Hacking Humans 5.12.22
Ep 195 | 5.12.22

Business phishing: Who's biting the bait?

Transcript

Matthew Conner: If you're just delivering training that tells people, look out for sender, don't click this - and you might be meeting regulatory requirements, but you won't be solving the problem.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Matthew Connor. He's founder of an organization called Conscientious Security. We're going to be talking about a phishing study he conducted when he was working with F-Secure. 

Dave Bittner: All right, Joe. Good to be back, first of all. We took a week off last week... 

Joe Carrigan: Yes. 

Dave Bittner: ...Tending to some family business, but glad to be back in the saddle here. Also wanted to share with our listeners that we are kicking off our fifth season of "Hacking Humans" this week, so... 

Joe Carrigan: Isn't that great? 

Dave Bittner: It is great. 

Joe Carrigan: Congratulations, Dave. 

Dave Bittner: Well, thank you. Congratulations to you - couldn't do it without you. 

Joe Carrigan: Of course not. 

Dave Bittner: I think together we've really done something here. 

(CROSSTALK) 

Dave Bittner: Four years behind us. And... 

Joe Carrigan: Yeah. 

Dave Bittner: And more to come. 

Joe Carrigan: Almost 200 episodes. 

Dave Bittner: So thanks to all of you for listening and, of course, thanks to our sponsors for making it possible. We do appreciate it. 

Joe Carrigan: We're grateful to both parties. 

Dave Bittner: We are indeed. All right. Well, let's dig into some stories here this week. I'm going to start things off. And I saw a press release come by. Actually, the first one I saw came from Microsoft, and that led me to the folks over at the FIDO Alliance. 

Joe Carrigan: FIDO. 

Dave Bittner: Do you know what FIDO stands for? 

Joe Carrigan: I do now, Dave. 

(LAUGHTER) 

Joe Carrigan: You've asked me this twice before. 

Dave Bittner: OK. 

Joe Carrigan: It's fast identity online. 

Dave Bittner: That's right. Congratulations. You go to the next round. 

Joe Carrigan: That's right. 

Dave Bittner: So the FIDO Alliance - it's an organization that is really all about authentication. 

Joe Carrigan: And an open standard for that authentication. 

Dave Bittner: Yes. 

Joe Carrigan: Right. 

Dave Bittner: Yes. And that's what we're going to get to here. So they had a press release that came out on May 5. And it says Apple, Google and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign-ins. So this is, I think, good news and... 

Joe Carrigan: I would agree. 

Dave Bittner: ...Particular interest to our audience because, certainly, passwords are something that we talk about a lot - password managers. And I think FIDO is really trying to push us toward a world where passwords are not the No. 1 option... 

Joe Carrigan: Right. 

Dave Bittner: ...For logging into things. 

Joe Carrigan: Yep. 

Dave Bittner: And I'm on board (laughter). 

Joe Carrigan: Me, too. You know, Dave, I think we were on the CyberWire maybe five or six years ago. This is before we started "Hacking Humans." 

Dave Bittner: OK. 

Joe Carrigan: And it was one of the first episodes you and I did together. 

Dave Bittner: Yeah. 

Joe Carrigan: And there was a topic of moving beyond passwords. And I said, I don't know what that looks like. Now, thanks to the FIDO Alliance, we have a very good idea of what that looks like. 

Dave Bittner: Yeah. Yeah. So a couple of things I wanted to note here. First of all, when you have all three of these names on board - right? - you've got Apple, Google and Microsoft. 

Joe Carrigan: Right. 

Dave Bittner: And it's funny. Like, some of the side commentary I've seen, it's like, Google's on board. Microsoft's on board. Can you guys believe we got Apple on board? 

(LAUGHTER) 

Dave Bittner: Like - 'cause Apple, I guess, likes to do things their own way... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Most of the time, so... 

Joe Carrigan: Yeah. Apple's not really into standards. 

Dave Bittner: Right. 

Joe Carrigan: But I think in this - I mean, they are into standards. They're into their own standards. 

Dave Bittner: Yeah. 

Joe Carrigan: And they do a good job with their own standards. 

Dave Bittner: They're into standards in their own interest, I guess... 

Joe Carrigan: Right. Exactly. 

Dave Bittner: ...Might be a way to say it. They like to have - play in their own sandbox. 

Joe Carrigan: Yep. 

Dave Bittner: So the fact that we have these three big hitters on board with this program and they're all - they've all committed to expanding it this year, I think that's noteworthy because we've seen a lot of standards - you know, for example, some of the pay standards, like Apple Pay and Google Pay and... 

Joe Carrigan: Right. 

Dave Bittner: You know, for - you still can't walk into every establishment and use those to pay for things. 

Joe Carrigan: Right. 

Dave Bittner: And some places - like, I think Walmart has their own version of that. 

Joe Carrigan: Yeah. Yeah. That's - 'cause I asked - I was actually at a Walmart a little while ago... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And asked if they had Google Pay, and the cashier said, no, you have to use the Walmart version. And I'm like, I'm not doing that. 

Dave Bittner: (Laughter). 

Joe Carrigan: I'm not getting a proprietary solution... 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, granted, Google pay is nothing but a proprietary solution, as is Apple Pay. 

Dave Bittner: Yeah. 

Joe Carrigan: ...But, you know, it's something - I'm not using a solution to shop at one store. 

Dave Bittner: Right. 

Joe Carrigan: Not going to happen. 

Dave Bittner: Yeah. 

Joe Carrigan: I'll go through the hassle of putting my credit card in the machine. 

Dave Bittner: Yeah. So what FIDO is doing here - what they've managed to do with these providers - and many others are on board as well - is shifting from a password to what some folks refer to as a passkey... 

Joe Carrigan: Yes. 

Dave Bittner: ...You know? And how would you describe a passkey, Joe? 

Joe Carrigan: Well, I mean, it's a public/private key thing here. Now, last time we talked about the FIDO Alliance, we had a listener write in and say, you guys never mention SQRL, which is another passwordless authentication. But while they're similar, SQRL works with zero-knowledge proofs... 

Dave Bittner: OK. 

Joe Carrigan: ...And FIDO works with a different technology that lets you create, essentially, as many keys as you want with a FIDO-compliant device. But, essentially, what you're doing is you're building your own private key when you access a website, and the name of that domain is part of the algorithm that generates that private key. I see. There's also a secret on the device that nobody else knows that helps you generate the private key. 

Dave Bittner: Right. 

Joe Carrigan: But once you register your FIDO device, what they have - what the company you're logging in with has is a public key of your data. 

Dave Bittner: Yeah. 

Joe Carrigan: And with - as with SQRL, that's the same thing they have. So if somebody were to break into, let's say, Google - hack into Google... 

Dave Bittner: Right. 

Joe Carrigan: ...And steal your credentials, and all they got was a bunch of public keys, it would essentially be useless. 

Dave Bittner: I see. I see. So what they're saying they're going to be rolling out over the next - or over the course of this year are a couple of primary things here. One, they're going to allow users to automatically access their FIDO sign-in credentials, which is their passkey... 

Joe Carrigan: Right. 

Dave Bittner: ...On their devices - even new ones - without having to re-enroll every account. I love this (laughter). 

Joe Carrigan: Say that part again - they're going to do what? 

Dave Bittner: They're going to be able to access their sign-in credentials on many devices - even new ones - without having to re-enroll every account. So in other words, you get a new device... 

Joe Carrigan: Right. 

Dave Bittner: ...You don't have to go through - it'll flow through, right? You - by signing on with your FIDO credentials, it'll establish the new device, and you're good to go... 

Joe Carrigan: OK. 

Dave Bittner: ...with all of your single sign-on stuff. 

Joe Carrigan: So the new phone, not the new FIDO device, right? 

Dave Bittner: Correct. No, no. 

Joe Carrigan: Like, if I got a new YubiKey - and there are other devices out there that use the same thing. 

Dave Bittner: Yeah. 

Joe Carrigan: If I got a new YubiKey, I'd still have to enroll that twice. 

Dave Bittner: Yeah. 

Joe Carrigan: Right. 

Dave Bittner: Yeah, yeah, but your phone. 

Joe Carrigan: My phone, right. 

Dave Bittner: And I think most people are probably looking forward to using this - using their mobile device as their passkey. 

Joe Carrigan: Right. 

Dave Bittner: The possession of that device to be the thing that allows them to get into things. 

Joe Carrigan: OK. 

Dave Bittner: You know, because I think we see the utility of things like Face ID and Touch ID - and the Google equivalents of those - just how convenient they are. It's a nice blend of convenience and security... 

Joe Carrigan: Yes. 

Dave Bittner: ...Right? 

Joe Carrigan: I will agree with that. 

Dave Bittner: It's the - it does hit that sweet spot. The second thing they're saying here is it's going to enable users to use FIDO authentication on their mobile device to sign into an app or website on a nearby device regardless of the OS platform or browser that they're running. So I've already seen this in play within the Apple ecosystem, where you can - like, if you have your mobile device - your iPhone, or even, like, your Apple Watch - that can serve as a verification system for logging into a desktop Mac or something like that. 

Joe Carrigan: OK. 

Dave Bittner: So this will handle that automatically and seamlessly. 

Joe Carrigan: That's cool. 

Dave Bittner: Yeah, it is cool. But I think adding that so that it's cross-platform, cross-device, seamless, you know... 

Joe Carrigan: Right. 

Dave Bittner: ...One system - one standard to rule them all, right (laughter)? 

Joe Carrigan: Yes. Yeah. 

Dave Bittner: I think that's - to me, that's really going to go a long way towards trying to push us towards jettisoning passwords, wouldn't you think? 

Joe Carrigan: I would certainly hope so. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a much more secure form of authentication. You know, when I set up an SSH server on my network... 

Dave Bittner: Yeah. 

Joe Carrigan: ...At - well, actually, I just put it on the network, and our network engineer, Chris Venghaus, says - makes - you know, he gives me an IP address. He does all the setup. I just do the operating system install. 

Dave Bittner: Right. 

Joe Carrigan: One of the things that's our policy is that if it's going to be remotely publicly accessible, or even on a network where publicly accessible stuff happens, you can't use password login. You have to use public/private key authentication... 

Dave Bittner: Oh, I see. 

Joe Carrigan: ...Right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And that's what this is. And the reason we do that is because somebody has to get a hold of your private keys. They have to violate all the stuff to get into the private keys and get that. Now, that's going to be the next attack vector for social engineering, though. People are going to be trying to do that. But with a hardware key, like a YubiKey or a Google Titan or some other key built on this standard, I don't know how you do it because you never really - the user never really knows what the key is. It's just a secret on a device that has no user interface aside from a little button that you touch. 

Dave Bittner: Yeah. 

Joe Carrigan: And now YubiKey is coming out with one that's actually got a biometric on it. 

Dave Bittner: Yeah. 

Joe Carrigan: So now you can't have somebody else do it unless they've collected a finger from you or something. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: But, like I say, there's no such thing as a perfectly secure system (laughter). 

Dave Bittner: Yeah, and for - like, I'm most familiar with Apple's system on iPhones, you know? 

Joe Carrigan: Right. 

Dave Bittner: And they have the secure enclave in there, and that's its own little walled-off section of hardware... 

Joe Carrigan: Yep. 

Dave Bittner: ...That performs the scan checks that you are who you say you are. And then all it does is it passes over to the OS, yeah, we're good here. 

Joe Carrigan: Right. 

Dave Bittner: This is that person. 

Joe Carrigan: Yep. 

Dave Bittner: But the OS doesn't have access to the secret key. The OS doesn't have access to your fingerprint or your face scan or anything like that. So... 

Joe Carrigan: Yeah. It's called a trusted platform module. 

Dave Bittner: Keep them separate like that. 

Joe Carrigan: An enclave. 

Dave Bittner: Yeah. Yeah. So I think this is good news. I think this is a hopeful sign that we're heading in the right direction with this. I was particularly pleased to see the big names all signed up here because, you know, quite often, with these sorts of things, you get one or two, and then there's always a holdout. 

Joe Carrigan: Right. 

Dave Bittner: Right? (Laughter) Yeah. You know, you end up with Blu-ray and HD DVD, and you don't know which one to... 

Joe Carrigan: Yeah. But where's Facebook on this one? And Amazon? I would like to see them join in. 

Dave Bittner: That's a good question. That's a good question. I don't know. They're not listed here, so I don't know. 

Joe Carrigan: Come on, Zuck and Bezos, get on the bandwagon here. 

Dave Bittner: (Laughter) That's right. That's right. 

Joe Carrigan: I'm sure they listen to this show. 

Dave Bittner: Yeah, I'm sure. Yeah. 

Joe Carrigan: I just motivated them to participate. 

Dave Bittner: Sure. Yeah. Zuckerberg is just sitting by his mobile device every week... 

Joe Carrigan: I wonder what Joe and Dave are going to say this week. 

Dave Bittner: ...Waiting for "Hacking Humans" to drop. I'm sure that's exactly what happens. 

Joe Carrigan: Right. 

Dave Bittner: All right. We'll have a link to that press release in the show notes here. That's my story. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from Peter Butler over at CNET. And he has a story called "Zelle Scams: How They Work and How to Keep Your Money Safe." 

Dave Bittner: OK. 

Joe Carrigan: So it starts off with a great piece that answers a question that you and I have pondered on this show before - what is Zelle, and how does it work? Well, we know how it works. It's just a peer-to-peer payment thing, very much like Cash App or - what's the Square - Cash App is the Square. There's another one out there. PayPal is another one. 

Dave Bittner: Yeah. 

Joe Carrigan: Venmo. That's the one I can't remember. 

Dave Bittner: Yeah. Yeah. Yeah. 

Joe Carrigan: So - but Zelle is actually created by a consortium of major U.S. banks, including Bank of America, Chase, Capital One and Wells Fargo. 

Dave Bittner: Yes. 

Joe Carrigan: And it charges no fees and works with almost 1,500 banks and credit unions. So I like the no fee part because there is a pretty significant fee with all the other ones. 

Dave Bittner: OK. 

Joe Carrigan: So maybe I'm going to start up a Zelle. I don't know. 

Dave Bittner: OK. 

Joe Carrigan: Who knows? I do have Cash App, and I can buy bitcoin with it. 

Dave Bittner: All right. 

Joe Carrigan: Which is - I don't know if you can buy that with Zelle because I am not a Zelle user. But I digress, as I normally do. So there are a number of scams that have been perpetrated by these, and one is a text message that comes in and says, hey, you've made this large Zelle payment. And then you respond, no, no, that's wrong. Respond - you know, because it's - the text says, respond yes or no. And you go, no. And that immediately validates you to the scammer, and then they call you spoofing the bank's number, right? And then - or a bank's number. 

Dave Bittner: Yeah. 

Joe Carrigan: Hopefully your bank. It's a shot in the dark they're taking, right? And then they essentially try to walk you through getting your money back. But really, what they're doing is transferring the money out, right? Another one is the utility payment scam, and this one was recently discussed on a Mets game broadcast between... 

Dave Bittner: (Laughter) What? 

Joe Carrigan: ...Keith Hernandez and Gary Cohen. You remember Keith Hernandez? 

Dave Bittner: I remember - well, I have to admit, I'm not much of a sports ball guy, but... 

Joe Carrigan: Sports ball. 

Dave Bittner: But I do remember Keith Hernandez. He made an appearance on "Seinfeld" at one point. I think he was dating Elaine or something, but - so I know who he is. 

Joe Carrigan: OK. Well, he was a first baseman for the Mets... 

Dave Bittner: OK. 

Joe Carrigan: ...For a while. 

Dave Bittner: Yeah. 

Joe Carrigan: So now Keith Hernandez calls for the Mets - calls games. 

Dave Bittner: Yeah. Just like Jim Palmer... 

Joe Carrigan: Right. 

Dave Bittner: ...Calls for the Orioles, right? 

Joe Carrigan: Yeah. 

Dave Bittner: OK. 

Joe Carrigan: I was bemoaning this last night at the CyberWire event that we attended, that Jim Palmer - my favorite thing to listen to is Jim Palmer and Gary Thorne call an Orioles game. 

Dave Bittner: Oh, OK. 

Joe Carrigan: I used to love listening to that. Now, Gary Thorne actually also is with the Mets, as well. 

Dave Bittner: OK. 

Joe Carrigan: He's a backup broadcaster. But Keith Hernandez is talking with Gary Cohen about how he got scammed or - didn't get scammed. He didn't lose any money - but how he got hooked with a Zelle scam. 

Dave Bittner: Well, let's take a listen. Here's the - so this is a clip from - in the midst of calling a baseball game... 

Joe Carrigan: Right. 

Dave Bittner: ...They had this conversation. All right. Let's check it out. 

(SOUNDBITE OF ARCHIVED RECORDING) 

>>KEITH HERNANDEZ: I got an email with the FPL - which is Florida Power & Light - logo that said, you are - did not pay a down payment of X amount of dollars, and we are going to turn off - going to send a guy out today. If it's not paid within 30 minutes, we're going to shut your power down. Thirty minutes. 

>>GARY COHEN: Thirty minutes? 

>>KEITH HERNANDEZ: And I bit the hook. 

>>GARY COHEN: You fell for that? 

>>KEITH HERNANDEZ: And I call the guy. 

>>GARY COHEN: Segura gets in front of McNeil's ground ball. Go on. 

>>KEITH HERNANDEZ: I call the number, like an idiot. And I'm listening to this guy. And then finally, I snap. I said, I've been a - I go, I know you're a monopoly, OK? You've had - I've been here for 27-plus years. I pay on time, and you're going to send a guy out and shut my power down in 30 minutes. That is baloney. 

>>GARY COHEN: Can I ask you one question, Keith? The guy you got on the phone - was he a Nigerian prince? 

>>KEITH HERNANDEZ: No, he wasn't. He had a Spanish accent. And I just snapped on him. 

>>GARY COHEN: Well, let me ask you a question. In the course of all of this - reading the email, getting a little nervous, calling the number, snapping on the guy - at what point did you realize that this was not actually Florida Power & Light... 

>>KEITH HERNANDEZ: That... 

>>GARY COHEN: ...Threatening to turn off your electricity? 

>>KEITH HERNANDEZ: I've been a very dependable customer. I said, this is baloney. So I called my banking institution, and Lillian, my - is my representative down in Florida. And she just said, Keith, no, no, no, no. I had to pay through Zelle. And I never heard of Zelle. And it's really almost like Todd Zeile's spelling, Z-E-L-L-E. I go, what's Zeile - Zelle? I go, what the heck is that? You got to be kidding me. Then it kind of sunk in. 

>>GARY COHEN: You know, unfortunately, these kinds of scams often get perpetrated on senior citizens like yourself. 

>>KEITH HERNANDEZ: I know. I know. 

>>GARY COHEN: I just don't expect you to be the one to fall for it. 

Dave Bittner: All right. Well, good news... 

Joe Carrigan: That he didn't... 

Dave Bittner: ...He didn't get scammed (laughter). 

Joe Carrigan: Right, that he realized it was a scam, I guess. 

Dave Bittner: Right. But you know what? He got saved by the person at the bank, right? 

Joe Carrigan: Well, yeah, he called the person at the bank after he was on the - got off the phone with the other person. They said, don't worry about it. It was a scam. 

Dave Bittner: Right. 

Joe Carrigan: But at some point in time, he got suspicious. But what's interesting here is that Gary Cohen goes - you fell for that? - which is also - you know, I think that what Keith Hernandez fell for here is something that's easy to fall for. And Keith is talking about how they call him in the morning. He's had one cup of coffee. He's kind of groggy. And they hit him with, hey, your power is about to be cut off in 30 minutes. 

Dave Bittner: Right. 

Joe Carrigan: And that immediately just sends him into a panic, right? 

Dave Bittner: Yeah. He has to act now. 

Joe Carrigan: Right. 

Dave Bittner: Right, so he can brew that second cup of coffee. 

Joe Carrigan: But he starts thinking about it. And he gets angry and starts, you know, going - I guess he channels his inner Joe... 

(LAUGHTER) 

Joe Carrigan: ...And starts yelling at the guy, because this is exactly how I'd handle it, you know? No, I pay my bill every month. 

Dave Bittner: (Laughter). 

Joe Carrigan: But eventually, he realizes it's a scam. I think - but Gary Cohen's response is also kind of a natural response. It's not a helpful response, but a lot of us say this. I can't believe I fell for that or you fell for that. It's something we do. 

Dave Bittner: Yeah. Well, I mean, you know, look, we make the point many, many times, over and over again here, that you should not shame the victim... 

Joe Carrigan: Correct. 

Dave Bittner: ...Right? So I think, hopefully, Gary can come away with that lesson. It can happen to anybody. 

Joe Carrigan: Yes, because Gary listens to this show, too. 

Dave Bittner: Well, yes, he does (laughter). 

Joe Carrigan: Gary and Zuck, they probably have coffee together. 

Dave Bittner: In between innings... 

Joe Carrigan: Right. 

Dave Bittner: ...They listen to our show a couple minutes at a time. I'm sure that's what happens. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: But, yeah, I mean, have some sympathy here. And, look, it can happen to Keith Hernandez. I suspect his bank account probably has a little more in it than yours or mine. I don't know. 

Joe Carrigan: I'm sure it does. 

Dave Bittner: Former major leaguers versus current podcasters - probably has a higher-level financial adviser than you or me (laughter). 

Joe Carrigan: Yes. Well, I mean, Dave, we are rolling around in all this podcast money. 

Dave Bittner: That's right, wheelbarrows full of cash. 

Joe Carrigan: Right. 

Dave Bittner: That's right. 

Joe Carrigan: So Peter Butler says, how - has a section here - how can I protect myself from Zelle scams? No. 1, don't respond to unsolicited text messages and emails. 

Dave Bittner: Yeah. 

Joe Carrigan: OK? Watch for red flags such as urgent deadlines or Zelle requests from new recipients. Never give anyone your two-factor authentication code. These are the codes that are sent to you over your phone. 

Dave Bittner: Right. 

Joe Carrigan: This is why I classify this as one of the least secure forms of multi-factor authentication. And I do not say you should not use it if it's the only thing available to you. I'm just saying you should move along the spectrum to the more secure options. 

Dave Bittner: Yeah. 

Joe Carrigan: Let's see. The last one here is, use Zelle only to transfer money to family members and friends or businesses you know and trust. In Hernandez's case, he would've thought, this is a business I know and trust - right? - if that scam had gone through. Now, here's something interesting in this article. In June 2021, the Consumer Financial Protection Bureau clarified its position on banks' required compliance with the Electronics Fraud Transfer Act of 1978... 

Dave Bittner: OK. 

Joe Carrigan: ...Also known as Regulation E. And they said that if a third party fraudulently induces a consumer into sharing account access information, that consumer should receive the same protections as if the money were acquired from a stolen debit card or other banking access device, which is interesting. 

Dave Bittner: Yeah. 

Joe Carrigan: So this article correctly points out that normally, when you have a - you're the victim of Zelle fraud or some kind of peer-to-peer cash - or peer-to-peer money-sharing app, the banks usually tell you, tough luck. You authorized that transaction. 

Dave Bittner: Right. 

Joe Carrigan: And you have two ways of recourse. One, they say that once the media gets ahold of one of these stories, they almost immediately refund the money - right? - which is great. But now you can also go to the Consumer Financial Protection Bureau and file a complaint with them. 

Dave Bittner: OK. 

Joe Carrigan: So you can try to bring the heavy hand of regulation down upon them. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: I don't know how effective that would be. 

Dave Bittner: Well, it's worth a shot. 

Joe Carrigan: It is. But, yeah, it's better than doing nothing. 

Dave Bittner: Yeah, absolutely. All right, well, we will have a link to that article in the show notes. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Arias (ph) who writes, I've been listening to the show recently, and I've discovered - I discovered it in my podcast app. I'm listening from the oldest and working my way up to the latest - dedicated listener. Currently, I'm in the early 2020 shows, so I have about 1.5 years of show to catch up. So I mean... 

Dave Bittner: Condolences. 

Joe Carrigan: Yeah (laughter). 

Dave Bittner: Sorry (laughter). 

Joe Carrigan: I don't know if I could sit down and listen to a year and a half of this show, Dave. 

Dave Bittner: That's right. That's right. 

Joe Carrigan: So if this Catch of the Day makes it to the show, say hello to me. Hello, Arias. 

Dave Bittner: Right. So a year and a half from now... 

Joe Carrigan: I will listen to when I get to it. 

Dave Bittner: Yeah. OK. Good. 

Joe Carrigan: All right. So this is a text message exchange that I think Arias got. It's a wrong number scam... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? So it's being perpetrated against him by somebody who is claiming to be a female. 

Dave Bittner: OK. 

Joe Carrigan: So, Dave, you always do the best breathy female voice. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: So why don't you play the part of the scammer? And I will play the part of Areus. And I like Areus' first response. 

Dave Bittner: Starts off like this. (Imitating woman's voice) Hello there. 

Joe Carrigan: Hello. Identify yourself. 

Dave Bittner: (Imitating woman's voice) I'm Maya. Are you Jason with the wine with us last night? Nice to meet you. 

Joe Carrigan: I am not Jason. You might want to check your number. 

Dave Bittner: (Imitating woman's voice) I'm very sorry. Maybe I drank too much last night and saved the wrong number. I hope you don't mind. 

Joe Carrigan: Ha-ha, no worries. Sounds like you had fun. If you can't remember, it didn't happen. You need a do-over. 

Dave Bittner: (Imitating woman's voice) Thank you. You're a kind and friendly person. Have a nice day and a happy family. 

Joe Carrigan: Thank you. Good luck with finding Jason. 

Dave Bittner: (Imitating woman's voice) Thank you. Acquaintance is fate. I'm from Singapore and currently living in Los Angeles. How about you? 

Joe Carrigan: Strange. I am from Los Angeles and currently living in Singapore. Wow. That's crazy. We're the opposite. LOL. Small worlds, huh? By the way, you woke me up at 1:30 here in the morning. 

Dave Bittner: (Imitating woman's voice) I do not believe. 

Joe Carrigan: What part don't you believe? 

Dave Bittner: (Imitating woman's voice) You are not from Los Angeles. 

Joe Carrigan: Why not? Compton, to be precise. 

Dave Bittner: (Imitating woman's voice) OK. 

Joe Carrigan: So what's up? Got a picture of yourself? I mean, if you want to get to know each other, at least I can put a face to your name. 

Dave Bittner: (Imitating woman's voice) Of course. My name is Mia, and I'm 35 years old. How about you? 

Joe Carrigan: And this person sends a picture of a woman that is probably a model because she is very attractive. 

Dave Bittner: Yes. 

Joe Carrigan: Right? And she does not look like she's 35 years old. 

Dave Bittner: No - probably half that. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: And this person probably just went out on Google... 

Dave Bittner: Yep. 

Joe Carrigan: ...And found a picture of a very attractive woman that looked like she would come from Singapore. And that's what he sent. And Areus sends back this picture of a guy leaning against some equipment like a DJ. And he says, I am Blake, 38 years old, and I'm a radio DJ. 

Dave Bittner: (Imitating woman's voice) Nice to meet you, Blake. Your work is very cool. You are a gentleman. 

Joe Carrigan: (Laughter) Thank you. By the way, you're a gorgeous lady. 

Dave Bittner: (Imitating woman's voice) Thanks. Are you a radio DJ in Singapore? 

Joe Carrigan: No, in Los Angeles. I am on vacation right now. What do you do for a living? 

Dave Bittner: (Imitating woman's voice) Wow, that's great. A vacation can relax you and help you. I'm a jewelry designer with my own company when I'm all bespoke and doing real estate and crypto investments with my aunt. 

Joe Carrigan: You're an entrepreneur, too. I invest in crypto as well. I hate all this up-and-down stuff - worse than a roller coaster. I have a few mining rigs for crypto back in LA. My brother is running them right now. 

Dave Bittner: (Imitating woman's voice) Wow. That's so cool. You're a man with a great mind. It was such a pleasure talking to you. 

Joe Carrigan: Likewise. 

Dave Bittner: (Imitating woman's voice) Do you have any other chat software besides this one? 

Joe Carrigan: What's wrong with this one? 

Dave Bittner: (Imitating woman's voice) You can add a contact information to facilitate our conversation. I believe we can also become better friends. What do you think? 

Joe Carrigan: You need to practice your scamming skills a little bit more. I can tell you're a beginner, and you're boring me. Bye. 

Dave Bittner: (Imitating woman's voice) Then I'll lie to your family. Bye. 

Joe Carrigan: (Laughter) I don't know what that means. But he says, I could train you. I have a group of very talented guys who could teach you to do this better if you'd like to work for me. And that's the end of it. 

Dave Bittner: Yeah. 

Joe Carrigan: It's pretty interesting. This has a lot of hallmarks. I don't know what the endgame is here, maybe a crypto scam 'cause she mentions crypto, or the scammer mentions crypto. 

Dave Bittner: Yeah. And also interesting is she's trying to get him off this platform. 

Joe Carrigan: Right. That was a big red flag for me. 

Dave Bittner: Yeah. 

Joe Carrigan: So good work. Good work on - and by the way, who are your guys that you know that can train them better? Is that us? 

Dave Bittner: Well, pen testers, probably (laughter). 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. Something. Who knows? Who knows? 

Joe Carrigan: Thanks for sending that in, Areus. 

Dave Bittner: Yeah, that was a good one. We would love to hear from you. If you have something we would like to consider for the show, you can email it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Matthew Conner. He's the founder of an organization called Conscientious Security, and we spoke about a phishing study that he conducted back when he was still working for F-Secure, another security company. 

Joe Carrigan: Yep. 

Dave Bittner: Here is my conversation with Matthew Conner. 

Matthew Conner: When I first joined F-Secure, I found a company that was delivering large-scale phishing simulations to a variety of different industries that had a lot of data and wasn't really interpreting that data, wasn't really exploring what that might mean. And the sort of academic mind at the back of my head said, we should look for trends here. We should look to - big data will give us answers that we might not have had. We look at phishing emails, and we think we know why that works and why it doesn't work. But actually, if we step back and look at a lot of data, we might find things out that we didn't know before. So that's what prompted this. And we had some partners, and we worked with them. And, yeah, then - and cracked on making this study. 

Dave Bittner: Well, let's go through it together. What was the methodology? How did you go about it? 

Matthew Conner: We first designed four emails, or took the skeletons of four emails that we - we've seen very regularly in the wild and that we also know are quite effective. So there are other emails out there that are maybe more common, but these ones are both - they're both seen, and they can be quite effective in getting people to click and then producing the damage, the consequence that occurs thereafter. We then took this out to the customers of ours and to potential customers and - as F-Secure. We explained what we wanted to do and tried to get them on board. 

Matthew Conner: And as you can imagine, there's a lot of legal wrangling in there to try and - you know, try and take some of this data out to make a large public study because that's really what we wanted. We didn't just want to take this information and have it for ourselves and use it within F-Secure. We wanted to try and move the conversation onwards of that little bit in terms of, how do we solve this problem of phishing? Or how do we start to solve that problem a little bit more? 

Matthew Conner: Once we'd established our participants, we then found that we had to tweak and change those emails. And the ones that we designed had to be kind of redesigned slightly. And we kind of gave ourselves new barriers and new design kind of sound effects for them. We were very well-versed in producing phishing simulations, so that was all all right. And eventually, when we had the clients on board, everything signed off, we delivered these emails en masse. 

Matthew Conner: So what we did - this is probably a bit of a preamble, but this is the real crux of the study. So we've got four different phishing emails. We had four participating organizations. And what we did was take all employee lists for those organizations. We randomized them within the organization and gave each person at random just one email. We did this so that there would be overall parity. We wouldn't be giving one group one email, and then saying, well, this didn't quite work for - this worked for retail, but would it work the same in banking and finance? So we randomized everyone and drip fed those emails out over a week. So every day between - I think it was between 10 and 3 UTC, we delivered these emails out slowly. 

Matthew Conner: After a week, we left the emails live for another week to catch those people who might've been on annual leave or just busy and hadn't got around to it to see if we'd capture them. At the conclusion, we then stripped away all of the information relating to those organizations. So we anonymized it and then began to explore that data en masse. That's where we kind of came up with some of the results that we found. 

Dave Bittner: Yeah. I mean, it's a fairly substantial sample size here. You targeted over 82,000 individuals. As the data started to come in, what was your response here? Were there - was it what you expected, or were there some surprises? 

Matthew Conner: So the simplest response was one - the simplest way to view the results was what I expected. Because we had the four different emails, we could easily track which of these emails is performing best. I'm saying it performing best positively, but, really, it's what's more dangerous. And - yeah. And so we weren't surprised at the results there. 

Matthew Conner: The internal HR mimic email was, by far, the most effective. All of the emails were completely generic. They had no application to the client - the people who we were targeting there. We didn't use, like, a real HR person. We didn't try and spoof their domain. We didn't try and put a logo in. And the same with all of the other emails. We didn't use existing companies, third parties that we would be using familiarity for. So the familiarity was only in the language and the style of the email. 

Matthew Conner: But even with a completely generic email - we just called ourselves from HR - that still delivered a really high click rate. And that wasn't too much of a surprise for us because of all of the emails, this was the one that had real personal impact. The rest - there was a bit of loss aversion. There was some, like, authority, bit of urgency, perhaps. But this was the one that me, as the employee - something might actually change for me here. I might lose some annual leave days. I might just have to rebook them. There might be some genuine effect to me. So we'd - we predicted that this one was going to be the most effective. And, indeed, it very much was. 

Matthew Conner: Now, what I would say is because we had to make those emails generic, some of the others performed, I think, more poorly than a real-world example would. So the document share and the service notification emails - they usually play on the familiarity of the brand. You get an email that looks like it's from Microsoft and says, your system will shut down if you don't click this link or something a bit more - you know, a bit sharper than that. We didn't want to use third party for a couple of different reasons, but primarily because if one of our customers, one of our clients used G Suite, well, it's not going to work quite as well for them. And we didn't want to use the same scaffolding and put different facades on it. So we used completely generic. So I do think for - if there's a real attacker out there, they probably wouldn't use a generic file share. They'd use OneDrive, or they'd use SharePoint or something like that. So I think that would - you would see - scarily, you would see the numbers go up even more. Similarly, for the internal HR mimic, if we had spoofed the domain a little bit, if I'd found someone from HR and put their face at the bottom or in, you know, in the little bubble that you see on your client, that would have been even more effective. So yeah, that was a primary thing that we were able to track as the results were coming in. 

Matthew Conner: It really surprised us, but with hindsight, it maybe shouldn't have - was that the parity between those people who have had or who work in information security themselves - those in IT, those in DevOps, those people who understand a lot more about how these computer systems work versus someone from finance or someone from sales who use this information technology but doesn't necessarily need to know how and why it works - that they were just as susceptible as everyone else. That was - that kind of shocked us. And that was something that I think - that's what really, to me, challenges the received wisdom of the whole industry, which, in summary, is knowledge is not enough to prevent phishing attacks. Knowledge about phishing and about the techniques that people use and what to look out for - it's critical. You have to have it, but it's not enough. 

Matthew Conner: And that really speaks to the experience I've had in my commercial time as well, where we would deliver endless amounts of training about, look out for this dodgy sender domain. Hover your mouse over the link here. Look out for spelling mistakes and grammatical errors. And we train people over and over and over again, but they - and they still fell victim. So clearly, to me, knowledge isn't enough. We need something more. 

Dave Bittner: One of the things that you tracked was the ability for people to report these emails and that that made a difference as well. 

Matthew Conner: Absolutely. Yeah. This was such a clear finding for me. And it - this I don't think challenges the wisdom of the industry. I think this really supports the strong message that most people who work in security are purporting at the moment, which is you have to make the reporting process for your staff as simple as possible. The people that we tested that had a nice, neat button - click that, and it'll whiz your email off for somebody else to examine it - they reported emails. One organization was - close to 50% of those emails got reported. 

Matthew Conner: Whereas those people who had to save the email off, attach it as an attachment to another email and forward it onto a shared mailbox that they've probably forgotten and have to look up - very few people reported. Where this really showed was - one organization had a couple of groups, not just departments, but groups of people had a button that they were slowly rolling out, and the rest of the business didn't yet. Now, those people who had the button reported - again, about 50% of people were reporting this. Whereas I think it was about 11% in everyone else. So they - they're the same organization. They're in the same department, maybe in the same team. But those people who have a button are - I think it's four times more likely to report emails. 

Dave Bittner: Wow. 

Matthew Conner: To me, it's - that's a critical point. Everyone, if you've got employees and they're receiving emails, make sure they've got a really straightforward and simple way to report those emails as suspicious. 

Dave Bittner: Well, let's go through some of the take-homes here. I mean, based on the information that you gathered, what are your recommendations? 

Matthew Conner: Absolutely. So that - as I've just finished those - is one of my key. I think it's one of the simpler ones to do and, honestly, one of the more, like, cost-effective ones to do. Make sure staff have a really simple way to report emails. There are free options out there. Grab one of them. Install it in your clients, and provide that information for your staff. More than that, though, I think if we - if you really want to start trying to solve this problem, you really see this as a risk - which I think every business should. If you look at the numbers of how much is lost in a single year - so I think it was the FBI said 7 billion was lost, something like that, through overall - all attacks. But a large portion of those started with phishing attacks - is go that extra step in trying to solve this problem for your staff. 

Matthew Conner: For me, why doesn't the knowledge prevent people from clicking on links or opening documents or providing credentials? It's because it falls out of their mind. They don't recognize it when it's actually happening. I think the key element you can do is you can teach them to observe their own behavior. So I could spend a day a week providing you with the latest phishing attacks. And this is what it looks like. And this one's a COVID-19 one. And this one's to do with a Ukraine fundraiser. And they always look - every time, they look different, but the skeleton of them's the same. It's always looking for something that you want to get, something that you want to avoid, using some sort of authority or authenticity, using familiarity, and especially with some time urgency. 

Matthew Conner: And for me, if you can start to teach your staff to identify when they feel that pull - oh, I've got to do something now. I've got to reply to this. I've got to open that document. As soon as they feel that pull, push. That's my key message. When you feel a pull, push. Take a second. Take a breath. Start to think about this, and go and speak - and hopefully you've then got the backup, the support within your organization so somebody can report it. But if they're not quite sure yet, can they share that in a - you know, in a Slack channel or a Teams group? Have they got someone that they can clearly, like, find to share this with? - share a screenshot and say, I've just received this email. What do you think? That kind of cultural support is essential. If you're just doing - delivering training that tells people, look out for sender, don't click this, and - you might be meeting regulatory requirements but you won't be solving the problem. You've got to go that step further. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: This is an interesting study. I took a look at this study. It's a pretty good study. And I like the way it was set up. Eighty-two thousand people. 

Dave Bittner: Yeah. That's a good... 

Joe Carrigan: That's a good sample size... 

Dave Bittner: ...Yeah, exactly. 

Joe Carrigan: ...Right? And if you look at this with adversarial thinking, Matthew says best - he really means, you know, most dangerous or the worst, as... 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: ...He says. I think it's fascinating that the internal HR memo was the most effective. Actually, I'm not surprised by that. But this was a minimal effort, generic template thing. Did you look at the study? 

Dave Bittner: No. 

Joe Carrigan: You know what the effectiveness of this was? Twenty-two percent. 

Dave Bittner: Wow. 

Joe Carrigan: Twenty-two percent of the people that got this email clicked on it. That is remarkably high... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I think. 

Dave Bittner: One in five. One in four or five, yeah. 

Joe Carrigan: Right. So, you know, if I'm a scammer, that's all I'm sending is those. So now everybody watch out for emails from your HR department. 

Dave Bittner: (Laughter) They could be from Joe. 

Joe Carrigan: They could be from me, that's right. 

Dave Bittner: (Laughter) That's right. 

Joe Carrigan: I think that using generic templates is good for the study. It gives you a solid baseline... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? But if somebody were to target your company specifically - and he said there's only four organizations that participated in this, which means on average, these people had - or these companies had 20,000 people working for them, which is a good target - right? - a good-sized target. If I'm going to target 20,000 people, you can bet I am making these things personalized. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm coming up with - I might even register a domain. I'm going to steal the logos. I'm going to make an HR letter that looks like it's - I'm going to find out who your director of HR is. 

Dave Bittner: Right. 

Joe Carrigan: And if I do that, I guarantee you I get more than a 22% click rate. 

Dave Bittner: It also strikes me that a company of that - if you're in a company that has 20,000 people, just by necessity, a lot of the communications you get from the company are going to be generic... 

Joe Carrigan: Yep. 

Dave Bittner: ...Because there's no way they can personalize it for everyone. 

Joe Carrigan: That's 100% correct. 

Dave Bittner: So you're going to be used to things being a little sterile, a little clinical. 

Joe Carrigan: Yes, you are. 

Dave Bittner: Yeah. And I think that makes it more likely that you might fall for something. 

Joe Carrigan: I think you're right. 

Dave Bittner: Yeah. 

Joe Carrigan: I think that's a good observation. 

Dave Bittner: What else? 

Joe Carrigan: I think it's interesting that IT, security and DevOps were just as susceptible as everyone else. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: We're not special. 

Dave Bittner: No, everybody's human. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: One of the big takeaways from this thing is - I have two big takeaways from this interview. No. 1, user interface is key when it comes to reporting spam or suspicious emails, right? He says - Matthew was talking about the - if you can just click a button on the email that - on the email interface that says, send this off to the spam team, that is four times better than having something where you have to save it as an attachment and send it off. 

Dave Bittner: Right, right. 

Joe Carrigan: You know, it's - I've done both of those, and it's - I'm really unlikely to do it with the second one. 

Dave Bittner: Sure. 

Joe Carrigan: I do it because I'm diligent. 

Dave Bittner: (Laughter). 

Joe Carrigan: But - and because... 

Dave Bittner: But you get blisters on your fingers... 

Joe Carrigan: But I get blisters on my fingers, right. 

Dave Bittner: ...From - yeah, sure. 

Joe Carrigan: Yeah. 

Dave Bittner: Right. 

Joe Carrigan: I like what he says here - when you feel a pull, push. That's a good way to remember things. One of the key things - the other key takeaway from this is that people are going to stop thinking about security stuff when they're far away from the training, right? That's why your security awareness training needs to be as continuous as possible... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? It's much better to have the short weekly or monthly training event that's - you know, it takes just a couple of minutes, than it is to have the annual event... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Where everybody gets inundated with things because, you know, I'll bet if you looked at a chart of clicking after that event - if you just tracked phishing susceptibility, once you have that event, it goes down for some period of time... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? 

Dave Bittner: Right. 

Joe Carrigan: Once you have that training event. And then it slowly creeps back up. That's a study I'd like to see someone do. 

Dave Bittner: Yeah. 

Joe Carrigan: So if maybe F-Secure was listening right now, maybe they can do that study next. 

Dave Bittner: (Laughter) Oh, they're the - they must be listening, too... 

Joe Carrigan: Right. 

Dave Bittner: ...Because everybody does. Yeah. I mean, some of the numbers coming out of these are - I mean, there's just bananas, right? 

Joe Carrigan: Bananas. 

Dave Bittner: And I mean, there are lots of good things about bananas. Bananas are tasty, they are nutritious, they - they're very portable... 

Joe Carrigan: Yes. 

Dave Bittner: ...They're fairly durable. I'm trying to think of any downsides to bananas. What - any downsides to bananas, Joe? 

Joe Carrigan: Banana is not magnetic. 

Dave Bittner: Good point. 

Joe Carrigan: Yep. 

Dave Bittner: Good point. All right. Well, our thanks to Matthew Connor from Conscientious Security for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.