain sight.
Dave Bittner: Well, let's go through this specific case here that you track. This is having to do with some on-demand food delivery services. Take - walk us through this step by step. How does it work?
Brittany Allen: Absolutely. So, as I mentioned before, with the fraud ecosystem, all of the fraudsters have different roles to play. It's not like they do everything all of the time. And so there are these fraudsters who have advertised their service of, I will buy food for you on your behalf. They say what restaurants or what food delivery apps are their specialty. And then they say, at this rate - you can pay me via Bitcoin - it'll be a substantial discount. So maybe you're only paying 25% to 30% or 40% of the value of the food. So it's, therefore, pretty exciting or pretty attractive to you so that you can not have to spend a lot of effort on this ordering of the food and then also save a little money along the way.
Brittany Allen: But what they do is they advertise what they've got available. You as this prospective diner will reach out to the fraudster with a screenshot of what you want from that website. So you would pull up that food delivery of, let's say, add a whole bunch of things to your cart. Take a screenshot. Send it to the fraudster. Make your payment via Bitcoin or whatever else they accept. And then they will place that order on your behalf. And the next thing you know, you'll have your food delivered to you. You'll have pretty good plausible deniability just in case the food delivery app does catch on or try to investigate you because you won't have been the one that placed the order. But you'll still benefit in the end from getting the food. And it's just sort of another level of service.
Brittany Allen: And the fraudsters that are running the scam are the ones who specialize in knowing, what are the current vulnerabilities with the delivery apps and the restaurants that I know are popular and will help me make money by facilitating these orders? You'll see them post that a certain restaurant is down, which means they can no longer get their orders through. Or it's back up. But now there's a limit. Your cart needs to be of this size. Or if it's a delivery app that supports buying alcohol, you can't order liquor at this moment because we're not able to get through the fraud prevention system of the customer or - sorry, of the merchant - at this time. There's a lot of variables behind that that you'll just see through these advertisements that are repeated again and again and again and again throughout these fraud channels on Telegram.
Dave Bittner: Now, how are the fraudsters paying for these orders? What's that mechanism there?
Brittany Allen: So when - you've got the diners on one hand paying via Bitcoin, which is something that is more secure, isn't going to be prone to a dispute or having the funds clawed back if they're dissatisfied. So the fraudster running the scam is happy to receive that payment. The fraudster running the scam is going to be using stolen credit cards to make his purchase or might be using access to accounts that have been compromised via account takeover, such as when user credentials - email address and passwords - are leaked via data breaches or otherwise sold on the dark web. So he's got one of those two setups ready to go on that food delivery app, for example.
Brittany Allen: And in the end, that just hurts the merchant financially. If a credit card that is stolen is used to pay via their app or if an account is taken over and the credit card on file is used maliciously, in the end, the real legitimate cardholder is going to file a chargeback dispute against that payment to get their money back. And not only does that leave the merchant with a loss for that particular transaction, but it also hits them with a chargeback dispute fee, which, in the case of an order for, let's say, $10 worth of dumplings, could be more, could even be double the value of that order itself, and their losses can quickly snowball.
Dave Bittner: It's interesting to me that nobody goes after the person who was buying the food who's, you know, at some point complicit in this. Is it just not worth tracking them down so far?
Brittany Allen: I have heard some stories of people who have placed orders being sort of chased down or being targeted by the merchants. To be able to show up on the merchant's radar like that, first of all, you're going to really need to have a high value of orders. They're not going to have the time to, let's say, go after one person who is connected to one fraudulent pizza order in a city that's 2,000 miles away from this company's headquarters that they aren't able to send an enforcement agent out to. That's just something that's really not scalable for them.
Brittany Allen: And then also remember there's kind of that degree of separation. What would be really the most valuable thing to go after, the one guy that ended up with the pizza or the fraudster who facilitated the order of hundreds and hundreds and hundreds of pizzas that week and was a bigger sort of financial impact on the merchant? And that person is harder to get to just because of the lack of information about them that can be gleaned publicly, that can be gleaned by looking at these Telegram groups. So maybe you cut off one person who benefited from the scheme, but then you don't get to the source, and you don't actually stop the source.
Brittany Allen: Although I will say, I have seen some amusing to me, as a fraud fighter who's been in trust and safety for over a decade, so I'm amused by this, but I have definitely seen some people in the app saying, oh, my gosh, you know, I got questioned. I got called by the merchant, or I got - this happened to me. What do I do? What do I do? And trying to be talked through...
Dave Bittner: (Laughter).
Brittany Allen: ...Some of those exact situations. A little bit of schadenfreude. I don't hate to see it.
Dave Bittner: Right, right, absolutely. What about the delivery people themselves? I mean, do they suffer anything from this? It seems to me like they're the people who might have, you know, a lot to lose, especially in these hard times.
Brittany Allen: You know, that's a really interesting angle. It's a really interesting point to address because if there is the impetus for the person who's committing the fraud to look as normal as possible while submitting an order and they're paying with a stolen credit card, they should be fine to leave a tip. They should be fine to leave a generous tip because it isn't their money. And it would just come down to what is sort of that agreement and arrangement between the merchant and the delivery guy. Is he working directly for the merchant? What happens if there's a dispute or a complaint on an order that he delivers?
Brittany Allen: But I would think in most cases that they are protected from loss, and it's really the merchant that will have to eat this because of the nature of the fraud, that it's coming from a fraudulent credit card payment and didn't have anything to do with the quality of the order. But that is...
Dave Bittner: Yeah.
Brittany Allen: ...A really good point and would be very unfortunate in these times, as you pointed out.
Dave Bittner: Yeah. So what's to be done here? What are your recommendations for folks to best protect themselves against this sort of thing?
Brittany Allen: So for merchants, that's going to be a tricky question because if they are one of the more popular restaurants, let's say, there are going to be a lot of fraudsters who are trying to figure out what their vulnerabilities are and are testing them in multiple different ways. Do these accounts that were compromised work? Does it work if I put a certain item in my cart or if I leave an item in my cart for a certain amount of time and then come back? What can I do to look as legitimate as possible and to not trigger any sort of indicators of suspicious activity for this merchant?
Brittany Allen: So first of all, just being aware that it's happening is a step in the right direction. But merchants also need to have an understanding of what the signals of that fraudulent transaction are. And because that can be a huge amount of signals to deal with, using machine learning to pair that with the vast amounts of data would really help the teams analyze those different signals to stop a suspicious transaction. So it may not just come down to is it a brand-new account, what type of item is being ordered, but the actual behavior, for example, of the fraudster while in that account.
Brittany Allen: There's a lot, a lot of different factors to consider. And honestly, if you look at the different kinds of risk that different kinds of merchants can face, what has the least amount of time for a merchant to be able to react? Food delivery. It could be that the delivery guy is going to leave with that bag of burritos in just a few minutes. It's going to be a very quick process. Or the delivery is guaranteed to happen in 30 minutes or less. There's a really small window that they have to analyze all of the data and signals that they possibly can to try to prevent fraud loss.
Dave Bittner: And so we're at the point now where these sort of systems, as you describe - you know, using things like artificial intelligence, machine learning and so on - they can detect these patterns that would otherwise, you know, elude, say, a human who is looking for them.
Brittany Allen: Definitely as far as being able to do so on a more quick and efficient basis, yes. It's - you can't imagine that there would be the possibility for some human being to sit in front of every single one of these orders and say, does this look legitimate or not? There's no way that that can scale, and there's no way that a merchant could reasonably do that to try to prevent this type of fraud, especially the type that's changing.
Brittany Allen: Like I said, I will pull up my Telegram account in the morning just to see if there's any buzz about new attacks or new companies that have been targeted. And I'll, on average, have about 30,000 messages ready to look through. I couldn't possibly read them all, but that's really an example of how much activity and how many different ways these companies are being hit that they would need to react to and try to stay in front of.
Brittany Allen: Because this type of fraud is happening on these secure messaging apps like Telegram and not just in somewhere like the dark web that is more difficult for your casual user to access - that we're seeing activity there from professional fraudsters who are reselling stolen credentials, fraudsters who are running Telegram rings or food delivery rings like what I just described. And we're also just seeing casual fraudsters in the mix. Maybe this order to get discounted food is someone's first step into being comfortable with fraud, with seeing how much risk they're willing to take on by sharing their, you know, home address with a fraudster who is now going to hopefully send food to them if they can trust the situation.
Brittany Allen: And as more and more and more people are using these apps or as the membership of these fraud groups grows, that just takes more casual fraudsters and increases their comfort level with committing fraud and defrauding companies. And that is an emerging pattern that merchants really should be keeping an eye on because the barrier to entry of fraud is definitely dropped by the explosion of activity in these fraud channels.
Dave Bittner: All right, Joe. What do you think?
Joe Carrigan: I think this is awesome that she has infiltrated one of these groups.
Dave Bittner: (Laughter).
Joe Carrigan: Pretty good. I might try to do this on Telegram as well, just to see if I can get in and see what's going on.
Dave Bittner: Yeah.
Joe Carrigan: Yeah, because you can just get in by knowing they exist, and that's just the first step. And then you can get into more if - I guess if you buy fraud services, which I'm not. I have no interest in doing.
Joe Carrigan: I'm fascinated that the public group offers as much information as Brittany says it does, and that's why I kind of want to check this out. Very interesting with the food delivery fraud, with - were I a bad guy, I would not do this. I would use a service to pick up food, but I would never have a criminal process end at my physical address.
Dave Bittner: (Laughter) Right. Right.
Joe Carrigan: That's just me.
Dave Bittner: Yeah. Right. Exactly. Yeah, isn't that interesting?
Joe Carrigan: It is. These people have no problem doing that, and I don't understand why. I mean, you're going to give somebody your address and then commit fraud and have that delivered to - now, maybe you're having it delivered to a vacant house, maybe not. I love when Brittany talks about the panic of some of these people who've been - who've scammed the restaurant. And if you're ordering from a large restaurant chain, you may be fine. But if you order from a small business, I can certainly see that business owner taking it personally...
Dave Bittner: Right (laughter).
Joe Carrigan: ...And calling you up and going, you know I have your address and phone number, right?
Dave Bittner: Right. Right. Exactly. Right. Yeah, me and half a dozen of my best dishwashers are going to pay you a visit (laughter).
Joe Carrigan: Right. Exactly. I'd be terrified. That's exactly the - my - this is why I just buy my food. I wouldn't do it 'cause it's wrong. There could be real-world consequences for people who do this. For larger apps like Grubhub and Uber Eats, I wonder who pays for the fraudulent transaction. Is it the food delivery app, or is it the restaurant? I don't know. I don't use those services. My kids use those services. I don't. I just don't see the value in them.
Dave Bittner: I'm not a hundred percent sure, but my sense is, from some of the stories I've read related to this sort of thing, that the ultimate victim here usually ends up being the restaurant. And...
Joe Carrigan: Right.
Dave Bittner: ...You know, so many restaurants are mom and pop businesses or local.
Joe Carrigan: Absolutely.
Dave Bittner: Even if they're chains, they're small ones. You know, it's not like it's just being written off by a corporate behemoth like McDonald's or something. These are...
Joe Carrigan: Right.
Dave Bittner: ...Real people who are getting hit by these things.
Joe Carrigan: Yeah, large companies can have a good security and fraud program, but small merchants can check the terms and conditions of these delivery apps. These small merchants don't have their own apps, usually. They use some third-party app like Grubhub or Uber Eats or - what's the one for pizza? - Slice.
Dave Bittner: Yeah. Yep.
Joe Carrigan: Brittany makes a good point about the time disparity here. Food has to be delivered quickly, but the cardholder has something like 60 days to dispute a charge. So the restaurant really does have a risk. They have to have faith that the person ordering the food is a legitimate person and not some fraudster because all the cardholder has to do is say, that's not my charge, and the credit card company goes, OK, we're not going to pay it then. And that's it. And that business is out the money. And as...
Dave Bittner: Yeah.
Joe Carrigan: ...Brittany points out, they're also out a fee.
Dave Bittner: Right. Yeah. It's interesting stuff, this evolution of this particular scam. There's - this is one of those ones that leaves me scratching my head, you know...
Joe Carrigan: Right.
Dave Bittner: ...Just as you say, because if it ends at the scammer's home or place of business or something, I mean - the brazenness, I guess, is what...
Joe Carrigan: Right.
Dave Bittner: ...Strikes me about it.
Joe Carrigan: Yeah.
Dave Bittner: Yeah.
Joe Carrigan: That's a good way to put it. It's absolutely brazen.
Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Brittany Allen for joining us. We do appreciate her taking the time.
Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.