Hacking Humans 1.20.22
Ep 180 | 1.20.22

The perfect environment for ATOs (account takeovers) to breed.

Transcript

Jane Lee: That's when you really get the confirmation that, hey, this is something that is worth looking at a second time.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Jane Lee. She's a trust and safety architect at Sift. And we're going to be talking about the Digital Trust and Safety Index. 

Dave Bittner: All right, Joe, before we get to our stories this week, we've got a bit of follow-up here. What do we have? 

Joe Carrigan: We have a guy I communicate with regularly, a buddy of mine named Ben from Microsoft. He says, glad to hear you guys talking about phishing simulations on "Hacking Humans." I wonder if, rather than doing the phishing simulation promising bonuses or surprise vacation days that they would send out a message, an email that says, hi, everybody. We're going to give you a dollar amount bonus. And we want to remind you that we will never, ever make you click a link or open an attachment to receive a bonus or award from us ever. It's just going to be added to your paycheck automatically. Please remind your teammates, too. And then give them the bonus and do that a few times a year at random intervals. It doesn't have the simulation benefits, but I wonder if it would build awareness, at least against that particular threat, just as effectively without raising - risking the bad feelings of, so it was just a gag, and we're not getting the bonus, right? 

Dave Bittner: Right, right. Yeah, it's the ultimate carrot instead of stick thing, I guess, right? 

Joe Carrigan: Right, right. I - when Ben said this to me, I said, this is absolutely a great idea. I think this would be very effective. You know, and I went on to say that I don't think the benefit - you know, the bonus needs to be a huge bonus, right? If you gave people $25 or $50 bonuses just so that you could have this opportunity to send this out, I mean, you could get around the bonus scam by paying an extra $25 to $50 an employee or even a $10 gift card. Let's say, hey, everybody. We're going to be sending out gift cards. This is just a reminder that we'll never ask you to click on a link.

Dave Bittner: Right, right. It's the don't-click-a-link bonus (laughter). 

Joe Carrigan: Right. Don't-click-a-link bonus. Right. 

Dave Bittner: Right, right. Click here to learn more (laughter). 

Joe Carrigan: Somebody will be around to ask you if you want an Amazon gift card or a Starbucks gift card or whatever, you know? 

Dave Bittner: Right. 

Joe Carrigan: But, you know, it's a - I think this is a great way to - this would be a great way to go about reminding your employees that you're never going to send them a bonus notification in the mail that's going to require - or in the email that's going to require them to do something, that it's just going to take place. That's how the process works. You remind your employees of the process because that's really the underlying problem here - is that employees are not aware of the process of how this happens. It doesn't come up as a red flag. That's not how this works.

Dave Bittner: (Laughter). 

Joe Carrigan: So they go ahead and click on the link. 

Dave Bittner: Yeah. I think it's not a bad idea. I would - I think it'd be interesting if an organization could sort of A/B test this and see - you know, maybe you have different offices or different divisions or something and see which tracks more successfully. It'd be an interesting experiment. 

Joe Carrigan: Yeah. I think it would be great. 

Dave Bittner: Low cost (laughter). 

Joe Carrigan: Yep. 

Dave Bittner: All right. Well, let's jump into some stories here. Joe, why don't you kick things off for us? 

Joe Carrigan: Dave, my story comes from Kelly Eckerman, who is a news anchor at KMBC in Kansas City, Mo. Got one of those K call signs. 

Dave Bittner: Ah, yes. 

Joe Carrigan: Those are west of the Mississippi. 

Dave Bittner: That's right. 

Joe Carrigan: You ever been to Kansas City, Mo.? 

Dave Bittner: I can't recall. (Laughter) I mean, I have - I am really bad at remembering places I've been over the years, so I - well, and I don't know. Am I condemning Kansas City that it wasn't more memorable... 

(LAUGHTER) 

Dave Bittner: ...If I was there? I can't say that I was, Joe. 

Joe Carrigan: I have been there a number of times. And I truly enjoy the city. It's a great city. But there's something interesting about Kansas City that's coming out this weekend. And it's - by the time this show drops, the results will be known, but the Kansas City Chiefs are in the playoffs. 

Dave Bittner: Oh, OK. 

Joe Carrigan: Right? And they're playing a game in Kansas City. And this is - has to do with football or, as the rest of the world calls it, American football. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: And they're going to be playing the Pittsburgh Steelers. By the time this episode drops...

Dave Bittner: The rest of the world, by the way, where when they hold a world championship, they bother to invite other countries. 

Joe Carrigan: (Laughter) Right, exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: Our World Series only includes one other country. And that's Canada. 

Dave Bittner: Right. 

Joe Carrigan: Baseball. But I digress. (Laughter) I digress, as I often do here. So back to the football. The Kansas City Chiefs are going to be playing the Steelers. And as I say often, scammers do not miss an opportunity to profit. And one of the ways they're going to profit is by selling fake or bad tickets to these events. So here's the thing. Have you been to an NFL game recently or ever? 

Dave Bittner: I have been to - well, I have been in the stands as a ticket holder to exactly one NFL game in my life. I have been on the sidelines as a TV cameraman... 

Joe Carrigan: OK. 

Dave Bittner: ...More than that, but... 

Joe Carrigan: That's different. 

Dave Bittner: It's been a while, yeah. 

Joe Carrigan: Right. You get a pass for that, right? 

Dave Bittner: You do. Yes, yes. It's quite exciting, actually. 

Joe Carrigan: The way - I'll bet it is. I've never been on the sidelines of any major sporting event, but I also haven't been to an NFL game in a number of years. But my wife and my son-in-law went to an NFL game. And they bought tickets online through a resale site. And these tickets are essentially just barcodes, right? Like, when my son-in-law printed out the tickets, he just printed them out of his printer at his house that - you know, here are the tickets. These are them. Show these things, and they scan the barcode. 

Joe Carrigan: So what happens in these scams is a lot of times somebody will sell the same ticket multiple times, right? So it actually is a real ticket. But if you're not the first guy or girl to get to the game - right? - you're not the first person that shows that ticket to the ticket agent at the door, you're out of luck... 

Dave Bittner: Oh, I see. 

Joe Carrigan: ...Because that ticket... 

Dave Bittner: So I could buy this - yeah. I could buy this ticket from you. 

Joe Carrigan: Right. 

Dave Bittner: You could sell it to multiple people. I could go online and check to make sure that this ticket is authentic. 

Joe Carrigan: Yep. 

Dave Bittner: And it'll come up as saying, yeah, that's a real ticket. But unless I get to the game early, I'm not getting in. 

Joe Carrigan: Right. Yep. If I sell that ticket to, like, five or six people - and, you know, if you're going to sell it to one person or you're going to sell it to two people, you might as well sell it to 100 people, right? 

Dave Bittner: Yeah. 

Joe Carrigan: It doesn't matter how many people you sell it to. So this article has some interesting things in here on what to do. So if you're purchasing tickets, use a reputable website. There are reputable websites out there. I'm not familiar with them off the top of my head, but they actually have ways to do this. And I'm not sure what the workflow is, but go ahead and check it out. Use a reputable website, and avoid using general item websites. Like, don't buy tickets on Craigslist, right? Don't buy tickets on Facebook Marketplace. Chances are those are going to be scam tickets. 

Joe Carrigan: If you're selling online, do not post pictures of your tickets because those tickets have the barcodes on them. And if I can scan that barcode, if I can look at that picture and get a good enough read on the barcode, even though you've only shown a picture of it and you're thinking the threat model is, well, they're going to print out a picture; it's going to look like a picture - if I can read that barcode with a barcode scanner, I can print out a new barcode. And I can completely fake up a ticket. 

Dave Bittner: Right. Right. 

Joe Carrigan: Trivial to do that. So don't put barcodes... 

Dave Bittner: I'm just imagining - I'm imagining myself having stolen your ticket, and I end up in the stands sitting next to your wife. 

Joe Carrigan: Right. 

Dave Bittner: Oh, hi. 

(LAUGHTER) 

Dave Bittner: Hi, Joe's wife. 

Joe Carrigan: Right. 

Dave Bittner: No, I didn't steal that ticket. Funny - wow, what a coincidence. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Well, Joe couldn't get in, but... 

Dave Bittner: Right. 

Joe Carrigan: I left him at the gate because I'm not missing the football game. 

Dave Bittner: Yeah. Joe's out in the parking lot, listening on the radio. 

Joe Carrigan: Right - waiting for me to come out. 

Dave Bittner: Right. 

Joe Carrigan: Yeah, she's a big football fan, actually. They also recommend that if you're selling it online, go ahead and use a reputable website, one of these sites that monitors thing - I don't know how - again, I don't know how the workflow works. 

Joe Carrigan: If purchasing or selling via an electronic payment system, know the refund policy of that payment system, like PayPal or Venmo, right? A lot of times that money is just gone. I think PayPal has a little bit more fraud protection. Like, you can say, this is a fraudulent sale. I didn't - you know, the ticket didn't work when I went to get in, and I'd like my money back. I don't know that you can do that with Venmo or with things like CashApp. I think it's just gone. It may be. I don't know. Maybe they have some kind of fraud protection. I don't use those apps enough to know. 

Dave Bittner: Yeah. 

Joe Carrigan: Other tips - if it sounds too good to be true, it probably is, right? So if you're seeing... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Tickets for a playoff game being sold at face value when there's an opportunity for people to sell it for a little bit of a premium, that might be a tip-off that you're not looking at a real deal. 

Joe Carrigan: If it's a cash deal, inspect the money. It isn't uncommon for someone to wrap counterfeit bills in real bills. So a lot of times - I guess they're talking here about when you're selling the ticket. If you're going to sell a ticket, make sure you're getting real money if you're getting cash. 

Joe Carrigan: And the final piece of advice here is extra fees paid on reputable websites might be irritating, but they are worth it for the security that you get. 

Dave Bittner: Yeah, yeah, yeah. Isn't that interesting? You know, I've never been - I've never had this situation where I've had a bad ticket, where I've been turned away from something because my ticket wasn't, you know, correct. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. But at the same time, I feel like most places, I could probably social engineer my way in because I'm in that - you know, because we're in that middle-aged guy zone where we can say, oh, gosh, my wife already went in, and she had the tickets, and she's already in there. And they'll probably just say, yeah, go ahead. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I don't know. I get the feeling if you tried that at an NFL game, they wouldn't let you in. 

Dave Bittner: Yeah, probably, probably. Yeah, that's true. Yeah. 

Joe Carrigan: Every year at the Super Bowl, there - I can't remember what the guy's name is. But there's a guy who says he tries to socially engineer his way into every single Super Bowl, and he does it, like, 80% of the time or something like that. I got to find out what that - who that guy is. Maybe we can interview him because... 

Dave Bittner: Yeah. My take is that football is better on TV than in person, and baseball is better in person than on TV. 

Joe Carrigan: I agree with you 100% on both those statements. I think football is a game that grew up with television. 

Dave Bittner: Yeah. 

Joe Carrigan: And baseball is a game that grew up without television. So I think baseball is much more fun in person than it is watching on TV, even though I still enjoy watching on TV. But football - I have been to two preseason games and have absolutely no desire to go to another football game ever again. 

Dave Bittner: Yeah. Yeah. I just also - football - it seems like football people are not my people (laughter). Just the rowdiness of the crowd was a bit too much for me at the game I went to. But... 

Joe Carrigan: Yeah. When my wife and son-in-law went to that game, we actually flew down to Dallas because they're Dallas Cowboys fans. And one of the things they said was that - my wife says, that is the loudest place I have ever been. And I'm like, I have no interest in going to that. Just... 

Dave Bittner: Yeah. 

Joe Carrigan: She says, you got to go. I'm like, no. No, I don't. I don't want to go to that. I don't want to be sitting there, listening to the loudest thing you've ever heard... 

Dave Bittner: Right. 

Joe Carrigan: ...For three hours. 

Dave Bittner: (Laughter) Right. Right. Right. 

Joe Carrigan: That doesn't sound like fun. 

Dave Bittner: It's like when somebody says, oh, oh, God. Smell this. Oh. Oh. 

Joe Carrigan: (Laughter). 

Dave Bittner: Like, what? Why would I do that? 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, we've digressed down many rabbit holes here. 

Joe Carrigan: Yes, we have. 

Dave Bittner: Let's move on. Let's move - of course, we'll have links to that story in our show notes. 

Dave Bittner: My story this week first came to my attention from Twitter, and this is a gentleman on Twitter whose name is Kosta Eleftheriou. And we'll have a link to his series of tweets. So it was also followed up with a story over on The Verge written by Sean Hollister. And The Verge story is titled "Apple's $64 Billion-A-Year App Store Isn't Catching The Most Egregious Scams." So I'm going to go back to Kosta's Twitter thread here, and he starts off his thread by saying how to make $13 million on the App Store. That caught my eye, so... 

Joe Carrigan: Right. I'd like to make $13 million. 

Dave Bittner: Sure, why not? So here's the process of the scam. So I'm going to sort of paraphrase what Kosta has laid out here. He says first, make a basic app people might be searching for. And the example he uses here is an app called Volume Booster, right? 

Joe Carrigan: Right. 

Dave Bittner: Simple app, does one thing - makes things on your phone louder, OK? 

Joe Carrigan: Right. I'd love to have that for my earbuds that don't play my music loud enough. 

Dave Bittner: Yeah. And you know what? There's - that's - there's utility in that app. 

Joe Carrigan: Right. 

Dave Bittner: That's a useful app, right? 

Joe Carrigan: Yep. 

Dave Bittner: But here's where it goes off the rails. Step two - charge an absurd $10 per week auto-renewing subscription that's easy to sign up for but much harder to cancel. OK, so the utility of this app is - it has value. I don't think it has $520 a year in value, right? 

Joe Carrigan: No, it does not. 

Dave Bittner: OK. Step three - buy lots of fake reviews on a daily basis. So you go out to one of these review farms. You pay them. And basically, they drown out all of the bad reviews about how your app is scamming people out of money by being an auto-renew, $10-per-week app. 

Joe Carrigan: Right. 

Dave Bittner: Here's where it gets stickier. Because this app is making so much money by buying all these fake reviews, it becomes the 135th highest-grossing app on the App Store, bringing in $13 million since 2018. 

Joe Carrigan: Wow. 

Dave Bittner: Apple has... 

Joe Carrigan: This thing has actually done this. It actually brought in $13 million. 

Dave Bittner: Yeah. Oh, yeah, yeah. Apple has featured this app many times because of its success. OK. 

Joe Carrigan: Really? 

Dave Bittner: Now - yeah, yeah. Now, let's think about this - $13 million. Apple gets 30% of that... 

Joe Carrigan: Right. 

Dave Bittner: ...$13 million, right? 

Joe Carrigan: Right. 

Dave Bittner: So we'll get to that part of the story in a second. 

Joe Carrigan: I've talked about that before. 

Dave Bittner: Yeah, yeah. There's a perverse incentive here. So we'll get to that in a second. So the developer makes this app. It has - actually has utility. But, you know, people get - here's where this scam gets me, and here's why I think it's particularly interesting for this show, which is that, to me, apps like this get people when they're in the midst of having an immediate need. 

Joe Carrigan: Right. 

Dave Bittner: Right. I wish my music were louder. I've been in this situation where I've said, I wish I could convert this to a PDF. 

Joe Carrigan: Yes. 

Dave Bittner: You know - right? 

Joe Carrigan: Yup. 

Dave Bittner: So I go looking around for a PDF app. And you find an app, and it says, convert your PDFs - free for seven days. And I said, well, this is great. I only need to use this once. I'll install this app. And then what happens, Joe? I forget to uninstall it. Seven days later - kablooey (ph). 

Joe Carrigan: Right. 

Dave Bittner: Right. I'm paying - they get me for at least one of the charges. Now, I will say Apple is very good about refunding charges if you go back and say, hey, you know, I didn't want to pay for this. They're very good about that. 

Joe Carrigan: Right. 

Dave Bittner: But I think what needs to happen and what's lacking here is that Apple should have a mechanism in place for app developers where they are required to have a notice pop up when an app transitions from its free trial to its paid mode. 

Joe Carrigan: Right. 

Dave Bittner: A thing pops up and says, hey, this app is about to transition from being free to being paid. Do you want to continue and start paying for this app? 

Joe Carrigan: Yes. 

Dave Bittner: Yes or no? 

Joe Carrigan: Right. 

Dave Bittner: To me, that would fix this problem. And they don't do that. 

Joe Carrigan: No. 

Dave Bittner: And I can't help wondering, do they not do that because, for example, in this case, Apple has made 30% of $13 million? 

Joe Carrigan: Right. That's, like, $4.5 million. 

Dave Bittner: Yeah. 

Joe Carrigan: Right. 

Dave Bittner: Yeah - which, you know, I mean, that's the money Apple has in the couch cushions, you know, at... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...One Infinite Loop compared to the money they make. But still, when you look across the app ecosystem, it's real money, and you could understand how Apple would not be incentivized to crack down on this. 

Joe Carrigan: Yeah, Apple is absolutely not incentivized to crack down on this. You know, going back to your statement - Apple makes all kinds of requirements of app developers for how the app looks and feels and behaves, right? You can't get an app to open with a different look and feel approved in any Apple ecosystem. You just can't do it. 

Joe Carrigan: So why not do two things? Why not do what you suggested and require that they notify you through a standard interface that the app is about to transition from the free trial to the paid subscription, and then why not also standardize the methodology within an app that allows a user to unsubscribe from the service? Those are the two things Apple needs to do here, and they're not doing it. 

Joe Carrigan: And I think they're not doing it - you know, the pessimist inside of me, the very large pessimist inside of me says they're not doing it because they're making the $4 million from this app. And this is just one app. There are probably hundreds of apps out there like that. 

Dave Bittner: Yeah, sure. Yeah. 

Joe Carrigan: Pretty sure you're talking about real money, Dave, as you like to say. 

Dave Bittner: That's right. That's right. Well - and to Apple's credit, I mean, they do send out notifications for annual subscriptions. For example, I - there's a handful of magazines that I subscribe to through Apple, and they alert you a month ahead of time. It says, hey, this magazine is about to, you know, re-up. Here's just a heads-up. And if you want to cancel, here's how you do it. So they do it in that case. I just wish they would do it in this case. 

Joe Carrigan: Yeah. 

Dave Bittner: And I'm left scratching my head. I guess the optimist in me is left scratching my head why they don't do this. The pessimist in me knows exactly why they don't do it, right? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Because they're incentivized not to. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: So I guess in terms of our listeners, I mean, I put out a little question about this on Twitter earlier today. And one listener wrote in and said, you know, I set reminders for myself about these sorts of things so that I don't forget to unsubscribe. I think that's a good idea. Any time you sign up for something that has a subscription that you're concerned about, go ahead and set yourself a reminder so that you remember to delete that app before, you know, you get hit with that fee. 

Joe Carrigan: Yeah, I - my policy is that when I see that this app has a free trial, I uninstall it and look for another app. 

Dave Bittner: Yep. 

Joe Carrigan: The other thing you can do is you can look for a - you know, even if you have a farm that is producing tons and tons and tons of five-star reviews for this thing, you can still go and look and see what the one-star reviews say, right? And Kosta has a bunch of those on here about - you know, if you actually look at the one-star reviews, nobody pays for one-star reviews. Nobody pays for four-star reviews or three. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: You know, nobody pays for anything but five-star reviews. 

Dave Bittner: Right. All right. Well, we will have a link to that story from The Verge as well as to Kosta's Twitter thread there - both worth checking out. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener who would like to remain anonymous. Go ahead. And this is just a letter that this person sent in about the situation at their place of work. So why don't you go ahead and read the letter that they sent to us? 

Dave Bittner: All right. 

Joe Carrigan: It's an interesting situation. 

Dave Bittner: It says, hi, Joe and Dave. Just had an interesting one at the client I'm working at. They want to supply me with a laptop and want to, quote, "set it up with the least amount of downtime possible," end quote. And thus, IT have sent me a message over Teams requesting my logon details. I know from other colleagues getting these messages, they want a username and password. Naturally, I assumed it wasn't right as, firstly, the new laptop is news to me, and no one told me I was getting it. This just rings true of phishing stories. And why would IT need my own username and password? They should have them. A quick message to my gaffer, the boss, it's legit. I've had to politely raise that you can't have an IT info security policy of don't give out your password unless it's us because we're OK. 

Joe Carrigan: Right. 

(LAUGHTER) 

Dave Bittner: Hopefully, this will only make things better. Keep up the good work. 

Joe Carrigan: So this is the first time we've had a Catch of the Day that isn't a scam. This is an actual policy, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And it's a very, very bad policy. 

Dave Bittner: Right. 

Joe Carrigan: So it's - here's the thing. He says, shouldn't they have my username and password? They don't have your password. They have a hash of your password. 

Dave Bittner: Right. 

Joe Carrigan: But they shouldn't need your password. If they're in the admin role, they can say, guess what. We're changing your password to something that we know, and then we're going to use it, and then we can set up your laptop. And then when it's time for you to do it, we're going to ask that you change your password to something for you to use. That's how this should work. 

Dave Bittner: Right. Right. 

Joe Carrigan: This should not work with asking your user - a user for their username and password over Teams. And you may think that Teams is a secure channel over which you can ask for this information without much ramification. But if someone compromises your Office 365 account, they're going to get access to your Teams account. And if they do that, the next thing they're going to do is move laterally, and they're going to be asking people for usernames and passwords over Teams. And if you set that up as a business practice, people are going to be much more willing to do that. And then you've got real problems. 

Dave Bittner: No, this is absolutely something that should not be normalized (laughter). 

Joe Carrigan: Absolutely not. Absolutely not. So, anonymous person who sent us this, if you want to let your people, you know, listen to this or say you've got, you know, two guys here who know a lot about security saying, don't do that - and my question is for your security team or for your IT team. How many people do you need me to tell you that this is a bad idea before you believe me? Because whatever that number is, I'll get that number of people for you. 

Dave Bittner: Right. Right. Well, so here's a question. Suppose you're working at an organization and they come to you and request this, and it is legit. What - I mean, you know, it's a legit request. In other words, it is an authorized request. 

Joe Carrigan: Right. 

Dave Bittner: Do you refuse the request? I mean, how much of a stink do you make with something like this that you know is wrong and has security implications? Is this a hill to die on? 

Joe Carrigan: That's an excellent question. And in fact, I'm reminded of my very first sales job when I got out of college. I remind everybody I had my brief and failed sales career. But my first job was working with a value-added reseller. And it was - you know, the owner of the company was sitting at my computer trying to set something up because he was doing a lot of IT work because that's what the company did. And the head of tech support was standing there. 

Joe Carrigan: And the head of tech support turns to me and goes, what's your username and password? And I go, uh, the - and the owner of the company turns around, looks at me and very curtly says, username and password. And I gave it to him. And the reason I gave it to him is because I'm sitting here with the owner of the company getting ticked off at me about being concerned about giving up my username and password. And this was back in the '90s, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So, you know, I'm early in my career. Do I make a stink about this on my second or third day on the job? I don't think I do, you know? 

Dave Bittner: (Laughter) Yeah. Different time, too, different time. 

Joe Carrigan: Yeah, different time. I don't know that I make that - make a stink about that now. I mean, I think I mention it now. I - actually, you know what? Now, in my current role, I absolutely make a stink about it - right? - because I'm supposed to be a security expert (laughter). So... 

Dave Bittner: Right, right. 

Joe Carrigan: ...I mean, if I give them my username and password, the next words out of their mouth are, you know, pack up your desk. Get out of here. You're fired. 

Dave Bittner: (Laughter). 

Joe Carrigan: You're not the security expert we thought you were. 

Dave Bittner: Right. 

Joe Carrigan: But, you know, it really depends on your situation. This guy sounds like he's, you know, not in an IT position. Maybe he is. I don't know. But, yeah, I don't know. I think you have to weigh the decision. But you definitely make mention of it. You say is - first off, you do what this anonymous person said and you ask your boss, hey, is this right? Is this legit? Oh, yeah. This is how they do it. And then you say they shouldn't do that. That's bad practice. 

Dave Bittner: Right, right. 

Joe Carrigan: You know, and then you make the decision as to whether or not you actually comply with the practice. 

Dave Bittner: Yeah, yeah. All right. Well, thanks to our listener for sending that in to us. 

Dave Bittner: We would love to hear from you. If you have a Catch of the Day for us or a story you'd like us to consider speaking about on the air, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Jane Lee. She is the trust and safety architect at Sift. And our conversation centers on the Digital Trust & Safety Index. Here's my conversation with Jane Lee. 

Jane Lee: Yeah, so we - every quarter, we release a report on current trends and trends basically that we're seeing throughout the industry. ATOs, otherwise known as account takeovers, have been increasing at a staggering rate. I think our data showed that between April 2019 and June 2021, we saw a 307% increase in account takeovers. And I think, you know, given the pandemic and all the related data breaches and really newsworthy things that are happening lately, it's just created the perfect environment for ATOs to breed.

Dave Bittner: Yeah, one of the things that your report highlights is this fraud ring that you're naming Proxy Phantom. Can you give us some of the details about them? 

Jane Lee: Yeah. So basically what the Proxy Phantom fraud ring is - our data science team observed an unusual number of login attempts hitting several of our merchants and then looked into it further and saw that they were also rapidly cycling through IP addresses at the same time. What makes this different from traditional ATO is the scale and the sophistication at which they're doing it. 

Jane Lee: So credential stuffing is not a real - it's not a new thing. But the way in which the hackers are trying to obfuscate their IP addresses is becoming newer. And, of course, that makes it a lot more difficult to detect for the average merchant that might not be leveraging the appropriate technology. That's what made this fraud ring just really stand out to us. 

Dave Bittner: Can we dig into some of the details here? I mean, when you say that they're rotating through IP addresses, how are they enabling that? What's the technology that they're using? Do you have insights there? 

Jane Lee: Yeah. So what they are doing is they're leveraging scripts, so they basically write scripts to automate the password and username combinations. This is otherwise known - it could be known as a brute-force attack. But basically they have a database of credentials that have been acquired from data breaches, from phishing attempts. And what they do is with this particular fraud ring, within a short period of time, they just start mass testing these credentials across different merchants within the Sift network. I think our data shows that they use about 1.5 million stolen credentials, and we saw up to 2,600 attempts per second, login attempts per second. So that gives you an idea of the scale at which they've been operating.

Dave Bittner: And what does this look like to a merchant? When they're the subject of this sort of attack, what's going on on their end? 

Jane Lee: So if a merchant has the right technology to notify them when something like this is happening, they will see this as a really abnormal number of login attempts. And that goes for both login failures and successful logins. So they first see that anomaly. If a merchant does not have that right detection, it can go undetected. So you won't really know until the rightful owner realizes that a bad actor got into the account, withdrew some funds or, you know, performed some other sort of illegal, nefarious activity. 

Jane Lee: One thing I would like to add to that is with these credential stuffing attacks that the Proxy Phantom fraud cluster was conducting, you don't necessarily see that downstream event. By downstream event, I mean you don't necessarily see a transaction right away. You don't necessarily see an update password of that right away. This makes it all the more difficult for merchants to know that there are these bad actors doing bad things to their legitimate users, again, making the problem all the more challenging to detect for a lot of merchants. 

Dave Bittner: So this group is willing to bide their time. They have a certain amount of patience. 

Jane Lee: Exactly. And, you know, I believe you spoke to one of my teammates, Brittany (ph), who talked about a lot of the dark web Telegram forum chatter that happens. And what we do see is this type of information, these tactics being traded, they're being exchanged on these forums. And so what they do is they - they'll validate a batch of accounts. Say, where the credential stuffing attacked, they validated 100,000 user accounts. Those then are put up for sale on the dark web, where there are buyers that are willing to buy and get a payday out of them. 

Dave Bittner: So when someone is using this sort of technique - as you say, they're rotating through IP addresses - how do you go about detecting that, and what are the limitations of some of the types of detection that people are using out there? 

Jane Lee: Yeah. So I would say the limitations of how a lot of merchants that I speak with are detecting them is - you know, back in the day, I was at Facebook at one point, and what we would do is do more one-to-one type of blocking, right? So what we see - this is not the case anymore, but what we would see is, you know, you see suspicious activity coming out of an IP address. Then you temporarily stall that IP address or you temporarily block that IP address. 

Jane Lee: But, of course, if you have a network like the Proxy Phantom fraud ring that is cycling through IP addresses in a very short period of time, this becomes all the more challenging. You're constantly playing a game of catch-up. And inevitably, you're going to end up blocking the wrong set of users because IP addresses, you know, frankly, are not the best thing to block. You don't want to - it's a very risky thing to do because there can be good users tied to them. So what unfortunately ends up happening is the fraud teams are just constantly, you know, reactively locking IP addresses as they're surfacing. If you don't quickly address that, you know, once the attack is over, then ultimately, you're going to block a bunch of good users as well. 

Dave Bittner: So what's the solution then? I mean, what are some methods that are effective here? 

Jane Lee: So what really sets the successful merchants apart when it comes to combating rings like the Phantom Proxy fraud ring is leveraging the right technology. You don't want to constantly be playing the game of cat and mouse where you're being very reactive. And with a lot of the more traditional rules-based systems where you're setting if-this-then-that type of rules, that has become ineffective. Why? Because as mentioned, you have these really, really rapid attempts that are very sophisticated in breaching your systems. 

Jane Lee: What has been shown to work is leveraging the right technologies, so machine learning. Machine learning can tell you very, very granular things about a particular type of login. So when you have something like the Proxy Phantom network, you have a bunch of user accounts that are connected to a particular IP network. And that IP network has also done a very similar type of activity somewhere else within, say, the Sift network. That's when you really get the confirmation that, hey, this is something that is worth looking at a second time. 

Dave Bittner: It's fascinating. So the machine learning is capable of - I don't know - detecting patterns that would be hard for a human to see. 

Jane Lee: Absolutely. And, you know, not only is machine learning helpful in detecting those patterns, but the right tooling will also be able to give - provide that information to teams that are trying to fight these types of attacks at a larger scale. 

Dave Bittner: What about advice for the consumer here? If I'm someone who's making use of one of these services and this is a target for these credential-stuffing folks, what are the tips for folks to best protect themselves? 

Jane Lee: Yeah. So for a consumer like you and I, making sure that you practice proper password hygiene - I know it's annoying, but really leveraging things like password managers to have a diverse set of passwords. The reason why I say this is because if you are involved in a data breach - let's say a really notable one recently was T-Mobile. Our data shows - and this is confirmed by the most recent Google security study that they have - but over 65% of users recycle their passwords across different platforms. And so if, again, say you got breached or your account was compromised at a place like T-Mobile, every merchant should assume that about 65% of their users are at risk because they may have reused their password somewhere else. So from a consumer perspective, make sure that you, again, practice proper password hygiene. 

Jane Lee: The other thing that I would recommend is to opt in to two-factor authentication or multifactor authentication. A lot of merchants have this as an opt-in-only feature, but again, this will protect you if there is a suspicious login that takes place on your account to be notified or to have that extra level - that extra layer of protection, which also leads me to the merchant side, right? If you are a merchant, really leveraging things like notifications, security notifications, 2FA, MFA, those types of technologies would really help in protecting both you and your users. 

Dave Bittner: Yeah, I think that's a really good point. I mean, is - do you think it's fair to say that as a provider, if I'm a merchant, that 2FA is familiar enough with people that at least making it an option for them isn't going to seem so strange, it's not going to seem so foreign anymore? 

Jane Lee: Actually, it really depends on the vertical. So, say, in the fintech industry, or financial services, you have users that are a lot more comfortable with having that extra layer of friction, right? Because why? They have actual, tangible money attached to these accounts. 

Jane Lee: We do see a little more resistance in other industries. In those cases, you have more passive options, such as security notifications, which, of course, is that passive email that you send to a user. If I suddenly log in from a brand-new device, my Facebook will tell me, hey, can you confirm that this was you? If not, please report it here. And so... 

Dave Bittner: Right. 

Jane Lee: You can - as a merchant, you can decide how much you want to add that extra friction. Me, as a consumer, I don't mind if I get that passive notification. In fact, it helps me know that the merchant or the platform that I am transacting on is doing their due diligence to make sure that my account is safe. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Dave, there's a lot of information in this interview, and unfortunately, not a lot of it is very surprising. 

Dave Bittner: Yeah. 

Joe Carrigan: Account takeover is up 307% in just a little over two years. That's alarming (laughter). 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: The actor that Jane talks about, this Proxy Phantom that they're calling it, is doing account takeover at scale now. They're attempting 2,600 login attempts a second. That's a lot of login attempts. 

Dave Bittner: (Laughter). 

Joe Carrigan: And what's amazing is that they're still using credential stuffing and they're rotating IP addresses. And if you don't have the correct solution in place to find or to detect this kind of activity, you'll never know that you've been compromised until something happens... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Especially with the way these guys are acting. And you pointed out that these guys are a little bit more patient than the average threat actor. They may wait. They're not going to act right away. 

Joe Carrigan: One of the things she talked about is that they will not change passwords on people. Once they have access, they're not going to go in and do a password change because that locks the user out of the account and is a red flag and lets - it immediately lets anybody know something's gone wrong, right? So if you don't want them to know that, you don't change anything. You just maintain the access. 

Joe Carrigan: IP blocking is great, but not when you're dealing with an actor that goes through IP addresses very quickly. Jane points out that you could very well lock legitimate users out. 

Dave Bittner: Yeah. 

Joe Carrigan: She talks about the if-then-else model and then - and compares it to, like, machine learning. The if-then-else model is very easy to defeat because it's clear, rigid Boolean logic, you know. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, if you do this, then - if one thing is true, then behave this way. If another thing is true, then behave this way. And malicious actors have demonstrated an uncanny ability to get around that. They want to satisfy the true condition to get the result they want, and they're very good at doing that. And... 

Dave Bittner: Yeah. 

Joe Carrigan: That's where machine learning is going to come in and hopefully make things better. Jane put some great numbers behind our incessant nagging about password managers. 

Dave Bittner: (Laughter). 

Joe Carrigan: Let's - I want to walk through this T-Mobile breach that she mentioned. 

Dave Bittner: Yeah. 

Joe Carrigan: So let's assume that you run some system. I don't know if it's a website or a service or something, but let's look at the percentage of users that have mobile phones. We can probably assume that's pretty close to 100%, right? So that's multiplying by one, so it doesn't have any effect. So you don't even need to consider whether or not somebody has a mobile phone. You see the T-Mobile breach in the news, and you go and you quickly do a Google search, like I did, and you see that T-Mobile has about 25% of the market. So you can assume that 25% of your users are on T-Mobile. 

Joe Carrigan: Sixty-five percent of the users - this is the number that came from Jane - 65% of the users reused passwords. When you find - so now it's just a matter of multiplying 25% of 65%, and you find out a number a little over 16%. Sixteen percent is probably the percentage of people - is an estimate of the percentage of people on your system that are vulnerable to a credential stuffing attack because of a breach on another company's site. 

Dave Bittner: Right. Wow. 

Joe Carrigan: So, you know, depending on how many people you have - if you have 10,000 people on your system, that's 1,600 people. It's a lot of people. I mean, 16 may seem like, oh, that's a low percentage, but it isn't a low percentage. It's a pretty high percentage. 

Dave Bittner: Right. 

Joe Carrigan: Again, for protecting ourselves, we hear - Dave, again, we hear - multifactor authentication and password managers. 

Dave Bittner: (Laughter). 

Joe Carrigan: Two great things that go great together. 

Dave Bittner: That's right. 

Joe Carrigan: You can't go wrong if you're using this. It's the best thing. Even if you're just using the SMS multifactor authentication, that absolutely stops your credential stuffing attack in its tracks because those are just automated attacks that don't go through the process of any social engineering. They're just brute force attacks. And an SMS notification will stop that kind of attack without getting any further. 

Joe Carrigan: Now, that doesn't mean that they're not going to set that one aside and go, devote a little more attention to this one if we deem it's necessary. So if you can use a more secure multifactor than SMS, you should absolutely do it. Otherwise, if it's the only thing available to you, go ahead and use it. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Jane Lee for joining us. We do appreciate her taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.