Hacking Humans 4.8.21
Ep 142 | 4.8.21

Finding targets of opportunity.

Transcript

Peter Warmka: I think people are not even aware of how effective this sort of advanced social engineering spearphishing attack through social media can be.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. Later in the show, my conversation with Peter Warmka. He is the founder of the Counterintelligence Institute. 

Dave Bittner: All right, Joe, before we hop on to our stories here, we've got some follow-up, evidently? 

Joe Carrigan: Well, it's not some follow-up; it's just a weird thing that happened to me yesterday as I was sitting here in my office at home. 

Dave Bittner: Yeah. 

Joe Carrigan: I got a phone call from a private number, right? And I'm like, all right, finally, I'm starting to get these phone calls. 

Dave Bittner: (Laughter). 

Joe Carrigan: Last week, I got a phone call that said, press one to speak to a federal agent, but I couldn't get to it fast enough because my screener had already stopped it from bothering me. But I wanted to mess with those people. But this one I answered, and I said hello, and immediately there was an automated voice that said something - it was an Alexa command. It was like, Alexa, ring phones or bring phones. I couldn't understand exactly what it was saying. But I don't have an Alexa device in my house. I had it on speakerphone, but if I had an Alexa device, it would have issued that command to my Alexa device from my phone. 

Dave Bittner: That's weird. 

Joe Carrigan: And I don't know where the end game is here. 

Dave Bittner: Huh? Yeah. Ring phones - what does that... 

Joe Carrigan: Yeah, I don't know. 

Dave Bittner: And then - that is weird. I'm just trying to think of possibilities. Could it have then played some DTMF tones or something? Like - (laughter). 

Joe Carrigan: I don't know. 

Dave Bittner: Who knows? Huh. All right. Well, that's a weird one. I haven't heard of that one. If anybody knows what's up with that, drop us a line there. 

Joe Carrigan: Yeah, let us know. 

Dave Bittner: You can write us to hackinghumans@thecyberwire.com. That's a new one to me. 

Dave Bittner: All right. Well, let's dig into our stories here this week. I'll start things off for us. This actually came across on Twitter. This is from a Twitter user named Jake. His handle is @jcybersec_. And he is a security researcher. He says he's an expert in credential phishing and phishing kits. Seems like he is from Australia. So he writes on his - it's a thread on his Twitter account. He says, this is a new scam for me - flower shop scams. So you buy flowers from fake flower shops. At first glance, it seems like a standard sort of online scam, right? Somebody spins up a flower shop, a website that seems to be a flower shop, you go and you place your orders for flowers, but there's no flowers.

Joe Carrigan: Right. 

Dave Bittner: (Laughter) There's no flower shop. And I think a lot of us, again, particularly with the pandemic, we're doing more shopping online, but I think flowers is an area where we were already used to shopping online - you wanted to send flowers to a friend or a loved one. But what really struck me about this that I hadn't considered before is that there are situations in which if you buy flowers and send them to someone, chances are you're not going to follow up on that to make sure they got them. 

Joe Carrigan: Yeah. 

Dave Bittner: For example, if someone passes away and you send flowers to the funeral home, right? 

Joe Carrigan: Right. 

Dave Bittner: That's a sort of a standard thing to do here in the U.S. I'm not sure what the custom is around the world. But here, if you have a loved one who passed away, depending on what religion you are, what faith you are, it's pretty common to send flowers to the funeral home. Well, I'm not going to follow up with the person who lost their loved one and say, hey, did you get the flowers? How - did you like the flowers? 

Joe Carrigan: (Laughter) Yeah. 

Dave Bittner: Went all out with those flowers. Pretty nice, huh? 

Joe Carrigan: Yes. Cost me a lot of money for those flowers. You better appreciate them. 

Dave Bittner: Right (laughter). It's not how it's done. 

Joe Carrigan: No, no. 

Dave Bittner: And these scammers are taking advantage of that because you buy what you think are flowers, you think they're getting sent on their way, you get charged for the flowers, but if - the flowers never show up, but there's no follow-up here. The custom is to not follow up. 

Joe Carrigan: Right. 

Dave Bittner: And I think that's a fascinating wrinkle here. 

Joe Carrigan: It's the perfect crime, Dave. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: It's 100% profit. It's a great - you know, you take the money. You don't run because there's nowhere to run to, right? And you just sit there, and your bank account grows fat. 

Dave Bittner: Right. Well, Jake, the researcher here who is looking into this, did some digging into this. And he has some technical details about why he believes that this is a whole series of websites that have popped up all around Australia. Interesting - he lists some of the websites, and they have names like Royal North Shore Hospital Flower Delivery Dot-Com EU, Royal Park Flower Delivery, Royal North Shore Flower Delivery, Atlantis Flowers, Flowers Sydney. So these all sound like legit floral websites, but they are not. 

Joe Carrigan: Yeah, I'm looking through the Twitter feed, and they all look like legit floral websites. 

Dave Bittner: Yeah. No, I mean, the websites themselves, they look good. Jake has found some technical indicators that makes him believe that they're not, some similarities between them. He's curious if other researchers are seeing this around the world. But it seems like something that would be fairly easy to spin up, even in an automated way, where you could go region by region and spin up these sites targeting folks in certain areas - a little SEO and, you know, Bob's your uncle, right? 

Joe Carrigan: Right. Exactly. 

Dave Bittner: You know, if you're going to be out there buying flowers, first of all, go with the big names (laughter), the ones you know about. But also, call your local florist. 

Joe Carrigan: They actually contract with smaller florists locally, the big names. So... 

Dave Bittner: Right. Right, exactly. But that was my point, is - you know, call your local florist because chances are they're part of one of the floral networks. Like, FTD is one of the most well-known ones. 

Joe Carrigan: Right. 

Dave Bittner: But there's a handful of them. And if you call your local florist and order through them, it may cost a couple more dollars, but your local florist is going to make a little bit of money. It's going to get sent through the system. A local florist on the other end is going to make some money. So you're helping small business owners. And hopefully in your own community, especially during, you know, difficult times of COVID and so on, go that way with a trusted source who's close to home. Now, I guess the flip side of that is that, you know, these websites are trying to look like local florists. 

Joe Carrigan: Right, right. 

Dave Bittner: (Laughter). 

Joe Carrigan: But if you do a Google search, you're going to find these sites. But if you search for local florists and call them, chances are these people aren't manning phones. They're just collecting credit card information and charging your credit cards. 

Dave Bittner: Right. 

Joe Carrigan: Dave, there's something I haven't seen at my house in a long time, and I don't know if I could even still get it. But I don't have a phone book here anymore. For those of you who may be too young to remember - to know what a phone book is... 

(LAUGHTER) 

Dave Bittner: It was a - they delivered a doxxing manual to everyone's house every year. 

(LAUGHTER) 

Joe Carrigan: Every year, right? And you had to pay to not be in it. 

Dave Bittner: Right (laughter). 

Joe Carrigan: That was the White Pages you had to pay to not be in. But the Yellow Pages you had to pay to be in, right? You had to pay to put your ads in there. But the Yellow Pages also had a listing. We used to say, go look in the phone book. People would pay to put - a lot of money to put ads in the phone book. I don't even know if it's still an option anymore. I'll have to look into that. 

Dave Bittner: They exist, but you don't automatically get them dropped off at your house anymore. I think it's really become a thing of the past. That business has fallen by the wayside, and all that money is going towards online advertising. But yeah, I mean, that was a lucrative business to be in for a long time, the Yellow Pages. You know, it was a useful thing to have in your house. Everybody - it's how you did a lot of shopping for things that you didn't buy every day. But... 

Joe Carrigan: It was a resource you'd go to when you didn't have the Internet. 

Dave Bittner: Right. Right. And then - and yeah, when you were on your way to school in the snow uphill both ways... 

(LAUGHTER) 

Dave Bittner: ...In your bare feet. You could stuff your shoes with pages from the phone book. 

Joe Carrigan: Right. That's right. 

Dave Bittner: Ah, Joe, we're old. 

(LAUGHTER) 

Dave Bittner: All right. Well, that is my story. We'll have a link to this Twitter thread from Jake. You can check out if you're interested in some of the technical indicators that he's pointed out there, it's interesting stuff. Joe, what do you have for us this week? 

Joe Carrigan: Dave, there has been a lot of talk in the political arena, and I don't mean to get political. I'm just - I'm not saying I'm in favor of anything or opposed to anything here. I'm just talking about what the facts are. There are talks about student loan forgiveness. A lot of people say, we have a lot of student loans. We want them forgiven. And some people are saying, well, let's see what we can do about that. And that is, of course, an item in the news. And that means that there are going to be scams built around it. And the studentaid.gov website has an article on student loan scams. 

Joe Carrigan: And it starts off with, imagine you're a person sitting there. You've got some student loans. And someone calls you on the other end of the phone. They're saying, hey, we can help pay off your student loans or get them absolved or forgiven. And while there are ways to get your loans forgiven or canceled or discharged, chances are you're probably not eligible for these things. So chances are what you have on your phone is a scam. In fact, the Department of Education will never actually call you and say, hey, we got the opportunity to eradicate your loan debt. No loan servicer is going to call you and say that. The only people that are going to call you and say this are scammers. If you think you're eligible for some manner of loan forgiveness, you're going to have to initiate that. 

Joe Carrigan: The first thing to look out for is if you're asked to pay an upfront cost or monthly fees. A student loan debt relief company asks you for payment in exchange for navigating student loans. They're asking for you to pay them for something that you can do yourself, if this is possible. If you're having a hard time making your monthly payments, the servicer can work with you to switch to a more affordable payment plan at the time. And, usually, there's no cost associated with that. It's part of the program with these student loans. When you're given a student loan, the lender who's actually lending the money has a list of restrictions that they have to follow, a list of requirements, actually. Really, the reason that these student loans are made at such low interest rates is because in the event that you do default on them or you - or something happens, the government will reimburse the lender. So the government doesn't make all these loans out. They actually have servicers. And this debt is bought and sold on the marketplace. There are rules about how these loans work. Generally, a lot of these plans which allow you to switch from one to another happen at no cost. 

Joe Carrigan: Second, if you're promised immediate loan forgiveness, no one can promise that. Total student loan forgiveness or cancellation from some loan debt relief company is not a thing. Most government forgiveness programs require many years of qualified payments and qualifying employment in certain fields before they can be forgiven. For example, if you work as a teacher in certain situations for five years, that may qualify you for loan forgiveness as a means of incentivizing people to become teachers. 

Joe Carrigan: Finally, they say you should never provide your FSA ID or password. Nobody's going to ask you for this. If someone is asking you for this, then they're scamming you. There's no probably about it. There's no reason for you - the FSA is the Federal Student Aid. A lot of these scammers will be trying to get this information. I don't know what benefit it provides them. Maybe they can use that to game some system to get money out of it. I'm not sure. One of the things they say is that if you share this information or, God forbid, sign a power of attorney with these folks, this debt relief company, you're giving that company the authority to take any action they choose and make decisions for you on your behalf. And if the debt relief company collects fees from you but never actually makes the payments on your behalf, guess what? You're still responsible for that money.

Dave Bittner: Right, right. 

Joe Carrigan: So just by handing it off to some kind of debt servicer that works on your end - right? - some debt relief guy or organization, whatever - that doesn't absolve you of your responsibility to pay. And if they don't pay, you're still on the hook for that money. 

Dave Bittner: Yeah. It's interesting, but it's also, I think, a little complicated because there are legitimate debt relief companies out there. 

Joe Carrigan: Yes. 

Dave Bittner: You know, there are companies who do help people who have gotten in a bit over their heads when it comes to things like - it could be student loans. It could be credit card debt, whatever. And they will go and negotiate with the folks that you owe money to and try to lower the amount of interest you owe or things like that. Basically they'll come up with settlements... 

Joe Carrigan: Right. 

Dave Bittner: ...And some sort of payment plan. They take a piece of those fees. That's how they do their business and how they make their living. And there are companies who do that legitimately, but this points out that it's an area where there's a lot of scammers. 

Joe Carrigan: If you have a student loan that you're not able to pay, there are things you can do, and it's not hard to do them. 

Dave Bittner: I suppose part of this, too, is, you know, be wary if someone's calling you out of the blue. If this is something where you think you need some help with your debts and you can go find a legitimate company who has a good reputation, reach out to them, and see what your options are. But if someone's coming to you out of the blue and saying, good news... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Your debt will be gone, boy, that's a big red flag, right? 

Joe Carrigan: It should be a big red flag to everybody. Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Absolutely. 

Dave Bittner: All right. Well, we will have a link to that in the show notes - good information there. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Andrew (ph), and he has an email about a subscription renewal. You want to take it away? 

Dave Bittner: All right. It goes like this. (Reading) Hello. Professor North's department has renewed your service for the period of five years, and the renewal charges - $897.74 - has been debited from your bank account. It should reflect in your bank account within two to three working days. Here are your purchase details. Product name - Unlimited Technical Support for Computer/Printer/Router. Total amount - $897.74. Order status - delivered. This is a recurring charge. We'll continue to charge you $897.74 inclusive of applicable taxes until you cancel. You'll be notified before any future price changes. We'll charge you for the next subscription period three days before your renewal date. You must cancel before then to avoid charges. Cancel any time. Call our support section. Wish to cancel? Be in front of your computer, and call our support section immediately, and follow the instructions. In case you have found line busy, then please leave a voicemail mentioning your name, phone number. Our executive will call you as soon as possible. Please ignore this email if you wish to continue your service. Thanks and regards, Byron A. Drew, senior management of department. 

Dave Bittner: What's going on here, Joe? 

Joe Carrigan: This is essentially the same kind of thing that goes on with the tech support scam - right? - where they call you and tell you you have a virus, except the hook here is, hey; we've already debited your account for almost $900. And if you watch your account for the next two or three days, you're going to see it move out. You don't want that to happen, right? So you immediately call this number, and they say, well, in order for you to cancel your service, we have to get on your computer and make sure you're not using our software anymore. 

Dave Bittner: Oh. I figured they would say, we just have to verify your credit card information, so just read that out to us... 

Joe Carrigan: Right. 

Dave Bittner: ...Just to make sure we've got it right. 

Joe Carrigan: That could also be part of it. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: The tell for me here is, be in front of your computer, and call our support section immediately. 

Dave Bittner: Yeah, that's right. That's a good point. Yeah, yeah, yeah. 

Joe Carrigan: And follow the instructions. I'll bet... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That's what happens if you call this number. 

Dave Bittner: All right. Well, our thanks to Andrew for sending that in. That is a good one. We would love to hear from you. If you have a Catch of the Day or a question for us, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Peter Warmka, and he is the founder of an interesting organization called the Counterintelligence Institute. Here's my conversation with Peter Warmka. 

Peter Warmka: If you look at the different threat actors, they could be pursuing various objectives. It could be the theft of proprietary information. It could be trying to steal customer information or employee information that's transactional. The information would be sold on the dark web. Or it could be trying to install ransomware or to utilize business email compromise, or it could be for even sabotage. So there's a number of different reasons, motivations of different threat actors and what they are trying to accomplish. But the commonality here with my previous career and what I see is that frequently insiders are leveraged to actually affect the breach. 

Dave Bittner: Take us through that. I mean, when you were working for the agency, what sort of techniques did you use? 

Peter Warmka: Back then, it was much more challenging in the sense of being able to find those insiders because we would typically have to try to go - well, we call it trolling, getting into the pattern of life where prospective insiders might be, where we could find them, where we could run into them and strike up a conversation. For example, there's attending different associations or clubs where they might be, cocktail receptions, trade fairs or conferences and finding those targets of opportunity.

Peter Warmka: Of course, the golden grail would be if we were able to get an organizational chart of our target organization and be able to identify the names and positions of people and then speculate on what type of access they might have within that organization and then try to directly target them. That's very different these days with the internet and social media because... 

Dave Bittner: Right. 

Peter Warmka: I can go out now - I mean, you can imagine how time-consuming that would be, trying to just get into the path of a prospective insider. Here, now I can go ahead, and I can get on the same in any number one of sites. But LinkedIn is very good for this. 

Dave Bittner: Right, right. 

Peter Warmka: Get on LinkedIn. If you go up to the upper left-hand search bar, you can search for individuals. I mean, you can look for different individuals or companies or organizations. But let's say you're searching for individuals. You fill in that search category with the name of the organization and whatever position you're looking for. Let's say receptionist or IT administrator or CFO. With some of these really large companies, you're going to get a lot of hits because you're going to get both current - people currently in that position, as well as people that previously worked for that company and maybe are no longer there.

Peter Warmka: But you can easily then increase the parameters and be able to look for individuals by geographic location, be able to put current position and the name of the position there. You can look for individuals who had also, perhaps, graduated from a particular university or who are members of associations. So I can whittle that down to a very manageable list of initial target insiders to then go on to the next step of being able to assess them of whether or not they might be viable. 

Dave Bittner: And I suppose, I mean, that's something, as you say, you know, we see the threat actors doing today. But they can do it at a much higher velocity with tools like LinkedIn. And, gosh, I mean, so many companies basically put an org chart on their website. 

Peter Warmka: Exactly. And, I mean, everybody puts that information out there. And you're right. The velocity is much more efficient. And a big part here is in the older days, I would have to approach somebody. And I would show my face - right? - and my name. Even if I were using an alias, it would be giving an identity on my part. And when I'm searching for insider candidates on LinkedIn, I don't have to approach them. I don't have to identify myself. I can identify them and then begin the process of collecting information on them without them even knowing that it's happening, without exposing my name or my face, et cetera. 

Peter Warmka: And, like, in the old days, once we would identify a potential insider candidate, we would have to try to find a way to get them out of the office, to get them out of the - to be able to be with them one on one to collect information on them. It might take several meetings to really get an entire resume or biography on them to consider - compared to now, on LinkedIn, I get their biography in seconds. And so you have to get a hook into them, a reason for them to meet with you, some pretext, and slowly gather that type of information.

Peter Warmka: But now I can go - as soon as I identify prospective candidates, I can go on social media. And, you know, there's a tremendous amount of different platforms. And I can begin to collect on individuals predominantly using LinkedIn, Facebook and Twitter, for example. With LinkedIn, what do I learn? I learn about the academic, work experience, their career aspirations from them, as well as the influencers they identify, what certifications and licenses they have, their affiliations with associations, their volunteer work, their network of contacts, et cetera. Facebook - very useful, another optic, but very revealing, hobbies, interests, the sports teams they follow, the music genre they like, favorite foods, travel. Where have they traveled to in the past? Who have they traveled with? What's their socioeconomic status?

Peter Warmka: They say pictures are worth a thousand words. And pictures are very useful for us to get a good feel about someone's socioeconomic status. Then see other close friends and family members, et cetera. Then I can go onto Twitter. Once again, very useful - I can learn about their pattern of life. What I mean by pattern of life is, where do they tend to go other than to their residence or to work, you know? Many people begin to tweet on their way to the gym or on the way to the cafe or on the way to the bar to meet up with friends. I can learn about what their pattern of life is because that can be useful for me later if I want to run into them by chance, OK? I can learn about their political leanings, their ideology, the religious convictions, the things they like and the things that are their pet peeves, et cetera. I mean, I can learn all these things just by visiting some of these social media platforms.

Peter Warmka: And, of course, the individuals that don't tend to put themselves out there, I will discard them. I'm looking at individuals who have put that information out there for me to harvest because that's going to be useful for me. Just like organizations, if there's not much information there, I'm going to move on to something that's going to be easier. I'm going to move on to...

Dave Bittner: Right. 

Peter Warmka: ...Prospective insider, also where I can get that information from, because my goal then is to establish a personality assessment profile on prospective insider candidates because I want to identify what might be their motivations and vulnerabilities that I can leverage as a social engineer or human hacker to manipulate them. So for example, motivations, we all have them. What gets us out of bed in the morning? Perhaps, that's money, the accumulation of money and what money can buy - could be family, the welfare of your parents, your siblings and your children - education, education for yourself or education for your children.

Peter Warmka: Career progression is very important for some people - a better home, a nicer home, bigger home, better location, luxury goods, sports cars, artwork, jewelry or other status symbols - perhaps, desires and wants, you know, dreams of traveling someday, having their own business, for example. Altruism - volunteering for a cause that could be of importance to them and feel empathy. Mentoring, coaching are sometimes very significant. Ideology can be very - in some parts of the world, ideology is really, really a strong motivation if we talk about, you know, capitalism, socialism, communism, extremism. Religious convictions can be, for some people, very strong motivators. Politics, as we see in this country sometimes, you have conservative, liberal, political party supporters, et cetera. While these motivations are considered positive factors, vulnerabilities are usually considered weaknesses. However, for a social engineer, when we're trying to manipulate an insider target, they can also be extremely powerful for us to leverage. And those vulnerabilities, for example, of course, the first one on the list is money. And we're not talking about an abundance of money. We're talking about severe financial duress.

Peter Warmka: Think about these last months here, ever since the COVID epidemic, even though you're in an organization, you may have retained your employee, but maybe that employee's spouse or some other family member that lives in that household may have lost their job. So it doesn't mean that the employee has no financial concerns because there could be an imbalance now between what they have traditionally brought in as revenue and now their expenditures. So all of a sudden, they feel that stress, that financial stress. And that can be really powerful because when people suffer financial stress, that creates a lot of problems in relationships, in the home place, et cetera. 

Peter Warmka: Monetary is important. Then there's a number of other things that can be sometimes even linked to it - gambling, other addictions, gambling, drinking to excess, drinking leads to family, social problems, health issues. It also lowers the barrier to elicitation, so that if we know somebody likes to drink and tends to drink a lot, we get them liquored up a bit, and it's very easy to begin to get them to talk... 

Dave Bittner: Singing like a canary, right? (Laughter). 

Peter Warmka: That's right. 

Dave Bittner: Well, let me ask you this. I mean, we talk here a lot about educating your employees, you know, using things like anti-phishing awareness, you know, those sorts of things. Are there social engineering methods that you track that are just - the ones that are particularly hard to inoculate people against? 

Peter Warmka: You mentioned phishing. Phishing seems to be like the No. 1 on the list that a lot of entities now are trying to focus on. But it's - pretty much the focus is on that basic phishing, where you get someone that will send out an email to thousands of people, the same email with a link that they want to entice you to click on to or an attachment they want you to open. And so those are pretty standard. People still fall for them, but professional social engineers are going to take it one step higher. They're going to be focusing on spearphishing. 

Peter Warmka: If we're looking at the average cost of a data breach for U.S. organizations of being upwards of $8 million I think last year, they can spend a considerable amount of time to really tailor their attack and spearphishing for - against a specific individual in the organization. And once they have researched them through social media, they can pretty much figure out exactly what type of email to send to them, where even if that person had basic phishing awareness, they're not going to think that this is a phishing attack. They're going to click on that link right away or open that attachment because we're pushing the right buttons to motivate them, OK, and gain their trust. So it's very, very easy. 

Peter Warmka: And I think an area where a lot of people don't think of - we talk about phishing - it's not just an email that can carry a link or an attachment. On a lot of these social media platforms, like on LinkedIn, Facebook, if there is a messaging application within this platform where you can send a message to somebody, that same message can hold that link or that attachment. It's the same thing, but it's so much more effective. Think of you receiving a cold email from someone. You never met this person. There's an email. And you're - first of all, it might not draw your attention. You might not trust it so much. 

Peter Warmka: But if someone approaches you on LinkedIn, first of all, to ask to be your connection, most people, even though a lot of people say, no, I don't accept invitations from people I don't know, so many people, so many people will accept an invitation without even looking at the profile. I am amazed. But, I mean, I run a number of tests on this. I use LinkedIn and other social media platforms that allow you to create avatars for this purpose of really trying to educate people on how susceptible they are.

Peter Warmka: Typically, before I go out to give a presentation to a corporation, I will find out who is going to be the attendees in advance. And then I will use an avatar. I will send that avatar to invite them to connect. And the vast majority of people who I target will accept. And then I might exchange a message or two. And then I have that avatar actually send them a message that's going to have an attachment and then ask them to review this attachment. There's a lot of different reasons I might give for why I want them to open the attachment and give me their feedback. But people are typically trusting, and they will want to help out. 

Peter Warmka: So a lot of those individuals will open that attachment. Of course, in my case, it's not malicious, but it will simulate a malicious attack because people are just so readily trusting, especially when they see a picture. I mean, the avatar does - it's a fictitious account. The picture is borrowed from somebody. It can even be a computer-generated picture. The profile can be built in a matter of a few minutes. And a profile can include some things that we know that create a bond with the target, perhaps the same career path, the same university where the target has gone. I mean, you can just create this thing to match what you know is going to be of interest to the target. So these things are so easily created. And there's not enough discussion on this. I think people are not even aware of how effective this sort of advanced social engineering spearphishing attacks through social media can be. 

Dave Bittner: It's really challenging, I think, because you don't want to find yourself going through life being overly cynical, but at the same time, you have to have your guard up. 

Peter Warmka: You absolutely do. I throw out a motto or a slogan that I really believe in, and it's a real simple thing to remember, and if you follow this, it will really help prevent falling victim to the vast majority of social engineering attempts because think about it - we are social engineered not when we go out and try to contact somebody for information; we're socially engineered when we are approached. We are approached, whether it's by email or a message on social media or perhaps it's a text message or maybe it's a phishing call, someone calling into us, or someone even approaching us, face to face. We are being approached, and we're blindly trusting in that individual, and many times we'll comply with the request. If we turn this around now and think about when I'm being approached, if I attempt to first verify then trust, that will alleviate that type of danger. 

Peter Warmka: A lot of people say, well, OK, trust and verify. But in the case of this world, when we talk about hacking, it's too late. If you trust it and then later you want to verify, no, the damage has already been done. So I threw that slogan out a lot - trust, then verify. And I think just keeping that in the back of your mind, it's not being overly paranoid; it's just being prudent. It's exercising tempered trust. I think that's - it can go a long way to helping individuals protect themselves, as well as the organizations they work for, against these types of hacking attempts. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, I like it when we have people who have retired from the intelligence services on here. It's - I find these some of - to be some of the most interesting interviews that we have. Long-time listeners of our podcast will hear a lot of what we've been saying on this podcast in what Peter had to say, and I like to hear that because it says to me, OK, at least we're on the same page - right? - that what we're saying is important to know. It's important to understand - Peter's perspective and what he's talking about is how to target people. And targeted attacks are much more effective than the wide-net attacks. You have more time to do the reconnaissance. You can really tailor how you're going to attack somebody as an adversary. 

Joe Carrigan: And social media has made this targeting of people so much easier. LinkedIn is great for reconnaissance, and Peter talks about that. You don't know that it's happening, which is interesting, right? I guess you can pay for the premium version of LinkedIn, but even then, if I set up some fake account - right? - you're not going to know who I am. You're going to see that somebody looked at your profile, but that happens thousands of times a week or a month if you're... 

Dave Bittner: Sure. 

Joe Carrigan: ...Particularly if you're an executive. You're not going to be able to weed out the noise. And with the resource of LinkedIn, an adversary doesn't need to - what they call burn their face - right? - to gather this information. Like he was talking about in the old days, you used to have to go out and meet people, right? 

Dave Bittner: Right. 

Joe Carrigan: And in order to gather that information, you might have to have a team of people who interact with the target multiple times. And you can't have the same guy show up repeatedly because then the target will get suspicious. That's not a problem anymore. You never see me. It means it takes fewer people to do the reconnaissance, and it can happen in a much more efficient manner. In this interview, it's great to hear yet another reason not to talk politics on social media. I have my opinions about why you don't talk politics on social media, but your strong political beliefs can be used against you if someone's targeting you, right? But it's very easy to just approach somebody and go, you know that political topic you're talking about? You're so right about that, right? How does that make people feel? Oh, I like the person talking to me here, right? 

Dave Bittner: Right, right. Instant rapport. 

Joe Carrigan: Exactly, exactly. The same with religion. I don't make any religious posts on my Facebook or Twitter. I just stay away from it. Doesn't matter what religion you are. Even if you're a devout atheist, that can still be used against you. Financial duress is a big vulnerability. It impacts a huge portion of your life, and it really makes you miserable. One of the things to remember is your financial problems are small potatoes to a state entity, right? This is how people get compromised. You know, in the U.S., when you apply for a clearance, one of the things they look at most closely is your financial health. And if you have a lot of debt that's running behind, they know that puts a lot of pressure on you. And foreign adversaries know that, too. And they know they can afford to pay off your debt. It's not that much money. Verify, then trust - or as he puts it, also, exercising tempered trust. 

Joe Carrigan: The original saying was trust but verify. And it was popularized in the U.S. by Ronald Reagan, and it's actually a Russian proverb. Reagan was using it in arms limitation talks for the INF treaty with Mikhail Gorbachev. And it's a fine philosophy in nuclear disarmament treaties, right? It's a terrible philosophy for the day-to-day operational security that we have to do. And Peter's saying verify, then trust is the way we should be doing things. Don't trust inbound calls. Don't trust emails, especially emails that ask you to change things that - or violate process or do something out of the ordinary. That requires a verification of some kind. 

Dave Bittner: Yeah, yeah. All right. Well, again, our thanks to Peter Warmka for joining us. The organization is the Counterintelligence Institute - worth a look if you're interested in that. 

Dave Bittner: That is our show. We want to thank all of you for listening. We also want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.