Hacking Humans 12.9.21
Ep 175 | 12.9.21

Scams abound this time of year.
Dave Senci: So you have to be able to manipulate people, make them believe that you're somebody you're not, be very confident. And there's a lot of value behind that.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, David Senci from Mastercard's NuData Security. He's going to be discussing the security issues with remote access and coaching frauds. 

Dave Bittner: All right, let's dig into some stories here, Joe. 

Joe Carrigan: All right. 

Dave Bittner: I'm going to kick things off for us this week. Imagine, Joe, you're sitting at home and you're minding your own business, and your lovely bride brings in the day's mail from the mailbox from the Postal Service, and there's an envelope there - a kind of a thick, heavy envelope. And you open it up, and it's a letter from Best Buy. 

Joe Carrigan: Right. 

Dave Bittner: And it says, dear Joe, Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. And sure enough, inside there there's a gift card. And it says - the letter, which I should add is on Best Buy logo paper. 

Joe Carrigan: Right. 

Dave Bittner: It says - letterhead is the word I'm looking for. 

Joe Carrigan: Right. 

Dave Bittner: Yes. 
Dave Bittner: Yeah. It says, you can spend it on any product from the list of items presented on a USB stick. And there's a USB stick in the envelope as well. Thanks again for choosing us. Sincerely, Jonas, customer relations. 

Joe Carrigan: Right. 

Dave Bittner: Well, Joe, what are you going to do here (laughter)? 

Joe Carrigan: What am I going to do? I'll tell you what I'm going to do. I'm going to take that USB stick and plug it into a Linux machine and see what happens. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: And then I'm going to try to explore it, and - because they're probably banking on me being a Windows user. 

Dave Bittner: Yeah, probably. 

Joe Carrigan: And there's probably some Autorun thing that happens. Whatever machine I plug it into is going to be a disposable machine. 

Dave Bittner: (Laughter) Take it - take it down to your - the neighbor down the street who you don't like and ask him... 

Joe Carrigan: Right. 

Dave Bittner: ...If you can plug it into his computer (laughter). 

Joe Carrigan: Well, I have plenty of disposable machines just sitting around, Dave, so. 

Dave Bittner: As you do, yeah. 

Joe Carrigan: Yeah. Well, as I do. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, not a lot of people do, but... 

Dave Bittner: Right. 

Joe Carrigan: You know, I have, like, my old - the first laptop I got when I was employed at Hopkins - I still have that laptop, and it's running Fedora right now. 

Dave Bittner: OK. 

Joe Carrigan: So I could - and I don't do a lot with it. I just keep it on as a Linux machine. 

Dave Bittner: Yeah. 

Joe Carrigan: So I could just pop it in there and see what's going on. 

Dave Bittner: Yeah. 

Joe Carrigan: And if my machine gets pwned, I can just slick it and reimage it. 

Dave Bittner: OK. 

Joe Carrigan: It's not a big deal. But what would the average person do? Oh, that's a good question. 

Dave Bittner: Yeah. 

Joe Carrigan: Hopefully, the average person would not plug that USB stick in. 

Dave Bittner: Yeah, I would hope so. But evidently, some people do. The folks over at Trustwave, which is a security company, they got their hands on this. Someone sent this to them, suspicious of it being a scam. And so they did what you described there. They plugged that USB stick into a machine that's capable of analyzing it. And sure enough, there was a malicious payload on board, says in this article - which, by the way, I should point out this article is from PC Magazine... 

Joe Carrigan: OK. 

Dave Bittner: ...Pcmag.com, written by Michael Kan. And sure enough, something using PowerShell commands to then download more malware, and Bob's your uncle. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: They pwned your machine like that. 

Dave Bittner: Right, right. But, you know, the thing comes to you on letterhead. We're using the lure of greed... 

Joe Carrigan: Yup. 

Dave Bittner: ...Where they - there's a gift card in this package here. 

Joe Carrigan: Right. 

Dave Bittner: And I suppose most people probably wouldn't first check to see if the gift card is actually valid, right? 

Joe Carrigan: Right, yeah. That's a good question. You know, the gift card is probably just a gift card. In fact, I'm looking at it on your screen right there. That's probably just a gift card someone went into a store, grabbed and walked out with. 

Dave Bittner: Yeah, right, because they - as it says on the card, card has no value until activated by a cashier. 

Joe Carrigan: Right. 

Dave Bittner: So I imagine if you grab a gift card, it's not the kind of thing they're going to wrestle you to the floor on... 

Joe Carrigan: Right. 

Dave Bittner: ...Your way out of Best Buy... 

Joe Carrigan: Yup. 

Dave Bittner: ...(Laughter) because it really has no value. 

Joe Carrigan: Or any local supermarket. 

Dave Bittner: Yeah. 

Joe Carrigan: You go to those gift card stacks that they have... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or end caps, and there's just hundreds of gift cards from different vendors all over the place. 

Dave Bittner: Right, right. So by having that in there and then having the USB stick, but then in the letter saying basically that - implying that you're going to be restricted to get stuff that's on a list... 

Joe Carrigan: Right. 

Dave Bittner: ...That's on the stick, that's how they get you to put the stick in your computer. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah, yeah. So the lesson here is, I think, pretty obvious and straightforward. If you get something like this in the mail and... 

Joe Carrigan: Right. 

Dave Bittner: It's most likely a scam. Certainly, if there's a USB stick, it is a scam. 

Joe Carrigan: Right. 

Dave Bittner: Nobody from Best Buy is going to be sending you something like this. 

Joe Carrigan: What's interesting is that this is a high-cost attack. I'd like to know what the success rate of this attack was. I mean, we'll never know, but it would be interesting to know. If I - actually, maybe we could find that out by doing some research. If I just mailed USB sticks out to people, what percentage of those people would plug in the USB stick? 

Dave Bittner: Yeah, you could report your findings from jail. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Well, I mean, there's been some academic research on similar things with USB drops. 

Dave Bittner: Right. Right. 

Joe Carrigan: Michael Bailey at - I think he was at UIUC - University of Illinois Urbana - yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: University of Illinois Urbana-Champaign - when he did - and he's just one of the authors on this study. But they dropped a bunch of USB sticks around and tracked how many people plug them in based on a, you know - because the USB stick would report back... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? - make an HTML request or something. 

Dave Bittner: Right. Yeah. 

Joe Carrigan: And each USB stick was unique so they could track it. 

Dave Bittner: Yeah. 

Joe Carrigan: But, you know, this is interesting. I wonder who's behind this. 

Dave Bittner: Yeah. You figure - I mean, it's probably around 10 bucks a pop to send these out, but if you - if it does yield you an unusually high success rate, then... 

Joe Carrigan: Right. 

Dave Bittner: ...I suppose it's worth it. At least, they're trying it. 

Joe Carrigan: I'll bet it's less than 10 bucks, though, because those USB sticks are probably very small and very cheap. 

Dave Bittner: Yeah. The giveaways (laughter). 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, that is my story. I will have a link to that in the show notes. 

Dave Bittner: What do you have for us this week, Joe? 

Joe Carrigan: Dave, it's the most wonderful time of the year... 

Dave Bittner: Yes. 

Joe Carrigan: ...Right? And the BBB is out with their 12 scams of Christmas. 

Dave Bittner: Oh. 

Joe Carrigan: This would make a terrible song, by the way. 

Dave Bittner: (Laughter). 

Joe Carrigan: Maybe at the end of this, we should sing it as a song. 

Dave Bittner: OK. 

Joe Carrigan: But so I wanted to, as we approach the holiday season - by the time we post this, Hanukkah will already be over, but Christmas is still coming. So here are the top - the 12 frauds of Christmas. 

Joe Carrigan: No. 1 is misleading social media ads, right? These guys go out and they buy ads on social media platforms like Facebook, Twitter or what have you. They have these things like free trial offers or counterfeit goods, usually. There's a lot of risk in them, and sometimes they can just be, you know, ways to collect your information. 

Joe Carrigan: Social media gift exchanges - this is one I haven't heard about. You know, sign up for a Secret Santa on Facebook, and we're just going to send each other random gifts. Here's your secret (laughter). This is a great scam. I'm going to tell everybody that I'm their - that, you know, they're my secret Santa and they have to send me a gift. 

Dave Bittner: (Laughter). 

Joe Carrigan: And somebody will send them something. I'll get hundreds of things. That's a great idea. 

Dave Bittner: (Laughter) Oh, jeez. OK. 

Joe Carrigan: Don't do Secret Santa on social media. That's terrible. 

Dave Bittner: OK. 

Joe Carrigan: Holiday apps - these are apps that are available in the store, in the various stores, that are generally - haven't been around for very long. I would steer clear of any apps that are holiday themed. Way back, there was some Santa elf bowling thing. I can't remember what it was. It was a seasonal ad, but there was reporting back to some server somewhere. I can't remember all the details. That was back in the early 2000s. So that's been around for a long time. 

Joe Carrigan: Free gift cards - free gift cards. Nothing brings out the holiday cheer like free. 

Dave Bittner: (Laughter) Well, sure. 

Joe Carrigan: And, of course, when you click on these websites to get the free gift card, there's - it's just a massive collection of your data. And at the end, there's no gift card. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yep. 

Joe Carrigan: It's just a way to collect your data and then either sell it or sell it to - they say here identity thieves, but I would imagine there's also a market, like a more - you know, not an identity theft market, but a more legitimate use in terms of, like, marketing campaigns and things, right? 

Joe Carrigan: Temporary holiday jobs - retailers will go out and hire people, but why not - as a scammer, why not use this opportunity and this time of year to scam people with an employment scam? So be careful with those as well. 

Dave Bittner: Right. Make a - especially if someone asks you to pay to apply to a job. 

Joe Carrigan: Right. Never, ever pay to apply to a job. 

Dave Bittner: Yeah. 

Joe Carrigan: Never under any circumstances. 

Joe Carrigan: Look-alike websites - holiday sites offering deals and sales and bargains. 

Dave Bittner: Right. 

Joe Carrigan: They usually come in the form of emails. We've seen all kinds of things like this where that winds up being a - where they mail you something that's not of any value and you've paid tens or hundreds of dollars for it, believing that you're getting a discount. And then they have a tracking number, and they show that they were - something was delivered. 

Joe Carrigan: Fake charities - typically 40% of all the charitable donations that a charity receives are received around this time of year, probably for a couple reasons - because it's the end of the year and people are doing it for tax reasons or because they're feeling the cheer of the season. 

Dave Bittner: Yeah. 

Joe Carrigan: Check out your charities. Vet your charities. There's an organization here in the U.S. called Give.org that rates charities because there are even some charities out there that don't do a good job with managing their money. And these are legitimate charities. And you have to consider as a person donating to a charity, do you want your donation or a large portion of your donation being spent on more fundraising? 

Dave Bittner: Right. 

Joe Carrigan: You know, you have to think about these things. 

Dave Bittner: Yeah. 

Joe Carrigan: Fake shipping notifications - now is a big time for fake shipping phishing - right? - because are you expecting any gifts coming in the mail, Dave? 

Dave Bittner: Oh, one or two (laughter). 

Joe Carrigan: Yeah. Right. So if you get an email right now... 

Dave Bittner: Right. 

Joe Carrigan: ...That says, hey, this is FedEx and we had a problem delivering your package right now... 

Dave Bittner: Right, because if it doesn't arrive, your children will never love you again. 
Joe Carrigan: Right. Exactly. 

Dave Bittner: Right. 

Joe Carrigan: So it's - this is a great time of year for this. 

Dave Bittner: Yeah. 

Joe Carrigan: This is one I hadn't heard of. No. 10 is pop-up holiday virtual events. So, you know, there are holiday events every year. And because we're kind of at the tail end of this pandemic thing, some people are still doing it virtually. 

Dave Bittner: OK. 

Joe Carrigan: Right? So scammers are creating fake event pages and social media posts and emails claiming to be the people organizing this, and they're charging admission for it. And it's a free event. 

Dave Bittner: Oh. 

Joe Carrigan: Right? So why not capitalize on a free event, Dave? Maybe, yeah, this is another great opportunity for me, I think. You know, we often talk about... 

Dave Bittner: What? - is your retirement fund underfunded or something, Joe (laughter)? Do we need to have a conversation, Joe (laughter)? 

Joe Carrigan: Yeah, we... 

Dave Bittner: You seem unusually interested in some of these get-rich-quick schemes this week. I don't know. 

Joe Carrigan: I'm always interested in get-rich-quick schemes. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Top holiday wish list items, right? These are the big toy of the year, right? 

Dave Bittner: Yeah, Tickle Me Elmo. 

Joe Carrigan: Right, Tickle Me Elmo - or this year I think it's the Nintendo Switch. 

Dave Bittner: Yeah, still. 

Joe Carrigan: You can't find a Nintendo Switch anywhere right now. The only ones you can find are refurbished ones. So if you see an ad for one being sold ridiculously low, you should know right away that's a scam. 

Dave Bittner: Right. 

Joe Carrigan: OK. 

Dave Bittner: Right. 

Joe Carrigan: First off, when these consoles come out, a lot of times - well, with consoles it's different - right? - than the rest of the toys. 

Dave Bittner: Yeah. 

Joe Carrigan: But whenever there's a gift that's in really high demand - right? - like the Tickle Me Elmo you mentioned or the Switch I mentioned or any toy or gaming console or anything, those prices are going to be higher than the retail price, not lower. 

Dave Bittner: Right. 

Joe Carrigan: So if you see an ad for a low-priced item, you should be wary of it. If you see an ad for just, hey, I'm selling this Tickle Me Elmo or whatever it is for list price - right? - I just want to unload it because I'm a good person, you should be suspicious of that, right? 

Dave Bittner: Right. 

Joe Carrigan: If you're going to buy these things from somebody, if you're going to pay what essentially is an item scalper money for something, that's something you should do in person or through a trusted site like eBay if you're going to do it. It's not something you should do through some new site - very risky behavior. 

Dave Bittner: Yeah. 

Joe Carrigan: And finally - and this one really kind of gets my goat a little bit - puppy scams. 

Dave Bittner: Aw. 

Joe Carrigan: Right, 'cause - actually, fortunately in the puppy scam, not a lot of dogs are involved - no dogs are involved in this, right? It's... 

Dave Bittner: No animals were harmed in the execution of this scam. 

Joe Carrigan: Right. Right, exactly. What they're saying is they have pictures of these dogs, and they're selling you a dog that's like a pedigree dog. And they'll go through all this process, and you'll send a deposit, and then you'll not get the puppy, right? Generally, I think it's a bad idea to give a dog as a Christmas gift or a cat or any animal as a Christmas gift. Those are not Christmas gifts. Those are entities that you should be making a serious lifelong commitment to when adopting them. 

Dave Bittner: Right. 

Joe Carrigan: And if you can adopt from a shelter, you should do that as well. There are plenty of animals out there that you can pay a very low fee for, and you can go out and meet these animals. Both my dogs right now came from a rescue out in West Virginia, where we went out and got them. And, you know, it costs 150 bucks. You get to go out and you meet the dog, and you go, yeah, I'll take this one home, and this will be my dog. 

Joe Carrigan: And that's a lot better than dealing with a breeder. Our first dog - we actually did deal with a breeder because we had a requirement for a - not - a dog that will not give my son allergies because he was young and had respiratory issues... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which he's since outgrown. And if that's got to be your situation and you have to get a dog like a poodle, then go meet the dog. Always meet the dog. If a breeder is not going to let you meet the dog, that's probably a scam. 

Dave Bittner: Yeah. Go - yeah, go - go - yeah, go meet the breeder. 

Joe Carrigan: Right. 

Dave Bittner: Make sure that the dog - this isn't some puppy farm or something, yeah. 

Joe Carrigan: Right. Yeah, absolutely. Tour that area. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, when we went to where we got our first dog, that was a nice setting. It was clear this was not some puppy mill. It was just a woman that had a poodle - a miniature poodle that she was breeding, and she would have a litter a year. And we just said, just give us the runt. We want him. And that's what we got. He was a great dog. 

Dave Bittner: Yeah, yeah. So the scam here is that someone will put up an ad or something and says, hey, we're having a litter... 

Joe Carrigan: Oh, yeah - the scam. That's right. This show's about scams, not about my dogs. Sorry. 
Dave Bittner: Puppy time with Joe. 

Joe Carrigan: Right, yeah. But yeah. So the scam is - you know, hey, look; you can get this dog. Would you like to have this golden doodle, right? 

Dave Bittner: Right, the hot breed, yup. 

Joe Carrigan: Right. Golden doodles right now are like $4,000 for a puppy. 

Dave Bittner: Yeah. 

Joe Carrigan: And they will show you pictures of golden doodles. They'll say, look at him. He's so cute. Look how fun he is. 

Dave Bittner: Right. 

Joe Carrigan: But you'll never see the dog. And they'll insist on a deposit. Maybe like $400, a 10% deposit. And, OK, now we've held the dog. And then as soon as you give them the money, they disappear. They're gone. That's it. 

Dave Bittner: Yeah. 

Joe Carrigan: And you're out 400 bucks. 

Dave Bittner: Yeah, and no puppy. 

Joe Carrigan: And no puppy. That's right. Now the cost of your golden doodle just went to $4,400. 

Dave Bittner: (Laughter) Right, exactly. All right, well, this is the naughty list - the BBB's 12 Scams of Christmas. That's from the Better Business Bureau, and we'll have a link to that in the show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 
Joe Carrigan: Dave, our Catch of the Day comes from Henry (ph), who is a listener. And he got this email. There is a lot of appeal to religion in this email. So why don't you read it? 

Dave Bittner: All right, it goes like this. 

Dave Bittner: (Reading) Greetings in the name of our Lord Jesus Christ. I am Mrs. Elizabeth A. Johnson from Bahrain, a widow to late Dr. A. Johnson. I am 51 years old and a coveted born-again Christian suffering from longtime cancer of the breast. From all indication, my condition is really deteriorating, and it's quite obvious I might not live to more than two months, according to my doctor, because the cancer has gotten to a very worst, dangerous stage. 

Dave Bittner: (Reading) My late husband and my only child died last five years ago. His death was politically motivated. The late husband was a very rich and wealthy businessman who was running his gold diamond business here in South Africa. After his death, I inherited all his business and wealth. My doctors has advised me that I may not live for more than two months, so I now decided to divide the part of this wealth to contribute to the development of the church in Africa, America, Asia and Europe. 

Dave Bittner: (Reading) I collected your email address during my desperate search on the internet, and I prayed over it. I decided to donate the sum of $5,600,000 to the less privileged because I cannot take this money to the grave. Please, I want you to know that this fund is lodged in a bank here in South Africa. Once I hear from you, I will forward to you all the information you will use to get this fund released from the bank and to be transferred to your bank account. 

Dave Bittner: (Reading) I honestly pray that this money, when transferred to you, will be used for the said purpose because I has come to find out that wealth acquisition without Christ is vanity. May the grace of our Lord Jesus, the love of God and the fellowship of God be with you and your family. Reply to me on my private email address. I'm elizabethjohnson@gmail.com. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Oh, goodness, Joe. 

Joe Carrigan: Yeah, man. This is - you know, this is a typical advance fee scam. 

Dave Bittner: Yeah. 

Joe Carrigan: They're just going to try to bilk whoever responds to this out of fees, promising money that's never coming. But... 

Dave Bittner: Right. 

Joe Carrigan: I mean, the - first off, she changes from being from Bahrain to being - to in South Africa. I guess you can ask what the story is there, but... 

Dave Bittner: Well, she's a woman of the world. She's a world traveler. 

Joe Carrigan: Right, she's a world traveler. 

Dave Bittner: She's - yes. 

Joe Carrigan: Right. 

Joe Carrigan: Apart from the terrible English and the obvious scam part, this is - people will fall for this, though, or else they wouldn't be sending these out. 

Dave Bittner: Yeah. Well, and sort of keying in on someone's faith... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, which, again, is a way to short-circuit someone's rational thinking. I mean, you've got - you have a sick woman here... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? - in another country. She's not going to be around much longer. And her story is all she wants to happen is this money to be used for good things. So, you know, even if somebody, through their good faith, wanted to use every dollar of this for missions of their church... 

Joe Carrigan: Right. 

Dave Bittner: ...They're still going to get scammed. 

Joe Carrigan: Yes, absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I'm very wary of people that approach me and speak to me like this and try to appeal to a mutual belief system. And it doesn't have to be just religion. It can be just about anything. 

Dave Bittner: Yeah. 

Joe Carrigan: I digress. 
Dave Bittner: It sounds like there's a story there we don't have time for (laughter). 

Joe Carrigan: Yeah, there is a story we don't have time for, but - and maybe someday we will... 

Dave Bittner: OK. 

Joe Carrigan: ...We will tell that story. 

Dave Bittner: Yeah, I think it's good advice. 

Joe Carrigan: Once those two people have passed away, I'll tell the story. 

Dave Bittner: I see. I see. Ah, I see. It's one of those stories. 

Joe Carrigan: Yes. 

Dave Bittner: We all - I think all of us have those kinds of stories in our lives. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. But I think it's a good lesson, too, that people try to use these things to build rapport with you... 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: ...And take advantage of you. 

Joe Carrigan: And that's essentially what they are doing. They're trying to build instant rapport and trying to establish a relationship where there should be none. 

Dave Bittner: Yeah. 

Joe Carrigan: And there is none, and that's the way it should be. 

Dave Bittner: Yeah. All right, well, our thanks to our listener, Henry, for sending this in. 

Dave Bittner: We would love to hear from you. If you have a Catch of the Day you would like us to consider for the show, you can send it to us. Email us at hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Dave Senci. He is from Mastercard's NuData Security division. And we're discussing security issues with remote access and what are called coaching frauds. Here's my conversation with Dave Senci. 

Dave Senci: Yeah, so when we're talking about coaching, what this is is when a fraudster or an individual manipulates a genuine user to believe they are someone who they aren't to perform fraudulent activities on the fraudster's behalf. So a very simple business example would be that I call you, Dave. I convince you that I am from the bank. I ask for information. 

Dave Senci: And there's two different ways that you can go about this. One is I ask for, like, let's say the OTP that the bank sends you, and then I go do the fraud myself as the fraudster. Or the second option would be - is where I actually exploit you and continue to make you think that I am somebody else, and you do the fraud on my behalf. 

Dave Bittner: And what kind of fraud would we be talking about here? 

Dave Senci: Yeah. So let's - using an example of - let's say I call you and I ask for your OTP and I convince you that I'm the bank and we're just doing some checks, and you give me your one-time passcode. I then log in to your bank account. I would then take the funds or the value out of that account out of it, transfer the money out, whatever it may be. 

Dave Senci: On the other side, let's say that I'm coaching you on the phone, continuing to make you believe that, again, I work for the bank. I have you log in. I tell you what to do. I may say, hey, Dave, we accidentally deposited an additional $5,000 in your account. You can see on my screen that that has happened. And I'm going to need you to transfer some of that back. What I would actually be sharing you on the screen is just a mocked-up image of your statement or your account that makes it appear there's an additional amount of money in there, but it's not actually in there. And then you would transfer the funds out on your behalf over to me. 

Dave Senci: So two different types of coaching there. One is where I'm exploiting a user, and I continue to exploit them and have them do the fraud on their - on my behalf. Or two is just where I get some information from you, and then I would then perpetuate the fraud as the fraudster. 

Dave Bittner: How would you rank the sophistication of these folks in terms of the amount of work they have to do ahead of time to head into one of these scams? 

Dave Senci: So here's what I would say. I don't know if it's a sophisticated type of fraud. It's more sophisticated social engineering. So you have to be able to manipulate people, make them believe that you're somebody you're not, be very confident. And there's a lot of value behind that. So it's not so much that it's sophisticated fraud attack because, truly, you're convincing someone that you're not and then having them provide you information that provides - that gets you value. 

Dave Senci: Now, it's going to - you know, you hit on the amount of work. It's going to take a lot of work because you're going to run across a lot of people that aren't willing to provide that information due to the education that the companies have sent out to watch out for this type of scam. 

Dave Bittner: Yeah. I guess what I'm wondering is, do these scammers come in - how much stuff do they know about me coming in? Do they know what bank I deal with? Do they have the last four digits of my Social Security number? Do we have any insights there? 

Dave Senci: I don't know if they have that level of detail, but what they have to know at a minimum is who you are. I think they could even get away with not knowing which bank you're at. If they - you know, you'll get those calls that say, hey, we're calling you from the Mastercard and Visa department, but we all know - I personally know that that department doesn't exist because they're two separate companies. So I would tell you that it's going to vary drastically based on the level of information you have. 

Dave Senci: But the fraudsters that want to go for the true high value - let's say someone that's just extremely well off - they're going to be able to do their research to take the time to find the right victim. But then you're going to have fraudsters who just go based on volume, meaning I'm going to call up, you know, a hundred people a day, and hopefully I get one person. Now, they're not going to need to do as much research because those are the people that are going to fall for, hey, this is such-and-such from the Mastercard/Visa department. But those more sophisticated attacks where they are taking the time to do the research, looking you up on LinkedIn, trying to buy information about you on the dark web, those are going to take a bit more time and be a little bit more sophisticated just because they did their research. 

Dave Bittner: But they're really trading off of some of that brand equity that an organization like Mastercard would have and the breadth of the - I guess, the perceived interaction that a brand like Mastercard has with so many banks. 

Dave Senci: Yeah, fundamentally agree. So if a fraudster can take the time to determine who someone is banking with, learn some information about them, it's going to make them appear to be more credible. But that's why it's so critical - and you see a lot of these banks sending out information. We will never ask for your one-time passcode. Do not share your passphrase with us. They're pushing out all this education to kind of mitigate some of these social engineering attacks and scams that happen. 

Dave Bittner: So what can be done here? I mean, is this education? Are there technical things that can be put into place? How can individuals and organizations do a better job of minimizing the chances that they'll fall victim to this sort of thing? 

Dave Senci: Yeah, it 100% starts with education. So here's the scams to watch out for. You'll even see internal - you'll see companies internally to try to promote education, to say, hey, watch out for phishing attacks, look for these telltale signs. 

Dave Senci: And then I'd say it continues with education, even to your client or consumer base. We will never ask for your one-time passcode. We will never reach out directly and ask for this. So there's ways you can validate when someone's calling you to get a sense if this feels right or it doesn't feel right. 

Dave Senci: But beyond education, there are things you can put in place to help identify these when these types of attacks are happening. So let's walk through those two business examples that I referenced. 

Dave Bittner: Yeah. 

Dave Senci: One where I'm going to call you and ask you for your OTP or, two, where I continue to keep you on the phone and have you do the fraud on my behalf. So those - you can put some behavioral biometrics in place to identify that type of behavior. And let me explain how. 

Dave Senci: So in a scenario where I'm asking for your one-time passcode and then I log in to your account, my behavior - even though I had the right credentials, my behavior is not going to be the same as yours. So the way that I type in your username and password is not going to be the same way that you type it in, Dave. And then the way that I navigate through that account, is it normal behavior? I'm coming from a new device. I'm coming from a new IP address. Companies are going to be able to identify that and say, this seems off here. This isn't normally how Dave interacts. We may want to flag this as malicious. 

Dave Senci: Now, on the flip side, Dave, where I then make you do the fraud on my behalf, it's a little bit more challenging, but you still can identify this. So if you think about it, this is still Dave coming in from his same IP address. This is still Dave coming in from his same device. But his behavior is slightly off. He's pausing. He's on the page longer because he's listening to someone on the phone. He's debating in his head if this is genuine or not genuine, but he's still proceeding. So the way that he normally operates on that page has changed. He's on the page longer than the average human population would be on this page. He's navigating in a weird way just because things feel off, and he's just not used to this scenario, but he's still proceeding. 

Dave Senci: So these tiny anomalies can give indication that something is off, and you can use this to then, as a bank, to introduce some type of friction to say, hey, Dave, is this really you? Let's send you some type of verification. Or these different type of anomalies can give indication that something's off here, and you can use these to mitigate this. 

Dave Senci: Now, this isn't 100% going to capture every single instance, but it's a good starting point if you can start with education to your consumers and your employees and then put some behavioral biometrics in place to say, if this does happen, let's better identify when it's happening so we can mitigate it. 

Dave Bittner: Can you describe to me what happens when the behavioral biometrics does flag something? What happens from the user's point of view? What do they see? And how do you go about that extra layer of verification? 

Dave Senci: Yeah. So behavioral biometrics is going to leverage a passive way to identify whether it's a genuine user or not genuine user. So the user would not be able to see a difference when they're interacting, meaning you're looking at, as I said, time on page, time in a specific field, typing cadence, mouse movement. Are you Alt-Tabbing? Are you copying and pasting? 

Dave Senci: So what happens is when you leverage, like, a behavioral biometrics solution, information is sent from that solution to, in this example, we're talking about a bank, to say, this specific interaction is risky. The bank would then take that score and then do some type of intervention to say, if it's super risky, maybe we're going to block the event that's happening. Maybe we're going to introduce friction. 

Dave Senci: Maybe 'cause it's so obviously fraud, we're going to put them in a honeypot, which is where the fraudster believes that they're interacting with a genuine site, but it's actually a site that doesn't have real financial or impact to the real servers. So the entity, the bank that is receiving these risky scores, has a variety of different mitigation tactics to put in place, depending on the confidence of whether it is fraud or it is not fraud. 

Dave Bittner: Do you think there's a competitive advantage here for the organizations that are putting these sorts of things in place? I mean, is this the kind of thing where if I'm shopping around for a new bank, should I be asking the degree to which they're using things like this to help protect me and my family and my colleagues and co-workers? 

Dave Senci: I would say security certainly should be top of mind when identifying an optimal organization to work with, right? We know that consumers care about security, and they want their information protected. So the degree that I'm going to go out and reach out to the bank and try to get a sense of what their security stack looks like - I feel like that may be a little bit difficult by doing some Googling online. But I can tell you the majority of banks, and especially the larger ones, have this level of sophistication in place. So, yes, I would say security is certainly top of mind for consumers when looking for a bank to work with. Anyone that is holding value of someone else's wants that properly secured. So giving that sense of comfort to the consumer, I would say, is critical. 

Dave Bittner: So then I guess - I mean, it's really the education part that people can do for themselves, for their employees, for themselves, for their families. I mean, that part people can implement on their own. 

Dave Senci: Yeah. I mean, education is critical, right? It starts with the organization that you work with, with the organization making you aware of these type of attacks and the telltale signs. It starts with education from the company down to their consumer base. 

Dave Senci: And, yes, 100% agree it comes down to me educating my grandparents about, hey, this type of fraud exists. Grandma, no one is going to call you from the bank and ask for this, so don't give it to anyone that calls. So agree it goes to education from the organization to the employers, organization to their consumers, and then just between our own family and friends as well. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Lot of interesting stuff in that interview, Dave. One of the things I would like to note - and I don't know if this is - how this works internally on a bank system, but I think if a bank accidentally transfers $5,000 into your account that they are perfectly capable of transferring it out. 

Dave Bittner: Yeah, I would think so. 

Joe Carrigan: Right? If they mistake - if they commit that kind of error, they can correct that error. They might have to call you or notify you about it, but they won't walk you through the process. They will say, hey, Dave, we accidentally put $5,000 intended for someone else's account into your account; we're going to take that money out right now. 

Dave Bittner: Yeah. 

Joe Carrigan: So don't think that you received some windfall. 

Dave Bittner: I actually had that happen to me once. 

Joe Carrigan: Oh, did you? 

Dave Bittner: Yeah, it was a little different. It was someone - this is - someone had written a check, and I deposited it. And before I wrote against that check, you know, I went and said to the bank, this check is cleared, right? And they were like, yup, it's cleared. I'm like, you're absolutely sure this check is cleared? This check is cleared. So I can write against this check? Yes, sir, the check is cleared. So I started to write against the check. Oh, sir, funny story - the check hasn't cleared. 
Dave Bittner: And they pulled the money out. So yes. So, yes, they can do that. 

Joe Carrigan: Right. 

Dave Bittner: And they will. 

Joe Carrigan: That was for a check that didn't clear, though, right? 

Dave Bittner: Yeah, that was for a check that didn't clear. 

Joe Carrigan: That's - yeah, that's a different issue. Like, what - if somebody deposited $5,000 into their account and they wrote the account number down wrong and they put your account number down. 

Dave Bittner: Yeah. 

Joe Carrigan: And then they call and go, oh, I see that you - they look at the receipt. The bank can correct that error, right? 

Dave Bittner: They can, yes, yes. It's in their legal ability to do so. 

Joe Carrigan: Right. 

Dave Bittner: Even if you took it all out as cash... 

Joe Carrigan: Right. 

Dave Bittner: ...I think the bank could come back to you and say, hey, knucklehead, put that money back, you know? 

Joe Carrigan: Right. 

Dave Bittner: Or here's an IOU, you know? 

Joe Carrigan: Yeah. 

Dave Bittner: You owe us. 

Joe Carrigan: Your account now is overdrawn. 

Dave Bittner: Exactly, exactly. Yeah. 

Joe Carrigan: These kind of attacks are not - so my point in this whole discussion is the bank doesn't really need your help to do this, right? You should be aware of that. 

Dave Bittner: Yeah. 

Joe Carrigan: And I want to emphasize that. Somebody that calls you from their bank and says, oh, I accidentally transferred money into your account and I need your help getting it out, that's a lie. 

Dave Bittner: Right. 

Joe Carrigan: And that's a scam. 

Dave Bittner: Right. 

Joe Carrigan: These kind of attacks are not technically sophisticated, which is kind of why we talk about them here on this show. 

Joe Carrigan: It's interesting that he says he - 18 months ago, they weren't talking about social engineering with coaching scams. We've been doing this show for three years. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I will agree with Dave on that, that we - that social engineering is now a much more front-of-mind issue among security professionals than it has been in the past. 

Dave Bittner: Right. 

Joe Carrigan: And that's good. That's good. I think that's great, actually. 

Joe Carrigan: Some attackers are just going to spam call these people, and some are going to do much more research. So it really depends on the attacker's capabilities. I think that people need to be mindful that it doesn't matter what the attacker's capabilities are 'cause if you think about one end of the scale where they're not very skilled - while they're not very skilled, there's a lot of them, right? 

Dave Bittner: Right. 

Joe Carrigan: And the ones that are very skilled, there's not many of them, but they're really good at what they do. 

Dave Bittner: Right. 

Joe Carrigan: So you have that continuum to contend with, and you should be aware of it. 

Dave Bittner: Yeah. 

Joe Carrigan: When I log in to my financial institutions, some of them have the - I still have SMS messages. I did find that one of them started using hardware keys. I'm going to change that. But some of them say, hey, here's the code. We will never ask you for this. And other ones just say, here's the code. 

Dave Bittner: Right. 

Joe Carrigan: So I think I have a letter to write. 

Dave Bittner: (Laughter). 

Joe Carrigan: Because saying in the text message that we will never ask you for this code is probably the easiest and cheapest thing a financial institution can do to reduce fraud. 

Dave Bittner: Yeah. Yeah, it would help. 

Joe Carrigan: Yeah. Education is key. So keep listening to us, right? We're a form of education. Here's my advice on this entire coaching thing. Never provide information on an inbound call. Never take any action on an inbound call. It is always 100% OK to say to someone who has called you, I'm going to call you back on the number I have on file... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? - or on the number on your webpage. 

Dave Bittner: And don't let them give you a number to call back. 

Joe Carrigan: Right. Don't let them give you a number to call back. 

Dave Bittner: Don't let them say, oh, just call me on my direct line. No, no, no, no, no, no, no. 

Joe Carrigan: Right. No, no, no, no, no. You tell me what your extension is, and I will find you, and I'm going to call you back. And if they insist, if they - you may notice at that point in time they start trying to scare you. That should be a red flag that this is a scam. Hang up the phone. Then call your bank and make sure everything's OK. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? Dave was talking about behavioral biometrics, and that's interesting. It won't stop everything, but it could move any financial institution into a more secure direction - right? - toward more security than less security. But these solutions require the development of software on both the user end and the back end, and you need to collect that data and analyze it. 

Joe Carrigan: So, yeah, I don't know. This is something that's probably something that larger organizations can do. Small organizations - maybe not. 

Dave Bittner: Yeah. 

Joe Carrigan: But maybe there's a software solution out there for it that they could - that smaller organizations could just buy off the shelf. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know. 

Dave Bittner: I've noticed that a couple of the online banking apps that I use have enabled Face ID, for example... 

Joe Carrigan: Right. 

Dave Bittner: ...To log in. So once you've established a secure connection with things like SMS and so on and so forth, you can say, hey, for the next 30 days, trust my Face ID to let me into this app, and it'll do so. 

Joe Carrigan: Right. 

Dave Bittner: So, you know, I think that's a good compromise. 

Joe Carrigan: And finally, from the customer perspective, I think we do need to start asking financial institutions about their security policies and practices and what they're doing to keep our information safe and our money safe. How are they - how do they do fraud prevention? What's my recourse if I get scammed out of money? What do you do to prevent that from happening to me? How do you, financial institution who holds my money and profits from it, protect me, the money owner? 

Dave Bittner: Yeah. 

Joe Carrigan: That's a question that everybody should ask when they go in to start a new account. It should be part of the conversation. 

Dave Bittner: Yeah. And it can be a competitive advantage these days... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...I believe. 

Dave Bittner: All right. Well, our thanks again to Dave Senci - he is from Mastercard's NuData Security team - for taking the time for us. We do appreciate that. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.