Asaf Cidon: [00:00:00] You really want to make sure that you have multiple different layers of defense that are orthogonal to each other. And so if something does get through, one of the other ones can help.
Dave Bittner: [00:00:11] Hello, everyone, and welcome to the CyberWire's Hacking "Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm David Bittner from the CyberWire. And joining me, as always, is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:32] Hi, Dave.
Dave Bittner: [00:00:32] We've got some interesting stories to share. And later in the show, we've got Asaf Cidon. He's from Barracuda Networks. He's going to share some of the trends his team is seeing when it comes to phishing and social engineering. But before we get into all of that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:00:51] So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.
Dave Bittner: [00:01:19] And we are back. Joe, before we jump into our stories, we've got some follow-up from a listener.
Joe Carrigan: [00:01:23] Ah, very good.
Dave Bittner: [00:01:23] A listener named George wrote in. The last week, I believe, we talked about some issues with Office 365 - people who are getting phished. And George wrote in and said, if the Office 365 business, enterprise or government subscriptions have O365 Advanced Threat Protection established, the phishing attacks should be mitigated. All links sent via email to the subscriber would go through the O365 link washing machine to determine if the URL is malicious or not. Once the subscriber clicks or taps on the link, it would either go through as normal or a landing page would show up indicating that it is malicious. So ATP, this Advanced Threat Protection, provides an additional layer of security, and it does not in any way diminish the need for phishing social engineering security awareness training. So interesting. This is kind of that, you know, predetonation thing that I like to think about where they automatically look at the link, take it off somewhere off in the middle of a virtual desert...
Joe Carrigan: [00:02:21] Right, an open field.
Dave Bittner: [00:02:21] ...Right - an open field, you know, blow it up to see what happens. And only then do they feed it to you after they've made sure that there's nothing wrong with it. So good information. Thank you, George, for sending that in. Sounds like a nice additional layer you can have on top of your Office 365 stuff there.
Joe Carrigan: [00:02:38] Defense in depth - it's always a good thing.
Dave Bittner: [00:02:39] There you go. There you go. All right. So let's dig into our stories here.
Joe Carrigan: [00:02:43] All right.
Dave Bittner: [00:02:44] Joe, I have a confession to make. This is a true story. This happened to me.
Joe Carrigan: [00:02:51] OK.
Dave Bittner: [00:02:51] I was driving home from work one day. It's about a year ago, driving down Route 95 out of Baltimore.
Joe Carrigan: [00:02:57] Right.
Dave Bittner: [00:02:58] And I come to the exit ramp that leads to where I live. And over on the exit ramp, I see someone - there's a vehicle pulled over to the side. It's a minivan. And there's a gentleman standing next to the van, and he's waving his hands frantically trying to get me to pull over and help - so I do. I'm a gentleman. I do. I pull over. He comes up to the car. I roll down the window. He says, thank you so much for helping. I'm out of gas. My wife and child are in the car there. Can you help? And I said, well, certainly. I'd be happy to help you. I said, I tell you what. Why don't you get in the car? We're just a mile or so away from a gas station. And I'll drive you there. We can get you some gas. I'll drive you back. You'll be on your way.
Joe Carrigan: [00:03:44] Right.
Dave Bittner: [00:03:44] And he says, no, no. I can't do that. I don't feel right leaving my wife and child behind. He says, I tell you what. He says, let me give you some of my jewelry. Give me some money. Give me $20.
Joe Carrigan: [00:03:58] Right.
Dave Bittner: [00:03:58] And let me give you some of my jewelry. That way you'll know that I'll pay you back. And I said, well - I said, sir, you're in need. I don't need your jewelry. I said, here. So I gave the guy $20. I wished him well...
Joe Carrigan: [00:04:12] Right.
Dave Bittner: [00:04:12] ...And went on my way feeling good about myself that I'd stopped and helped a fellow man.
Joe Carrigan: [00:04:18] Yes.
Dave Bittner: [00:04:19] So time passes. And I'm sitting home. And I see a story come on the local news, and it says exit scammers.
Joe Carrigan: [00:04:29] (Laughter).
Dave Bittner: [00:04:29] Police are looking for information on a sudden uptick in people who pretend like their cars are disabled at the side of the road. They try to get you to give them money by offering you worthless costume jewelry.
Joe Carrigan: [00:04:45] Right. Right. (Laughter). You're going, this sounds vaguely familiar.
Dave Bittner: [00:04:46] (Laughter) Yes. Yes. I'm going, ugh. Because I'm sort of going through the stages of denial of going, well, maybe it wasn't. And then they say, and they do this. And I'm like, yeah, yeah, that's exactly what he did. Exactly...
Joe Carrigan: [00:04:56] (Laughter). And here's a picture of him. Aw, that's the guy.
Dave Bittner: [00:04:57] (Laughter) Yeah, exactly, right. So sure enough, I got scammed.
Joe Carrigan: [00:05:09] OK. Well, if you recall, back when we started this podcast...
Dave Bittner: [00:05:14] Yeah.
Joe Carrigan: [00:05:14] ...You and I both discussed this kind of thing. And you and I both arrived at the conclusion that at some point in time, we know we're going to get scammed.
Dave Bittner: [00:05:22] Right.
Joe Carrigan: [00:05:22] And we would rather be scammed if something is relatively innocuous than leave somebody - one of our fellow humans - in need. Right?
Dave Bittner: [00:05:31] That's right. That's right.
Joe Carrigan: [00:05:32] And we agreed that's OK for us.
Dave Bittner: [00:05:35] Yeah.
Joe Carrigan: [00:05:35] I mean, what are you out? You're out 20 bucks.
Dave Bittner: [00:05:36] I'm out $20. You know what? The ideal situation for this for me would have been to have been scammed and not have found out that it was a scam...
Joe Carrigan:  (Laughter).
Dave Bittner: [00:05:46] ...Because then I still could have felt good about myself. I could have felt like I had helped a fellow human. I'm out $20 either way. Either if I'm helping someone or I'm being scammed, it's $20 I don't have. It's $20 I can afford. Right?
Joe Carrigan: [00:06:00] Right.
Dave Bittner: [00:06:00] My children are still going to eat. My mortgage is still going to be paid.
Joe Carrigan: [00:06:03] Right.
Dave Bittner: [00:06:03] So it made me sad. I had to check myself to make sure that it didn't build up my calluses - my cynicism a little bit and say, no, this is the decision I've made, the choice I made in life that I'd rather be a helpful person...
Joe Carrigan: [00:06:19] Right.
Dave Bittner: [00:06:20] ...And every now and then be scammed rather than be cold and say, no, I'm sorry. I can't help you. You know, just keep on driving if there's someone who's truly in need.
Joe Carrigan: [00:06:29] Right. The way around this, Dave...
Dave Bittner: [00:06:30] Yeah?
Joe Carrigan: [00:06:30] ...If you will allow me to be the armchair quarterback here.
Dave Bittner: [00:06:34] OK. Please. It's what I live for.
Joe Carrigan: [00:06:36] Give you my Monday morning advice. What you should have done...
Dave Bittner: [00:06:41] Yeah.
Joe Carrigan: [00:06:42] ...Is said, OK, well, I'm going to give you the cash, but I'll be right back with a can of gas to put in your car.
Dave Bittner: [00:06:47] Yeah.
Joe Carrigan: [00:06:48] But here's the thing, though.
Dave Bittner: [00:06:49] I did think about that. But go on.
Joe Carrigan: [00:06:50] That takes time. Right?
Dave Bittner: [00:06:52] Right.
Joe Carrigan: [00:06:53] So first off, he's on an exit ramp, which is not an accident. Because if he's on the side of the road - right? - you drive to the gas station. You drive back to him on the side of the road, and you put the gas in his car. If you're on an exit ramp on 95 and you're coming south from Baltimore, now you have to get back on 95. You're going to have to drive north at least one exit, get off on that exit and head south on that exit to come back to where he is.
Dave Bittner: [00:07:22] It's an hour of my time.
Joe Carrigan: [00:07:23] Right. It's a lot of time. This is very clever, actually. So as I'm sitting here trying to give you the hindsight advice - right, like Captain Hindsight from "South Park"...
Dave Bittner: [00:07:30] (Laughter).
Joe Carrigan: [00:07:30] ...What you should have done. I'm sitting here going, this is a very clever ruse.
Dave Bittner: [00:07:39] Yeah.
Joe Carrigan: [00:07:39] Right? I'm starting to be more and more impressed with this. Generally, people don't like to hear you talk well about scammers, right? 'Cause they're bad guys. And they're scamming people out of their money. But they are creative. And putting the scam on the exit ramp is genius...
Dave Bittner: [00:07:51] Yeah
Joe Carrigan: [00:07:52] ...Because it makes it very difficult for you to physically help them.
Dave Bittner: [00:07:55] Now what do you suppose happens if the police officer pulls up behind him and says, Sir, what's going on here?
Joe Carrigan: [00:08:02] I think it depends on what's going on at the time the police officer pulls up. If the police officer pulls up to him just on the side of the road - right? - and there's nobody else around, then he goes, my kid was sick. And I just needed to pull over.
Dave Bittner: [00:08:15] Right.
Joe Carrigan: [00:08:16] And he's better now. I just put him back in the car seat. I'll see you later. He drives away.
Dave Bittner: [00:08:20] Yeah. Yeah.
Joe Carrigan: [00:08:21] Right? If the police officer pulls up while he's talking to good old Dave...
Dave Bittner: [00:08:27] (Laughter) Right. Well, you know, but I think this person could have gotten a hundred bucks an hour easy.
Joe Carrigan: [00:08:30] Yeah.
Dave Bittner: [00:08:31] You know, I mean, this is a profitable scam I think.
Joe Carrigan: [00:08:34] I think it is. Yeah. We've heard over and over again from social engineers one of the biggest drives we have as humans is to help other humans. Right? So they prey on that, and they get money out of it.
Dave Bittner: [00:08:45] Yeah. So the lesson is I'm an easy target.
Joe Carrigan: [00:08:48] So if you see Dave driving down the road...
Dave Bittner: [00:08:49] If you see me driving down the road, if I'm walking down the street, I'm the guy you want to hit up for money because I will likely give it to you and away you go. So congratulations.
Joe Carrigan: [00:08:58] Right.
Dave Bittner: [00:08:58] All right, Joe. So that's what I've got this week. That is my confession of the week. What do you have for us?
Joe Carrigan: [00:09:05] All right, Dave. My story comes from the good folks over at Cyber Radio, a story that kind of ties in with one of our old Catch of the Day stories.
Dave Bittner: [00:09:13] OK.
Joe Carrigan: [00:09:13] So you remember a while ago we had a realtor send us an email...
Dave Bittner: [00:09:17] Yeah.
Joe Carrigan: [00:09:18] ...About getting phished on DocuSign. Right?
Dave Bittner: [00:09:20] Right.
Joe Carrigan: [00:09:20] Well, malicious actors have apparently a history of targeting real estate transactions. Most of the time, real estate fraud comes from business email compromise.
Dave Bittner: [00:09:30] OK.
Joe Carrigan: [00:09:30] Right? So it's commonly the result of a spear-phishing attack. There are a ton of people involved in a real estate transaction.
Dave Bittner: [00:09:39] Right.
Joe Carrigan: [00:09:39] You own a house.
Dave Bittner: [00:09:40] Yeah.
Joe Carrigan: [00:09:40] I own a house. As I told you earlier, one of my very first jobs in my failed sales career was real estate agent. You know, there's the real estate agent, the real estate broker - who can be two different people. Generally, if you're buying a house, you don't hear from the broker. You just deal with the agent. There can be a lender - right? - that has staff. There can be a loan officer that you're talking to. And then there can be a title company or the settlement company that you're going to. And there's also a title insurance company, which is separate. So that's the list of companies, organizations involved. So it's a very big attack surface.
Dave Bittner: [00:10:13] Right. And there's inspectors. You can have Radon inspections or bug inspection. You know, there's all - beyond those main people, there's also a web of support companies...
Joe Carrigan: [00:10:22] Correct.
Dave Bittner: [00:10:22] ...Who have their hands in this complicated transaction.
Joe Carrigan: [00:10:26] But the inspectors are not where the big money is.
Dave Bittner: [00:10:28] Right.
Joe Carrigan: [00:10:28] I'm going to pay $300 for a guy to come out and inspect my house. I'm not an attacker and I'm looking at this, I'm saying, $300 - I can try to scam somebody out $300 for a bug inspection or I can try to scam somebody out a $20,000 settlement down payment. That's where I'm going.
Dave Bittner: [00:10:42] OK.
Joe Carrigan: [00:10:43] What they do is compromise someone's email account. And then they'll say, OK, it's time for you to wire money to me - and it'll will be the criminal's address. Right? They'll step into the transaction as it's coming towards settlement. And they'll start capitalizing on that. Now imagine you're trying to buy a house.
Dave Bittner: [00:10:58] Right.
Joe Carrigan: [00:10:58] You get an email from the title company. It says, wire the money here. Right? And you wire the money there. And you go to a settlement, and the settlement company goes, OK, where's your check? And you go, my check? I wired the money to you. You say, you didn't wire any money to us. Now you're out whatever that money was that you wired to them. Right? And you can't buy your house now because that was probably all the money you had saved up for the transaction.
Dave Bittner: [00:11:22] Right.
Joe Carrigan: [00:11:23] Right? You're hosed.
Dave Bittner: [00:11:24] Double whammy.
Joe Carrigan: [00:11:25] Exactly. It's devastating.
Dave Bittner: [00:11:27] Yeah.
Joe Carrigan: [00:11:28] Now, the folks over at Proofpoint security says they routinely spot these kind of attacks using DocuSign, right? So some aren't meant to steal people's DocuSign credentials, but rather other email credentials. Then they create a fake DocuSign landing page.
Dave Bittner: [00:11:43] I see.
Joe Carrigan: [00:11:46] Right? So then they can try to propagate these scams out to other agents or other customers. One of the things they found was something that looked like it came from a lender that had online disclosures and everything. 'Cause there's tons of disclosures in these processes.
Dave Bittner: [00:12:03] Oh, yeah. Yes. Yes. Yeah.
Joe Carrigan: [00:12:03] And they're abusing that process. And one attack was saying, here's some important documents you need to read and sign. And the documents are malicious.
Dave Bittner: [00:12:13] I see.
Joe Carrigan: [00:12:14] Or the links to the documents are malicious.
Dave Bittner: [00:12:16] Ways to harvest your credentials and then pivot from there.
Joe Carrigan: [00:12:17] Exactly. Pivot from there. So Sherrod DeGrippo, who is the director of emerging threats over Proofpoint, said that fraudsters target real estate transactions - and here's what you were getting at earlier - because they are fast-paced by their nature, and they involve communications with tons of people. And that communication is very voluminous. Right? Is that the right word, voluminous?
Dave Bittner: [00:12:39] I think so. It's good enough.
Joe Carrigan: [00:12:40] OK. It means there's copious amounts of it. I'll use another 50-cent word.
Dave Bittner: [00:12:46] Nice. Well, and I think - if I could just say - it's a crescendo.
Joe Carrigan: [00:12:50] Right.
Dave Bittner: [00:12:50] As you make your way toward settlement day, it sort of escalates and escalates.
Joe Carrigan: [00:12:56] It gets more and more stressful as this process goes on, right?
Dave Bittner: [00:12:59] Because happens at the last minute.
Joe Carrigan: [00:13:00] It does. You will be sitting there in the process. And this has happened to me both times I bought a house. We bought a townhouse, and then we moved up to the house we live in now. And both times, almost nothing happens for like the first 45 days of the process. And then in the last three days before settlement, everything goes crazy.
Dave Bittner: [00:13:18] Yep.
Joe Carrigan: [00:13:19] It's just the nature of the beast.
Dave Bittner: [00:13:20] It is.
Joe Carrigan: [00:13:21] So you're going to get a lot of calls. You're going to be getting a lot of emails. Customers should be extremely vigilant in interactions with these parties.
Joe Carrigan: [00:13:29] Yeah.
Joe Carrigan: [00:13:30] Right? So in other words, when you get an e-mail from one of these people, I think it's important that you follow up with a phone call that you make out to the people confirming the email.
Dave Bittner: [00:13:41] Yeah. Well, certainly, anything that has to do with large sums of money...
Joe Carrigan: [00:13:45] Right.
Dave Bittner: [00:13:45] ...Take the five minutes. Make the phone call and just verify...
Joe Carrigan: [00:13:48] Right.
Dave Bittner: [00:13:49] ...This is what needs to happen.
Joe Carrigan: [00:13:50] I'm going to talk about how this works in Maryland. I don't know how it works in the other 49 states.
Dave Bittner: [00:13:54] OK.
Joe Carrigan: [00:13:55] But typically, in Maryland, when you go to settlement, you need to bring a certified check from a bank for the amount. I have never seen in the multiple transactions I've been part of myself, you know, my family and working as a real estate agent briefly, I've never seen a title company or a settlement company say, wire the money. They have always said, bring a certified check from the bank. So if you see somebody saying wire the money here in Maryland or probably most of the United States, that should be a red flag. Right? Instantaneously, you should stop what you're doing and go, that's not right. Here's the big crux of this. In 2017, the FBI received over 10,000 complaints about real estate transaction fraud. And the fraud cases resulted in losses of more than $56 million, from which is a lot of money.
Dave Bittner: [00:14:46] It is a lot of money. It's almost as much as your house costs.
Joe Carrigan: [00:14:51] (Laughter) Almost, Dave. You know, I am rolling around in all this podcast money.
Dave Bittner: [00:14:55] Yes, that's right. Yes, yes, as are we all.
Joe Carrigan: [00:14:58] Right.
Dave Bittner: [00:14:59] All right, Joe. It's a good story, as always. Let's move on. It's time for our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:15:08] So, Joe, this week's Catch of the Day was sent in to us by a listener. His name is Russell. And he said, hi, Joe and Dave. I thought you might like this one for your "Hacking Humans" podcast. I'm down at the bottom end of the planet in Australia. And I use Apple Mail as my mail client, which recently flagged this as spam. So I took a screenshot for you. I'm not sure the authors really got the idea of how phishing emails work, unless I'm mistaken, and LinkedIn now moonlights as a Himalayan tourist advocate. It says, only Google and Kaspersky rate this as a phishing scam on VirusTotal...
Joe Carrigan: [00:15:39] Really?
Dave Bittner: [00:15:40] ...As of today. So here's the email. It's just a regular-looking email. Here it is. Dear LinkedIn user, as part of our efforts to improve your experience in LinkedIn access across our consumer services, we're updating LinkedIn services agreement and privacy. Click the link below to update your account. Now, the link below goes to a website that is humanity-himalayan-mountains.pt. Your account will be deactivated if you do not update. This notice ends Wednesday, August 22, 2018. We apologize for any inconvenience. Thank you for your cooperation. Sincerely, LinkedIn Service Provider.
Joe Carrigan: [00:16:21] Not LinkedIn.
Dave Bittner: [00:16:22] No, LinkedIn Service Provider.
Joe Carrigan: [00:16:22] LinkedIn Service Provider.
Dave Bittner: [00:16:23] Yeah. So pretty straightforward catch here. Also, interesting - and I don't know if this is how a particular mail client rendered out this message, but the fact that they did not try to obfuscate the obviously not LinkedIn link...
Joe Carrigan: [00:16:41] Right.
Dave Bittner: [00:16:41] ...By putting it - making it clickable, you know, having it be the link to some plain text.
Joe Carrigan: [00:16:45] The actual URL to where you're going.
Dave Bittner: [00:16:47] Right. The URL is sitting right out there in plain text. So I don't know if that's the way his mail software rendered it out or if that was just a mistake on the spammer's part, but...
Joe Carrigan: [00:16:57] You know what I envision? I envision two spammers sitting in a room, one going, I think these people are really dumb. And the other guy going, no, I think they just fall for us because we're genius. He goes, no, let me show you how stupid people are.
Dave Bittner: [00:17:09] I see (laughter). OK. That's plausible. All right. Well, thanks, Russell, for sending that in. That is our Catch of the Day. Coming up next, we've got my interview with Asaf Cidon from Barracuda Networks. He's going to share some of the trends that his team has seen when it comes to phishing and social engineering. But before we get to all of that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:17:36] And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:18:23] Joe, I recently had the opportunity to speak with Asaf Cidon. He's the vice president of email security at Barracuda Networks. He shared what his team has been seeing when it comes to phishing and social engineering. Here's my interview.
Asaf Cidon: [00:18:36] There are several areas that are of particular interest. The first one probably most notable is attacks that we call account takeover where the attackers successfully phish someone within the target organization - could be a low-level employee, for example - and then actually steal that person's credentials. So they'll, for example, send an email that appears to be coming, let's say, from Microsoft Outlook leading the person to a fake sign-in page where they'll try to, you know, steal their credentials. Then they'll use those credentials to actually log in as that employee and then send emails from that employee's legitimate email account.
Asaf Cidon: [00:19:16] So they'll actually, you know, send out emails to other employees, you know, maybe phishing other employees or maybe trying to do kind of a business email compromise where they steal, you know, a wire transfer from the company. So we've been seeing those grow a lot in the last few months. And what makes them really nefarious is they're actually coming from the real email address from the employee of - you know, within the organization. So they're obviously a lot harder to catch and a lot harder to spot, especially when they're well executed. So that's one line of attack that we've been seeing and are really focused on.
Asaf Cidon: [00:19:51] Another big one is, you know, just generally targeted phishing and spear phishing. So we've been seeing a lot of attacks in different sectors. For example, the real estate industry has been just bombarded with attacks, you know, any - different types of organizations in the real estate industry, like the actual agents or the title companies or real estate management firms. Oftentimes, what attackers will do is they'll, you know, try to trick one of the folks in the firm, again, steal the credentials, then do reconnaissance, find out, you know, when are the deals about to happen, who is going to execute the deal?
Asaf Cidon: [00:20:27] And then, for example, let's say you're about to buy a house. You're about to wire transfer money for your downpayment to a title company. You'll get an email supposedly from that title company telling you, you know, hey, Dave, this is the bank account you should use for the wire transfer, and that bank account is obviously owned by the attacker.
Dave Bittner: [00:20:44] So taking advantage of the fact that large amounts of money are being planned to be exchanged and also a period in someone's life when it's likely that emails are going to be - being sent back and forth to coordinate those kinds of things.
Asaf Cidon: [00:20:58] Exactly. And I think the real estate example is actually especially nefarious because, you know, it's, in a sense, targeting consumers, which, you know, we can talk a lot about how to make sure organizations are protected and how they can increase their security awareness. Consumers are often the most vulnerable - right? - to these types of attacks. So it's quite tragic if someone loses their down payment because something like this.
Dave Bittner: [00:21:20] Yeah. And, you know, I think a lot of us, when we think about phishing attacks, we think of sort of the numbers game attacks. You know, the Nigerian prince scam, of course, being the - you know, the one that everyone uses as the example. But you all see some longer-term cons. What sort of stuff do you see there?
Asaf Cidon: [00:21:37] You touched on a really good point, right? So the kind of criminal market has evolved considerably in the last, you know, couple years. I mean, it used to be that they just sent out these Nigerian prince scams or, you know, fake Viagra pills or something like that, you know, send it to, you know, hundreds of millions of mailboxes and hope that, you know, 0.001 percent would be gullible enough to purchase (laughter) or fall for this scam.
Asaf Cidon: [00:22:04] They really moved into a smaller number of targets but higher, you know, payoff model, kind of like a B2B instead of a B2C - business-to-consumer, business-to-business - model - right? - where they're willing to invest more time in researching their targets, willing to invest more time in waiting and gathering reconnaissance. But then the payoffs are much higher, and they can do - you know, their conversion rate, so to speak - right? - their chance of success per target is higher. And that has been shown that there - it's a lot more lucrative for them.
Asaf Cidon: [00:22:37] So the FBI actually has been working very hard on stopping these attacks and assembling data on these attacks. And in fact, they compile an annual report that they release every year that kind of aggregates the data that they've collected. And I don't think they've released the report for 2017 yet, as far as I've seen. But for 2016, the data shows that it's over $5 billion in losses from these types of attacks. So it's a really big market from a criminal perspective. And that's why it's so effective.
Asaf Cidon: [00:23:07] And yeah, we've definitely as - you know, the example I talked about earlier, the account takeover attacks, I mean, sometimes attackers are willing to sit for weeks and even months, you know, targeting an organization. You know, they harvest - they steal the credentials of an employee, and they don't actually use that credential for many weeks after that. Or they might sell that credential to someone else, you know, who's willing to pay a premium to get a credential of an employee of a certain organization. And then that - you know, that attacker will launch an attack that's really targeted to that organization.
Asaf Cidon: [00:23:38] So they've become very sophisticated and, frankly, you know, if you're sitting in East Asia or Eastern Europe, you know, or in a developing country, you know, you can afford to actually employ a team of folks that will be looking through social media accounts of companies, buying lists, doing a little bit of research to do these attacks. I mean, they are more sophisticated, but they don't involve any cutting-edge technology or, you know, you don't need to be a foreign, you know, intelligence service or something like that to do these. It's not such a sophisticated operation to set up.
Dave Bittner: [00:24:13] Can you give us a glimpse behind the scenes there at Barracuda? I mean, what sorts of things are you working on to gather the information that you gather and to help protect your clients?
Asaf Cidon: [00:24:23] We really work on various levels kind of of the security stack to try to help our customers. I think the most interesting thing we do to solve these particular attacks that I've talked about is actually use artificial intelligence. And so the basic idea is actually pretty simple kind of behind all the buzzwords. Basically, we develop systems that can learn kind of what's normal and what's irregular in an organization.
Asaf Cidon: [00:24:49] So we basically, you know, observe the communication patterns of, let's say, employees of a company over time. And we learn, you know, who speaks to whom, you know, what email addresses they use, how do they - you know, the types of the text, the kind of style they use to communicate. You know, who are the folks in the organization that deal with sensitive information? What links, domains, does the company typically send in emails? And then we basically trained AI classifiers that can identify anomalous behaviors.
Asaf Cidon: [00:25:18] I'll give you an example. You know, let's say one day suddenly your accountant (laughter) starts sending 10 emails to people they've never communicated with before in the company with kind of funny grammar, let's say, and a link that's going to a website that's just kind of weird, right? It might not be obviously a malicious website, but it's an obscure website that, you know, that person - nobody in the company has never, you know, referenced before. So that would be an example of behavior that, you know, our system that's called Sentinel would be able to flag and automatically detect and kind of stop.
Asaf Cidon: [00:25:55] A lot of the work we do is - you know, in the security world, like, there's been a lot of work in the past of kind of trying - let's create, like, a rule. You know, if we see the word Viagra, it must be (laughter) it must be an attack. Or, you know, if we see certain keywords or we see certain websites or certain links being sent, then it must be an attack. But it's really hard to apply that kind of fixed-rule approach to this problem because, you know, the attackers, again, as we said, they're smart. They tailor the attacks. They're not sending the same, you know, attack to, like, a million different people like the Viagra email. They're actually tailoring it to the specific organization. And so something like AI is much more flexible and kind of tune its rules based on the historical communication patterns of each customer. So it's very effective to stop these attacks.
Dave Bittner: [00:26:48] What'd you think of that, Joe?
Joe Carrigan: [00:26:50] Well, first, Dave, I want to say that I didn't listen to that interview before recording my story.
Dave Bittner: [00:26:55] (Laughter) He hit on some of the same sort of topics, right?
Joe Carrigan: [00:26:58] The same points, yeah.
Dave Bittner: [00:26:58] A reinforcement there.
Joe Carrigan: [00:26:59] Right, exactly. Scammers are targeting these real estate transactions and, of course, other business transactions.
Dave Bittner: [00:27:06] Yeah.
Joe Carrigan: [00:27:06] I want everybody to remember that, you know, we talk about research being the first part - in social engineering - being the beginning of these attacks. But remember that email is like the first kinetic action, if you will, in a hack - right? - that some - I can't remember what the number is off the top of my head. But we hear different numbers, like, ranging from 70 to 90 percent of when a company gets compromised, the attack starts with a malicious email. And what also is kind of interesting to hear is that last year there were $5 billion in losses - billion with a B - to these kind of attacks. You know, it is getting the point where you just can't trust email anymore. We can't trust it, Dave.
Dave Bittner: [00:27:43] (Laughter) Well, you know, it is interesting I think about this from time to time. Like, I know there have been things they've tried to graft on to email to make it more trustworthy and so on.
Joe Carrigan: [00:27:51] Yeah, like signatures.
Dave Bittner: [00:27:52] Yeah.
Joe Carrigan: [00:27:52] You can graft digital signatures on.
Dave Bittner: [00:27:54] There are some - yeah, exactly. But why are we still using email? It's as if we're doing all of our business on postcards.
Joe Carrigan: [00:28:00] Right.
Dave Bittner: [00:28:01] Right.
Joe Carrigan: [00:28:01] Imagine if I could social engineer someone out of their credentials for signing an email. Now I can send verified emails to targets within the company.
Dave Bittner: [00:28:10] And if your boss sends you an email that says, hey, you know, if you don't wire this money in the next hour, we're going to lose a big deal...
Joe Carrigan: [00:28:17] Right.
Dave Bittner: [00:28:18] ...You know, you can understand why people would fall for that...
Joe Carrigan: [00:28:20] Absolutely.
Dave Bittner: [00:28:21] ...You know, coming from what seems to be a legit source.
Joe Carrigan: [00:28:24] Right. And sometimes with the business email compromise, it is coming from, for all intents and purposes, what is a legit source.
Dave Bittner: [00:28:30] Right.
Joe Carrigan: [00:28:31] The CEO's email address.
Dave Bittner: [00:28:33] All right. Well, that is our show this week. We want to thank everyone for listening. And, of course, we want to thank our sponsors at KnowBe4. They're the social engineering experts and the pioneers of new school security awareness training. Be sure to take advantage of their free phishing test, which you can check out at knowbe4.com/phishtest. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.
Dave Bittner: [00:29:00] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams in technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:17] And I'm Joe Carrigan.
Dave Bittner: [00:29:18] Thanks for listening.