Hacking Humans 7.22.21
Ep 157 | 7.22.21

It's ok to be trusting, just be careful.


Gil Friedrich: So everything about them other than the end result looks very much like a phishing attack.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Gil Friedrich from Avanan. He's going to be talking about how some bad actors are infiltrating organizations using popular collaboration apps. 

Dave Bittner: All right, Joe, we've got some good stories to share this week. But first, we have some follow-up, a couple of bits of business to take care of. Why don't you take us through what we've got here this week? 

Joe Carrigan: Right. We got two bits of follow-up, Dave. The first one is from Michael who writes to let us know that Cybrary is not as free as it used to be. The free version now only gives you access to intro videos of courses but no longer full courses. I recommended Cybrary a little while ago as a good starting point. And it's - you know, what has happened is Cybrary had that as an interactive - or an introductory offer. And now that they've gotten some legs under them, they're going with a paid model. So you really have to pay. He says the material is still great; you just have to pay for it. 

Dave Bittner: OK. 

Joe Carrigan: If anybody knows - you know, and the cost is reasonable. It's not exorbitant. It costs about as much as Coursera does. So it's not too much. 

Dave Bittner: OK. 

Joe Carrigan: So if you got $50 bucks or $100 bucks a month you could spend on it, I would still recommend it. However, if anybody knows of any good free resources, I would appreciate if they'd let me know. Send that into hackinghumans@cyberwire.com. And let me know, and I'll share them here. I'll also do some research to find some good free resources. 

Dave Bittner: All right. 

Joe Carrigan: The second piece is - Tobias writes in with an observation. And he says, hello, Dave and Joe, big fan, yada, yada, yada, and so on. I'm studying cybersecurity in Denmark near the end of my bachelors, and I've noticed a weird thing that people do when I tell them what I do. As an example, I met a girl in the park last week. We got to talking, and I told her what I do. Her reaction was to ask me what cybersecurity is and then ask what constitutes a good password. She then opens her phone and the Note app and proceeds to show me all of her logins and asked me which ones are good. I, of course, recommended a password manager - Bitwarden, which is the one that Tobias recommends - and upon hearing of this concept, she became very happy. She did have good passwords and no password convention, lots of variation, which is good - you know, naming conventions in passwords is bad. It makes them easy to guess. But this is not the first time this has happened to me. Sometimes people will tell me the base password and an example of a variation or how they construct their passwords. Now, granted, I'm a nice guy who can easily strike up a conversation, but it seems absurd that people would show and tell strangers their credentials simply because they are told that the person works in or studies cybersecurity, especially in a country like Denmark, which is heavily digitized. Do you have any experience with this? Regards from Denmark, Tobias. 

Joe Carrigan: I don't know. Dave, do you get experience - I've had people just blurt out their passwords to me (laughter). 

Dave Bittner: Yeah, yeah. This reminds me of - Jimmy Kimmel, the talk show host... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Has a whole series of videos, and you can see them on YouTube, where they just go up to people on the street on camera and ask them for their passwords, and lots of people just blurt them out (laughter). So... 

Joe Carrigan: Yeah. It's like, it's my dog's name followed by the year I graduated high school. Oh, and what's your dog's name? It's Kevin. 

Dave Bittner: Right (laughter). 

Joe Carrigan: And when did you graduate high school? 1992. OK. 


Dave Bittner: Thanks. 

Joe Carrigan: So your password's Kevin 1992. Yeah, you just figured that out. Yep. 

Dave Bittner: Wow. Brilliant. Brilliant. Yeah, you know, I think what this comes down to is something that we come across here over and over again, which is that, in general, people are trusting. 

Joe Carrigan: Right. 

Dave Bittner: People are trusting of other people. And I don't think that's necessarily a bad thing. I think you could be trusting but also careful. I wouldn't be doing this sort of - I guess (laughter) you and I probably wouldn't do this because, you know, the weight of the world has crushed our spirit, and we are cynical, doing this show. 

Joe Carrigan: Yes. 


Dave Bittner: And hopefully, folks who listen to this show will know better than to do this. 

Joe Carrigan: Yeah. 

Dave Bittner: But at the same time, what are the odds that - if someone didn't come up to you and just say, hey, what's your password - in other words, if you were the one volunteering it to a stranger just in the course of conversation, I bet chances are nothing bad is going to come of that. 

Joe Carrigan: Yeah, you're - it's not a good... 

Dave Bittner: Still not a good course of action (laughter). 

Joe Carrigan: Right. It's not a good practice. But you are face-to-face with the person as opposed to being over the internet, so, you know, you have actually established some real rapport. 

Dave Bittner: Yeah. 

Joe Carrigan: And, I mean, I'm not saying do this. I'm not saying it's OK. I'm just saying, I understand, you know? It's... 

Dave Bittner: Right. Exactly. 

Joe Carrigan: It's - yeah. So, yes. Yes, Tobias. 

Dave Bittner: Yeah. 

Joe Carrigan: This has happened to us. And we tell people, shh, don't say that. 


Dave Bittner: Right, right, right, right. All right - well, good feedback from our listeners. And, of course, as Joe mentioned earlier, we would love to hear from you. You can write to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right. Well, let's jump into some stories this week. Joe, why don't you kick things off for us? 

Joe Carrigan: Dave, this week my focus on my story is all about fake information or information that's invalid or wrong or deliberately so. It comes from Sue Poremba, who has an article on Security Boulevard. And one of the things in the article is in March of this year, the FBI released a private industry notification warning the public that, quote, "malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12 to 18 months. Foreign actors are currently using synthetic content in their influence campaigns, and the FBI anticipates it will be increasingly used by foreign and cybercriminals for spearphishing and social engineering in an evolution of cyber operation tradecraft." 

Joe Carrigan: So it's coming. It's not only coming. It's here, but it's going to get worse. And then the article goes on to talk about three types of misinformation. And the first one is very common, very old misinformation tool. It's called propaganda, right? And it is a popular political tool that spreads skewed information to grow an ideological base. And it's based on facts, but the facts are used selectively, so the whole picture isn't presented. Like, here's an example. Russian track star finishes second in race. USA Runner finishes second to last. This is a classic example. There's only two people running in the race. 

Dave Bittner: Right, right, right, right (laughter). 

Joe Carrigan: But that's how they spin it in Russia, right? It's - I think this may have been a quote from somebody in - back in the '70s, when they were talking about Russian campaigns and Russian propaganda. But it's one of my favorites. 

Joe Carrigan: Next are the two biggies of the current day, and that's misinformation and disinformation. And a common definition here is misinformation is spreading bad information without understanding that it's incorrect. In other words, the person is misinformed and spreading the information. And disinformation is deliberately spreading false information. 

Joe Carrigan: There are three common elements used to manipulate the information for social engineering purposes, and the first element is missing context. This is information is presented in a misleading way, or some vital facts are missing, like in my propaganda example, right? The vital fact is that there were two people in the race. It's commonly manifested on social media as presenting a photo that has nothing to do with the caption. And we see this all the time. Look at the riots... 

Dave Bittner: Right. 

Joe Carrigan: ...Going on in in the U.S. right now. And it might even be a picture of some other country that's having some riot somewhere. 

Dave Bittner: Right, right - or a gathering that was from a different time for a different purpose. 

Joe Carrigan: Right. Absolutely. And... 

Dave Bittner: Yeah. 

Joe Carrigan: We see these all the time in social media. I've just come to ignore them, but they still have the power of having the emotional effect. And that's really the entire goal of these things - is to have the emotional impact upon the viewer. 

Joe Carrigan: The next element is deceptive editing. Here, the threat actor is taking something that was once a genuine photo or illustration or some media story but then editing key elements. So it distorts the reality to a different message. And we see this frequently as well with a lot of the news sites. It will take a news story and then take out key information or put in just fake information. It's just deceptive. It's deceptive editing. It's - I like the term. 

Dave Bittner: Yeah. We've also seen some of these where, like, they'll take a video and they'll slow it down to make the person sound confused or drunk or something like that. 

Joe Carrigan: Right. That's exactly right, Dave. There was a thing with Nancy Pelosi that came out where she looked like she had had a little too much to drink, but it was just a video that someone had slowed down so that she sounded that way. 

Dave Bittner: Right, right. 

Joe Carrigan: And I saw that shared on Facebook. And I'm like, this doesn't seem real to me. You know, it's just - it threw up red flags. 

Joe Carrigan: And the final one is malicious transformation, and this is the most serious of the three. It's where videos are altered through AI to create something that appears real. These are essentially deepfakes, right? We've seen these before. Right now or in the past, they've been easy to detect because there's things like - the deepfake images never blinked. And then the deepfake editors were like, well, we'll add blinking algorithms. How about that? And it's getting harder to detect them. It's getting harder to see them in - you know, see them for what they are. So... 

Dave Bittner: Right. 

Joe Carrigan: These are going to become a real problem in the next 12 to 18 months, the FBI is saying. So we're getting ready for this, Dave. This is what's going to happen. 

Dave Bittner: How do you - I mean, we're getting ready for this, but what can we do to prepare ourselves? I mean, is it just a matter of coming into all this stuff with an appropriate amount of skepticism, taking a second look at things? 

Joe Carrigan: Yeah. I think as a consumer of media, that's exactly what we have to do. We have to think critically about every piece of media we see. Where did this come from? Who is doing this? What's the source that I'm looking at? You know, what's the providence of this journalism that I'm seeing? That's a really good way, is just go with a trusted news source and don't get your political or any news from social media. I know I've said that a couple of times before on this show. Just don't do it. It's going to be all fake and manipulated, doesn't matter. From the corporate standpoint - from, like, Facebook and Google and Twitter - they're going to have to be vetting this stuff as real and saying, nope, this is a faked image. This is doctored. This is incorrect. This is a Deepfake. They need to really do better with that because it is really deceptive - or really effective deception to the human, but there are artifacts left by the process that computers can easily pick up right now. 

Dave Bittner: All right. Well, we will have a link to that in the show notes. My story this week comes from Vice - Motherboard - Tech by Vice website. And it's titled "Annoying LinkedIn Networkers Actually Russian Hackers Spreading Zero-Days, Google Says." Let me ask you this, Joe. Do you get much spam on LinkedIn? 

Joe Carrigan: No, I don't get spam. Like, are you talking about, like, message spam? 

Dave Bittner: Yeah. 

Joe Carrigan: No. 

Dave Bittner: Yeah, people reaching out to you? You know... 

Joe Carrigan: I - you know, I have... 

Dave Bittner: ...I don't either. 

Joe Carrigan: I have gotten a couple of people reaching out to me, but they're like - generally, Dave, when that happens, I just disconnect from them and block them (laughter). 

Dave Bittner: (Laughter) I see, I see. This is the friendly guy that you are. 

Joe Carrigan: Right, yeah. Oh, you're here to sell me something. You know, I don't... 

Dave Bittner: Goodbye. 

Joe Carrigan: I don't think LinkedIn is a sales platform. I don't think of it as - I think of it as a networking platform. And as soon as someone tries to leverage it as a sales platform, I cut them out of my life. 

Dave Bittner: Yeah, yeah. Well, I - it's interesting to me because I see lots of stories from other people who say that they're constantly being hounded by recruiters or, you know, folks like that on LinkedIn. I don't really see any of that. And I think it's probably because my job title is listed as a podcaster, and how many of those does the world really need, right? 

Joe Carrigan: Right. Yes, there are plenty of you out there, Dave. 

Dave Bittner: (Laughter) Yeah, exactly. 

Joe Carrigan: I do get hit up by recruiters. 

Dave Bittner: And there's not a whole lot of recruiting. Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: OK. 

Joe Carrigan: I do get hit up... 

Dave Bittner: Yeah. 

Joe Carrigan: ...By recruiters, though. And usually, I ask them a few key questions that they have a difficult time answering, and that's the end of the discussion. 

Dave Bittner: I see. All right. Well, this article starts off by saying that most LinkedIn spam is just annoying, but some new research from Google suggests that some of it might be outright dangerous. Evidently, there were some Russian hackers who were targeting some European government officials with LinkedIn messages. And the messages contain malicious links that were designed to exploit some zero-days in Windows and iOS, according to the reporting from Google here. Real quick, Joe, just for folks who may not be up on this, what is a zero-day? 

Joe Carrigan: A zero-day is a vulnerability that has not been published yet. So they're - the reason it's called a zero-day is because you have zero days to prepare for its execution. 

Dave Bittner: Right. 

Joe Carrigan: There are mitigations you can do once they're discovered. But if they're undiscovered, you're pretty much vulnerable to them. And if somebody is exploiting one, then, you know, there's really not a lot that you can do. These vulnerabilities tend to be very, very expensive and very valuable. So the fact that people are using them on LinkedIn is interesting, and it indicates that they really, really, really, really want the target to use the link. 

Dave Bittner: Right. Yeah. Zero-days are - they're a high-value thing, and people don't use them just willy-nilly, generally. 

Joe Carrigan: That's correct. 

Dave Bittner: So in this case, for example, one of the zero-days was a zero-day in WebKit, which is the browser engine on iOS devices. And in fact, it is the only browser engine on iOS devices. It's one of those things - it's one of the restrictions that Apple places on people. If - so for example, you know, Chrome on iOS is not using Chromium as its underpinnings. It has to use WebKit, and it's something that Apple requires. 

Joe Carrigan: Right. 

Dave Bittner: So there's a vulnerability that has since been patched by Apple. But this zero-day allowed these bad guys to steal authentication cookies on iOS devices from places like Google and Microsoft and LinkedIn and Facebook and Yahoo. So these authentication cookies would go a long way toward allowing them to log in to someone's private account without needing the authorization that they would otherwise need. 

Joe Carrigan: Right. And once they get in, they probably just downloaded everything. So... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Even though the vulnerability has been patched and even if you went through and invalidated all the cookies, all the information is probably already gone. 

Dave Bittner: Right, right. So according to the folks over at the Google Research Lab, they didn't really have a whole lot of visibility into the success rate, but they said that each month, they send more than 4,000 warnings to their users about attempts by government-backed attackers or other illicit actors to infiltrate their accounts. And so that's just Google keeping an eye on this. 

Joe Carrigan: Right. 

Dave Bittner: They did say that this is likely Russian government-backed. So it sounds like it was espionage sourced, right? I mean... 

Joe Carrigan: Yeah. 

Dave Bittner: ...It's Russian government folks going after European government folks. But I think the lesson here is one we've repeated, which is you just need to be super careful when clicking on links. 

Joe Carrigan: Yeah. Or don't don't click on them. Just don't use them. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: What's somebody going to send you that you need - I mean, they're sending zero-days, so this has to be effective, right? This has to get people to click on the links or else they wouldn't be spending zero-days on them. But if some stranger sends me a link, I'm not clicking on it. 

Dave Bittner: We don't - we also - we don't know the degree to which they're able to use other methods. You know, were they able to infiltrate the email account of a co-worker, for example, and have it come through that and then use that combination of that with the zero-day, which could very well be all it would take to get someone to go through? 

Joe Carrigan: Yeah. If somebody compromised your LinkedIn account and sent me a message as you, I might do it. That's a good point. 

Dave Bittner: Yeah. Exactly. Exactly. And so I don't know. I think this is a tough one to defend against when you have someone who has the sophistication of a state-level actor, someone who is willing to use a zero-day to get what they're after, it's a tough one to defend against. 

Joe Carrigan: It is. 

Dave Bittner: I have a lot of empathy for the folks who fell victim to this. 

Joe Carrigan: Yeah, me too. 

Dave Bittner: Yeah. All right, well, we will have a link to that story in the show notes as well. Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from a listener named Lucio who writes, this guy contacted me on Reddit, and it seemed suspicious. I went to the website but did not create an account. Great podcast. I started listening a few months ago, and it's very eye-opening. So, Dave, why don't you be the part of the guy that reached out? And I will play the part of Lucio. 

Dave Bittner: All right. Goes like this. I'm growing my social engagement, making new friends and mostly business partners. 

Joe Carrigan: Nice. 

Dave Bittner: Thanks. Are you conversant with forex trading? 

Joe Carrigan: I know that it's a 6-plus-trillion market, but I haven't really dived into it. 

Dave Bittner: It sounds interesting. I work with professionals that can manipulate the market and make meaningful profits in return for investors - 25% is well-assured weekly with a minimum of $100 to $5,000 for eight weeks with no risk or loss. 

Joe Carrigan: Interesting. How do you do it? That's 100% for eight weeks? That's a great return in a month. And you said that's for eight weeks, so that would be a 200% return. How do I get in? 

Dave Bittner: Yes, weekly ROI is 100% guaranteed, fam. Sorry, I've been kind of busy. Great account and choose forex trading as your investment package. You can give me a screenshot on Telegram or WhatsApp if you're having any difficulties. Here's the link. 

Joe Carrigan: Right. And, you know, this is where the conversation ends. But it's very interesting. This guy is looking to move Lucio off of the Redit platform before he gets found out by Reddit and Reddit terminates his account. And he is, you know, he makes some pretty outlandish claims here. Like, he has a - he works with professionals that can manipulate the market. He can manipulate the foreign exchange market, Dave. 

Dave Bittner: (Laughter) Yeah. What does he need Lucio for? 

Joe Carrigan: Right (laughter). 

Dave Bittner: Exactly. 

Joe Carrigan: First off, let's think about that. The entire government of China works diligently or, you know, makes an effort to manipulate their currency. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And they can only manipulate one portion of that market as a nation-state actor. But this guy? This guy can manipulate the entire market so that you're always guaranteed to make money on it. 

Dave Bittner: Yeah. Seems legit. Seems legit. I think - you alluded to this, but I think it's worth highlighting that any time in any of these apps or any of these interactions - doesn't matter if it's like this, on Reddit, it could be in a dating app - anytime someone tries to move you off the platform somewhere else, that should be a red flag. 

Joe Carrigan: Absolutely. 

Dave Bittner: That's a big red flag. Yeah. Yeah. So just file that away. Keep that in mind. 

Joe Carrigan: Yes. 

Dave Bittner: All right. Well, our thanks to Lucio for sending that in. Again, if you have a Catch of the Day you'd like us to consider for use on air, you can send it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Gil Friedrich. He's from a company called Avanan. And we were discussing how some bad actors are taking advantage of some of the common messaging apps that organizations use to communicate internally to fraudulently make their way in and to do the things they want to do. Here's my conversation with Gil Friedrich. 

Gil Friedrich: So it actually started from a customer reporting this to us. This is one of the largest U.S. municipalities, and they basically drew our attention to this because initially we were blocking it. Then some of their end users said, hey, this is actually legitimate. And then so they were releasing it. And then some of their end users said, oh, no, no, this is actually not legitimate. What's going on? So that's what, you know, sort of put a spotlight for our anti-phishing team to try to understand what was it exactly. 

Dave Bittner: Yeah. 

Gil Friedrich: It was on the border between, you know, just fraudulent criminal phishing and maybe something else. So that's what intrigued us. 

Dave Bittner: Well, let's walk through it together here. I mean, take us through the details. What exactly were folks finding in their inbox? 

Gil Friedrich: So at the end of the day, the senders the company behind it - it is a legitimate pension fund that basically asks mostly, you know, I want to say local government employees, municipalities, counties, et cetera, to have them as the managers of their pension funds, you know, probably that they get from their employers. So this is all legitimate. What I guess what wasn't - what started to be fishy here were two things. First, when you read the context, most of the recipients, any - let's say, any naive recipient would say, this email came from my city. Right? This is my municipality, my employer, almost instructing me to take a meeting with our new pension fund. That's how they positioned the email - that, you know, sort of that the municipality had made some change and, you know, as part of the service to you, you need to schedule a meeting with this company. Once we saw that with the specific municipality I mentioned, we looked across other SLED customers we have, and we saw, you know, school districts that had it and other municipalities, et cetera. So it seemed to be pretty widespread. And it was, you know, the same tactic of almost looking like your employer was sending you an email and telling you that you need to set an appointment. 

Dave Bittner: And what sort of things were in the email to make it seem as though it might have been coming from the employer? 

Gil Friedrich: So it starts with, first, the from - you look at the from. It's assistants for, you know, name of school district personnel - or something like that. So the reach-out looks as if it comes from your employer, from, you know - from the organization you work for. And then it looks like something annual. So it says, you know - it talks about you being an employee. It says every year, every employee of, you know - of our whatever municipality, school district, is eligible to schedule a meeting. They also insinuate in some of the emails that there was a change, so, you know, you have to act. We change - you know, something new. Something changed. You need to act in order to take care of your pension. Yeah, so all of these basically point to the fact that, hey, your employer has made a change. It's - you know, it is about your pension, and you have to schedule a meeting with these guys. 

Dave Bittner: And so if I click through to set an appointment, what happens next? 

Gil Friedrich: So that's when they turn legitimate. So that's when, you know, they come in, and they say, you know, we're such and such. We are a pension fund. And, you know, we would like to give you an offer. The interesting thing is one more thing - is the name that that company chose for itself is very similar to a very large, legitimate pension fund that was actually suing them in - I believe in Colorado for, you know, trying to use a similar name. So when they thought about, you know, what's our go-to market? How are we going to get - you know, people move their pension to be managed by us? They thought, let's choose a name that is similar to someone big. Let's go after maybe the less tech-savvy audiences that we can find in the audience we address, et cetera. And I guess they found that sweet spot within, you know, government employees where the pension is anyway managed in a certain way, and they were just able to replicate that process. 

Gil Friedrich: So the end result wasn't fraudulent, I believe. The end - you know, they weren't stealing anyone's money. This is why it's interesting as well. Most phishing attacks, you know, it's just thieves on the other side that, you know - you lost your money if you fall for the scam. In this case, the end result wasn't necessarily fraudulent, but everything leading to it was - you know, you had impersonation, using someone else's name, you know, not really revealing who you are in the first email, et cetera. They also - once they started to see that they were getting blocked, this is where they got to - really, what we see from phishing attacks - so changing their domains, changing the sending IP and so on and so forth so that any filter that is trying to block them, you know, will fail. This is when they became a moving target. So everything about them other than the end result looks very much like a phishing attack. 

Dave Bittner: Yeah, it's a really - I mean, I guess it's an interesting tactic to take as a sales approach, to try to deceptively schedule a meeting with someone, even though the - ultimately, the business might be legitimate. I think most people who would look at this as a way of prospecting - doesn't really seem to be on the up and up. 

Gil Friedrich: Correct. And in general, philosophically, you know, I had this discussion with our data analysts, actually - the people that are behind the algorithm, the phishing algorithm we run - because, you know, the algorithm at the end needs to say it's a legitimate email or spam or marketing or phishing. And so we had this discussion. What's the borderline between what is spam and what is marketing, for example, or what is phishing and what is marketing? 

Gil Friedrich: And in general, the assumption is that, you know, spam - if you think about these axes of how many emails they sent and how fraudulent or deception the campaign is, you can sort of put the area of which one would fall in where. Generally speaking, marketing would be something driven from something they know about you, right? You've shown interest in one thing, and they'll send you an email over another thing. You already have an office in Manhattan. They offer you a, you know, better office. It's not invited. You can consider that spam, but it's not widespread. When it's everything just sent to everyone - you know, they offer you to buy whatever, Viagra. They don't know anything about you. You know, they send millions of millions of emails. That's when it becomes a clear spam. 

Gil Friedrich: And then phishing is when the end result is not legitimate, right? So it's not so much about the email, right? If in the end they would sell you fake pills of, you know, Viagra or COVID-19 vaccine or whatever, then that's fraudulent, if there is just, you know, taking the money. Oh, and the other thing about phishing I would say is that they hardly ever reveal their true intent - right? - because it's fraudulent. So they're using different tactics like impersonation and, you know, moving around so that you don't really know who they are, et cetera. And even though the end result here wasn't fraudulent, everything else fell very much into those categories of what we would consider phishing. 

Dave Bittner: Yeah, it's fascinating to - you know, if you read the sample of the email that they posted here, how you can see how deliberate they are in doing the things that they want to do, making it seem like they're coming from one organization but also very carefully toeing that line of not being, you know, actually deceptive. It seems as though every word is very carefully chosen so that, you know, they have, I suppose, the opportunity to defend themselves if someone were to come at them, despite how - you know, clearly you can see what their intentions are here. 

Gil Friedrich: Yeah. Yeah. They could say, oh, I apologize - right? - in the end. We'll fix it. Yeah, I agree with you completely. And marketers do that all the time. I think here they cross the line - mostly the impersonation side. So marketers - you know, I get a lot of emails, as you as well, probably, with, you know, how are you? - under the assumption that I'll open the email because, you know, more likely than if they were upfront about the objective. 

Dave Bittner: Right. 

Gil Friedrich: So marketers do this all the time, in a sense. I think they also cross the line in marketing just from the impersonation aspect of it. You know, the from is not the real from, et cetera. The reply to is different than the from. That's, you know, commonly used by phishing attacks. 

Dave Bittner: Yeah, it's interesting to me, too. I mean, as you mentioned, you know, this kind of puts you and your colleagues in an interesting position here, because in the end, they're not trying to cheat people out of money. They're trying to sell them something that is legitimate, but the tactics that they're using are undesirable. Ultimately, how did you end up categorizing this? How did you - is this something that you filtered out so that it wouldn't end up in your users' inboxes? 

Gil Friedrich: Yes, eventually we did. And I believe most of our customers were happy with it. But you are touching an important point. We don't see this with phishing attacks, right? No one wants phishing attacks in their inbox. We do see this with, you know, let's call them marketing emails. And it really depends on the recipient - where for one recipient, you know, this invite to a webinar would be super relevant and they want to get that email. And the same organization, a different recipient would say, this is spam. Why are you showing this in my inbox? So, yeah. So I think, you know, someone could consider this - hey, this is a service that, you know, might benefit me because I was actually worried about where my pension is saved, and I wasn't happy with something. 

Dave Bittner: Right. 

Gil Friedrich: So you're right. At the end of the day, with this one, we blocked it. We also wrote this blog, and it goes back to the intent. So if you want to offer an employee of a municipality, you know, another option for their pension, be up front about it, say it. At that point, we would consider that marketing. And I think the organization and us as a filter would consider it legitimate and allow it through. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: Very interesting stuff, Dave. COVID definitely accelerated our movement to these other messaging apps, but it was going to happen eventually. We were going to be - you know, I was already actually into Slack, and we already had Teams set up, although I hadn't used them nearly as much as I have here. And actually, what I've used the most is Zoom, not really Slack. I think my Slack usage is probably around the same. I'm not really a big fan of Slack. You know, maybe it's just because I haven't been using it as much as I like. 

Dave Bittner: Yeah. 

Joe Carrigan: But I'm just not a big fan. I'd rather talk to somebody than sit there and type to them. 

Dave Bittner: Yeah. 

Joe Carrigan: I would like to do that. I'd like to get a little more attention from them. There is a change with an adjustment period, but we've had a lot of changes in such a short time, and I think that's really a big part of the issue, right? Like, we were going - you know, if we were going to be more organic in our changing, it would have been slower. You know, we would have gone from a rollout from one - from just email to Slack maybe over a couple of years. But no, we didn't do that. We went into that new environment in, like, a month, right? 

Dave Bittner: Right. 

Joe Carrigan: And I think that that is a big part of the issue. So these platforms, we tend to think of them as a little more closed. And there is this assumption of security. So a phishing email that harvests credentials and those credentials are then used to access, let's say, Teams - because Gil was exactly right. If I can break into somebody's Microsoft 365 account, I don't have access to just their email; I have access to all their files. I have access to their team's accounts, so I can send messages as them. Once you're in there, you're in there. But there's still the assumption of security, right? Still the assumption that this person is the real person I'm talking to because, like he said, it is - everybody assumes it's vetted, right? 

Dave Bittner: Right. 

Joe Carrigan: It all starts with an email that can be sent by anybody. This is why email still stinks, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: It's the only service in the world where anybody can send you something. I think it's interesting that 3% of the Google Drive links are malicious. That was - I think that's stunning. That's a lot. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, if 3% of the files in your computer were malicious, you'd be terrified (laughter). And he talks about two layers, the tech and the people. And he really views users as a layer of security. And that's great. I think that's a good way to look at it. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I often say if I was CISO or, you know, security awareness or whatever person in a company, that would be the first thing I'd tell everybody - is, you know, you're all part of my security team now, and if you see something, say something. 

Dave Bittner: Right. 

Joe Carrigan: And I expect that you guys are going to notice these things when they come in. I'm also expecting that sometime you're going to fall for it, and that's OK. Just, you know, don't be afraid. Don't be embarrassed. Let's just get it fixed. 

Dave Bittner: Yeah. You know, not long after Gil and I had this conversation, I noticed on our own Slack channel at the CyberWire, one of my colleagues popped up with a second identification, like a different version of the same person than I was used to seeing. And it caught my attention, and I reached out to this person on their original account (laughter), a private message, and said, I just want to check to make sure this is you, you know? And the person responded and said, yes, yes, that was me. I, you know, accidentally logged in using a different device, and so on and so forth. It was just - it was an error on my part, but thank you for checking, right? 

Joe Carrigan: Right. 

Dave Bittner: So, I mean, I don't mean to toot my own horn here or anything, but having had the conversation with Gil, I think, put me in that frame of mind to be extra vigilant about this sort of thing. And I'm glad I was. Turned out to be nothing, but... 

Joe Carrigan: Right. 

Dave Bittner: ...It was better that I asked than not. So I'd say to everybody out there - it's that old if-you-see-something-say-something thing, right? 

Joe Carrigan: That's right. And that's why we do this podcast, isn't it, Dave? 

Dave Bittner: (Laughter) That's right. All right, well, our thanks to Gil Friedrich from Avanan for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. And we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.