Hacking Humans 9.30.21
Ep 167 | 9.30.21

Capture the Flag, Black Badges and social engineering tricks.

Transcript

Dave Bittner: Hey, everybody, Dave here with an apology and an explanation. You know, one of the most fun parts of doing this show is our weekly Catch of the Day segment, where Joe and I read examples of scam emails. And I usually use some sort of silly voice or character for the scammer. It is a lot of fun. And we've heard from lots of you that it's your favorite part of the show. Back in episode 165, I started our Catch of the Day segment. And what I was trying to emulate was Martin Short's character, Franck, from the "Father of the Bride" series of movies. I came up short. And parts of my interpretation came across as sounding like I was doing a stereotypically Asian voice.

Dave Bittner: We've heard from a handful of you that found that offensive. And you're right; it is. I apologize for my poor job at doing a silly voice and that it came across as a harmful stereotype. I can say in good faith that was not my intention. And my hope is that we've built up enough goodwill here that you'll accept my apology and my explanation as sincere. I will strive to do better. I've gone back and replaced the audio from that segment. And as always, we thank you for listening and for your continued support. Now here's our show. 

Chris Kirsch: You'd get up on stage. And you get given a company name, a target. You are allowed to prepare. And then you have to elicit about - it's about 20 to 30 pieces of information from this company over the phone, live in front of the audience in 20 minutes. 

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Carole Theriault returns. She's speaking with Chris Kirsch. He's the DEF CON 25 Social Engineering Capture the Flag winner. 

Dave Bittner: All right, Joe, let's go ahead and jump into some stories this week. 

Joe Carrigan: All right. 

Dave Bittner: Mine comes from cpomagazine.com, and it's titled Nigerian Threat Actors Skip Social Engineering, Make Direct Pitches to Employees to Install Ransomware on Company Networks. 

Joe Carrigan: (Laughter). 

Dave Bittner: And it's... 

Joe Carrigan: They're not wasting any time. 

Dave Bittner: They just cut out the middleman, right? 

Joe Carrigan: Right. 

Dave Bittner: This is written by Scott Ikeda. And really what they're pointing out here is a bold plan from some scammers. And they think they are coming from - well, let me ask you, Joe. Guess a country that you think these scammers are coming from. 

Joe Carrigan: Well, Dave, you've already tipped your hand here. I'm going to guess Nigeria. 

Dave Bittner: Oh, that's right. It was in the title, right? 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Yeah - sorry. Yeah. Nothing gets by you, Joe. 

Joe Carrigan: Right. 

Dave Bittner: So yes, you are correct. They are from Nigeria. And so, as we said, they're sort of cutting out the middleman here. They're going out on LinkedIn. And they reach out to folks on LinkedIn. And they start with just a nice little salutation to begin with - not tipping their hand. But once they get someone on the hook, basically they offer them a commission for installing ransomware on their corporate network. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, that's kind of brazen (laughter). 

Dave Bittner: It is, indeed. This story says that they're offering 40% of the proposed ransom amount - proposed ransom amount, I will add, is a million dollars... 

Joe Carrigan: Right. 

Dave Bittner: ...if the employee is willing to install the DemonWare ransomware either physically or remotely. And then if you follow up, they give you an Outlook email address or a Telegram username to reply to. They say that the attackers, they have typical broken English... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, not - passable English, but not great, which... 

Joe Carrigan: Right. 

Dave Bittner: ...Of course, tips their hand. And shocker, Joe - shocker of shockers - they don't really follow through with their promised payments. 

Joe Carrigan: Oh, really? 

Dave Bittner: (Laughter) Yes. Yes. 

Joe Carrigan: Now, Dave, I'll tell you. I think that's a mistake on their part - because if they actually paid the people, they might actually be successful. 

Dave Bittner: Yeah. Yeah. Well, they said - I don't know. I mean, yes, you're absolutely right. But they said in a follow-up, for example, that they would pay out $120,000 in response to a company turning over $50 million. And this is - so some folks got in here and - I should mention, these are researchers from a company called Abnormal Security. 

Joe Carrigan: OK. 

Dave Bittner: They're the ones who uncovered all of this. 

Joe Carrigan: Right. 

Dave Bittner: So their researchers engaged with these presumably Nigerian hackers. Right. 

Dave Bittner: And as they went down the path, they were offered $120,000 to hack a company for $50 million, which is... 

Joe Carrigan: Oh, there's no way I'm going in for that small of a fee. 

Dave Bittner: (Laughter) That's right. Everybody has their price, Joe. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: You're going for $50 million. I want at least $20 of that $50 million... 

Dave Bittner: Yeah. 

Joe Carrigan: ...If I'm going to be your guy on the inside. 

Dave Bittner: There you go. So... 

Joe Carrigan: And you know what? Half in advance, please. 

(LAUGHTER) 

Dave Bittner: Right? Yeah. See, turn it around on them. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. Just take the half and then - and ditch them. 

Joe Carrigan: Yep. 

Dave Bittner: The attackers say - they also say that they're the developers of DemonWare ransomware. They're not. 

Joe Carrigan: Right. 

Dave Bittner: The code is publicly available on GitHub. 

Joe Carrigan: OK. 

Dave Bittner: So not surprisingly, no honor among thieves here. But I really think this is noteworthy because of the brazenness, as we say here. They're not trying to phish people or get into their email accounts. They're just going directly to them and saying, hey, be our partner in crime here, and everybody's going to profit. 

Joe Carrigan: Yeah. 

Dave Bittner: I wonder, if you're an organization - you know, I mean, this is a classic insider threat problem. 

Joe Carrigan: Right. 

Dave Bittner: How do you deal with something like this? I guess it's protecting your systems against the installation of ransomware... 

Joe Carrigan: Yeah. 

Dave Bittner: ...No matter where it comes from. 

Joe Carrigan: Malicious insider threat. 

Dave Bittner: Yeah. 

Joe Carrigan: Well, an endpoint protection system is going to be key here. You know, make sure you have tools that detect viruses or malicious software on your computer. 

Dave Bittner: Right. 

Joe Carrigan: And then report that up to some central system to raise alerts. More importantly, I mean, this should be part of every company's system, is you should have auditing, right? So that if it becomes apparent that one of your people is an insider threat, that you have the forensic artifacts to detail their activities and possibly prosecute them criminally. 

Dave Bittner: Yeah. 

Joe Carrigan: So that's really - you know, I say I'm in for $10 million. I'm not in for this at all, right? I mean, because... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: There is a - oh, no, my price was $20 million. I'm sorry. 

Dave Bittner: Yeah. OK. 

Joe Carrigan: Let me be lucidly clear on that. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: There is a lot of prison time waiting for somebody who does this, particularly here in the U.S. if you - if they can prove it. 

Dave Bittner: Right. But here we go again, right? It's greed. 

Joe Carrigan: Right. Absolutely. 

Dave Bittner: Somebody's on their way out the door. They're not happy with where they're working. And they're thinking, this is the compensation package I've been waiting for. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Right. 

Dave Bittner: And of course, it's not going to end up well for them at all - at all. 

Joe Carrigan: No, it's not. If they get caught, they're doing a lot of time. 

Dave Bittner: Yeah. I guess another lesson here is just, if you get these sort of unsolicited messages on a place like LinkedIn, any of the social platforms, just don't bother replying... 

Joe Carrigan: Don't... 

Dave Bittner: ...To them. Just... 

Joe Carrigan: Yeah, don't even engage with them, you know? 

Dave Bittner: Let them go. 

Joe Carrigan: Just leave them be. 

Dave Bittner: Yeah. Absolutely. All right. Well, again, we'll have a link to that story in the show notes. That's from CPO Magazine. Joe, what do you have for us this week? 

Joe Carrigan: Dave, I'm going on a trip soon. Well, don't worry, dear listeners, I will be back by the time this episode is released, so don't try robbing my house. 

Dave Bittner: Well, they would not make it past your vicious guard dog anyway (laughter). 

Joe Carrigan: That's right. Guard dogs. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: I have two of them. 

Dave Bittner: Right (laughter). 

Joe Carrigan: And they will give you the licking of a lifetime. 

(LAUGHTER) 

Dave Bittner: Oh, don't tempt me, Joe. Don't tempt me. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Matt Karsten has a website called The Expert Vagabond. And he has a story recently that he put up on travel scams. Now, you know, my trip is going to be domestic, but these are all focused remotely, you know, for international travel... 

Dave Bittner: OK. 

Joe Carrigan: ...Things that happen in other countries, don't really happen that much in the U.S. But I thought some of them are interesting. 

Dave Bittner: Yeah. 

Joe Carrigan: These are some of his - the article's pretty good. He actually goes into details about how he may have fallen for some of these at some point in time or tried to be targeted by them. The first one is the broken taxi meter scam. 

Dave Bittner: Oh, OK. 

Joe Carrigan: You get to the airport, and you say, I need to go to the hotel. 

Dave Bittner: Right. 

Joe Carrigan: Or if you're Steve Martin, you say, (imitating Steve Martin) I would like to go to the hotel. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: And the cab driver says, all right, but my meter's broken, so you're just going to have to pay what I ask you to pay, right? This is a scam, right? 

Dave Bittner: OK. 

Joe Carrigan: You should either, at that point in time, start negotiating a price, then, right? Or get out of the cab and find another cab or get a shuttle to the hotel from the hotel. Ask the hotel if they have shuttle service... 

Dave Bittner: OK. 

Joe Carrigan: ...From the airport. 

Dave Bittner: What's the scam? 

Joe Carrigan: The scam is that when you get there, they go, OK, that's $100, right? And then if you don't pay, they threaten legal action because, you know, in most countries, not paying a cab fare is a crime. 

Dave Bittner: Sure. 

Joe Carrigan: Right? So they've kind of got you. You don't - you know, so either - I would say, either just get out of the cab. That would be my response. Oh, your meter's broken? Well, we can't ride with you then. 

Dave Bittner: Yeah. 

Joe Carrigan: Just go on to the next cab. 

Dave Bittner: I guess also they're taking advantage of the fact that you're a stranger in a strange town. 

Joe Carrigan: Oh, absolutely. 

Dave Bittner: So you're already feeling a little - perhaps a bit timid... 

Joe Carrigan: Yep. 

Dave Bittner: ...Because of that. 

Joe Carrigan: Yep. 

Dave Bittner: You're out of your element. 

Joe Carrigan: Yep. 

Dave Bittner: Interesting. 

Joe Carrigan: All that applies. 

Dave Bittner: Yeah. What else? 

Joe Carrigan: The closed or overbooked hotel - this is another thing that happens with cab drivers. You get in. You say, take me to this hotel, and they go, oh, that hotel is closed for renovations. And you - I have a reservation. Oh, no, there's nobody going to that hotel. And then they take you to another hotel that provides them with a kickback and probably costs you more. So - have you ever heard of that one? 

Dave Bittner: No, I have not. 

Joe Carrigan: Matt says that he's never fallen for this one, but he's had two or three drivers try to pull it on him. And... 

Dave Bittner: Seems to me that one would be harder to get away with in the era of mobile devices, where you could call the hotel... 

Joe Carrigan: Right. 

Dave Bittner: ...And say, hey, are you open or not (laughter)? 

Joe Carrigan: Yeah, and that's the advice. 

Dave Bittner: Right. 

Joe Carrigan: Call your hotel in advance. Make sure they're open. 

Dave Bittner: Right. 

Joe Carrigan: And when the cab driver says they're closed, just say, you know what? Just take me to the hotel. 

Dave Bittner: Yeah. Or take a different cab. 

Joe Carrigan: Or take a different cab. 

Dave Bittner: Yeah. 

Joe Carrigan: Spills on your clothing - this is one we've kind of talked about before or similar to ones we've talked about before. And actually, one of the things that I've said - this is absolutely how people could get me. 

Dave Bittner: OK. 

Joe Carrigan: We've talked about the scam of the mustard on the kid, right? 

Dave Bittner: Right. 

Joe Carrigan: You have a kid with you, and somebody somehow smears mustard on the kid, and then goes - the kid comes up to you, and you're like, oh, my God, my kid has this on him. 

Dave Bittner: Yeah. 

Joe Carrigan: You're in a crowded place. You start cleaning the kid. And while you're bending over, cleaning the kid, someone picks your pocket, right? Well, this is a very similar one. The person is walking. Maybe they have a hot dog, right? 

Dave Bittner: OK. 

Joe Carrigan: Or maybe they have some coffee or something, I don't know. But they bump into you, and they mess up your clothing. And then they start wiping your clothing down, right? So what they're doing is they're touching you and getting you accustomed to being touched. We had Brandon - I can't remember Brandon's last name, but he was a magician... 

Dave Bittner: Yep. 

Joe Carrigan: ...And a sleight of hand expert. 

Dave Bittner: Yeah. 

Joe Carrigan: And he said that's one of the things he starts doing, is he touches people... 

Dave Bittner: Right. 

Joe Carrigan: ...Get them accustomed to being touched. And then this guy reaches and picks your pocket. 

Joe Carrigan: Fake police scams. This one's terrifying to me. 

Dave Bittner: Go on. 

Joe Carrigan: Right? So first off, a person approaches you while you're in a foreign land, and they say, hey, man, you want to buy some drugs, right? And you being, like, the stand-up citizen, go, well, what kind of drugs? No, no, no. You say... 

(LAUGHTER) 

Joe Carrigan: You say no, thank you. I'm not interested in buying drugs or doing any time in your prisons. 

Dave Bittner: Right. 

Joe Carrigan: And just then, two more people come out of the crowd dressed as police officers and arrest the guy who tried to sell you drugs. And then they turn to you and go, hey, he was asking you. Give me your passport and your identification and your wallet, right? And they start, like, strong-arming you. 

Dave Bittner: Yeah. 

Joe Carrigan: Matt says that you request that these people show their identification. And then you say, I don't have my passport. It's locked up back at the hotel. We can go back and get it. And if they refuse to comply with that, you can walk away. Another solution I read for this is to say, you know what? Why don't we just go down to the police station, and I'll establish my identity there, right? Usually that causes people to disappear. 

Dave Bittner: Right. 

Joe Carrigan: Right? Because the police don't appreciate impersonators. 

Dave Bittner: Right. Right. That reminds me of the advice that if you're driving, for example, and a police officer, you know, lights up their lights behind you... 

Joe Carrigan: Right. 

Dave Bittner: ...And you feel as though it's not right, just doesn't feel right, you should just drive to the nearest police station... 

Joe Carrigan: Right. 

Dave Bittner: ...And deal with it there. 

Joe Carrigan: You can also call 911 here in the States and say, you know, I'm getting pulled over. You know, here - around here, there is a police officer that drives an unmarked car that I absolutely would not pull over for. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: It's, like, a Hyundai, and it has LEDs in it. And I've seen this guy standing with other police officers, so I'm pretty sure he's a police officer. 

Dave Bittner: Yeah. 

Joe Carrigan: But I'm not pulling over for that car. 

Dave Bittner: Right. 

Joe Carrigan: I'm calling 911, and I'm going, look. I think somebody impersonating a police officer is trying to pull me over. Can you please send a uniformed police officer to pull me over? 

Dave Bittner: Right. Right. 

Joe Carrigan: And... 

Dave Bittner: And they'll say yes, sir, Mr. Carrigan. In fact, we'll send 12. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's fine. That's fine. But I don't think there's a jury in the world that would convict me of evading a police officer when they see a picture of a Hyundai with LEDs in the front of it. 

Dave Bittner: Sure (laughter). 

Joe Carrigan: I'm not pulling over for that. That's a safety risk. 

Dave Bittner: Yeah, absolutely. Absolutely. 

Joe Carrigan: The friendly ATM helper, right? You walk up to an ATM and, of course, there's no English written on it. 

Dave Bittner: OK. 

Joe Carrigan: Right? So somebody offers to help you. And what they're there to do is - actually, they might even direct you to another ATM that actually has one of their skimmers on it. And then their - a skimmer is a device that will read the information off the magnetic stripe of your ATM card. And they will then watch you as you enter your PIN. And Matt says, don't let anybody be around you. 

Dave Bittner: Yeah. I think that's something that intimidates me about foreign travel, is dealing with the money - you know, the conversion rates, the - especially places that have very different, you know, values of their money - right? - where, you know, 10,000 of something is worth a dollar, you know, something like that. 

Joe Carrigan: Right. 

Dave Bittner: I just - in other words, I think I could be vulnerable in that situation because of my lack of confidence in things like exchange rates... 

Joe Carrigan: Right. 

Dave Bittner: ...And so on and so forth. 

Joe Carrigan: Yeah. You need cash to get around a lot of countries... 

Dave Bittner: Yeah. 

Joe Carrigan: Because not everybody there - it's not like in the U.S., where we have - you know, every merchant has Square - right? - or some other payment means that they can accept a credit card. 

Dave Bittner: Right. 

Joe Carrigan: They're going to want cash for their goods. 

Dave Bittner: Yeah. 

Joe Carrigan: The group photo offer is another good one, right? If you're with a group, somebody says, do you guys want me to take your picture? And you're like, yeah. And then you're standing there, and he keeps backing up and backing up and backing up and eventually just turns off and - turns around and takes off with your camera. You're like, oh (laughter). 

Dave Bittner: Yeah. 

Joe Carrigan: It was... 

Dave Bittner: I saw one where it was a team of scammers, and they were targeting tourists who had high-end cameras - you know, DSLRs. 

Joe Carrigan: Right. 

Dave Bittner: And they would come in, and they would distract them. And while they were distracting this person, they would steal the lens off of their DSLR. 

Joe Carrigan: Really? 

Dave Bittner: Because some - you know, some of these... 

Joe Carrigan: That lens is expensive. 

Dave Bittner: Some of these lenses are thousands of dollars. 

Joe Carrigan: Right. 

Dave Bittner: And so somebody has a nice lens, and so the person still has the camera hanging around their neck. 

Joe Carrigan: Yeah. 

Dave Bittner: But by the time these folks are gone, you know, they look down, and the lens is gone. 

Joe Carrigan: Right. And that lens comes off with, like, a quarter turn, right? 

Dave Bittner: Yep. 

Joe Carrigan: So it's pretty easy to remove it. 

Dave Bittner: Yeah. I mean, if you know what you're doing, absolutely. 

Joe Carrigan: Yeah. These scammers know what they're doing. 

Dave Bittner: (Laughter) They do indeed. 

Joe Carrigan: You know, they probably run a camera shop (laughter). 

Dave Bittner: Right. Yeah, usedlenses.r-us (ph). 

(LAUGHTER) 

Joe Carrigan: Here's a big one. And we've talked about this one before plenty of times - fake Wi-Fi hubs. You know, open Wi-Fi - you should never use that while traveling. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, accept the fact that you're going to be in a foreign country and may not be able to communicate as readily. And if you can't afford to do that, maybe you don't go. I don't know. 

Dave Bittner: Yeah, you know, this is an interesting one because I've seen some folks, you know, some knowledgeable security folks say recently that this may be overstated because... 

Joe Carrigan: Really? 

Dave Bittner: Well, because we're at the point now where a high enough percentage of our information is encrypted by default with our web browsing - that that really takes most of the risk out of something like this. 

Joe Carrigan: Yeah. And if they try to do a man-in-the-middle attack nowadays, it's pretty apparent. 

Dave Bittner: Yeah. 

Joe Carrigan: So yeah, that is true. 

Dave Bittner: Yeah, I still - it's good advice, though. I mean... 

Joe Carrigan: Yeah, I still don't connect to these things. I use my phone. 

Dave Bittner: Yep, yep, yep, yep. Good advice. 

Joe Carrigan: Cheap enough. 

Dave Bittner: Yeah. 

Joe Carrigan: This was interesting. And when I did research for this episode today, I found a couple other variations of this one, but this is the motorbike rental damage scam. All right. So you rent a motorbike from somebody. 

Dave Bittner: Yeah. 

Joe Carrigan: And when you bring the motorbike back, there's been some damage that's been inflicted to it, usually, like, a slit seat... 

Dave Bittner: Oh. 

Joe Carrigan: ...Right? And the guy at the rental place insists that you pay an exorbitant price for it, right? There is another one I saw that was about Jet Ski damage, right? You come back, and there's some kind of damage. Maybe the damage was there before. But in this instance, other people were in on the scam, and they would get around the person who rented the Jet Ski and then essentially march him to an ATM to withdraw the money to pay for it. 

Dave Bittner: Wow. 

Joe Carrigan: So it's a risky proposition, I guess. I don't know what you do in this situation. I think you, you know, get law enforcement involved as soon as you can. But, you know, who knows? In some countries, they may be in on it. 

Dave Bittner: Well, you know, like, when you rent a car... 

Joe Carrigan: Right. 

Dave Bittner: ...A lot of times, there's - there'll be a little chart on the rental - you know, the rental form... 

Joe Carrigan: Right. 

Dave Bittner: ...That has a picture of the car. And they'll mark off if there's any dings on the car or anything like that. I could see, like, in a motorbike situation, you take some pictures before you head off with it... 

Joe Carrigan: Right. 

Dave Bittner: ...With the person who's renting it, you know, in the frame so that you can document that this was the condition of this thing when I left this place. 

Joe Carrigan: Right. 

Dave Bittner: And then, you know, at the very least, taking that extra effort will probably have them leave you alone. 

Joe Carrigan: Yes. 

Dave Bittner: They'll move on to an easier target. 

Joe Carrigan: Right. In one of these scams, what they say is they actually have somebody from the rental organization go out and slit the seat of the motorcycle... 

Dave Bittner: Oh, wow. 

Joe Carrigan: ...Right? And they charge you an exorbitant fee for it. 

Dave Bittner: Oh. 

Joe Carrigan: And what that means is they're just essentially selling motorcycle seats for a high price... 

Dave Bittner: Right. 

Joe Carrigan: ...Because those things pop right off, and you put a new one on. 

Dave Bittner: Right. 

Joe Carrigan: You know, and they probably have an organization back there putting new... 

Dave Bittner: The guy in the shop next door... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, Motorcycle Seats 'R' Us... 

Joe Carrigan: Exactly. 

Dave Bittner: ...Is in on this thing. 

Joe Carrigan: Yep. 

Dave Bittner: That's fascinating. All right. One more? 

Joe Carrigan: One more - gemstone or carpet deals. You meet up with a guy who says, I have a very lucrative side business selling jewelry or gemstones. If you get these back to the United States, you could sell them for a huge profit. Of course, all of these things are fake, right? He's selling you a bunch of cut glass. And when you're on vacation, no matter how good the deal is, remember, if it's too good to be true, it probably is. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, they're not going to sell a bunch of underpriced diamonds or rubies or whatever to just some guy they just met. 

Dave Bittner: Right (laughter). 

Joe Carrigan: They're going to - you know, they're going to make more money on that selling it to somebody who's legitimate. So that's probably a scam. 

Dave Bittner: Yeah. Yeah, you know, tourist destinations are not known for their great deals... 

Joe Carrigan: Right, yeah. 

Dave Bittner: ...In shopping and - you know (laughter)? The jewelry store in the resort hotel - probably not... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...The best deal. 

Joe Carrigan: Ooh, I love that piece. We are not buying that piece here (laughter). 

Dave Bittner: Yeah. But that's not what they're about. 

Joe Carrigan: Right. 

Dave Bittner: You know, so, you know, I guess if you know what you're in for and you can afford it, well, then so be it. But just word to the wise, right? 

Joe Carrigan: Yep. 

Dave Bittner: All right. Lots of interesting stuff here. So we will have a link to that in the show notes, as always. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Reddit. The user has a name that's unpronounceable... 

Dave Bittner: (Laughter) Right, OK. 

Joe Carrigan: ...So we'll put a link in the show notes... 

Dave Bittner: Fair enough. 

Joe Carrigan: ...If it's still there. But this user looks to have gotten some text messages from someone calling themselves Harnique Crush (ph). And there is a picture of a very attractive blonde woman in - as a profile picture. Yeah, yeah. 

Joe Carrigan: And, Dave, as always, why don't you play the very attractive blonde woman? And I will play the person that tried to - this person was trying to scam. 

Dave Bittner: All right. Hey. How are you doing today? Good evening. How are you doing today? Hello? What going on? Are you there? 

Joe Carrigan: I'm good, thanks. 

Dave Bittner: Nice. How was your day? Why? Are you busy? 

Joe Carrigan: My day was good. Yours? I'm cooking dinner right now, so yes, very busy. 

Dave Bittner: Oh, so when will you be free? How many minutes will that take? 

Joe Carrigan: An hour. 

Dave Bittner: OK. You told me just an hour now. Until today, you never text back. What up? 

Joe Carrigan: Sorry. I got busy with other things and forgot. 

Dave Bittner: OK. It fine. So good morning. How are you doing today? How was your night? 

Joe Carrigan: I'm good today. How are you? 

Dave Bittner: Am just good. Hope all is well with you. 

Joe Carrigan: Did you sleep well? 

Dave Bittner: Yes. And where you from? What state and city you in? 

Joe Carrigan: So I don't share that kind of information with anyone I just met on here. I hope you understand. 

Dave Bittner: Yes, but what bad? What bad knowing the state you are? Is it bad? Why? What are you trying to say? 

Joe Carrigan: I'm saying that there are too many scammers on here to trust anyone initially. 

Dave Bittner: OK. So not forcing you to be here. Why do you have the app and still use it? 

Joe Carrigan: I'm just here to meet new people and make friends. That's all. 

Dave Bittner: So why are you saying scam? 

Joe Carrigan: But certain private information will always stay private. 

Dave Bittner: If you make friends, won't they ask where you are from? There is not F-ing private, I can't be your friend and know your darn place. It's stupid to me. 

Joe Carrigan: Sure. But if they're genuinely interested in being friends, they'll understand that it takes time to build trust. 

Dave Bittner: Yes, it is, but not as you are shingles - saying. You want to be friends? I have to know many, and I will ask. 

Joe Carrigan: Why is it so important for you to know? 

Dave Bittner: Then block me if you don't want to tell because I will ask, I most surely know. 

Joe Carrigan: You can ask. It doesn't bother me. Just know that I won't answer certain personal questions until I know you can be trusted. 

Dave Bittner: OK, then F off. 

Joe Carrigan: Nice to meet you, too, scammer. 

Dave Bittner: Nice to meet you, F-ing dog scammers. F you, A-hole whore. 

Joe Carrigan: (Laughter). 

Dave Bittner: Blocking you off my page. 

Joe Carrigan: And that's where it ends. 

Dave Bittner: Well, that took a turn, didn't it (laughter)? 

Joe Carrigan: Yeah, it did. That took a really bitter turn towards the end (laughter). 

Dave Bittner: My goodness. 

Joe Carrigan: It was pretty good. 

Dave Bittner: Yeah. You know, Joe, you get more flies with honey (laughter). 

Joe Carrigan: Yeah. I mean, this guy could've taken a little bit of time and built some rapport. And, I mean, because it's obviously - first off, I love how you do the voice of someone who's been smoking Marlboros for the past 20 years. 

Dave Bittner: (Laughter) Yes. It's like Lucille Ball in her later years. 

Joe Carrigan: Right. Right. Exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: Because I'm pretty sure this is not a... 

Dave Bittner: (Mimicking Lucille Ball) Oh, Davey. 

Joe Carrigan: ...An attractive blonde woman on the other end of this conversation. 

Dave Bittner: No, probably - good. Yes. I would bet on that. Yeah (laughter). 

Joe Carrigan: Probably a safe bet. 

Dave Bittner: Yeah. All right. Well, that is our Catch of the Day. We would love to hear from you. If you have something you'd like us to share, you can email us. It's hackinghumans@thecyberwire.com. All right. Joe, Carole Theriault is back. She always brightens things up around here, doesn't she? 

Joe Carrigan: Hello, Carole. Yes, she does. 

Dave Bittner: (Laughter). 

Joe Carrigan: Often, when I'm typing, I hear things in Carole's voice. 

Dave Bittner: Is that right? 

Joe Carrigan: Yes (laughter). 

Dave Bittner: All right. Well, maybe you should talk to your doctor about that. 

Joe Carrigan: Maybe I should. 

Dave Bittner: She is bringing us her interview with Chris Kirsch. And he was the winner of the DEF CON 25 social engineering capture the flag. Here's Carole Theriault. 

Carole Theriault: Today, I would like to welcome Chris Kirsch to Hacking Humans. Chris has been in the cyber world for over 20 years. He's worked all over the world and is an expert on encryption, hacking. And he's the co-founder of Rumble.run. Now, Chris is also a winner of DEF CON's SC... 

Chris Kirsch: SE CTF. 

Carole Theriault: E CTF (laughter). 

Chris Kirsch: That's social engineering capture the flag. Yeah. 

Carole Theriault: Which I know nothing about that. So Chris, thanks so much for joining me today. Let's first talk about DEF CON and getting this black badge. Tell me about that. 

Chris Kirsch: Sure. I'd love to. So DEF CON is one of the world's biggest hacking conferences. I think it's actually the biggest one, about 30,000 people that, you know, fly into Vegas every year - not right now (laughter). 

Carole Theriault: But it's so huge, actually. It's amazing to think it. 

Chris Kirsch: It is huge. They take up three entire big conference hotels in Vegas now. They started out a lot smaller. But it's just grown over the years. And DEF CON has all of these different what they call villages, different parts of the conference that specialize in different things. And one of those is the social engineering village, where they give talks on the topic of social engineering. But they also have this really cool competition that I participated in. And I saw it in my first year, and it just blew me away. And I just wanted to engage in that. So the competition is, basically, you get up on stage in front of about 1,000 people. 

Carole Theriault: OK. 

Chris Kirsch: And you get given a company name, a target. You're allowed to prepare. And then you have to elicit about - it's about 20 to 30 pieces of information from this company over the phone, live in front of the audience, in 20 minutes. 

Carole Theriault: Wow. 

Chris Kirsch: It's a lot of fun. It's nerve-wracking. 

Carole Theriault: I bet. 

Chris Kirsch: First year, I did really well in the written part, but I - when I got up on stage, nobody picked up their phone because it was a Saturday afternoon. So I really bombed the first year. And I thought, you know, I've already lost my dignity here. 

Carole Theriault: Not your fault, though. 

Chris Kirsch: (Laughter). 

Carole Theriault: Not your fault. Not your fault. 

Chris Kirsch: Yeah. I already lost my dignity, so what can go wrong? I'll go back next year. And so the following year went really well, and I won the competition. And that earned me what's called a black badge at DefCon. So that means it's - you know, like, inflates my ego, and then also get in for free. That's pretty much what it means. 

Carole Theriault: So you can go in any year, any time. You can just swan in. 

Chris Kirsch: Yes. 

Carole Theriault: You're like VVVIP. 

Chris Kirsch: Exactly. Exactly. 

Carole Theriault: Nice. 

Chris Kirsch: And I like freebies, right? 

Carole Theriault: I'm glad we're friends, buddy. 

(LAUGHTER) 

Carole Theriault: And when did this happen? When did you win this black badge? 

Chris Kirsch: God, this was DefCon 25, so the silver anniversary. And this was, I think, about three years ago, something like that. Yeah. 

Carole Theriault: You're the perfect person to talk to because you basically play a bad guy, right? You're playing a scammer effectively. So where are we, as people, vulnerable? Like, what works? How do - you know, how do you go through the mindset of winning trust from these victims? 

Chris Kirsch: Sure. So it actually starts out way before you pick up the phone. Because what I did is, after I got the name of the target company - and this was a - that year, the topic was toy and gaming companies. So I had the name of a target, and I had three weeks to research that target. So I went really deep on LinkedIn, on Glassdoor, on all sorts of sites to read everything I could find about this company and to understand the jargon that they're using internally - because every company's got their own language - to understand how they are organized, to find phone numbers of the different departments and what they care about, understand the company mission, understand what are hot topics for that company. 

Chris Kirsch: And now, once you have a phone number, you can say, all right. If I target this particular person or department, then I have enough background to build a really credible story, something that we call a pretext. And so this OSINT - this open-source intelligence - the research that I did upfront is really helpful to build trust very quickly. So for example, when I called up - I called up a retail location that they had because that was something that was open during my call time. And I just said, hey, I'm Mike so-and-so from Wilmington. Because I knew that was where their headquarters was... 

Carole Theriault: Ah. Smart. 

Chris Kirsch: ...For the subsidiary of the company, right? 

Carole Theriault: Right. 

Chris Kirsch: So I don't even have to say I'm from the subsidiary, et cetera, et cetera. You just use - and that's what I mean by internal lingo. So I'm from Wilmington, and I work on the ERP team. 

Carole Theriault: Yep. 

Chris Kirsch: I have a quick question for you. Are you open right now? Do you have customers in the store? Because that is a question that they would answer even to, like, the average Joe customer who is calling in, right? Are you open right now? So I wanted to start out with something very simple that they would be comfortable asking. And then I say, like, hey, I'm asking because I haven't gotten any bookings data from your POS systems, from your point-of-sale systems. 

Carole Theriault: Using lingo again to try and... 

Chris Kirsch: Exactly... 

Carole Theriault: Yep. 

Chris Kirsch: ...Using lingo again. And I think the person I had was, like, an assistant manager or maybe a security guard, something like that, not at all trained on avoiding scammers on the phone. If you call a call center, a support center or something like that, they're usually trained. But these folks are in retail. They're possibly even minimum wage, right? They're not well-trained on this kind of stuff. So that's why I targeted the store. 

Chris Kirsch: And so I asked them, hey, can you check - does your store have internet access right now? Can you check Facebook, right? So again, I'm increasing my ask. But it's not a crazy ask. It's not a crazy jump. And so I increased it more and more and more until I got them to agree to basically receive a router that I'm going to send them as a replacement through FedEx. And they're going to plug it into the network and send me the old one, right? So if I can control what they plug into the network, I - you know, I win, right? Because I have presence on the network. 

Carole Theriault: Yeah. 

Chris Kirsch: I also got them to go to a website of my choice by saying, hey, can you help me? Just go to this website. It's a quick diagnostics tool to help us figure out what's wrong, right? Little asks for help often - are often responded to if you build rapport upfront. And one technique I used right in the beginning when I called them was actually something that I call an artificial time constraint. So that means I told them that I only have a certain amount of time so that they don't feel that they have to get me off the phone, right? So what I told them is, hey, I wonder if you can help me with this. I only have five minutes because I have to pick up my kids. 

Carole Theriault: That's so sneaky. 

Chris Kirsch: Right. 

Carole Theriault: Yes. 

Chris Kirsch: And that actually also works really well in sales. Like, if any folks listening are in sales, if you're doing cold calls, and you're saying, hey, I'm sorry, I have a customer meeting in five minutes, but I just wanted to make sure I follow up with you on your white paper download to answer any questions that you may have - right? - now, the person on the other end doesn't think, oh, my God, a sales guy. How do I get rid of them? 

Carole Theriault: Yeah. And for the rest of us, when someone gives us an artificial time constraint, we know what's going on maybe. 

(LAUGHTER) 

Chris Kirsch: But now they're thinking, like, oh, OK. This guy's got to go. I don't have to worry about him keeping me here for ages, right? So I use that. So those are some of the small techniques. 

Carole Theriault: Amazing. And all this info, listeners, can help us stay out of their way. This was Chris Kirsch. He's the co-founder of Rumble.run and a recent black badge winner at DefCon. Chris, thanks for coming on the show. 

Chris Kirsch: All right. Thank you very much for having me. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: That's a great story. Very interesting to hear how that goes. 

Dave Bittner: Yeah. 

Joe Carrigan: The social engineering capture the flag, or SECTF, as it's called, is a DefCon competition that's run by Christopher Hadnagy right now, who we've had on the show. And he's the author of social engineering books that are really, like, the gold standard. 

Dave Bittner: Yeah. 

Joe Carrigan: This competition is also the competition that Rachel Tobac has won multiple times. 

Dave Bittner: Yep. 

Joe Carrigan: Now Chris Kirsch is on the show, so we've had multiple DefCon winners and multiple winners and black badge holders. So I'm... 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: ...Pretty happy about that. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Whenever you win a DefCon event, you get a black badge that entitles you to go into all the remaining DefCons. Every subsequent DefCon, you just walk in with this badge. It's nice. 

Dave Bittner: Well, that's swanky. 

Joe Carrigan: It is. There are two parts to this capture the flag event. The first part is an open-source intelligence gathering, or OSINT part. 

Dave Bittner: Yep. 

Joe Carrigan: And the second part is a vishing part. And in the OSINT part, you have to actually build a report and hand in a report on a company. And competitors have three weeks to complete this report, so it actually starts - this event starts before the DefCon event starts. 

Dave Bittner: Yeah. 

Joe Carrigan: And then when you get to the DefCon event, you actually make the phone calls and try to get the information that you've been tasked with getting. 

Dave Bittner: Right. 

Joe Carrigan: Chris talks about going to LinkedIn and Glassdoor to do his OSINT, target the company. 

Dave Bittner: Yeah. 

Joe Carrigan: But you can also look at Google, Facebook, Twitter. Any open-source resource that's available is going to have information about these things. You know, a lot of times companies have presences on these social media platforms where they can - you can gather information about what they do and how they do it. And he determines the internal jargon of these companies, which I think is interesting. I'd like to know how he does that. He gets to their organization, so a lot of times you can find org charts online. 

Dave Bittner: Yep. 

Joe Carrigan: And then he finds their hot-button issues. And once he has this information, he builds a pretext, which is the lie that he wants people to believe. And building that pretext is easier because of the amount of open-source intelligence gathering he's done. 

Dave Bittner: Right. 

Joe Carrigan: You know, it's very important for people to realize that when they are targeted by a social engineering attack, there has been all kinds of research that's gone into it beforehand. And not just a social engineering attack - just about any kind of cyberattack is going to start with open-source intelligence gathering. And these attackers are going to do exactly that. They're going to gather all the information about your site. If they're going to do a - about your company, rather. If they're going to do an actual, like, cyberattack, they're going to have a map of all your resources that are on the internet. They're going to know what's going on. 

Dave Bittner: Right. 

Joe Carrigan: It's interesting. He talks about, in this one case, how he targeted somebody at a retail location because he knew that person was probably not going to be trained as well as the people at the corporate locations, right? And then he's going to get - essentially got them to agree to hook up a router on their network, and essentially that would hook it right up to the corporate network. 

Dave Bittner: Yeah. 

Joe Carrigan: So very interesting. One of the other key events or key pieces of information here is that he uses the artificial time constraint, right? He's like, look. I've got to go in five minutes, but I need your help right away. And the guy's like, OK, I can help you for five minutes. 

Dave Bittner: Yeah. 

Joe Carrigan: That's how this works. That's how this mental trick works. Also, he comes in saying that he's from the corporate office, but he uses the proper lingo, the proper jargon, for getting that, to get him to drop their - I think it was Wilmington. He says, I'm from Wilmington... 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: ...So, like, the headquarters. Because that's what they call the headquarters. 

Dave Bittner: Right. Right. Right. And so he short-circuits... 

Joe Carrigan: Right. 

Dave Bittner: ...Some of the... 

Joe Carrigan: Immediately... 

Dave Bittner: ...Suspicion that they might have. 

Joe Carrigan: Immediately gets the guard lowered. 

Dave Bittner: Yep. 

Joe Carrigan: Yep. 

Dave Bittner: Yep. All right. Well, interesting interview for sure. We appreciate Chris taking the time for us. And of course... 

Joe Carrigan: Yeah, good interview. 

Dave Bittner: Thanks to Carole Theriault for joining us as well. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at issi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.