Hacking Humans 8.26.21
Ep 162 | 8.26.21

Companies don't want their customers to be victims of fraud.


Brandon Hoffman: Well, that's the real challenge with all this kind of gift card and reward system fraud, is that the companies don't want their customers to be victims of fraud. But on the other hand, there's diminishing returns in them really chasing it down.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Brandon Hoffman from Intel 471. And we're going to be discussing cybercriminals going after large retail and hospitality companies. 

Dave Bittner: All right, Joe, why don't you start things off for us this week? What do you have for us? 

Joe Carrigan: Dave, it's that time of year again... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Time for kids to go back to school. 

Dave Bittner: Ah, yes. All right. Well, this is particularly interesting for you as someone who spends much of his time on a college campus, right (laughter)? 

Joe Carrigan: Yes, indeed. In fact, I'm back in the office now, and it's nice. I spent most of this week on a college campus. 

Dave Bittner: OK. 

Joe Carrigan: Beautiful college campus. It's one of my favorite places to be. 

Dave Bittner: Yeah. 

Joe Carrigan: But the Better Business Bureau is out with an article warning people about back-to-school school scams. So there are a number of things to look out for. And of course, everybody knows that it's back-to-school time, including the scammers, so they're going to capitalize on it. 

Dave Bittner: Right. OK. 

Joe Carrigan: These guys don't take a day off, really. 

Dave Bittner: Yeah. 

Joe Carrigan: And they don't miss an opportunity or a trick. So the Better Business Bureau has a number of things to be on the lookout for. One of them is fake credit card scams. These might be calls that come in that might be from a credit card you have, and they're offering some astronomically low rate. And it's really just an opportunity to try to either steal your personal information or get access to your credit card information. So don't fall for that. Remember, don't trust inbound calls. (Laughter) If you get a call from somebody who says that they're from your credit card company, tell them that you'll call them right back... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Unless they're asking, like, this is fraud prevention, was that you? Then you can say yes or no. 

Dave Bittner: (Laughter). 

Joe Carrigan: But other than that, I would say don't answer any inbound calls from somebody claiming to be from a credit card company. 

Dave Bittner: I'm just sort of laughing a little bit here because I remember back when I was in college - you know, back in the Stone Age - that... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...A lot of folks who - my contemporaries in school got in trouble with credit cards. Because you know, when you would go buy your books at the bookstore, in that bag, they'd put a credit card application. 

Joe Carrigan: Yeah. Yeah. 

Dave Bittner: Or you know, there'd be people outside the student union who had a little table set up, you know, and they'd give you a free something, like a free towel or free - some free knickknack. 

Joe Carrigan: Well, I knew a guy in college named Coe Jarrigan. And somebody from a fraternity or a sorority was offering credit card applications. And this dummy signed up for one. And poor Coe, man. He got into a lot of trouble with that because he was a college student. 

Dave Bittner: (Laughter) Right. Exactly. 

Joe Carrigan: And he didn't have a lot of income. 

Dave Bittner: (Laughter). 

Joe Carrigan: So he just wound up having to pay a lot of interest in credit cards. Yeah, that's a - I mean, even the real credit cards are actually a scam for college kids, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Don't get a credit card if you don't have any income. 

Dave Bittner: Right. Right. 

Joe Carrigan: It's terrible. 

Dave Bittner: All right. Well, what else does the BBB have to say here? 

Joe Carrigan: Right. They - look out for apartments that are too good to be true, right? We've talked about these kind of scams as well. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: And you know, you're going to a new college. Maybe you're going to decide right away you're going to live off campus in an apartment because maybe it's cheaper than living in the dorm. 

Dave Bittner: Right. 

Joe Carrigan: I don't know that that's the case. But you're opening yourself up to exploitation from fake ads, fake, like, Craigslist ads or whatever. My advice here is, contact a realtor in the area. If you're really looking to rent an apartment, realtors are your best bet. 

Dave Bittner: Yeah. Right. Right. 

Joe Carrigan: The realtors have access to bona fide systems that, you know - and they know the area as well. 

Dave Bittner: Right. 

Joe Carrigan: So they can really help you out. So... 

Dave Bittner: Right. 

Joe Carrigan: ...Use a realtor. 

Dave Bittner: Yeah. 

Joe Carrigan: Scholarship and grant scams. These are scams where people say, hey, you can apply for a full scholarship, right? But there's an application fee. And then, of course, you don't get the scholarship. Sorry. 

Dave Bittner: I see. 

Joe Carrigan: You don't qualify. 

Dave Bittner: Oh, interesting. 

Joe Carrigan: It's a great way to take advantage of people who are looking to lower their college costs. And of course, these guys are not going to miss that opportunity as well. 

Joe Carrigan: And finally, they're saying, beware of online shopping scams. You know, go to trusted websites. Don't - if something's too good to be true, it probably is. So don't fall for it. 

Joe Carrigan: Other advice they have is, be aware of current scams. The BBB has a site that's called the scam tracker, which is a great site. Also, you can listen to this show. We tend to update you on scams like this on a regular basis. 

Dave Bittner: (Laughter) We do. 

Joe Carrigan: And they say, monitor your credit report. Make sure that you have some kind of credit report-monitoring software out there or system, rather, that you can see when somebody opens a new account. And then you can immediately stop that, nip it in the bud and save yourself a little bit of a headache. 

Dave Bittner: Yeah. It's a good point. I mean, I think of so many, you know, young adults who are headed off away from home for the first time, sometimes headed off to the big city or the big college campus. And you know, it's their first time maybe not being under their parents' wing, first time having a whole lot of independence. And because they are old enough to have adult status... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, they can get their own credit cards. 

Joe Carrigan: Right. 

Dave Bittner: They can sign up for these sorts of things. And it's hard to have that discipline when somebody's dangling... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Whatever money that is, you know, and you can do the things you want to do now and not have to wait. 

Joe Carrigan: Right. 

Dave Bittner: So yeah. You just need to be careful. 

Joe Carrigan: So yeah, the BBB says, according to their latest Scam Tracker Risk Reports, adults age 18 to 24 reported the highest median loss of $150. And lots of scams take place online. We've talked about this as well, that they're more susceptible to fall victim to a scam. And $150 is actually kind of low, I think. I think when older people do fall for scams, they - I find this article interesting in that - with that statistic. I think that's... 

Dave Bittner: Yeah. 

Joe Carrigan: I think there might be more literature out there that says differently. 

Dave Bittner: I wonder if any of this is because that generation are so much more comfortable and quicker with sending money around using the online services - the Venmos... 

Joe Carrigan: Right, like Cash App and Venmo. 

Dave Bittner: Yeah, all those sorts of things, you know, Apple Pay, all those sorts of things. So - whereas you and I may think twice at a request to send money that way... 

Joe Carrigan: Right. 

Dave Bittner: ...Just because, you know, its farther - it's not part of our core - we didn't grow up with that, right? 

Joe Carrigan: No, we did not. 

Dave Bittner: It's not reflexive to us. Whereas someone in that younger generation might say, well, sure, this is how - that's not an unusual ask at all. I send money around to my friends and family and all sorts of things that way. So for someone else to request it that way doesn't raise any red flags. And... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Maybe it should. 

Joe Carrigan: I don't even have accounts on these things. I do have a PayPal account, but I don't keep the app on my phone. So... 

Dave Bittner: Yeah. 

Joe Carrigan: I'm just not comfortable paying their fees, Dave. 


Dave Bittner: Well, I'll tell you, I mean, it's my kids who have pulled me into this, you know? 

Joe Carrigan: Right. 

Dave Bittner: My son will go to - one of my sons will go to, you know, like, a gaming night at the comic book store. And he'll say, oh, Dad, can you send me some money? And I'll, like, just pull out my phone, and I send him some money. And then he has money that he can spend and, you know - and it's great because it's secure, and it's easy. And - but if it were not for him, I'd probably be a lot farther behind than I am. So... 

Joe Carrigan: (Laughter) Right. You'd probably be in old Joe's shoes. 

Dave Bittner: Yeah, that's right. 


Dave Bittner: I have reached the point where sometimes, like, if I'm trying to - like, I'll just throw my kid the remote. I'm like, just fix this. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Fix this. Yeah. Yeah. And I - and that's - yeah. Not proud of that, but that's just the way it is. 

Joe Carrigan: Yeah. We used to be the guys that fixed everything by touching it. Remember that, Dave? 

Dave Bittner: I know. I know. Just laying our hands upon it. And people would look at us like we were magical wizards, you know? 

Joe Carrigan: Right (laughter). 

Dave Bittner: Those days are long behind us. 

Joe Carrigan: I miss that. 

Dave Bittner: Now we just sit back and stroke our beards... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...And tell stories about the old days. Well, speaking of stories about the old days, my story this week is a story about the old days. 

Joe Carrigan: Is it really? 

Dave Bittner: It is. And it's a good social engineering story. I was actually sharing this story with a friend of mine earlier this week. And my friend said, you know what? You should share that on "Hacking Humans." That's a great social engineering story. And I thought, you know what? I think you're right. So (laughter)... 

Joe Carrigan: Cool. 

Dave Bittner: ...This is what I call the tale of the lightning rod edit. Now, when I first got out of college - and I graduated college as an RTF major, which is radio, television and film. So I came out of school, and I was looking for work doing production - video production, film production, those sorts of things. And I got a bunch of work from a guy who was local to me who had a small video production company. And so he did a lot of corporate work. He did a lot of government work. And he would hire me to help him go out on shoots and help him do edits and all those sorts of things. And I was very excited to work for him, and I was learning everything. This is back in the days before everything was computerized, so we were still doing edits with multiple tape decks. And you know, the decks were controlled by computers, but you weren't digitizing everything and just doing everything on the computers. 

Joe Carrigan: Right. 

Dave Bittner: So because of that, editing was much more of a long process. We didn't have the flexibility. It was - I guess the best way to say it, it was more like using a typewriter than using a word processor, right? 

Joe Carrigan: Right. 

Dave Bittner: So part of the process when you're making a video - and these are in the days of, like, 20-minute-long corporate videos - right? - pre-YouTube. So things were much more long-form back then. So you'd be making your video. You'd be working, let's say, with the marketing people at a company. And there would come a point when the video was just about done, and it was time to show it to the powers that be, time to show it to the suits - right (laughter)? - all of the stakeholders, the people who were writing the checks for this sort of thing. And so this guy I was working with - before we were - he was going to take me into this meeting so I could experience what this meeting was like. 

Joe Carrigan: Was this a new experience for you? 

Dave Bittner: I don't know that I had been in this sort of room before. 

Joe Carrigan: OK. 

Dave Bittner: And so he was kind enough to include me so I could have - I could learn what that was like... 

Joe Carrigan: Right. 

Dave Bittner: ...You know? And so... 

Joe Carrigan: Come on in. Keep your mouth shut, and watch what goes on. 

Dave Bittner: Right. So before we went, we did the final sort of viewing of the video ourselves to make sure everything was OK. And we're watching through, and I said to this guy - I said, whoa, wait a minute. Are you sure about that edit there? That's kind of clunky. He was like, yeah. Just leave it in. I said, why? He said, you'll see (laughter). 

Joe Carrigan: I think I know where this is going. 

Dave Bittner: I said, OK. So we go into this big, you know, boardroom with a fine, big wooden table and wood walls and, you know, people who are very well-dressed, and we've, you know, dressed up ourselves. We're not wearing our usual, you know, dirty T-shirts and stained shorts, you know (laughter), as... 

Joe Carrigan: Right, the stuff you actually edited the video in. 

Dave Bittner: ...Video production guys. Right, exactly. 

Joe Carrigan: (Laughter). 

Dave Bittner: Yeah. Yeah. You know, clean up well. So we go in, and we're showing the video. And the time comes for - this edit comes. And one of the bosses says, whoa, whoa, whoa, whoa, whoa. Hold on, hold on, hold on. Stop, stop, stop, stop, stop, stop, stop. And the guy I'm working with says, yes? He says, wait. Back that up. I want to see that again. So we rewind it. It plays, and then come to this awkward edit. And the guy says, wait, that doesn't seem right to me. And the guy I'm working with says, oh, my gosh. You're right. Wow. Thank you for pointing that out. 

Joe Carrigan: (Laughter). 

Dave Bittner: I really appreciate that. I'm so glad you caught that. How could we have missed that? Really happy for your contributions. 

Dave Bittner: And we go on, and, you know, there's some more conversation. They show the rest of the video. It all goes pretty well. You know, a couple notes, a couple changes, things here and there. And afterwards, we're driving back to my friend's studio. And I'm like, so what exactly happened? And he says to me, Dave, that was the lightning rod edit. 

Joe Carrigan: The lightning rod edit. I got it. 

Dave Bittner: I said, what do you mean, the lightning rod edit? He said, here's what I've learned. He said, when it comes time to do a presentation like this, there are going to be people in the room who, for whatever reason, feel the need to justify their existence, right? 

Joe Carrigan: Right. 

Dave Bittner: They can't just sit back and say nothing because, for whatever reason - maybe they have imposter syndrome, maybe - who knows? 

Joe Carrigan: Right. 

Dave Bittner: But they feel as though if they don't say something, their colleagues are going to wonder why they're even in the room. 

Joe Carrigan: Right. 

Dave Bittner: So the lightning rod edit gives them a reason to comment. It's the lightning rod. 

Joe Carrigan: Right. 

Dave Bittner: Right? It's the obviously bad thing that we leave in the video to give those people something to say. And that keeps them from finding other things to comment on that probably don't warrant being commented on. 

Joe Carrigan: Right. 

Dave Bittner: And I said to myself, wow (laughter). 

Joe Carrigan: That's... 

Dave Bittner: I had mixed feelings about it because, you know, it is certainly - it's a little bit manipulative, right? 

Joe Carrigan: Right. 

Dave Bittner: I don't know that I would say it's unethical because it would've gotten fixed anyway. 

Joe Carrigan: Right. 

Dave Bittner: There was no way the video was going to go out with this awkward edit in it, right? 

Joe Carrigan: Now, here's my question. 

Dave Bittner: Yeah. 

Joe Carrigan: Does - are there people in the room that you're showing the video to who understand what you're doing and are fine with it, right? Like, are you showing it to somebody who goes - who says, I know that you're not going to leave that edit in there; it's terrible; you're not putting out a garbage product because I've been doing business with you for a while? 

Dave Bittner: Yes. 

Joe Carrigan: And I'm OK with you leaving this in there so that somebody else can say something about it. 

Dave Bittner: No, I don't - so I don't think other people are in on the... 

Joe Carrigan: I mean, they're not in on it explicitly. But do they understand what you're doing? 

Dave Bittner: I - no. I think they perceive it as being just an honest mistake. 

Joe Carrigan: OK. 

Dave Bittner: Like an oops. 

Joe Carrigan: OK. 

Dave Bittner: Oh, of course - well, of course we're not going to leave that in. You know, that's - it's the same as having - I don't know - someone's name misspelled in their, you know, in their lower third when you're IDing someone or it's just - it's a typo. It's that sort of thing. But in this case, it was deliberate. And this person I was working with used it as a regular sort of business technique that he seemed to believe saved him time and money and, you know, made everybody feel good that they were contributors but kept him from having to - what it did was it saved a lot of back-and-forth and sort of arguing in the room... 

Joe Carrigan: Right. 

Dave Bittner: ...Over things that people believed were good. 

Joe Carrigan: Yes. 

Dave Bittner: Right? It was - it's a misdirection. 

Joe Carrigan: Yeah. 

Dave Bittner: Right? 

Joe Carrigan: It is. 

Dave Bittner: It's a misdirection. 

Joe Carrigan: I get it. I get what he's doing. 

Dave Bittner: Yeah, yeah, yeah. 

Joe Carrigan: I would like to know if he ever tracked how well things went for him when he didn't put the lightning rod edit in. 

Dave Bittner: Yeah, I don't know. 

Joe Carrigan: If - how much time he had to spend on the - that would be the good measurement - right? - because you can quantify this. 

Dave Bittner: Yeah. 

Joe Carrigan: If I had the lightning rod edit in, how much time do I have to spend on reediting after the meeting versus if I don't have the lightning rod edit? 

Dave Bittner: Yeah. And it could've - I mean, this very well could've been - this could've completely been a placebo, right? Like, he could believe that it made a difference, and it didn't. 

Joe Carrigan: Right. 

Dave Bittner: But it did no harm. 

Joe Carrigan: Yep. 

Dave Bittner: And I think once he tried it and it seemed to work, it was a technique he was going to stick with. I'd say I did not - later on, you know, I formed my own company and all that sort of stuff and was doing this type of work for quite a while. This was not something I adopted for myself... 

Joe Carrigan: OK. 

Dave Bittner: ...As a technique. But I always thought it was interesting, and it was effective. And so just a fun little bit of social engineering I thought I'd share. 

Joe Carrigan: That's a great story. 

Dave Bittner: (Laughter) Well, I appreciate that. Yeah, he was a good guy. He was a good guy. And this was - you know, this was not coming - I mean, I think the bottom - what makes me feel OK about this is that I truly believe he was coming at this from the point of view of just sort of saving everyone some heartache. 

Joe Carrigan: Right. 

Dave Bittner: You know, it gave the complainers something to complain about... 

Joe Carrigan: Right, right. 

Dave Bittner: ...While not having them complain about stuff that didn't deserve to be complained about. 

Joe Carrigan: Right. I get it. I think that's a great idea. 

Dave Bittner: Right. 

Joe Carrigan: I don't know. 

Dave Bittner: Right. 

Joe Carrigan: I don't know how I feel about it. I have to think about this one for a little bit. 

Dave Bittner: Yeah, yeah. Believe me. I've thought about it a lot, and I guess I'm at peace with it. 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, that is my story this week. It is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from a listener named Shannon (ph), who writes, hi, guys. I love your podcast. Thank you, Shannon. I found this email in my spam today. Before I even finished reading it, I knew I had to send it to you. 

Joe Carrigan: So, Dave, why don't you read who this email's from? It's from a very important person we've been talking a lot about on this podcast. 

Dave Bittner: That's right. It says (reading) attention, beneficiary. Attention. My name is Janet Louise Yellen, an American economist who's serving as the 78th and current United States secretary of the Treasury as part of the Cabinet of Joe Biden. Previously, I was the 15th chair of the Federal Reserve from 2014 to 2018. I was the first woman to hold either role. 

Dave Bittner: (Reading) Previously on my Twitter account where I gave a hint of this program on January 29, I tweeted, we need to act big and act now to help people make it to the other side of the pandemic. The American Rescue Plan has small business in mind. I enjoyed discussing it with a panel of small-business owners from across the country yesterday. 

Dave Bittner: (Reading) This is what we are talking about, even though this transactions are meant to be confidential. However, at the international financial organization annual meeting in Dubai, United Arab Emirates, which convened world leaders to discuss the global, regional and industry agendas in the middle of each year, it was agreed, among other things and with the Global Financial Integrity, that making growth sustainable, making growth inclusive and harnessing technology for good is a priority and must be tackled without delay. 

Dave Bittner: (Reading) The amount which was awarded to you is U.S. $2.5 million. Speaking with the United Nations Association of the USA, UNA-USA, and with the Council of Europe, adding the Asian Parliamentary Assembly, and all are in support of the payoff of beneficiaries from countries in Europe who are guided by the European Union organization, also USA, South America, Middle East, Africa and Asia, through online banking system in order to avoid the huge payment of tax in your country. 

Dave Bittner: (Reading) Therefore, the EU Parliament, which is headquartered in Strasbourg, France, and has its administrative offices in Luxembourg city, initiated the electronic random pick. And through this electronic random pick, your email was chosen for the implementation of making sustainable growth and harnessing technology for good. Funds have been mapped out for those picked in the process. This disbursement will be monitored by the Global Financial Integrity. The representative you are therefore advised to contact, Miss Jan Schakowsky, who will monitor the release of your funds. Best regards, Janet Louise Yellen. 

Joe Carrigan: I love this email, Dave. 

Dave Bittner: Wow. 

Joe Carrigan: It's like there's - at these monetary meetings, there's this big wheel. They spin it. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: (Imitating game show wheel spinning). 

Dave Bittner: Oh, Joe Carrigan... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...$2.5 million. 

Joe Carrigan: Woohoo. 


Dave Bittner: Right, yeah. 

Joe Carrigan: And I love that it's always Janet Louise Yellen. I didn't know Janet Yellen's middle name was Louise. I actually verified that by looking it up on Wikipedia. 

Dave Bittner: OK. 

Joe Carrigan: And it is Janet Louise Yellen. 

Dave Bittner: All right. 

Joe Carrigan: But I don't know why that's included in here. I think it's interesting that it is. 

Dave Bittner: (Laughter) Right, right. Yes. So I think there's some interesting things in here - that they pulled a actual, legitimate tweet of hers. 

Joe Carrigan: Right 

Dave Bittner: So if you wanted to sort of fact-check this... 

Joe Carrigan: Right. 

Dave Bittner: ...She did tweet what they said. She tweeted, so that's real. 

Joe Carrigan: Right. 

Dave Bittner: But the rest of it is not. 

Joe Carrigan: No. 

Dave Bittner: Two-point-five million dollars because we spun the big prize wheel... 

Joe Carrigan: Right. 

Dave Bittner: ...And your email address came up. 

Joe Carrigan: Randomly selected your email. 

Dave Bittner: Right, right. 

Joe Carrigan: That's not how international financial policy works. 

Dave Bittner: No, no, no. And the United Nations decided that instead of - I don't know - vaccinating children in Africa... 

Joe Carrigan: Right. 

Dave Bittner: ...We're just going to give you $2.5 million - go crazy. Go have fun with it. Go - it's going to be technology for good. This totally makes sense, yeah, on the world stage. All right, well, that was a good one. 

Joe Carrigan: Thank you, Shannon. 

Dave Bittner: We would love to hear from you. If you have a Catch of the Day for us or a story you'd like us to cover, you can send us a note to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Brandon Hoffman. He is from a company called Intel 471. And we're focusing on how cybercriminals have been going after large retail and hospitality companies. Here's my conversation with Brandon Hoffman. 

Brandon Hoffman: The gift card situation is - has been around for quite some time. It's almost as a secondary cash-out method, as it were, because monetizing things like reward accounts, you know, are quite difficult, as you can imagine. So if you think - if you had access to somebody's frequent flyer account, certainly you wouldn't just - if you were a cybercriminal, you can't just simply issue a ticket for the person who bought the stolen miles, right? 

Dave Bittner: Right, right. 

Brandon Hoffman: Because that would obviously make it quite easy to track. 

Dave Bittner: Right. 

Brandon Hoffman: And so instead of simply monetizing them the way they would other pieces of information, they found that gift cards is a secondary cash-out method which makes it less traceable. 

Brandon Hoffman: And actually, the interesting thing about gift cards is that there doesn't seem to be as much of an effort from fraud teams around gift cards and rewards miles. And I know you didn't necessarily intend to link rewards accounts to it, but they are kind of related in the sense that... 

Dave Bittner: Yeah. 

Brandon Hoffman: ...They're not treated the same as actual, you know, stolen money or stolen data, even though to many of us who have lots of reward points or airline miles or things like that, to us, they're pretty much the same as cash to a degree. 

Dave Bittner: And I suppose - I mean - or I guess is it fair to speculate that for a lot of these companies - because so many gift cards go unused that I suspect it's an area of high profit for them. So maybe that's a reason why they don't keep a such a close eye on it. They're not losing money there. 

Brandon Hoffman: Yeah, it is interesting because it's kind of like they've already received the money - the organization, right? And so as long as it gets used - because at least here in the U.S., gift cards no longer have expiration. They legally can't expire, right? 

Dave Bittner: Right. 

Brandon Hoffman: They used to expire, as you probably recall, and in parts of the world, maybe they can. But from a pure accounting perspective, you know, they've already collected the revenue. They just need to be able to recognize the revenue, which means the gift card needs to be used. 

Brandon Hoffman: So to a varying degree - I don't want to say they don't care 'cause they do - it needs to be used from a business perspective - right? - so they can recognize that revenue. Now, of course, the big companies that have gift cards programs - right? - they do track this from a fraud perspective, and they do care, right? But it's less intense than, you know, people who are stealing actual money or intellectual property. 

Dave Bittner: And you all were tracking some folks who were selling these rewards programs, selling the points and access to them online. 

Brandon Hoffman: Correct. 

Dave Bittner: What's the mechanism there? How are they going about doing that? 

Brandon Hoffman: Well, so there's - you know, typical with the cybercrime marketplaces, you know, there's two stages. One is, hey, I have access to reward accounts. I don't want to cash it out or monetize it. I'd rather just sell this access to somebody who can do something with these rewards. That's the first, most basic step. The second is somebody who has the access and has turned them into something - some other financial instrument, like a gift card, and then they'll sell that gift card for a portion of the value. So it's kind of like a derivative of a derivative, you know, as it goes downstream. That's - you know, that's pretty common with how we see cybercrime functioning, right? There's people who sell products, goods and services, and some people want to do the full chain of monetization, and some people just want to do the little piece that they're good at and move on. 

Dave Bittner: Another area that you all looked into here was video games. Why are the criminals attracted to them? 

Brandon Hoffman: It's an interesting thing with the video games. I think it's because video games are, you know, really at the center of a lot of, you know, young culture. There's a lot of people who - they spend a lot of their leisure time in video games, and a lot of people spend a real lot of money with the video games that they like. And so people are always looking for ways to advance their gaming mechanisms or to get more credits in their gaming systems. 

Brandon Hoffman: And I think maybe - I don't want to say it's just younger folks, but I think people are looking for ways to, just like anything else, kind of get a deal, as it were, on, you know, video game credits or things like that. And so I think that the cyber criminals know that there's a - you know, there's a popular following. Lots of people spend a lot of money on video games, and that's just another way for them to monetize this. 

Brandon Hoffman: And I think probably when we talked just a moment ago about who's really tracking these things - you know, I don't know that I want to go out and say for sure that there's even less of an eye on it there, but I - you know, I have a feeling that it's less tracked specifically in video game setups. You know, think, for example - Amazon, right? Certainly, their fraud team is spending a lot of time looking at gift card abuse. But some of these video game providers - you know, they're just - like we talked about earlier, they're bringing in the money. They don't care how it's used. And probably, there's less of an eye on it because there's - I just - you know, I don't know how to say that. There's - I don't want to say that... 

Dave Bittner: Well, I mean, it strikes me that every dollar - because they're getting the money ahead of time, every dollar they spend on fraud prevention goes against that money that they've already collected. So there's sort of a... 

Brandon Hoffman: Yeah, thanks for acknowledging that. Yeah. 

Dave Bittner: Right. There's a funny incentive there. 

Brandon Hoffman: Well, that's the real challenge with all this kind of gift card and reward system fraud, is that the companies don't want their customers to be victims of fraud. They don't want their systems to be abused for fraudulent purposes. But on the other hand, there's diminishing returns in them really chasing it down. So they put preventative mechanisms in it, but it's not the same thing that, like, financial services is going to do where people are stealing whole bank accounts, right? 

Dave Bittner: And what about ransomware? I mean, obviously, lots of stories about ransomware in the news and retail organizations have that on their radar as well. 

Brandon Hoffman: Yeah, I mean, ransomware - yeah, big right now. No victims are excluded. No potential victims are excluded. Ransom retail, of course - plenty of big ransomware events to point to when we look at ransomware, you know, retail. Yeah, not excluded there. I think it's interesting, too, because with retail, there's so much more that a ransomware group can do. Aside from, you know, the obvious, which is crippling the retail system, preventing e-commerce from taking place - that has a significant revenue impact. 

Brandon Hoffman: But then there's, you know, more recently, this emergence of focus on the data exfiltration, as opposed to the encryption, as a lot of ransomware - as the service providers and ransomware groups have talked about, that some of them were shying away from doing the encryption and rather just focusing on the data exfiltration and using that as leverage enough to get paid, because the retail organizations have such rich information. They have personal, identifiable information of their consumers, their customers. They have payment card information. 

Brandon Hoffman: And then also, you can cripple them, preventing e-commerce from taking place, right? So there's - you can really hit them three different ways that are meaningful. And I think that makes them a little bit more of a juicier target to a degree. 

Dave Bittner: What can people do to protect their own interests here? I mean, for the folks who actively collect their frequent flyer miles or their hotel rewards points, are there things that you all recommend to - sort of best practices to, you know, not be the low-hanging fruit? 

Brandon Hoffman: Yeah, I mean, the majority of these compromises - I mean, if the organization itself is compromised, you know, like your airline or a retail organization - right? - of course, there's limited things you can do because they're going to take the data from the back end. But as a consumer, a lot, you know, a lot of this does happen through compromised credentials. So them planting malware, phishing attacks against consumers that can, you know, they can collect the username and password for these accounts, which is, you know, that happens. The majority of these cases are from compromised credentials. 

Brandon Hoffman: And so as a consumer, the best thing you can do, of course, as we've said for a long time, rotate your password frequently. That has limited value, but it has value. Of course, taking advantage of any two-factor authentication that a provider or anywhere you log in, you know, if they offer two-factor authentication or multifactor, definitely take advantage of that. Beware of, you know, emails and phishing. Just like always, you know, if you're going to click on something from, you know, somebody that you do ecommerce business with, you know, verify that that email did come from them. And then the other thing is browser sanitization. You know, however you browse the internet on your computer, just make sure that it's always up to date. You know, run antivirus, antimalware to make sure that some of those credential stealing or info stealing malwares, you know, are not loaded in your system. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Dave, I think it's interesting that the bad guys are focusing on specific industries, right? I don't - I'd like to know if this is the case. Are there people who are essentially, like, experts at exploiting the travel industry? I would not be surprised to find that they are. Why... 

Dave Bittner: I'll bet they are, yeah. 

Joe Carrigan: Why wouldn't there be people who are just, you know, like people who just say, I exploit hotel chains, I exploit airlines, and that's all I do because there is plenty of opportunity to do this? 

Dave Bittner: Right. 

Joe Carrigan: One of the things that Brandon says is that compromised credentials are the biggest or soon to be the biggest vector that he's seeing. Those credentials are compromised via some social engineering attack... 

Joe Carrigan: Yeah. 

Joe Carrigan: ...Via phishing or calling the on the phone and asking for it. And the compromised credential threat model has a pretty long kill chain, if you will. They use - kill chain's a jargon term. It just means an opportunity, you know, a list of opportunities to stop the attack. 

Dave Bittner: OK. 

Joe Carrigan: Right? So if you can stop the phishing email, you can stop the attack. If you can stop the - block the phishing site, you know, where the people enter their credentials, you've stopped the attack. If you can use a hardware-based multifactor authentication, you can pretty much stop the attack. 

Dave Bittner: Yeah. 

Joe Carrigan: And if you can stop a strange login from an unusual point of origin, like a VPN or another country, you can stop the attack. So there are lots of opportunities to stop the attack, but they still keep happening, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: The footprint is large for the travel industry. And there are a lot of industries that are like this. You think of the customer-facing websites. Think of an airline and the systems that they have that people have to use to book flights. You know, I fly a lot on an airline that doesn't have assigned seating, but on the airlines that do have assigned seating, those - that has a lot of overhead associated with it. The the system behind it has to be more complex, right? 

Dave Bittner: Sure. 

Joe Carrigan: And the larger that footprint, the bigger the attack surface. And that's what - it's interesting that there are a lot of ways for people to make money exploiting this industry. And Brandon makes a great point about gift cards. They're a great, great way to launder money and steal affinity points and rewards. 

Dave Bittner: Yeah. 

Joe Carrigan: In terms of laundering money, it doesn't make the money look legitimate, right? Because if you - you know, if you have a billion or a million dollars in gift cards that you've received, that's not going to look legitimate, but... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...It does make the money really easy to move around. 

Dave Bittner: Yeah. 

Joe Carrigan: And you can quickly turn these things into crypto currencies just on lots of open markets out there. It's readily available for anybody to do that. 

Dave Bittner: Yeah. Yeah. And the - it's hard to trace. And it's easy to spend that money because it's in the organizations whose gift card you have - it's in their interest to make that transaction as frictionless as possible. 

Joe Carrigan: Right. 

Dave Bittner: They're not going to ask a lot of questions. 

Joe Carrigan: Right, because they have the money in escrow, actually. 

Dave Bittner: Right. Right. They already have the money. Right. Right. 

Joe Carrigan: But they can't actually count it as a as revenue since it's in escrow. They really can't use it until you spend it. So it is in their interest. And they have to maintain the escrow as well. That has an expense associated with it. 

Dave Bittner: Right. Right. 

Joe Carrigan: So the sooner you get it out of escrow, the better off you are. 

Dave Bittner: Yeah. Yeah. All right. Well, again, our thanks to Brandon Hoffman from Intel 471 for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Coe Jerrigan. 

Dave Bittner: (Laughter) Thanks for listening.