Hacking Humans 4.1.21
Ep 141 | 4.1.21

The pandemic is slowing, time to travel?


Fleming Shi: I think cabin fever - people are getting really stuck for a long time, and so there will be a rise in bookings for hotels, mainly because people are getting ready to plan for their vacation. They really need it.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Fleming Shi from Barracuda Networks. We're going to be discussing travel-related phishing attacks. 

Dave Bittner: All right, Joe, before we jump into our stories here, we got some interesting feedback from a listener who prefers to remain anonymous, but someone we've corresponded with on more than one occasion. And this person wrote in and said, (reading) this morning, I did a check on whether anybody had claimed Gmail accounts using characters close to one of my doctors' business Gmail email accounts. Lo and behold, I discovered two registrations in which the letter I had been replaced with a letter L. His account has two letters I in it. In my opinion, there is simply no way anybody would've signed up for Gmail accounts, which, for example, the word Fairfax had been turned into Falrfax (laughter). 

Joe Carrigan: Right. 

Dave Bittner: He says, (reading) I informed him of this and suggested he have his receptionist block those two Gmail accounts so she could never be hoodwinked into receiving an email from those accounts and think it was him. He immediately had her do so. 

Dave Bittner: I think this is a really good idea. 

Joe Carrigan: Yeah. 

Dave Bittner: I actually hadn't thought about this, of coming at this from the blocking of accounts side. Just go through and look at your own business domain... 

Joe Carrigan: Right. 

Dave Bittner: ...And go through and try to generate similar ones and just block those. That's a great idea. 

Joe Carrigan: Right. Yeah, this is with email addresses, and it's a great idea for the business to do this so that they can't get scammed. But the issue is that these are probably going to be targeting maybe customers of the business. Actually, maybe not. Maybe they are trying just to get in 'cause it would be very hard to find customers unless you actually breach this business, which would take a lot of effort. 

Dave Bittner: Yeah. 

Joe Carrigan: And this seems to me like a low-effort thing going on here. So they might actually be trying to target this business. So that is a good idea. 

Dave Bittner: Yeah, yeah. I like it a lot. It's a simple idea, easy to implement. And there really isn't any downside to it that I can think of. 

Joe Carrigan: Nobody's ever going to say, I'm a patient and here's my email. It looks very much like yours. 

Dave Bittner: Right, exactly (laughter). I'm so - I'm such a fan of your practice here that I've modeled my life after it. 

Joe Carrigan: Yeah. 

Dave Bittner: All right. Well, thanks to our listener for sending that in. We do appreciate it. 

Dave Bittner: Let's get to our stories here. Joe, why don't you kick things off for us? 

Joe Carrigan: Dave, I have a story from Sean Emery, and he is a reporter at the Orange County Register. And they have a story about an Irvine man who is accused of $1 million in romance scams. 

Dave Bittner: Wow. 

Joe Carrigan: And this is - his name is Ze'Shawn Stanley Campbell. He's 33 years old. And he has been charged with wire fraud, bank fraud, money laundering and aggravated identity theft. I don't know what makes a crime aggravated. Do you? I'm not a lawyer. That's a good question for Ben. 

Joe Carrigan: So Campbell has been charged with these crimes for alleged romance scams that he's been conducting over the course of the past six years. And according to the indictment, he either befriended or carried out romantic relationships with at least 10 people to whom he lied in order to convince them that he was wealthy, reliable and successful, which is... 

Dave Bittner: (Laughter) That's why I have that on my business card, you know? 

Joe Carrigan: That's right. 

Dave Bittner: Dave Bittner - podcast host, wealthy, reliable, successful. 


Joe Carrigan: Prosecutors allege that he would tell them he had millions of dollars in various bank accounts, and then he'd show them false bank statements to back up these lies. 

Joe Carrigan: Now, this reminds me of a story from my past. 

Dave Bittner: (Laughter) Oh, boy. Of course it does. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: This was back in 1999 or thereabouts. And this person was a bit of a scammer. He's one of those people in your life that's well versed in the way of the scam. 

Dave Bittner: Right. 

Joe Carrigan: You know, scam way. 

Dave Bittner: Yeah. 

Joe Carrigan: You know where I'm going, Dave? 

Dave Bittner: I think I might. 

Joe Carrigan: OK, right. And... 

Dave Bittner: Continue. 

Joe Carrigan: We were at his house. And there on his counter in plain view is this W-2 laying out with his name on it. And I pick it up, and it has this salary on it, this annual salary on it that is supposed to be impressive. And he looks at me, and he goes, pretty nice, huh? And I know immediately because I grew up with an accountant for a father who did a lot of taxes that you can just get software that prints these out and... 

Dave Bittner: Right. 

Joe Carrigan: You know, you can print out W-2s for yourself that said you made a million dollars last year. 

Dave Bittner: (Laughter). 

Joe Carrigan: And as long as you don't file that with the IRS as a W-2 for one of your employees, it's fine. You just shred it, and you move on. 

Dave Bittner: Yeah. 

Joe Carrigan: And I am almost 100% convinced that's what he was doing with leaving these things around. You can print out these documents pretty easily, particularly tax documents, with modern technology. It's not very difficult to come up with fake bank statements. 

Dave Bittner: Right, sure. 

Joe Carrigan: You just need to get some imagery from the bank, which is available on their website. You have to download it. And you can make yourself fake bank statements, no problem. 

Dave Bittner: Right. 

Joe Carrigan: Campbell's also alleged, falsely claimed to have been a Navy SEAL, which he was not... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Who served in Iraq and Afghanistan. And he also claimed to be a successful Bitcoin investor. 

Dave Bittner: Why not? I mean... 

Joe Carrigan: Right. 

Dave Bittner: ...If you're going - you're all-in, might as well, yeah (laughter). 

Joe Carrigan: Right. So this guy - right. This guy's firing on all cylinders, right? The prosecutors say once he gained their trust, he would ask friends and partners for money. He would say, I need a loan for some medical bills. I need to invest in some real estate. Hey, I'm going to invest in Bitcoin. 

Joe Carrigan: Now, I don't know about you, Dave, but if somebody comes up to me and says, I'm going to invest in Bitcoin, I'm like, you do that with your money. 

Dave Bittner: Yeah (laughter), yeah. 

Joe Carrigan: If I'm going to invest in Bitcoin, I'm going to invest in Bitcoin. It's easy enough to do. 

Joe Carrigan: And then finally, he would say he needed to cover some business expenses. Sometimes he would convince these people to pull money from their retirement funds or their bank accounts. But the retirement funds - that part to me is just sickening. And he signed fraudulent notes saying that he would pay them back. And then he would use the money to, quote, "buy luxury items for himself," make payment on car leases that he had leased in the victims' names, pay personal debts or other personal expenses. 

Joe Carrigan: I'm reminded of the scene in "Dirty Rotten Scoundrels" where the guy is driving the woman around after Steve Martin scammed her out of money, and Steve Martin's coming out of the shop - do, do, do, do, do, do (ph). 

Dave Bittner: (Laughter). 

Joe Carrigan: That's what I think of when I think of this. 

Joe Carrigan: It got worse, Dave. If somebody refused to lend him money, he would say, that's OK; I'll just open up some credit cards in your name. And then he used the credit cards or the lines of credit. 

Joe Carrigan: And according to the indictment, at least 10 people in Orange County and Los Angeles suffered losses of more than $1 million. And he was arrested on March 6 at the Dallas-Fort Worth Airport and is expected to be taken to Los Angeles, which I imagine by now has probably happened. 

Joe Carrigan: An important note here - Mr. Campbell is entitled to the presumption of innocence. He's only been charged with these crimes. He's not been convicted of them. I want to say that this is all alleged. But the indictments are pretty good. 

Dave Bittner: I mean, there are people who have - they choose this path, right? And they - somewhere along the lines, they find they have a gift for this sort of thing. And I guess, you know, once you start down that path, it can be alluring. 

Joe Carrigan: Right. If you're making a million dollars in six years, that's a lot of money by any standard. 

Dave Bittner: And I guess it comes easily to the people for whom this is reflexive. But I just can't imagine trying to keep track of that web of lies, you know? 

Joe Carrigan: Yeah. 

Dave Bittner: Do you have to keep a spreadsheet? I don't know. I mean, it just... 

Joe Carrigan: I don't know. 

Dave Bittner: Where I'm coming from is I was going to say, well, it beats working for a living, but, no. I mean... 

Joe Carrigan: It is working for a living. 

Dave Bittner: It is working for a living. I mean, albeit if you're bringing in more than a million dollars from people, you know, nice work if you can get it, I suppose. But, yeah, it's a shame. My heart goes out to all the folks who got scammed. I guess the insult to injury is that this is an affair of the heart, right? He's... 

Joe Carrigan: Right. 

Dave Bittner: He's pulling on people's heartstrings. And that sort of compounds the level of evil that we're talking about here, again, allegedly. 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, it's an interesting story. We'll have a link to that in the show notes. 

Dave Bittner: My story this week actually comes from Fox News, and it is titled "Phone Scammer Pretending to be McDonald's CEO Nearly Cons Pennsylvania Restaurant Out of Thousands." It was written by Michael Hollan. So before we get to the story, Joe, have you ever actually met Ronald McDonald? 

Joe Carrigan: And I don't think so. I mean, maybe when I was very young, but... 

Dave Bittner: (Laughter) Yeah, yeah. 

Joe Carrigan: ...I don't think I have. 

Dave Bittner: Years ago, I was - when I was, you know, in the video side of the business, I was producing a story on a - like, a new nonprofit that helped kids in underprivileged areas. And as part of the open - grand opening event, Ronald McDonald was there. 

Dave Bittner: And I remember there was a reporter from The Washington Post who was trying to get a statement from Ronald McDonald. And the reporter was getting very frustrated because he said - the reporter said, so what is your name? And he said, Ronald McDonald. And the reporter said, yeah, I get it. But, like, what's your name? Ronald McDonald. OK, I - what is your name? My name is Ronald McDonald. 

Joe Carrigan: (Laughter) The guy was not breaking character. 

Dave Bittner: No, no. And that's - you know, that's the rule. If you're Ronald McDonald, you are Ronald McDonald. You're - you know? 

Joe Carrigan: Right. It's like... 

Dave Bittner: That's it. 

Joe Carrigan: It's like when you're in character at Disney, you do not break character in that role. 

Dave Bittner: Exactly, exactly. Now, the other story is I remember when I was - when one of my boys was younger and we were at the local McDonald's where Ronald McDonald's making an appearance. You know, he does a little magic show and so forth. And this Ronald McDonald had a very, very thick Baltimore accent, which... 


Dave Bittner: He looked spot on, but... 

Joe Carrigan: It was Jimmy Early (ph). 

Dave Bittner: Yeah, he was definitely the regional, local Ronald McDonald. 

Joe Carrigan: Right (laughter). 

Dave Bittner: So anyway, I bring all that up because I couldn't help thinking in my mind that these poor people at the McDonald's, the manager of this McDonald's, actually got a phone call from Ronald McDonald (laughter), and that's how he fell for the scam. You know, it's like - and he turns to one of his co-workers and says, oh, my God. You know - do you know who's on the phone? No. Who? The man himself. 

Joe Carrigan: Who? 

Dave Bittner: Ronald is actually on the phone. Are you kidding me? Yes, it's Ronald. What does he want you to do? He wants me to go across the street to the liquor store and buy a bunch of gift cards. Well, you got to do it. I mean, it's Ronald McDonald. 


Dave Bittner: Anyway (laughter)... 

Joe Carrigan: I don't think... 

Dave Bittner: That is not what happened. 


Joe Carrigan: It's very funny to imagine. 

Dave Bittner: Yeah, it is funny to imagine. But actually what happened was someone called a McDonald's and spoke to the manager and convinced this person that they were the CEO of McDonald's and got them to take money out of the till to the tune of about $4,000. And... 

Joe Carrigan: 'Cause McDonald's restaurants actually make a pile of money every single day. 

Dave Bittner: Oh, yeah. No, it's a great business. 

Joe Carrigan: Right. 

Dave Bittner: And this manager did it, went across the street to another store that sells gift cards, bought a bunch of prepaid gift or debit cards, only at the point where they were about to turn over the numbers realized that maybe something had gone wrong here... 

Joe Carrigan: Right. 

Dave Bittner: ...And reached out to, I believe, the FBI. And the scam was thwarted before they - the bad guys actually got the money. All's well that ends well. They got the money back. You know, the gift cards were canceled and all that sort of thing. 

Dave Bittner: But it was interesting to me because we hear about these gift card scams all the time, but I hadn't heard of someone focusing on a fast-food place like this. 

Joe Carrigan: No. 

Dave Bittner: Certainly, using this - claiming to be the CEO of McDonald's, I suppose, would add a certain amount of gravitas to the claim. 

Joe Carrigan: Right, right. 

Dave Bittner: I mean, not as much as claiming to be Ronald McDonald, but you know. 

Joe Carrigan: Right. That would... 

Dave Bittner: (Laughter). 

Joe Carrigan: That would be one that would get me. 

Dave Bittner: (Laughter) That's right. 

Joe Carrigan: I'd be like, oh, my. You got my attention now, Mr. McDonald. 

Dave Bittner: (Laughter) That's right. Free French fries for life (laughter). 

Joe Carrigan: Yeah. Normally we think of somebody - of this happening to somebody who might not have a lot of life experience. But this is a general manager of McDonald's. 

Dave Bittner: Yeah, not a small business, you know? 

Joe Carrigan: Right. 

Dave Bittner: Like, I mean, like you said, McDonald's - I mean, that's a - that is a busy - most McDonald's are busy businesses, handling lots of money. And, I mean, being a manager of McDonald's is a lot - a whole spectrum of responsibilities. 

Joe Carrigan: It is. And the fact that this person almost fell for this, I'm not really surprised by that because, like we said before, there are plenty of hooks that will work on just about everybody. And all that happened here was the scammer found the one hook for this manager that would work. And I guess he was insistent enough that the guy actually went through the process of taking money out of the till and going and buying gift cards. 

Dave Bittner: Yeah. All right. Well, it's, you know, a funny story only because I can't stop thinking about actually getting a phone call from Ronald McDonald. 


Dave Bittner: All's well that ends well. I'm glad the scammers didn't get what they wanted to, but it's another reminder that probably one of the biggest red flags, like a flare in the sky... 

Joe Carrigan: Right. 

Dave Bittner: ...Is if someone asks you to go buy any sort of gift card or anything. So... 

Joe Carrigan: Yup. 

Dave Bittner: You know, spread the word about that. 

Dave Bittner: That's my story. We'll have a link to that in the show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from a listener named Tarik (ph). Tarik writes, (reading) dear "Hacking Humans" podcast, after being a listener to your show for some months now, I might have something worthy of sharing. I usually blindly delete such emails, as they are apparent phishing, but I found myself in an interesting spot and recognized a new attack vector that just worked on me. 

Joe Carrigan: Ah, see? Tarik knows. These things - like I just said, these things will work on you, too. 

Joe Carrigan: (Reading) They are raising the stakes with not a single, but two gentlemen trying to reach me with a power of attorney and claiming authority that I was dead. That brought the game up a little bit. Therefore, in line with some of the other great literary achievements of this fine brand of email, "Hacking Humans" has just become the prize recipient of the Unlikely Phishing Hook of the Year Award, presented by the Institute of Questionable Intentions. 

Dave Bittner: Very nice. 

Joe Carrigan: I love that very much. 

Dave Bittner: Which of us gets to keep the award at our house? I guess we could switch weeks. 

Joe Carrigan: Yeah, yeah. We'll switch weeks. I think that's a good way to do it. That way we don't have to divide up the weeks, you know, the days... 

Dave Bittner: Right, sure, yeah. 

Joe Carrigan: ...And then every other Saturday. 

Dave Bittner: Yeah. 

Joe Carrigan: Just switch weeks. 

Joe Carrigan: (Reading) Wishing you all the best. Keep up the great show you put on at "Hacking Humans." 

Joe Carrigan: Dave, why don't you take it away? 

Dave Bittner: (Reading) Dear beneficiary, we wish to inform you that the power of attorney was forwarded to our office by two gentlemen regarding your unclaimed fund for $56 million. One of them is an American citizen, Mr. Robert Booter (ph), and the other is Mr. Bill Himberg (ph), a Swedish citizen. We be waiting for you to contact us since last year. 

Dave Bittner: (Reading) The document claims these gentlemen to be your authorized representatives, and the power of attorney states that you were already deceased. It further states that your death was due to (unintelligible) and your date of death is January 27, 2020. They have now submitted a new account to replace the receiving account that was in the original claim of funds. These funds have remained unclaimed for quite some time, and the need for resolution is pressing. Below is the account that they have submitted. 

Dave Bittner: (Reading) In the event that you are, in fact, still alive, we ask you to confirm your existence by responding to this email if you would view this as a matter of requiring immediate attention and response. We have 48-hour monitoring of all activities within Federal Reserve Bank. With this regard, you will be directed to our office center that you will go in person to sign the final papers. Because we have a payment center in Europe, Asia, America and Canada, you will go to any of the office that you will be directed with a copy of the accounts and your funds. 

Dave Bittner: (Reading) We have contacted the bank in the Sweden, and we asked them to wait for further directives from Federal Reserve Bank prior to authorizing any withdrawals in any form. Our request is based entirely on our team to verify that you are, in fact, deceased if our money is wrongly dispersed. Yours in service, Rutherford Steven Caplan (ph), the United States. 

Joe Carrigan: (Laughter) This is great. First off, can individuals open an account with the Federal Reserve Bank? I don't think they can. 

Dave Bittner: I don't think so (laughter). 

Joe Carrigan: I think the Federal Reserve Bank is a bank that only does business with other banks. 

Dave Bittner: Yeah, I think - yeah. Yeah, I think that's how it works, yeah. 

Joe Carrigan: Right. I like how they have 48-hour monitoring. So apparently they're trying to put a time horizon in there, but they kind of botched that sentence. So you... 

Dave Bittner: Right. 

Joe Carrigan: Normally, you say 24-hour monitoring so we know what's going on. Forty-eight-hour monitoring - what is that? I don't know - 48 on, 24 off? 

Dave Bittner: Yeah. 

Joe Carrigan: Thank you, Tarik, for sending that in. I appreciate it. 

Dave Bittner: All right. Well, that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Fleming Shi from Barracuda Networks. We were discussing travel-related phishing attacks. Here's my conversation with Fleming Shi. 

Fleming Shi: If you look at - the pandemic has gone through its - hopefully the full life cycle, but it's getting to the point where vaccines are available now, people are getting vaccinated. In the 2020 - in that year, last year, the major attacks that happened on health care - logistics, including logistics for PPE as well as to - all the way to vaccine poaching. All that happened. 

Fleming Shi: The next phase for the targets will be people who are getting back out there, really kind of enjoy the world, right? I mean, if you think about traveling through the holidays, I was pretty surprised how many people actually got on the plane and, you know, really tried to see their family, right? 

Dave Bittner: Yeah. 

Fleming Shi: I think cabin fever - people are getting really stuck for a long time, and so there will be a rise in bookings for hotels, mainly because people are getting ready to plan for their vacation. They really need it. 

Dave Bittner: Yeah, it seems as though there's a lot of pent-up demand when it comes to travel. As you say, people are having cabin fever. And so with that resurgence of activity in that area, what particular areas are you all focused on? What do you think the bad guys are going to target? 

Fleming Shi: You know, in 2018, '19, travel was already targeted, right? So if you remember, Marriott was attacked, like, two times in two years in 2019 and 2020. They were basically subject to data breach. Hundreds of millions of guests' private information were stolen. 

Fleming Shi: And if you think about that, if you - from attacker's angle, that's perfect storm. They can see - they can get the information, they can do mass, volumetric type of phishing attacks, or they can target somebody, and social engineering make even more trustworthy. So basically, having all that data out there, that includes information such as the travel behavior - where you like to go, including your maybe loyalty program information - if they want to craft something that is very trustworthy, they can do that pretty easily - right? - and they can fool people. 

Fleming Shi: Then, of course, that leads to impersonation of sites - could be a booking site or reservation system that looks legit, but behind the scenes, they're harvesting your credentials. I am pretty sure when they lost the data, they didn't lose all the passwords, but they lost email information, birthday information - all sorts, right? 

Fleming Shi: Birthday celebration type of situation - they could craft something that's very targeted or potentially more volumetric, as I mentioned. But the key there is when those crafted attacks happen, they will look real. And those credentials that was not stolen in the past, and it can be harvested through those phishing impersonation attacks. 

Fleming Shi: So once you lose your credential, then from that point on, you may lose access - what we call the takeover. Of course, in email terms, we would have a lot of solutions to protect you on that. But from the safe - you're just using a booking site or a reservation site, you lose your credential, basically, I think the attackers can get in there and further penetrate through your travel behavior and try to figure out your payment information. All that stuff can happen. 

Fleming Shi: The reason I want to provide the backdrop is, like, this is not just new this year. It's just going to be probably more well prepared for the bad guys to launch these attacks. 

Dave Bittner: Yeah. Well, what sort of things can consumers do? I mean, knowing that this is likely to be on the horizon here, are there some things that we can do preemptively to make sure that we're less likely to get hit by this sort of thing? 

Fleming Shi: Definitely. There's a few things you should be considering. First of all, this is for travel preparation stage, right? Once you get on the road, that's another set of things you need to worry about. But before you get on the road, I would say be very cognizant about clicking on links that offers really great deals that may not look real. 

Fleming Shi: Secondly, when you get to the site, if you don't have a password manager, I'll recommend really strong password. So password managers provide system-generated passwords, which is much harder to guess - right? - very random. You will still have the convenience of actually getting into the site. But if the reservation site has, like, multifactor or two-factor authentication, you want to utilize those features because passwords still can be stolen, even system-generated. 

Fleming Shi: So my thinking here is it's really important to, while you plan your trip, besides all the COVID pandemic-related things you have to worry about, really have to pay attention to where you're clicking, where you're going, check the certificates on the site. If you don't have a password manager, at least validate this is the site you're going to. Watch out for typo spotting, domains and basically impersonation that could be trying to get you to put in your password. 

Fleming Shi: The other element is be very careful of using same passwords while you're using travel reservation sites versus your bank account and other work-related - try to do your best to not cross them because... 

Dave Bittner: Right, right. 

Fleming Shi: ...If your password gets stolen, it can quickly turn into much worse problem - to getting to your bank, getting to your VPN, getting to your workplace. So, yeah, it is pretty important to really think through how you are handling the travel reservations. 

Dave Bittner: Now, you mentioned, you know, once you get on the road, there are things to be concerned about as well. I mean, if you can - I'm imagining being out there and maybe taking a road trip and, you know, stopping to get gas or get a snack, stop at a restaurant or something or, maybe if I'm flying, you know, stopping at the airport to buy things. Lots of opportunities here for folks to take advantage of somebody. 

Fleming Shi: Yeah. Yeah, definitely. You know, travel - it's definitely not just flying, right? If you go to the train, if you're doing any type of travel that takes a long time, there's waiting areas. And you have to watch out for Wi-Fi hot spots that might be also impersonated or fake ones because you know how it is. Like, when you'd go to a place when it was really safe, maybe before the pandemic or before cyberattacks were this prevalent and scary, people would, like, join some type of lounge Wi-Fi or any type of waiting area or free Wi-Fi, right? 

Dave Bittner: Right. 

Fleming Shi: So then your system ask you, do you want to remember this the next time you come in here? It's super convenient. You're already online. And you have to be very careful. So basically, before you travel, especially this year, just forget all the things that - all the Wi-Fi hot spots from your network list. Just make sure you delete them because those Wi-Fis, they don't have strong security. Somebody can create a fake Wi-Fi hot spot with the same name. It could actually end up you've been connected to a very adversary type of bad-intented (ph) hot spot, which they can monitor your traffic or packet or where you're going. So that's one thing to pay attention to. Wi-Fi hot spots are dangerous. 

Fleming Shi: I would actually, because LTE and the 5G is already here, if you can, just turn on Wi-Fi - maybe turn it off. And when you really need a Wi-Fi - let's say your laptop doesn't have SIM card or cellular capability or you don't have a MiFi or anything like that - what you can do is use your phone, create a hot spot throughout your 5G and let your own device connect to your phone, then go, then access the internet, right? 

Dave Bittner: Right. 

Fleming Shi: So, yeah, that way you avoid the situation where you will end up joining a malicious Wi-Fi hot spot. So I think that's one thing people can use. And the beauty is a lot of phones today is 5G capable. So I'm pretty sure if there is connectivity that the carrier provides - minus, of course, you know, watch out for your data plan. So with that, I think it's important advice, I think. 

Fleming Shi: And the final way, just like working from home, if you use your own laptop for work, I would recommend if your company don't provide it, somehow get a zero trust type of agent, a network access agent, down to your laptop before you travel. So that way, you're not just logging in to VPN, things like that (ph), but you are really limited as a minimal set of access so you can do a job, right? You don't want to have a full VPN turned on, and things can go bad because the whole IP C4 (ph) stack is open, potentially. So I think that's really important. 

Fleming Shi: Plus, most of the zero trust network access agents or solutions provides a posture measurement, constant monitoring of where you are. If you are on a - let's just say you missed a patch for your OS, operating system. It may actually shut the access off to a certain application (ph) you use for work. That will protect your workplace. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Very interesting interview, Dave. Do we think of travel as a vector for cyberattacks? I generally don't do that, but it's true that there's been a lot of attacks on travel organizations. Like, Marriott is a great example. 

Joe Carrigan: Affinity programs are a great way to collect data of value. And you may not think about this. One of the things I tell people when I'm speaking is that malicious actors have ways of monetizing just about everything... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...Things you would never think of. 

Joe Carrigan: I'm reminded of the story that you told about when you were at Walgreens, and the phone rings, and the person on the other end is just giving out phone numbers, and the clerk at the store is going, no, there's no balance on that one; no, there's no balance on that one either. Your thinking is these guys are just calling in with phone numbers and seeing who has a balance on their account so they can just go in and go, yeah, here's my Walgreens account number, and I'll take all this stuff for free. Thanks. 

Joe Carrigan: That's just an affinity program. It's the same kind of thing. You earn points when you shop there, and you can get free stuff from time to time or discounts off of things. There are other things like that, like there's - around our area, you can get discounts on gasoline at Shell if you shop at a Giant Food. So these things all have value to somebody. 

Joe Carrigan: Fleming makes a great point. He says that attackers may not have gotten access to password hashes in this data breach, but they have gotten enough information they can conduct very convincing phishing campaigns. So now it's just a matter of running the phishing campaign to get the passwords and then get access to someone's account. 

Dave Bittner: Right. 

Joe Carrigan: These attacks are not new, but because we're getting back to traveling again, these attacks are going to increase on the rise. This is the same thing we've been saying for years now, that these bad guys keep an eye on the calendar. They keep an eye on the social situations. They keep an eye on the news. They know what's going on. And they know where the market's by. 

Joe Carrigan: These guys are almost like stock investors, right? When hurricane season starts, people start investing in Home Depot for some reason because they think that there is going to be a big run on the Home Depot for the wood to board up your house. Or for when a major disaster... 

Dave Bittner: Sure. 

Joe Carrigan: ...Strikes, they invest in the lumber industry because they know that the... 

Dave Bittner: Right. 

Joe Carrigan: ...Lumber industry is about to get a windfall. These guys are doing the exact same thing. 

Joe Carrigan: Great advice to use multifactor authentication and a password manager. Fleming also talked about password reuse and gave a great use case of why that's bad. You know, if you're using your - the same password on your affinity program or your Marriott rewards points or whatever airline you fly, and then that gets phished and you use that same email and password on your bank account, they're just going to credential-stuff that set across all the financial websites. So if you do, they're going to find it. It's automated. They probably already have a script that does that. 

Joe Carrigan: And then Fleming talks about not using public Wi-Fi and deleting these Wi-Fi networks saved in your computer, in your mobile phone, and just, instead, use your mobile phone hot spot. I activated this on my account a few years ago, and I have never looked back. 4G LTE is faster than my first three high-speed internet connections. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: Right? So - and it is more than fast enough. I'm doing this podcast on a 4G LTE connection right now through my hot spot on my phone. It is plenty fast. I've gotten in the past 68 megabits per second on the T-Mobile connection, and that cost me about 10 bucks a month. 

Dave Bittner: Right. 

Joe Carrigan: Well worth it. Well worth it. So whatever - whoever your mobile provider is, get the mobile hot spot activated on your phone, and then just use that. And you really don't have to worry about trying to use public Wi-Fi anymore. 

Dave Bittner: Yeah. No, good advice. And again, we appreciate Fleming Shi for taking the time for us. 

Dave Bittner: And we appreciate you all for taking the time to listen to our show. 

Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.