Hacking Humans 10.28.21
Ep 171 | 10.28.21

Good grammar is essential for business email compromise.

Brandon Hoffman: I think, you know, there's a multiprong approach that you have to take to address this problem seriously.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Brandon Hoffman returns. He's from Intel 471, and he's got some research on business email compromise. 

Dave Bittner: All right, Joe, let's dive into our stories here. 

Joe Carrigan: OK. 

Dave Bittner: I'm going to kick things off. And, you know, our listeners may not know this about you because they only get to listen on the show, but, Joe, you are a wearer of elite sneakers. You come in here every week with a different pair of fancy, expensive, high-quality sneakers. I've never seen anyone who has a collection of sneakers quite like yours. 

Joe Carrigan: Yes, Dave. That's correct. I have... 

Dave Bittner: (Laughter). 

Joe Carrigan: I have so many sneakers I don't know what to do with them. 

Dave Bittner: Yes. 

Joe Carrigan: I only wear a pair of sneakers once. I'm like - you know how Jerry Lewis used to only wear a pair of socks once? 

Dave Bittner: Is that right? 

Joe Carrigan: Yes. He was a peasant compared to me. 

Dave Bittner: (Laughter). 

Joe Carrigan: I only wear my sneakers once. 

Dave Bittner: I see. Well, this story is right up your alley. This is from The New York Times. It's written by Daisuke Wakabayashi, and it's called "The Fight for Sneakers." And the story here starts off with a - there's a shop in Boston called Bodega, and it's a streetwear shop in the Back Bay neighborhood of Boston. And they're well-known for having the latest sneakers in their shop. So when a new sneaker comes out, they're the first to have it. 

Joe Carrigan: They're actually the second, Dave. I'm the first to have it. 

Dave Bittner: (Laughter) I stand corrected. That's right. 

Dave Bittner: So back in 2019, New Balance came out with a special edition of their 997S sneaker, which is a very high-quality shoe. And the entire stock sold out online in about 10 minutes. But the problem is about 60% of the sales went to bots. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. So the bots had claimed hundreds of pairs of these New Balance sneakers for a single customer, and so many, many people weren't able to get their sneakers at all. And, of course, what these bots do is they buy up the hot sneakers as quickly as possible, and then they go and they resell them. And there are... 

Joe Carrigan: Because people are willing to pay more than New Balance is charging for them. 

Dave Bittner: Correct, correct. And, of course, as you know, Joe, being a sneaker aficionado... 

Joe Carrigan: Right. 

Dave Bittner: ...These sneakers go for high dollars on the resale market. 

Joe Carrigan: They do. 

Dave Bittner: And they're very collectible. And this article has a little bit of the history of it, that this really kicked off back in the '80s with the original Nike Air Jordans. 

Joe Carrigan: Right. 

Dave Bittner: Which I remember when those came out thinking to myself, who in the world would pay that much money for a pair of sneakers? 

Joe Carrigan: Right. 

Dave Bittner: And turns out lots of people (laughter). 

Joe Carrigan: Yes. 

Dave Bittner: And I - you know, I mean, we - you and I were around when this ramped up, when sneakers became a thing, became a fashion statement. 

Joe Carrigan: Yes, they - yeah. I remember this clearly. And in case the listeners haven't picked up on this, I own exactly one pair of serviceable sneakers. 

Joe Carrigan: And they are New Balance. And I'm wearing them now, actually. 

Dave Bittner: Yeah. 

Joe Carrigan: But it's time for me to get new ones because these are about a year old. 

Dave Bittner: Ah, OK (laughter). 

Joe Carrigan: But I paid - for these, I think I paid 120 bucks. And that is more than I ever thought I would pay for a pair of just regular sneakers. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: (Laughter). 

Dave Bittner: When I was a kid, because my feet are shaped like duck feet - I have very wide feet. 

Joe Carrigan: Right. 

Dave Bittner: And New Balance was the only brand that came in widths. So I - you know, when everyone was getting Nikes, I got a pair of Nikes and proceeded to bust through the sides of them in about two weeks. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. And my mom said, well, we're never doing that again. So I had a teacher, actually, who was a runner, and he said, you know, you should check out these New Balance shoes. And at that point, no one had ever heard of New Balance. So I had to go to the special runners' shoe store and buy these New Balance shoes. And I remember they were like $75, which was an unbelievable amount of money back then. 

Joe Carrigan: Right. 

Dave Bittner: But they were great, and they fit me perfectly and they lasted a long time. And so, you know, I've been a fan of their shoes ever since. But I digress. 

Joe Carrigan: Right (laughter). 

Dave Bittner: This - so these shoes became collectibles, starting with the Jordans. I remember the Reebok Pump was another hot shoe... 

Joe Carrigan: Yup. 

Dave Bittner: ...Back in the day. I had a pair of Reebok basketball shoes. I remember also that the style at the time was to wear them loose, to not tighten your laces, to just have your - the tops of the shoes open. 

Joe Carrigan: Yes. 

Dave Bittner: That's the style when I was in high school. 

Joe Carrigan: That's the way I used to wear my high-tops. 

Dave Bittner: Yes, exactly, exactly. So anyway, a big market for these shoes, and they sell out quickly. A shoe that will retail for $200 can sell for $800 on the resale market. 

Joe Carrigan: That's amazing to me. 

Dave Bittner: Yeah, it is. But - so the question is, should these retailers be trying to shut down the bots? This article points out there's nothing illegal about bots... 

Joe Carrigan: Right. 

Dave Bittner: ...Nothing illegal about using automation to try to purchase large quantities of things. But if you're a retailer, you kind of have mixed feelings about this because, on the one hand, a bot sort of makes your life easier because if you sell all of your shoes instantly to one location, basically you put - stick them on a pallet and ship them off and cash your check. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Yeah. 

Dave Bittner: But on the other hand, you have a lot of disappointed customers. 

Joe Carrigan: Yes. 

Dave Bittner: And so for the long term, it's not good for you to not be able to have the product available. 

Joe Carrigan: Here's another angle for this, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: Are these retailers and manufacturers actually losing money that these essentially shoe scalpers are making? Could these guys be charging a higher price for the shoe to begin with? 

Dave Bittner: It's a good question. 

Joe Carrigan: And should they do that as a matter of course? I mean, these are luxury items. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, these are not - you can get a good commodity shoe for a reasonable price. 

Dave Bittner: Yep. 

Joe Carrigan: Right? You don't need to spend - a $200 shoe - nobody needs to go out and buy a $200 shoe. 

Dave Bittner: Right. 

Joe Carrigan: Now, my shoes are serviceable shoes built for running and walking. 

Dave Bittner: Yeah. 

Joe Carrigan: And they didn't cost me 200 bucks. 

Dave Bittner: Yeah. 

Joe Carrigan: But if I'm going to build a luxury shoe or manufacture a luxury shoe and I'm going to sell it, as a business owner, I think, I'm missing out on profit. Somebody else is eating my lunch here. 

Dave Bittner: Yeah. And I wonder - because, as you say, it's kind of like scalping concert tickets. And there came a point where the Ticketmasters of the world got smart on this and said, well, if the people are willing to pay this much for concert tickets, why not we charge that much for concert tickets? 

Joe Carrigan: Right. 

Dave Bittner: And I think we've seen - I mean, look. You know, the prices of shoes have gone only in one direction - the price of these elite sneakers. 

Joe Carrigan: Yes. 

Dave Bittner: But one of the interesting things this article points out is that the value of the shoes on the retail market seems to be directly correlated with how quickly they sell out. So a shoe that sells out in 10 minutes is worth more than a shoe that takes 45 minutes to sell out. 

Joe Carrigan: So even if - let me see if I have an opportunity here, Dave. You and I could write a bot that buys shoes... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Buys up all the shoes in 10 minutes. 

Dave Bittner: Right. 

Joe Carrigan: That creates a demand. So maybe if the - to my point earlier, if the manufacturer charged - or the retailer charged the high price, they wouldn't sell at all because nobody believes they're in demand. Perhaps the bots are creating this perceived demand. 

Dave Bittner: Yeah. Yeah. I think that's a big part of it. 

Joe Carrigan: Yeah. 

Dave Bittner: And this article points out that one of these retailers was able to slow down people's orders. They did things - you know, obviously, we're all familiar with CAPTCHAs. 

Joe Carrigan: Right. 

Dave Bittner: Right? But they had - they've had to put more sophisticated CAPTCHAs in place. They have CAPTCHAs that ask you trivia questions. They have CAPTCHAs that - not just asking you to, you know, click on all the pictures that show a picture of a bridge, you know, but they actually have you draw a box around the image with the largest airplane - you know, that sort of thing - so more sophisticated CAPTCHAs. But what they found was in the process of slowing down people's purchases, the shoes sold out in 45 minutes instead of 10 minutes... 

Joe Carrigan: Right. 

Dave Bittner: ...And was considered a failure on the retail market. So the value of the shoes on the resale market - that's the secondary market - was much lower because it took 45 whole minutes, Joe (laughter). 

Joe Carrigan: To sell out the shoes. 

Dave Bittner: Right, right. Rather than 10 minutes - it was considered a failure. So what - isn't that - what a world, right? 

Joe Carrigan: It's - I feel like I'm living in crazy town. 

Dave Bittner: (Laughter). 

Joe Carrigan: This is - I don't understand the difference between the shoes selling out in 45 minutes and 10 minutes. 

Dave Bittner: Well, Joe, you and I are old. So obviously, we... 

Joe Carrigan: Yeah, I mean, that's what it is. And that's why we wear New Balance shoes. 

Dave Bittner: It's not - exactly. 

Joe Carrigan: (Laughter). 

Dave Bittner: It's not designed for us. It's for people who are into this. But there's a good point. The last sentence of this article is one of the resalers. He says, at some point, you have to ask, how much time are we supposed to spend to stop people from buying our products? 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Yeah. 

Dave Bittner: Which is - I guess it's fair. You know, there are other things that bots come in and - you know, we see - you know, we're heading into the Christmas retail... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Season. 

Joe Carrigan: The hot toy is going to be out there somewhere. 

Dave Bittner: And - yeah, and the bots scoop up all that stuff. 

Joe Carrigan: Right. 

Dave Bittner: The PlayStations, the - you know, the hot Lego thing - whatever it is, they swoop in and get them. And I don't know. I guess it's a balance. Are you OK with bots? 

Joe Carrigan: I'm kind of torn here, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, as - I understand, you know, the retailer's trying to say, well, you want me to not sell things? I mean... 

Dave Bittner: Right. 

Joe Carrigan: ...Your mission is to sell things. 

Dave Bittner: Right. 

Joe Carrigan: But at the same point in time, I'd be very frustrated if I had to wind up paying - well, actually, first off, I view it this way. If it's something that's going to be replenished, the factories are not going to shut down - right? - like PlayStation 5s, whatever they're up to now... 

Dave Bittner: Yeah. 

Joe Carrigan: Sony is not going to stop manufacturing those. 

Dave Bittner: Right. 

Joe Carrigan: They're always going to be available. There may be a demand, and a high demand, but that demand is going to wane as the people who cannot stand being without a PlayStation 5 are satiated, if you will. 

Dave Bittner: Yeah. 

Joe Carrigan: And I can wait for that. 

Dave Bittner: Right. 

Joe Carrigan: So - and I've always been able to wait for that. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's not something that's new in my personality. 

Dave Bittner: Right. 

Joe Carrigan: I'm not paying a premium for something that will be readily available soon. I'm also not the kind of guy that goes in for these shoes, these exclusive shoes. I very much take a commodity view of these products. I don't know. Maybe I lack empathy here because of my thinking on it, but I don't know what to do. But, yeah, I'm frustrated here, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: I don't know the answer to your question. I have - because I absolutely understand that people are upset. 

Dave Bittner: Well, yeah. Well, and - but I think part of it is that the manufacturers of these shoes are creating artificial scarcity by making them limited editions from the get-go. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. So if there are only going to be 5,000 pairs of whatever shoe it is and they know there's going to be high demand, then part of what you're counting on is the desire in the secondary market to get people to buy them quickly. They - you - people want to be the person who's out there at, you know, the hottest place to be seen wearing the latest sneakers that everybody wants and nobody can get. 

Joe Carrigan: Right. 

Dave Bittner: So that's fashion, you know? And, yeah, not a world I know anything about either. 

Joe Carrigan: Not a world I actually get. 

Dave Bittner: (Laughter) Yeah, yeah. So anyway, interesting article. We'll have a link to that in the show notes if you're interested in the world of retail bots and the types of things that resellers are trying to do to thwart them. Again, that's from The New York Times. We'll have a link to that in the show notes. 

Dave Bittner: Joe, what do you have for us this week? 

Joe Carrigan: Dave, I have two stories. First, I'm going to talk about a story from Fox News that has - talks about a report from the FTC, the Federal Trade Commission. They have released their annual report, Protecting Older Consumers. It's a 55-page report. And guess what the biggest scam that older consumers have fallen victim to is. 

Dave Bittner: (Vocalizing). I'm going to guess that it is, like, the Microsoft tech support scam. 

Joe Carrigan: Ah. You would be incorrect. 

Dave Bittner: Ah, OK. 

Joe Carrigan: It is romance scams. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: Romance scams. 

Dave Bittner: Yeah. 

Joe Carrigan: Last year, in - or in 2019, rather, American seniors lost around $84 million to romance scams. In 2020, they lost $139 million... 

Dave Bittner: Wow. 

Joe Carrigan: ...Through romance scams. These are just the scams that were reported to the FTC. 

Dave Bittner: Yeah. 

Joe Carrigan: The hardest-hit people were the 60-to-69 and 70-to-79 groups, which reported $129 million of losses. So they share the lion's share of the losses. 

Dave Bittner: Yeah. 

Joe Carrigan: The seniors do, in this case. There is a big COVID-19 part of the scam. People are using that as an excuse not to meet with people... 

Dave Bittner: Oh. 

Joe Carrigan: ...But to still carry on a relationship. 

Dave Bittner: I see. 

Joe Carrigan: So it provides a way for the scammers to say, yeah, I don't want to really get together. You know, I know we're both older. I would hate to get or give you COVID-19. That would be awful. 

Dave Bittner: Right. That makes sense. 

Joe Carrigan: Right? There are some other scams out there, like prize sweepstakes and lottery scams. But the vast majority - or not the vast majority, but the lion's share, the biggest piece, at about 10% of the losses was this romance scam. 

Joe Carrigan: The other story I have actually comes from the BBC, right? And this is a little bit of a better story, Dave. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Eight men who have - who come from Nigeria have been arrested in South Africa and accused of being part of a dating scam. And they've appeared in South African court, and they've worked with the FBI and the Secret Service. 

Dave Bittner: Oh. 

Joe Carrigan: And they have been accused of defrauding more than a hundred victims of almost $7 million. 

Dave Bittner: Wow. 

Joe Carrigan: So these guys are actually responsible for a significant amount of romance scams, and now they've been arrested in South Africa. Now, they're - the FBI and the U.S. Secret Service are working with the police in South Africa and probably the Nigerians as well. But the men are wanted in Texas and New Jersey for a variety of offenses, including conspiracy to commit wire fraud and money laundering - oh, and aggravated identity theft, too. 

Joe Carrigan: They're not really getting a lot of sympathy for bail because everybody thinks they're an immediate flight risk, right? 

Joe Carrigan: They think they're going to leave South Africa and head back probably to Nigeria, where they're well-connected and will just disappear into the crowd. 

Dave Bittner: Right. 

Joe Carrigan: Nigeria is a very populous country. 

Joe Carrigan: These people concocted sob stories - that's what law enforcement is calling it. They preyed on their victims through dating sites using these fake identities. Once they had ingratiated themselves to their victims, they allegedly concocted sob stories that they needed money to pay taxes or to release an inheritance, which is interesting, I think, that they're using the same scam that other Nigerian scammers use - you know, here's your money from the Nigerian prince, right? 

Dave Bittner: Right, right. 

Joe Carrigan: But this guy is saying, hey, I got money from a Nigerian prince, and I need to - my father was a Nigerian prince, and I need to get the money out. 

Dave Bittner: Yeah, sticking with the classics. 

Joe Carrigan: Right, exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: 'Cause it works. They also needed money for overseas travel, crippling debt. And then they just siphon the money away from their victims. 

Joe Carrigan: But these guys, these eight men, are now hopefully going to be brought to justice, possibly extradited to the U.S., where they could face up to 20 years in prison. 

Dave Bittner: Wow. You know, we see this with a lot of the ransomware folks who typically come - or the - you know, the bulk of them originate from Russia, and they get lazy, and they decide they want to take a vacation somewhere. 

Joe Carrigan: Yep. 

Dave Bittner: And they go to a country that has an extradition agreement with the United States (laughter) or... 

Joe Carrigan: Yep. 

Dave Bittner: ...One of the other, you know, European or NATO countries, and they get nabbed. 

Joe Carrigan: Right. This is - that's what happened to Roman Seleznev, who was a carder who just infected hundreds of machines all over the U.S. and the world. He was very successful at his art, had lots of money. And the U.S. authorities kind of knew who he was, but they - Russia doesn't extradite their citizens, period. 

Dave Bittner: Right. 

Joe Carrigan: They just won't do it. So we had to wait for this guy to leave Russia, to go on vacation. I can't remember which country he went to. But when he went there, the U.S. authorities worked with that country and arrested him, and now he is our guest at... 

Dave Bittner: Yeah. 

Joe Carrigan: ...At Club Fed. 

Dave Bittner: Yeah, I guess - I don't know. Maybe Russia doesn't have very nice beaches or something. Or maybe - it's probably just the grass is always greener, you know? 

Joe Carrigan: Yeah. 

Dave Bittner: You got all this money sitting there. It's burning a hole in your pocket. You're going to go to the - you're going to go to the fanciest place and, you know, whatever, take your significant other and go have a good time. 

Joe Carrigan: Yep. 

Dave Bittner: And then you get nabbed. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: And you couldn't afford - you have all those millions of American dollars, and you can't afford to buy yourself a fake passport (laughter). 

Dave Bittner: Yeah. 

Joe Carrigan: So... 

Dave Bittner: Interesting, interesting. 

Dave Bittner: All right, well, you know, back to your original story here about the romance scams, I think it's a good reminder that those of us who have elderly folks in our lives - our loved ones, our parents, whatever, our relatives, uncles, aunts, all that stuff - just check in with them and remind them that - to be wary of this. 

Joe Carrigan: Right. 

Dave Bittner: That if someone is trying to romance them, that that should be a red flag. 

Joe Carrigan: It should be. And if you've never met this person in real life and they start asking you for money, that should be another red flag. Also remember that there - while it is the case that older people are less likely to fall for a scam, when they do fall for a scam, it's far more impactful. They lose a lot more money than younger people do. 

Dave Bittner: Right. Right. All right, well, those are our stories this week. 

Dave Bittner: We would love to hear from you. If you have something you'd like us to cover, you can send it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes from a Reddit user named Steve P (ph). He had someone impersonate a friend on Facebook and try to set him up for one of those benefits scams. The entire exchange at the end does get a little bit blue. We're going to stop before that 'cause we're a family show. Right, Dave? 

Dave Bittner: (Laughter) That's right. Yes, we are. 

Joe Carrigan: But if you want to look at the whole thing, we'll put a link in the show notes. So, Dave, why don't you play the part of the scammer? I will play Steve. And it goes like this. 

Dave Bittner: (Reading) How you doing? 

Joe Carrigan: (Reading) Very good, thanks. Very well, considering everything. 

Dave Bittner: (Reading) Good to hear from you. I'm doing wonderfully great as well. I've been trying to get you here 'cause I saw your name on the DHSS list. Have you heard from them yet? 

Joe Carrigan: (Reading) What is the DHHS list? What? Sorry. 

Dave Bittner: (Reading) It's Department of Health and Human - that workers, hearing, deaf, old, young, students, widowed, retired and people with disabilities to benefit from them financially to maintain the standard of living. Did you receive any money yet? 

Joe Carrigan: (Reading) Oh, that. Yes, I got 1,000 pounds per month. It's great. 

Dave Bittner: (Reading) OMG, I got $50,000 check from them. But I saw your name entitled to the bonus when mine was delivered to my doorstep. You have to contract the agent for more inquiry. Do you know how to get it? 

Joe Carrigan: (Reading) My agent is great. He put me in for the 100,000-pound home upgrade grant that pays for a new house with wheelchair ramps. I can't wait. 

Dave Bittner: (Reading) This is for real. I hate scam and hoax, but this is real. I got the money for real. I'm planning to buy a new house soon. They came to my home to deliver the cash to me in person. And my bank told me the cash is real. I think you have heard about this. Many of my friends have also benefit from it. 

Joe Carrigan: (Reading) Yes, it's fantastic, isn't it? I'm glad you're working for it, too. 

Dave Bittner: (Reading) This is the new online claiming agent, there always, 24/7. Text him. Let him know you want to get your money. Message him now. 

Joe Carrigan: (Reading) No need. My agent is bringing a wheelbarrow full of cash to my house later. Then we're taking it to the bank so they can prove it's real, and I'm buying a new car. 

Dave Bittner: (Reading) This is the agent text number. Let him know you want to claim your grant money. Text the agent now, Mr. Williams Genes Grant (ph), with your full - I'm surely they'll get back to you ASAP. 

Joe Carrigan: (Reading) No way is he better than my agent, Mr. M. Oneybags. He's the best. I'm sticking with him. 

Dave Bittner: (Reading) Just try. This is real. How are you? 

Joe Carrigan: (Reading) Yes, I know it's real. I wouldn't be sitting here with the heating on full, looking forward to my new car and house if it wasn't real. Have you got the heat pump grant? I have that. I've got two heat pumps and now triple-pane glass. It's like the Bahamas in here. 

Dave Bittner: (Reading) OK. 

Joe Carrigan: (Reading) Don't go. Are you using bitcoin to buy SpaceX shares? I am. I started with 250 pounds, and now my Nigerian account has over 370,000 pounds in it. I've only been doing it for four months, too. 

Dave Bittner: (Reading) Wow. I am not using bitcoin. 

Joe Carrigan: (Reading) I'm telling you, man, SpaceX is a money pot. Get on it before regulators close it down. And bitcoin is untaxable because it's not physical currency. 

Dave Bittner: (Reading) OK. Hi. 

Joe Carrigan: (Reading) Let me show you my Bitcount (ph) statement. 

Dave Bittner: (Reading) Show me. 

Joe Carrigan: (Reading) Here's today's balance. 

Joe Carrigan: And he shows him some fake picture that probably says three - I can't read it 'cause it's so small, but it probably says 370,000 pounds. 

Joe Carrigan: (Reading) I started with 250 pounds. 

Dave Bittner: (Reading) OK. Wow. 

Joe Carrigan: Now the guy tries to send a chat to Steve, a video chat, and Steve just misses it. 

Joe Carrigan: (Reading) All you do is buy a bitcoin from a rep, and then it goes up. A whole bitcoin is too expensive because of COVID and chemtrails. But soon, I will be able to buy a whole one. I'm a rep now, too. Do you want me to get you some bitcoin? 

Dave Bittner: (Reading) Yes, now. 

Joe Carrigan: (Reading) OK. Do you have PayPal? 

Dave Bittner: (Reading) No. 

Joe Carrigan: OK, and this is where it gets a little bit... 

Dave Bittner: (Laughter). 

Joe Carrigan: We're going to (laughter) - we're going to leave it here, but this is pretty good. 

Dave Bittner: Yeah. 

Joe Carrigan: He tries to turn it around on the guy, trying to get him to send him some bitcoin, which probably doesn't pan out. But it's still pretty good. 

Dave Bittner: Right, right. All right, well, that is a fun one. Thanks to Steve P. over from Reddit for posting that so we could make use of it. 

Dave Bittner: Again, we would love to hear from you. You can send us your Catch of the Day submissions to hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Brandon Hoffman. Great to have him back on the show. He is from Intel 471. And he and his colleagues there have been doing some research on business email compromise. Here's my conversation with Brandon Hoffman. 

Brandon Hoffman: Yeah, essentially, business email compromise is a scam. They call it business email compromise generally because the scams are most likely perpetrated through the use of either a typosquatted domain, meaning an email that comes from a domain that looks exactly like yours but maybe has one character off and it's hard to catch, or in some cases, somebody's actually compromised the email server, and they're sending you an email directly from a trusted user. It also includes social engineering components. And, of course, there's some money laundering activity that happens on the back end of this fraud chain or this scam chain, as it were. 

Brandon Hoffman: So that's kind of - you know, when you think about business email compromise, what do you think about? In its most basic version, you know, somebody compromised an email system. They send an email to somebody who has the authority to make a wire or send money to pay a, quote-unquote, "bill" or some other invoice or receivable. And obviously, that account is the scammer's account. And so, you know, in its most basic form, that's kind of what it looks like. 

Dave Bittner: And to be clear here, I mean, this is a widespread thing here. We're talking about, you know, real losses all around the world. 

Brandon Hoffman: Yeah, yeah. It's funny to think about because it's - technically, it's the least technically dependent kind of form of cybercrime, and yet it comprises almost half of the cybercrime losses, you know, kind of year over year. So it's interesting to think about - you know, specifically about the title of this podcast - right? - "Hacking Humans." This really is directly aligned with the notion of people, you know, being the weakest link to a degree. 

Dave Bittner: Yeah. Now, in this recent blog post that you all published, you were highlighting how some BEC scammers are using some of these underground forums. Can you take us through some of the things that you all discovered? 

Brandon Hoffman: Yeah. And it's interesting. I'll provide a little bit of background. You know, when we talk about tracking adversaries in underground forums, a lot of the things that we track are technically related. So what tools are they using? How are they using them? What are they targeting? And with business email compromise, as I noted earlier, it's really not all that technically dependent. So what they end up using this for is some of the low-level technical things they need - for example, access to an email domain - or most frequently, actually, it's as a recruiting service for people who are native English speakers or people who can launder the money. 

Brandon Hoffman: So really, when you look at a classic attack chain, there's tooling, you know, kind of sprinkled throughout. But in this case, it's really kind of at the beginning and really the end of the fraud chain, which is the laundering of the money. 

Brandon Hoffman: And the reason it's so important for them to have somebody who can speak English and write English properly is because these business email compromises are aimed at executives or people with authority inside organizations, mostly aimed at North America, Western Europe. And, you know, something that's misspelled or the wrong parlance or the wrong phrasing can be an immediate tipoff to somebody. So imagine yourself - if you got an email from somebody at your company and things were all spelled improperly or the grammar wasn't right, you'd say, well, something's off 'cause I get email from that person all the time, right? 

Dave Bittner: Right, right. 

Brandon Hoffman: And so those are the things that they're looking for on the underground forums, as opposed to buying a piece of malware or buying a DDoS service or, you know, well, one - any of the myriad other things that can be bought. 

Dave Bittner: Yeah. I mean, it really speaks to the fact that these scams are human-to-human scams. I mean, they're - you know, they're taking it - as you mentioned, the technical skills are minimal. They're really taking advantage of the social engineering side of things. 

Brandon Hoffman: Hundred percent. A hundred percent. 

Dave Bittner: Yeah. 

Brandon Hoffman: Yeah. 

Dave Bittner: So what are your recommendations here? I mean, for folks to best - to set themselves up for success, to protect themselves against this sort of thing, what can they put in place? 

Brandon Hoffman: You know, on the technical defensive side, there are some other things I think we noted in the blog around, you know, DMARC, which is a domain message authentication, which is, you know, checking for typosquatted emails that come in. 

Brandon Hoffman: There's also simply just the human awareness element. You know, if you're in a position of authority and you think that you might be falling victim to one of these scams, you know, certainly just being aware of the request that's being sent to you is critical. You know, if somebody is asking you to approve a wire or move money around or make a change to an agreement or something like that that seems not normal, you know, just be very aware. Double-check things - you know, approval. Double-checks are always important for these types of things. 

Brandon Hoffman: You know, to a degree, that does get tricky because if they have access to the system, they can read historical email and craft a message that's similar. So you just have to be diligent in that regard. And I'm not a financial expert, right? But, you know, wire transfers always carry some risk. They can be intercepted, redirected, and once it's done, it's done. 

Dave Bittner: Right. 

Brandon Hoffman: As the banks will warn you (laughter). 

Dave Bittner: Right, right. 

Brandon Hoffman: So, you know, any process that people can put in place from the fraud team to help choose a different method of disbursement or, you know, things like that. Again, I'm not an expert in that space, but those types of things are what you need to be on the lookout for. 

Dave Bittner: Yeah. It seems to me, like, you know, basic things, even like, you know, requiring a second person to sign off on things that are, you know, above a certain amount, can help slow down that process, get a second set of eyes on it. 

Brandon Hoffman: Yeah. And if you don't have the ability to do kind of this message filtering or DMARCing, as it's called, when you get one of these requests, it's always worth just taking a look at the sender's address and make sure. You know, like, for - in our case at Intel 471, if somebody sent it to me and the I in Intel was actually a one or even a different character in a different - you know, or numeral or something else... 

Dave Bittner: Yeah. 

Brandon Hoffman: ...It's hard to see, but - because we glance at things as humans, right? We just kind of glaze over it. But the devil's in the details in this one (laughter). 

Dave Bittner: Right, right. What about protecting the email accounts themselves? I mean, is this a thing where, you know, multifactor authentication is critical? 

Brandon Hoffman: Yeah. Anything that you can do to protect those accounts is important. So whether it's multifactor, whether it's monitoring for compromised credentials and rotating accounts and passwords rapidly, all those things are important. 

Brandon Hoffman: In some cases - and this is more of a rare case - somebody will compromise a whole service, like a whole group of, for example, Office 365 email accounts. In that case, there's not much you can do about it. You're dependent on the service provider. But also, fair to keep in mind that most of the time, those will be auctioned off at a higher rate than BEC scammers are willing to pay. So it's less of an issue, more, as you know, relevant to keep your own security posture updated. And be vigilant in the monitoring of those things. 

Dave Bittner: Yeah, it's interesting to me how it seems like BEC compromise is sort of simultaneously kind of low-hanging fruit in terms of the technical skills to do it, but also, the losses are huge. I mean, it's a large percentage of the losses that occur every year. 

Brandon Hoffman: Yeah. And I think it's really that it's the shotgun approach. And again, I don't know how much I can speak to the exact amounts on an individualized basis, but when you look at it at the aggregate, that's when it becomes kind of staggering. You know, you think to yourself, OK, well, you know, we - as a company, you know, we wired 50 grand to the wrong place. You know, OK, that's our mistake. Maybe it's not a big deal. I mean, 50 grand's still a lot of money to any company, right? But... 

Dave Bittner: Yeah, yeah. 

Brandon Hoffman: ...You know, it's not a staggering loss. But then, you know, you do that a thousand times, you know... 

Dave Bittner: Right. 

Brandon Hoffman: ...We got a lot of money going up (ph). 

Dave Bittner: It adds up (laughter). Soon, we're talking about real money. Right, right. 

Brandon Hoffman: Yeah, exactly. So I think it's similar to kind of, you know, malware spam, malspam campaigns and things like that - the access brokers. It's really about volumetrics more than anything else. 

Dave Bittner: What do you say in response to people who make the case that this really shouldn't be the user's problem, that there should be technical measures in place at any organization so that users don't have to worry about these sorts of things? Is that realistic? 

Brandon Hoffman: I think it's realistic if you have a holistic viewpoint on the problem, meaning if you're willing to be vigilant about compromised credentials, if you're willing to implement technical controls around typosquatted domains, if you're vigilant in the fraud side on your financial team of not using risky protocols like a wire transfer or having multiple steps for an approval process for any amount - you know, because, as I said, even 10 grand, five grand here and there, these things add up for the scammers, and it just fuels it. So I think, you know, there's a multiprong approach that you have to take to address this problem seriously. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Business email compromise accounts for about half of cyber losses now? That's amazing. 

Dave Bittner: Yeah. 

Joe Carrigan: That means it's probably more damaging than ransomware, right? It's actually something that everybody should be paying attention to. If you can mitigate the business email compromise risk, then you can cut your risk in half, almost. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? - for cyber losses. Not technically sophisticated - that is a key function of this. It's not - it's something that anybody can do once they have access or even if they're using an impersonating email domain. It targets the people and the process, which is also human-generated as well. 

Dave Bittner: Yeah. 

Joe Carrigan: The skills they are looking for when they're on the dark web, these guys are looking for essentially proofreaders and writing skills. These are not technical skills. These aren't - these are not technical hacks. 

Joe Carrigan: As far as protecting yourself with technical solutions, Brandon is right about DMARC being a great solution, but that is as long as your accounts haven't been compromised already. But it can also help stop those account compromises because a lot of times, those begin with a phishing email that is designed to harvest credentials. And that phishing email is not going to come from Microsoft, right? It's going to come from some third-party hacker website that is not going to have an accurate DMARC record. 

Dave Bittner: Yeah. 

Joe Carrigan: But once the compromising of an internal account is done, you are now solely dependent upon the nontechnical defenses. And this includes things like your internal processes - right? - and your security awareness of your employees. 

Dave Bittner: Yeah. 

Joe Carrigan: Are they going to look for red flags? Is this person who's calling me to ask me to transfer money, is he asking me to do something outside of the process, like keep this secret, don't tell anybody, only transfer the money? Is there an artificial timeline? 

Dave Bittner: Right, right. 

Joe Carrigan: Right? That is a big red flag for these things. 

Joe Carrigan: Another technical solution that's good is multifactor authentication and monitoring of stolen credentials. That's also good. 

Dave Bittner: Yeah, you know, I got a couple - just this week, I got a couple of indicators on my - on MFAs for different accounts that... 

Joe Carrigan: Really? 

Dave Bittner: Yeah, that somebody - you know, here's your reset code for whatever. 

Joe Carrigan: Really? 

Dave Bittner: (Laughter) I was like, I didn't request a reset code for whatever. Yeah. So, you know, MFA works. 

Joe Carrigan: Somebody's trying to take over your accounts. 

Dave Bittner: Yeah, exactly. 

Joe Carrigan: They didn't get them, did they? 

Dave Bittner: Not that I know of, no (laughter). 

Joe Carrigan: OK. I would've immediately tried to log in. Paranoid Joe would've changed his password, which is just saying Joe would've changed his password. 

Dave Bittner: Right (laughter). 

Joe Carrigan: I would've changed my password (laughter). 

Dave Bittner: Right. Paranoid Joe is redundant. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Fifty thousand dollars may not be a big loss to a lot of companies, particularly larger companies, but it is a huge win for these bad guys. You know, if you can do this 20 times a year, you're making a million bucks. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: And that's a lot of money regardless of where you live. And in some countries, it's an obscenely large amount of money. 

Dave Bittner: Yeah, it goes a long way. 

Joe Carrigan: Right. Additionally, from time to time, we hear about these business email compromise attacks that are very sophisticated and wind up netting tens of millions of dollars. 

Dave Bittner: Right. 

Joe Carrigan: I mean, it is a huge risk for businesses all around the world. The more money you have, the bigger your risk, I think. 

Dave Bittner: Yeah. Yeah. Well, and I think we've heard that the folks who are doing this are being much more deliberate in who they're targeting. They're going after the big wins, the big scores. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 'Cause it's worth their time. 

Joe Carrigan: It is. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Brandon Hoffman. He is from Intel 471. We appreciate him taking the time for us. 

Dave Bittner: That is our show. We want to thank all of you for listening. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.