Hacking Humans 4.28.22
Ep 194 | 4.28.22

The dark side of business email attacks.

Transcript

John Wilson: One of the nice things for the bad guys, you know, to make their life easier is that BEC is a very low-tech crime.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where, each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with John Wilson. He's a senior fellow threat researcher at Agari by HelpSystems. We're discussing business email compromise attacks. 

Dave Bittner: All right, Joe. Let's jump right into our stories here. Why don't you start things off for us? 

Joe Carrigan: Dave, I have three stories that I want to go over today. These are interpersonal scams. So the first one is from Brian Roche at WGAL in Lancaster, Penn. 

Dave Bittner: OK. 

Joe Carrigan: You ever been to Lancaster, Dave? 

Dave Bittner: I have. It's lovely. 

Joe Carrigan: It is beautiful. He's talking about the secret shopper scam. And this scam has been around for years, but now it's coming back. So here's how this works. Maybe you apply to be a secret shopper. You see an ad, and you say, I want to be a secret shopper. 

Dave Bittner: OK. 

Joe Carrigan: Or maybe you just get this mail in - physical, actual mail delivered to you. It says, congratulations on being accepted for being a secret shopper. You're going to have fun, and you're going to get to improve customer service. Here's what you need to do. 

Dave Bittner: Yeah. 

Joe Carrigan: Take the enclosed check. Deposit it into your bank account. And then take that money, and go buy some - wait for it - gift cards. 

Dave Bittner: Oh. 

Joe Carrigan: Then send us the gift cards, and keep the difference. 

Dave Bittner: OK. 

Joe Carrigan: Right? And then we'll - and fill out this survey. It all looks legit, right? 

Dave Bittner: Right. 

Joe Carrigan: But here's what happens. 

Dave Bittner: Well, before we get to that... 

Joe Carrigan: OK. 

Dave Bittner: ...Just for folks who may not be familiar, what is a mystery shopper? 

Joe Carrigan: I don't think that they actually exist. Or if they exist, they're actually employees of the company directly. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? But the idea is that you need to assess the - in a retail operation, you need to assess how well the front face of your business works - right... 

Dave Bittner: Right. 

Joe Carrigan: ...How well the individual shopper - or the individual associates, if you will, work. I don't think a lot of companies do this anymore. I think they used to do it. I don't know if they - to what frequency they did it. 

Dave Bittner: Long ago, my wife worked at the Disney store, and they had mystery shoppers come in from corporate. 

Joe Carrigan: Did they? 

Dave Bittner: And this is when the Disney store was owned by Disney. I think it's been, you know, sort of sold off. 

Joe Carrigan: Right. 

Dave Bittner: You know, whatever. But - and the funny thing was, for them, a perfect score for a Disney Store was 101 Dalmatians. 

Joe Carrigan: Right. 

(LAUGHTER) 

Dave Bittner: So... 

Joe Carrigan: That's awful. 

Dave Bittner: So if they did... 

Joe Carrigan: That is terrible. 

Dave Bittner: If they did - if they got a perfect score, they got a pin that had a little Dalmatian on it, and it said 101. And that was a badge of honor for the store. 

Joe Carrigan: OK. 

Dave Bittner: So - but this was 20 years ago. 

Joe Carrigan: Yes. I don't know what companies still incur this cost because companies that have brick-and-mortar stores are now competing with a lot of online retailers. 

Dave Bittner: Right. 

Joe Carrigan: And judging from the customer service I receive when I go into these stores - and this may be the grumpy old man in me talking... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...I'm going to assume that they don't do very much of this anymore... 

Dave Bittner: OK. 

Joe Carrigan: ...Or these people wouldn't treat me this way. 

Dave Bittner: (Laughter). 

Joe Carrigan: But it is just a scam. You have not been magically selected. If there is a mystery shopper, it is probably a corporate employee, as you said. The check will bounce, and you'll be out the money. 

Dave Bittner: I see. 

Joe Carrigan: That's what happens. So you send these - it's just a gift card scam with - which is a kind of a new scam because we have gift cards now that - we didn't have those 40 years ago, 30 years ago. 

Dave Bittner: Right. Right. 

Joe Carrigan: But now it involves this floating check scam, which is a very old scam. 

Dave Bittner: I see. 

Joe Carrigan: Right. 

Dave Bittner: I see. 

Joe Carrigan: It may have been that you send the merchandise off in the past and then keep the difference, and then the check bounces. 

Dave Bittner: I see. 

Joe Carrigan: But now that merchandise can be sent electronically in the form of gift cards. So if you get one of these checks, just throw it away. 

Dave Bittner: Yeah. 

Joe Carrigan: You've been targeted by a scam. You may want to call the bank and let them know - the bank on the check and say, I got this check here. I know it's going to bounce, but somebody's using your information. 

Dave Bittner: Right. 

Joe Carrigan: There may not be much they can do. Maybe they want you to send it to somebody... 

Dave Bittner: Yeah. 

Joe Carrigan: ...To have it looked at. I don't know. 

Dave Bittner: Yeah. 

Joe Carrigan: I've never been involved in one of these, so I wouldn't know. But I would say secret shopper scams are almost always a scam. You know, the whole - from the advertisement to the check, it's fake. 

Joe Carrigan: Next, Hank Winchester from ClickOnDetroit has a story about utility impersonation fraud. DTE Energy, which I guess used to stand for something... 

Dave Bittner: Probably Detroit something energy. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Like, maybe just Detroit energy. Who knows? 

Joe Carrigan: Right. BG&E used to stand for Baltimore Gas and Electric. 

Dave Bittner: Right. 

Joe Carrigan: Now it's just BGE. That's what the company is. It's owned by some - I think Constellation Energy. 

Dave Bittner: Yeah. 

Joe Carrigan: No, that's probably old. It doesn't matter. People are calling other - calling DTE customers saying, hey. I'm from DTE, and you need to make a payment right now. 

Dave Bittner: Mmm hmm. 

Joe Carrigan: What's even more freaky is they're showing up in person. And they are saying if someone shows up at your front door, always ask them for identification. And if something seems fishy about the entire operation, call the police, right? 

Dave Bittner: Mmm hmm. 

Joe Carrigan: So I think that's probably your best bet. I don't know that - have - do people show up and knock on the door and say, I'm going to shut the power or the water off if you don't give me payment right now? 

Dave Bittner: No, they do not. 

Joe Carrigan: They send you a notice that says that, right? 

Dave Bittner: You get several nastygrams in a row (laughter). 

Joe Carrigan: Right. 

Dave Bittner: And I think they - you know, turning off your water - any of those utilities, I mean, they try as much as possible to not do that... 

Joe Carrigan: Right. 

Dave Bittner: ...Because it could be life-threatening... 

Joe Carrigan: It can be. 

Dave Bittner: ...For people, so... 

Joe Carrigan: I think there may even be laws against doing it in certain times of the year. 

Dave Bittner: Yeah, yeah. So you - yeah. No, they're not going to show up at your front door demanding cash. 

Joe Carrigan: Right. 

Dave Bittner: That's for sure. I mean, I remember from back when I had my own business that folks would come to the door all the time trying to sell me long-distance service. And they would have lanyards that said they were from Verizon or somewhere like that, and I was always skeptical of that. 

Joe Carrigan: Right. 

Dave Bittner: They would come to the door and say, hey, can we see your last phone bill? I'd be like, no, I'm not showing you my last phone bill. 

Joe Carrigan: (Laughter). 

Dave Bittner: Like, I'm just - you're a stranger off the street. Go - be gone. 

Joe Carrigan: Every time I think of these lanyards, you know, I go immediately to the movie "Napoleon Dynamite." 

Dave Bittner: Oh, yeah? 

Joe Carrigan: Where Uncle Rico and Kip are selling Tupperware, something like Tupperware. 

Dave Bittner: Right. 

Joe Carrigan: And Uncle Rico goes, we need something that makes us look official, like badges. 

Dave Bittner: (Laughter). 

Joe Carrigan: And they just get some badges printed up. 

Dave Bittner: Right. 

Joe Carrigan: They go to Deb and get some pictures taken and get some - and use those pictures to print up badges. Anybody can do that. 

Dave Bittner: Yeah. You know, I was - over the weekend, I stopped by a local flea market that's near here, sort of like a regular organized sort of thing, and there was one - there was a booth there that caught my eye mainly because of this show. And it was full of used uniforms from well-established companies. 

Joe Carrigan: Really? 

Dave Bittner: So for example, if you wanted to be Bob from Jiffy Lube, you could totally buy a used Bob from Jiffy Lube uniform. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. 

Joe Carrigan: Dave, you're going to have to tell me where this is because next week, you're going to meet Bob from Jiffy Lube. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: He's going to be your co-host on the show next week. 

Dave Bittner: Yeah, all kinds of different uniforms you could buy. Yeah. 

Joe Carrigan: Amazing. 

Dave Bittner: Yep. Yeah. 

Joe Carrigan: That's awesome. And the final story comes from Aaron Organ from WANE in Fort Wayne. Get it? W-A-N-E? Wayne? Fort Wayne? Wayne? WANE? 

Dave Bittner: OK, W-A-N-E. Clever. Yeah. 

Joe Carrigan: Right, yes. This is a story about a man who came to the victim's door and said he was an employee of an attorney who was representing the victim's niece. And then he said, I need cash payment for your niece's services. The victim's niece was impersonated over the phone. So the guy hands him a phone, goes, here's your niece, and the woman says, Uncle So-and-So, yes, this man is here to collect money from me. I don't have it. 

Dave Bittner: Oh. 

Joe Carrigan: And the guy gets away with 10 grand from this victim. 

Dave Bittner: Wow. 

Joe Carrigan: It doesn't say if the victim had the money on hand or had to go get it. I'm not sure how that worked out. But he realized it was a scam when he actually called his niece and said, OK, I paid him. And the niece was like, what? I don't know what you're talking about. 

Dave Bittner: Yeah. Oh, dear. 

Joe Carrigan: Yeah. So the police department said residents should always be aware of demands to pay in cash, which this guy did. Ask to verify the credentials of anyone who asks for payment for a service, and never render payment at your home. If you're unsure, get more information, and always, if possible, go to the place of business to make the payment. 

Dave Bittner: Mmm hmm. 

Joe Carrigan: These stories about people coming to your home to collect money owed - you know, that's not really owed - are concerning to me. And, you know, here's the issue. This guy is - this victim in particular and the victims from DTE when people show - from the DTE impersonators, when the people show up at your house, and they're looking for money, cash money - these people are criminals, right? And you don't really know how far they're willing to go. 

Dave Bittner: Right. 

Joe Carrigan: Right? I really think the best thing to do, if you can do this, is to have someone else call the police if that's available to you. If not, you can always just dial 911 and then press send, and then just carry on the conversation and let the 911 operator listen in, and they'll send a police officer over when they know what's going on. Maybe that'll work, you know. Or you can just blatantly say, you know what? I'm just going to have a uniformed police officer come up here and make sure that everything's on the level. You don't mind if I do that, do you? 

Dave Bittner: Right. 

Joe Carrigan: My concern with this is that that escalates the situation to an immediate gunpoint robbery. 

Dave Bittner: Right. 

Joe Carrigan: You know, it's a risk. That's why I say try to do it surreptitiously... 

Dave Bittner: Yeah. 

Joe Carrigan: ...So that the police show up unexpected to this guy. 

Dave Bittner: Well, yeah, and I mean, it's - that's one thing that struck me was - you were describing these stories - is how bold it is for someone to be there in person, which I suppose is part of why these scams work because, you know, if someone comes, I would assume, wow, this is bold. That would be awfully bold for a scammer to do something like this, so maybe it is legit. 

Joe Carrigan: Yeah. The other thing is that the guy who took the $10,000 from the older man was wearing a mask because of the pandemic, right? 

Dave Bittner: Oh. 

Joe Carrigan: So you can't really see what his face looks like. 

Dave Bittner: Mmm hmm. 

Joe Carrigan: You know, he's doing the old Jesse James thing where he used to tie a bandana around his face. You couldn't tell who he is, right? But it's now part of the pandemic. 

Dave Bittner: Yeah. 

Joe Carrigan: And everybody - it's already socially acceptable to be wearing this mask. 

Dave Bittner: Sure. Yeah, it's interesting because I was thinking, you know, would it help if you had something like a Ring doorbell where anyone who comes to your door is being documented? 

Joe Carrigan: Yeah. That would be... 

Dave Bittner: ...There's photographic evidence - a good use case for that, I suppose. 

Joe Carrigan: That would be excellent. Also, you could use that Ring doorbell to screen the calls. And in some cases - and there are privacy concerns about this, of course - but those Ring doorbell feeds are readily available to law enforcement. 

Dave Bittner: Yep. 

Joe Carrigan: So you know, it's - you know, I could absolutely see where that's a good thing. But I still do have my privacy concerns about it. 

Dave Bittner: Yeah. Yeah. All right. Well, interesting stories. Absolutely. My story this week comes from the VICE website - this is VICE by Motherboard - written by Joseph Cox. And the title of the article is "Criminals Abuse Apple Pay in Spending Sprees." Joe, have you used any of these automated payment systems, Apple Pay or Google Pay or any of these? 

Joe Carrigan: Dave, I'm ashamed to admit it. Yes, I have. 

Dave Bittner: (Laughter) Why are you ashamed to admit it? 

Joe Carrigan: Because I'm not sure how much I trust it. But, I mean, it's - it works great. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, it's a good-working service. 

Dave Bittner: Yeah, I use Apple Pay all the time. And I love it because it's fast. It's easy. It's secure... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Right? Because it's all tokenized. 

Joe Carrigan: Your key point is that it is fast. It's faster than using the credit card. 

Dave Bittner: Yes, absolutely. Absolutely. So very convenient. 

Joe Carrigan: Right. 

Dave Bittner: This article is about how some crooks are abusing Apple Pay and other - you know, Google Pay, all the - basically the contactless payment systems to go on spending sprees using stolen credit and debit card numbers. 

Joe Carrigan: Ah. 

Dave Bittner: So what they do is they get themselves a mobile device... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? They get themselves a stolen credit card number. They get that card authorized on the device. Now, that's the tricky part. 

Joe Carrigan: Right. 

Dave Bittner: And that's the part that involves perhaps some social engineering. This article talks about how there are apps available, basically bot apps that will help automate harvesting people's multifactor authentication numbers. 

Joe Carrigan: OK. 

Dave Bittner: So in other words, let's say that I have stolen your bank account number, your credit card number. 

Joe Carrigan: OK. 

Dave Bittner: Right. And the information I've stolen or bought on the dark web says, this is Joe's information. Here's his credit card number. Here's his phone number, or here's his address, right? I bought a full set of information about you... 

Joe Carrigan: Right. 

Dave Bittner: ...Including an active credit card. 

Joe Carrigan: Fullz, as the kids say. 

Dave Bittner: Fullz with a Z. Yeah. 

Joe Carrigan: Right. 

Dave Bittner: So I put - I go to put that in my mobile device. Let's just say, for argument's sake, it's my iPhone. So I'm trying to activate Apple Pay. And in doing that, Apple Pay contacts your bank. And you receive a notice from your bank on your mobile device that says, hey, we're trying to authorize something here. And you would probably say, well, that's not me. 

Joe Carrigan: Right. 

Dave Bittner: And you'd ignore it. 

Joe Carrigan: Right. 

Dave Bittner: Or you'd call your bank or whatever. So what these bots do, kind of like a story you and I talked about recently - one way they'll come at it is they will just start pounding you with requests for multifactor authentication, and they'll wear you out... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Right? You're just like, what do I have to do to make this stop... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...Right? And so that's one way they'll get you to give it away. Another way is that they will actually call you, and they'll - this is part of what the app does - is it uses an automated voice system, you know, an artificial automated voice system. And it says, hello, this is your bank calling. We are doing a security check. We're going to send you a code in 5 seconds to make sure that it's actually you. When you get this code, please enter it in - you know, please tell us what it is or enter it in, you know, here, right? 

Joe Carrigan: Right. 

Dave Bittner: So - and so what they're doing is they're actually trying to get your multifactor authentication code... 

Joe Carrigan: Right. 

Dave Bittner: ...To activate the Apple Pay on their device. 

Joe Carrigan: Yeah. 

Dave Bittner: But they're trying to trick you by saying that this is just a routine security check. We're just making sure that everything's on the up and up and that you are you. 

Joe Carrigan: Right. But that's not how that works. 

Dave Bittner: Correct. 

Joe Carrigan: The only time they send you codes is when you try to use the card. 

Dave Bittner: That is right. 

Joe Carrigan: But you're - they're basing this on the ignorance of people using it. And by ignorance, I mean just not knowing, right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: They don't know what the system is. 

Dave Bittner: Right. 

Joe Carrigan: And they say, oh, OK, good. Hey, you're just doing a proactive security check. Well, let me help you out with that. 

Dave Bittner: Exactly. 

Joe Carrigan: Yeah. 

Dave Bittner: Exactly. So once they get this activated on the mobile device, then they take advantage of how fast and easy it is... 

Joe Carrigan: Yup. 

Dave Bittner: ...Because once it's active on the device, there's no further checking... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Right? You don't have to hand the card over. There's no signature. 

Joe Carrigan: Yeah. 

Dave Bittner: They're not checking your ID. 

Joe Carrigan: They never check the ID. I have request ID written on the back of all of my credit cards. Maybe 10% of the time, somebody says, it says request ID. Can I see your driver's license? 

Dave Bittner: Yeah. So then they basically - typically, what happens is then they go out on a spending spree, and they buy themselves a lot of... 

Joe Carrigan: Gift cards? 

Dave Bittner: Gift cards (laughter). 

Joe Carrigan: I got that one right again. That's good. 

Dave Bittner: (Laughter) That's right. Right. So in this story, they have some pictures of some of these baddies bragging on social media, where they bought $20,000 worth of gift cards using, you know, these one-time payment systems. So it's an interesting sort of layering of, you know, various methods to speed up their ability to take advantage of people. You know, the Googles and the Apples of the world - they say, well, this really isn't our problem. It's up to the credit card companies to verify that the payments are legit. We're just an enabling technology. 

Joe Carrigan: Yeah. You know, I don't accept that. 

Dave Bittner: Yeah? 

Joe Carrigan: I don't accept that. This is one of those things where it's a big tech company going, hey, we're just a platform - again. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: You know, I understand what you're saying. Yes, there is something going on at the credit card company that can be done. But you need to work with the credit card company to do this. You cannot simply wash your hands of this and walk away. 

Dave Bittner: Yeah. 

Joe Carrigan: There is something that Google and Apple have to do here to be more proactive. 

Dave Bittner: Yeah. Any notions of what that might be? 

Joe Carrigan: I'd have to think about what that would be. 

Dave Bittner: (Laughter) Right - because that's part of the... 

Joe Carrigan: I'll tell you. 

Dave Bittner: Part of why people love these services is how quick and easy they are. 

Joe Carrigan: I'll tell you one of the things they have to do is, depending on how new the account is, maybe they have to put extra steps in for when you do this. Like, for example, if you just create a new Google account or a new Apple ID and then you start putting credit cards on it, that is a marker for potential fraud, right? 

Dave Bittner: Right. 

Joe Carrigan: I mean, I had a Gmail address for years before I got an Android phone. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? They knew who I was. 

Dave Bittner: Right. 

Joe Carrigan: I had been on that system for a long time. Now, that doesn't stop them from acquiring other accounts. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, there's all kinds of heuristics they could do from behind this. I mean, these guys are... 

Dave Bittner: And they may be. 

Joe Carrigan: ...Huge. Yeah, they may be doing it. 

Dave Bittner: They may be doing it, yeah. 

Joe Carrigan: I don't know. I mean, I think it's correct to say that this is a problem primarily with the credit card provider and possibly with the customer. I mean, everybody's involved here, but I don't think that Apple and Google get to walk away from this going, yeah, this isn't our problem. Somebody else should handle it. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: They should be actively involved in fixing this. 

Dave Bittner: Yeah, I agree with that. All right. We will have a link to that story in the show notes, again, written by Joseph Cox over on the VICE website. 

Dave Bittner: All right. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named John who sent this one in. It's a pretty good one, Dave. Why don't you just read this? 

Dave Bittner: All right, it goes like this. It says, attention, we wish to inform you that a power of attorney was forwarded to our office this morning by two gentlemen regarding your unclaimed fund of $8.5 million. One of them is an American citizen named Mr. Robert Porter, and the other is Mr. Wilhelm Berg, a Swedish citizen. The document claims these gentlemen to be your authorized representatives, and the power of attorney states that you are already deceased. What? 

(LAUGHTER) 

Joe Carrigan: That's what the power of attorney states, Dave. 

Dave Bittner: So they're sending a letter to a dead person. 

Joe Carrigan: Right. 

Dave Bittner: We'll go on. 

Joe Carrigan: Yes. 

Dave Bittner: It further states that your death was due to coronavirus pandemic, with your date of death being November 27, 2020. They net - they have now submitted a new account to replace the receiving account that was in the original claim of funds. These funds have remained unclaimed for quite some time, and the need for resolution is pressing. Below is the new account they have submitted. In the event that you are in fact still alive, we ask that you confirm your existence by responding to this email. You are to view this as a matter requiring immediate attention and response. We have 48-hour monitoring of all activities within the Federal Reserve Bank. We have... 

(LAUGHTER) 

Joe Carrigan: Forty-eight-hour monitoring. 

Dave Bittner: I mean, 24-hour monitoring is good, but 48-hour monitoring - that is top notch. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: We have contacted the bank in Sweden, asking them to wait for further directives from the Federal Reserve Bank prior to authorizing any withdrawals in any form. Our request is based entirely on our attempt to verify that you are, in fact, deceased before money is wrongly disbursed. Finally, we forewarn you that if we do not hear back from you shortly, we will have to assume that you are, in fact, deceased, and the Federal Reserve Bank will proceed with releasing funds to the above newly submitted account. Sincerely, Jones Williams. 

Joe Carrigan: (Laughter) Jones Williams. The guy - I've known people that had two first names... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? But two last names - Jones Williams? 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: I mean, Johns Hopkins had two last names, right? 

Dave Bittner: Yeah, yeah. There you go. Yeah, sure. It happens. 

Joe Carrigan: It does. I love that they have stated the account is opened in Sweden - you know, those Swedish bank accounts, Dave (laughter). 

Dave Bittner: Oh, that - right. Of course, that's where you keep all your secret money. 

Joe Carrigan: Well, that's in Switzerland, but (laughter)... 

Dave Bittner: Oh, sorry. You're right. 

Joe Carrigan: (Laughter) This is a Swedish bank account. 

Dave Bittner: Swedish bank account, Swiss bank account - see, there you go. 

Joe Carrigan: Right. These guys have made a mistake. 

Dave Bittner: Ignorant Americans, yeah. 

Joe Carrigan: That's right. 

Dave Bittner: All right. 

Joe Carrigan: Well, I think this is - I think they probably meant to put Switzerland in, right? 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: But they probably (laughter) made the same mistake you did... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And put Sweden in (laughter). 

Dave Bittner: Oh, goodness gracious. I love the 48-hour monitoring of all activities. 

Joe Carrigan: Yeah, that's great. 

Dave Bittner: That's pretty good. 

Joe Carrigan: John's comment was - if you aren't dead, please email us back. That was (laughter)... 

Dave Bittner: Yeah. 

Joe Carrigan: ...His favorite thing. 

Dave Bittner: Right. That reminds me of in school when the teacher would say, everyone who's not here, raise your hand. 

Joe Carrigan: Right, exactly. 

Dave Bittner: Yeah (laughter). All right. Pretty obvious scam here. 

Joe Carrigan: Yeah. 

Dave Bittner: I suppose if you follow up on this, they're going to ask you for some money in order to release your money. 

Joe Carrigan: Yeah, it's just an advance fee scam... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Where - you know, oh, yeah, you got this $8.5 million in your - in this bank account, but we need some money to release it to pay taxes. If you give them any money, all that happens is they keep asking for more money. 

Dave Bittner: Right. 

Joe Carrigan: They keep asking you for more money until you stop sending the money. 

Dave Bittner: That's right. Right. So nip it in the bud. 

Joe Carrigan: Right. 

Dave Bittner: Don't send any money. 

Joe Carrigan: Yeah, just send us the email. 

Dave Bittner: (Laughter) It'd be great to send them back a letter that says good - or, bad news, I am, in fact, dead. 

Joe Carrigan: (Laughter) Right. Please release the money... 

Dave Bittner: I am writing to you from the great beyond. 

(LAUGHTER) 

Joe Carrigan: I wonder what happens if you do that. That would be a good - that would be a fun experiment. 

Dave Bittner: I - yeah, I suspect nothing would happen. They probably... 

Joe Carrigan: Yeah. 

Dave Bittner: Because you're - no, yeah. 

Joe Carrigan: They'd probably know right away that you're messing with them. 

Dave Bittner: Yeah, probably. All right. Well, again, our thanks to John for sending that in. 

Dave Bittner: We would love to hear from you. You can send us something to be considered for our show. It's hackinghumans@thecyberwire.com. 

(SOUNDBITE OF MUSIC) 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with John Wilson. He is a senior fellow threat researcher at Agari, and we are discussing business email compromise attacks. Here's my conversation with John Wilson. 

John Wilson: During the pandemic, we saw actually even more attempts at business email compromise. So - and in terms of protecting against business email compromise, it's shocking how many standard anti-spam filters still routinely allow business email compromise messages to come through. Now, I understand why because most of these systems are built around really sort of two things - No. 1, scanning the content to see if there's something spammy, if you will, in the content, as well as looking at, well, have you established a conversation with this person before? So the challenge is this - the BEC scammers' initial message is usually very innoculous - or innocuous. It may say something, for example, like, are you available? I need a favor. And looking purely at the content, you can't block every message that says, are you available? I need a favor. Because, obviously, there could be plenty of messages where that would be, you know, a completely legitimate business, you know, conversation starter. 

John Wilson: Unfortunately, what happens is if the victim makes the mistake of answering and saying, yes, sure, what do you need, at this point, the anti-spam filter's saying, well, this is a continuation of a conversation that's already started, so I'm going to lower the bar, right? I'm not going to block something just because now I see something that looks a little bit spammy. And so the traditional email defenses are actually not that great at stopping these types of attacks. Now, there is a new class of email security solutions that are designed to detect identity deception, and that's one of the hallmarks of business email compromise. So they're pretending to be someone that the intended victim would trust. It could be an executive at their own company. It could be the accounts receivable contact, you know - or sorry, the accounts payable contact - no, receivable. I had it right the first time. People will contact one of the, you know, one of your vendors. So, you know, companies owe money to somebody else. You know, usually you've got that person you're working with on the other side as you negotiate payment terms and when you're going to make your payment and how the payment's going to be made. Well, if the scammer gets a hold of that information, they can craft a very convincing email supposedly from that contact and, you know, carry on the conversation at that point. And once again, the content itself isn't going to trigger an anti-spam filter. 

Dave Bittner: To what extent are we seeing attempts at sort of, as you say, imitating a known contact? And to what degree are they actually infiltrating that known context email itself to be able to - you know, the old the call is coming from inside the house dilemma? 

John Wilson: That's an excellent question, Dave. And so we see it as being about 95% of the time, they are simply imitating. They're using one of four techniques to do this. One is what's known as the email domain spoof. So this is where I just simply say that - you know, I use the email address in the From header of the person I want to impersonate, but I put a different Reply-To that's typically going to go back to, you know, some webmail account. When the person looks at the address, everything checks out, right? It says the right address on the line, but when they hit reply, it's going back to a different address. The second technique - and we see this one maybe about 10% to 15% of the time in business email compromise - it's what's known as a lookalike domain. So, you know, if I wanted to pretend to be microsoft.com, I might go register microsorft.com, you know, switch up a letter or two. Or I might change - the C I might just change to an O so it's mocrosoft.com. Most people aren't going to notice that slight adjustment or that slight, you know, wrong entry. 

John Wilson: The third technique is what we refer to as the display name imposter. So every email address has two pieces - it's got the technical part, the actual address, something like, you know, john@gmail.com, but there's that other part that might be something like John Wilson. And so all they have to do is create some free webmail account, and when it asks their name, they don't put, you know, their actual name. They put the name of the person they want to impersonate. That makes up the vast majority of attacks; I would say probably on a given day, 60% to 70%. So to get back to your original question, is that fourth type - the compromised account - that makes up about, you know, 5%, I would say, of the attacks. Now, there are two ways to utilize a compromised account. One is I literally send the email out of your account and I put some rules in place to make sure that that reply is going to quickly get moved to some hidden folder so that the real mailbox owner, if they happen to be in there, isn't going to even be aware that their mailbox is - you know, that they're kind of on a party line sharing it with the scammer. That is not particularly common, however, because one of the challenges there is, the scammer could lose access to that mailbox partway through the interaction, right? All it takes is that the person logs in at just the right moment and catches that message in the inbox for a second before it's moved to some hidden folder, and they may realize that something is amiss. 

John Wilson: So more often than not, what the criminal does instead is they compromise the mailbox, then they essentially put a tap on the line. And so what they do is they create a rule that says any time you see a message coming in or out of this mailbox with the word payment, invoice, you know, bill, due, et cetera, you know, a whole list of financially related keywords, move that message to, you know, the trash and forward a copy of it to this random, you know, yahoo.com account, for example, some random webmail account. Now what happens is the scammer is in the conversation. They're getting a copy of everything. And if they reply, you know, they reply all and then just remove the original person off of it, all the history is there, and so it's going to look like they're, you know, part of the conversation when in fact they're really not. They're actually - you know, they've just been listening. And at this point, they kind of jump into the conversation and shut the real mailbox out of there. And this is particularly common in real estate scams, as well as invoice diversion scams. 

Dave Bittner: So it's interesting to me that, you know, the folks who are doing this - the bad folks who are doing this - they don't necessarily have to increase the sophistication of what they're doing because what they're doing works. 

John Wilson: Well, exactly. You know, as - the old adage, if it ain't broke, don't fix it. One of the nice things for the bad guys, you know, to make their life easier is that BEC is a very low-tech crime. All you really need is a free webmail account to get started. Now, all of the other information you may need is freely available. Go run a search on LinkedIn, and you can probably figure out, you know, who's the CEO, who's the CFO, who's in charge of payments, or just go to the corporate website. Most companies have a page - about our leadership. You can go to their partner page and realize that, oh, these guys have a partnership with, you know, these five other companies. Maybe I'll pretend to be one of those companies when I send the email. 

John Wilson: And then there's third-party marketing - what I call, like, marketing database or marketing aggregation services. Now, these services are intended to be used by marketing professionals. So you want to sell your product, say, to, you know, finance managers at medium-sized companies in the oil and gas industry in Texas. They'll let you target those specific folks, and you can do that data extract and do a mailing. Well, the BEC criminals will go and they'll set up a trial account on these very same services. And the trial account will usually let them get, you know, so many free records in a given time period. And for the criminal - he does, he uses the free trial, and when that free trial runs out of - you know, runs out of free credits, spin up a new email address, sign up again and continue where they left off. And this allows them to get very targeted lists of folks so they can craft a lure that's, you know, designed for a specific industry, a specific company size, a specific persona within an organization. 

Dave Bittner: So what is to be done, then? I mean, it seems to me like so much of this relies on the human side of things. Is this a training thing with our employees? Or what's the blend of technical solutions but also vigilance on the side of the users? 

John Wilson: Absolutely. So it's really all about defense in depth. And by that, I mean, you know, there's no one silver bullet that's going to stop this problem. So I would say at a minimum, you definitely need your anti-spam filter, right? Even though it doesn't block a lot of the BEC attacks, it does catch a small number of them. And more importantly, it's doing a lot of other very important things - for example, stopping a lot of those messages that would phish someone out of their email credentials in the first place. Second thing you need is one of these advanced sort of impersonation detection-based solutions. Now, Agari by HelpSystems does offer one that's called Agari Phishing Defense. There are other ones out there in the marketplace. So, again, I don't mean for this to be a, you know, commercial advertisement. But I feel that those are an essential part of the stack. 

John Wilson: The third thing that you need that's really - I consider it a technology solution because it's sold as such, although it's really kind of what you had referred to before - it's training. Once again, our partner company, PhishLabs by HelpSystems, does offer phishing simulation training. There are other companies out there as well that do that. And so to me, that is another essential thing. And the folks, you know - anyone in your company can become a victim. But if, you know, your IT budget is very tight, you may want to focus on certain groups of users - folks in your finance team, folks in HR, folks that manage, you know, access to systems and executives. Those are the folks I think that need, you know - if you couldn't afford to get every single line worker and every single person who's got an email address at your company, if you can't afford to get them the training, you really want to prioritize and focus on the groups that I just mentioned before. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: BEC is not going away because it is remarkably profitable. 

Dave Bittner: Yeah. 

Joe Carrigan: Just a couple of weeks ago, you asked me, what is the most profitable form? And for some reason, I couldn't remember which it was, but it's business email compromise. That's where people make the most money. 

Dave Bittner: Yeah. 

Joe Carrigan: The short message - are you available? I need a favor. That's the one that got me that one time, Dave. 

Dave Bittner: Oh. 

Joe Carrigan: That got me to respond instantaneously. And it was embarrassing when I went downstairs to meet with my boss, Dr. Dahbura, and one of the managers walks out of the office and looks me dead in the eye and goes, I think that was a scam email. And I'm like, gah, he got me. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: But, you know, when I say - when I tell other people - or when I applaud people that we talk about in the show for coming forward, it's on me to also come forward with this kind of stuff, too. 

Dave Bittner: Yeah. 

Joe Carrigan: This happens. It happens to everybody. 

Dave Bittner: Right. 

Joe Carrigan: But those short messages go right through spam filters because there's so little in them, right? It's really just a simple message that makes perfect sense. And when you reply to that message, now you've changed the heuristics within the spam filter that says, OK, well, this guy has responded, so let's lower the bar, as John puts it. 

Dave Bittner: Right. 

Joe Carrigan: And that's exactly what these messages are intended to do. That's exactly what they're trying to do with these phishing systems. They're getting - or these spam systems. They're getting through the spam systems and getting you to interact with them. 

Dave Bittner: Right. Right - establish it as being legitimate communication. 

Joe Carrigan: Right. I like to differentiate between business email compromise and impersonation, right? And I know the attacks were essentially the same, right? But when you have a business email compromise attack, I think that actually involves the compromise of an email account, either in your organization or in one of your organizations you do business with or that you partner with - not just setting up some Gmail clone. And maybe I'm being pedantic here, but I think there's a difference in that a compromised account is a lot more difficult to detect than some fake account that was set up to impersonate somebody else. If I can compromise the CFO's email account, I'm going to have a much higher probability of success - much higher because I'm sending an email from a valid email address. And I'm - it's interesting to see that that's only 5% of these attacks, that 95% of the attacks fall outside of that, don't use that method. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? But I would really like to see what the effectiveness rate is of that 5%. I'll bet that it's higher than anything else by orders of magnitude. A lot of this damage is done with open source intelligence gathering that's - from information that's out there. 

Dave Bittner: Right. 

Joe Carrigan: I can find out who the CFO of any publicly traded company is. They have to file that with the SEC. 

Dave Bittner: Right. 

Joe Carrigan: Right? If you ever go to Yahoo Finance and just click on profile, there's a list of all your executives right there. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: And that information is readily available. I only say Yahoo Finance because that's where I know the information is. But it's out there for everything. If I go to your website - your company's website - there will be pictures of people and all this information about them. It might even contain a bio - right? 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is all important information, but just be mindful - this information can be used to impersonate somebody that knows stuff about you. So you should always be aware of what's being said about you out there on the web, regardless of who you are, because LinkedIn is one of my favorite sources for open source intelligence-gathering. 

Dave Bittner: Sure. 

Joe Carrigan: Right? It's got everything you need. The - your - you know, the vast majority of your employment history is on there. 

Dave Bittner: Right. 

Joe Carrigan: You know, I don't have my working at Chuck E. Cheese when I was 14 years old, but, you know, everything I've had that's been a tech job is on there. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: This is an interesting vector that John talks about - the marketing companies. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? There are these data brokers out there that have vast amounts of information about us. And lo and behold, they offer a free trial service to anybody that can provide an email. So guess what? These guys sign up for that free service, and for nothing, they get access to a few records that are potentially very profitable for them. I like what John says about defense in depth. That's very important. Spam filter is going to stop these things from coming in when they're doing credential harvesting, which is a big part of business email compromise. If I can get into your email account, if I can get into your Microsoft 365 account, oh, the damage I can do... 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: ...Right? - bad news. Impersonation detection - that's good stuff. Training is key, particularly about your processes. I think that I would also add multifactor authentication. 

Dave Bittner: Right. 

Joe Carrigan: That's going to be really helpful in stopping account takeover. 

Dave Bittner: Yep. 

Joe Carrigan: And threat modeling - understand who's going to be coming in and who's going to be targeted. I like what John says about where you spend your money. Put your - you know, spend your money on training on the most important people, the people that handle the most money. That - I think that's great. If you can't afford to train everybody, think about who you're going to train. Think about that hard. 

Dave Bittner: Yeah. 

Joe Carrigan: I really like what John is talking about towards the end of this interview, where he talks about engaging these scammers, where he leads them on and he says - he gets the information from them... 

Dave Bittner: Right. 

Joe Carrigan: ...You know, like the bank account information they need to wire to. This changes the economic calculus of this process. Setting up a bank account here is one of the more costly parts of this cybercrime. And when I say costly, it's costly in terms of time. You have to individually set up each one of these bank accounts and then hope that they don't get flagged for fraud. 

Dave Bittner: Right. 

Joe Carrigan: You remember, I was talking a couple of weeks ago about the - or a couple of months ago about the - somebody opened an account in my name at a TD Bank. 

Dave Bittner: Oh, yeah. Yeah. 

Joe Carrigan: And that got flagged immediately for fraud. 

Dave Bittner: Right. 

Joe Carrigan: And they shut it down within minutes of it being open. So you've got to actually do that. You're actually going to have to put money into an account, right? So you have to have money to open an account. So there's actual real economic cost here. Shutting these down before they can be used probably wrecks these people's world. 

Dave Bittner: (Laughter). 

Joe Carrigan: And I say, good. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: That's excellent. 

Dave Bittner: Right. 

Joe Carrigan: That's good work, John. 

Dave Bittner: Right. 

Joe Carrigan: I really appreciate that. 

Dave Bittner: Yeah. 

Joe Carrigan: Additionally, they can also go on to collect information like IP address and maybe even get some identities out of it. 

Dave Bittner: Yeah. 

Joe Carrigan: If they can get identities out of it, then they get law enforcement involved. And that's when they start really cleaning up this - cleaning up these people, getting them out of the system. 

Dave Bittner: Yeah. 

Joe Carrigan: Not that there isn't another million people behind them waiting to take their space - there is. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a never-ending battle. 

Dave Bittner: Well, we appreciate John Wilson coming on the show and sharing his expertise with us. Again, he is from Agari by HelpSystems. We appreciate him taking the time. 

(SOUNDBITE OF MUSIC) 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.