Combating social engineering.
Ann Johnson: We as an industry have a ways to go to remove as much friction as we can from the user experience, and then users will be using stronger authentication much more freely.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Ann Johnson. She is a security executive at Microsoft, and she is also the host of the "Afternoon Cyber Tea" podcast.
Dave Bittner: All right, Joe, before we dig into our stories this week, we've got some follow-up here, a couple items. Why don't you start us off here?
Joe Carrigan: So Michael sent us this clip by Duval Guillaume. The clip is old, but it's - it's, like, from 2012. But it's a really good clip.
Dave Bittner: Yeah.
Joe Carrigan: So we're going to put a link in the show notes. It's on YouTube, but I'll give you a description of it, right? It's this yurt - right? - which is like a Mongolian tent.
Dave Bittner: Right. Fancy tent, yeah.
Joe Carrigan: Right. Nice big tent.
Dave Bittner: Yeah.
Joe Carrigan: And they seek out these volunteers to come in and get a psychic reading from this guy Dave.
Dave Bittner: OK.
Joe Carrigan: Right? And Dave starts jumping around. And Dave's got long hair, and he's wearing all white, and he looks the part of some kind of...
Dave Bittner: Like a mystic.
Joe Carrigan: Like a mystic, exactly.
Dave Bittner: Yeah (laughter). OK.
Joe Carrigan: And he starts telling people everything about their lives, right?
Dave Bittner: Oh.
Joe Carrigan: Like, things like, last month you spent 300 euros - not 3,000. Good God. You'd die from that. Three hundred euros on alcohol.
Dave Bittner: (Laughter) Right. OK.
Joe Carrigan: Right? And the people are like, this is amazing. How do you know this?
Dave Bittner: Yeah.
Joe Carrigan: But he keeps doing all these, like, psychic predictions. And at the end of each interview, he drops a curtain in the yurt. And there behind it are a bunch of guys in ski masks working at computers just looking at these people's social media pages (laughter). Right?
Dave Bittner: Right, right.
Joe Carrigan: And it's a banking commercial about all the information that you put out on social media. And I had not seen this before. And Michael raises an excellent question - how have you guys never seen this before?
(LAUGHTER)
Joe Carrigan: I don't know.
Dave Bittner: I think I had seen it before, but it is a good one. And...
Joe Carrigan: It is. It's great.
Dave Bittner: Yeah, I guess it's a sort of - a step beyond cold reading, which a lot of these...
Joe Carrigan: Yeah. Yeah, a lot of the...
Dave Bittner: Self-proclaimed psychics do.
Joe Carrigan: Absolutely.
Dave Bittner: Yeah.
Joe Carrigan: I wanted to talk about - I think last week I discussed my retirement plan, and I said, we'll have to talk about that someday.
Dave Bittner: Yeah.
Joe Carrigan: But my retirement plan is I'm going to open a psychic shop, and I'm just going to sit there and listen to people.
Dave Bittner: (Laughter) Yeah.
Joe Carrigan: And I'm going to tell them what's going on just by having an outside opinion, right?
Dave Bittner: OK. Right.
Joe Carrigan: But I'm going to tell them that I'm psychic.
Dave Bittner: Oh, OK.
Joe Carrigan: Right? Because that's going to get them to - there's a certain group of people out there that will only believe you if you're psychic.
Dave Bittner: Yeah.
Joe Carrigan: Right? Like, I think my boyfriend's cheating on you - on me. Well, why do you think that? Well, he won't let me look at his phone. He's always missing when I try to get him - OK. All right, the spirits are telling me your boyfriend is cheating on you.
(LAUGHTER)
Dave Bittner: OK. So you're going to use your powers of deductive reasoning...
Joe Carrigan: Yes.
Dave Bittner: ...And slap a psychic sticker on it...
Joe Carrigan: Yup.
Dave Bittner: ...And profit.
Joe Carrigan: That's right.
Dave Bittner: OK.
Joe Carrigan: I'm not going to charge a lot.
Dave Bittner: (Laughter) Fair enough.
Joe Carrigan: You know?
Dave Bittner: Yeah. Pretty simple.
Joe Carrigan: And I'm not going to do anything harmful to somebody.
Dave Bittner: No, no, of course.
Joe Carrigan: I'm going to - you know, if somebody says, I need some psychic healing, I'm going to - like, there's no such thing as psychic healing. Go see a doctor.
Dave Bittner: Yeah. Right. OK. Good enough.
Joe Carrigan: Right.
Dave Bittner: All right, well, we'll do a remote from your location when you do that.
Joe Carrigan: Right.
Dave Bittner: Maybe you just like - beachfront would be good, right?
Joe Carrigan: It would be nice.
Dave Bittner: Maybe you could set up your own yurt on the beach.
Joe Carrigan: Hey.
Dave Bittner: (Laughter).
Joe Carrigan: Dave, I think we're hitting on something here.
Dave Bittner: (Laughter) That's right. That's right. Grow your hair long.
Joe Carrigan: Yeah, grow my hair long. That'll look great with my...
Dave Bittner: Long, mystic beard.
Joe Carrigan: You...
Dave Bittner: Sure.
Joe Carrigan: Dave, you have this glorious, luxurious head of hair that is...
Dave Bittner: I do, yes (laughter).
Joe Carrigan: ...Still the original color.
Dave Bittner: Yeah.
Joe Carrigan: And mine has thinned and grayed.
Dave Bittner: Oh, OK.
Joe Carrigan: So if I grow it long, I just don't think it's going to look good.
Dave Bittner: Well...
Joe Carrigan: I'll have to go with the shaved head look.
Dave Bittner: You never - oh, there you go. OK. Sure, sure. That's the other way to go.
Joe Carrigan: Yeah.
Dave Bittner: You could go that way. Not everybody could pull that off, but on you, it'd probably work.
Joe Carrigan: No, my wife says I look like Uncle Fester when I do it, but - (laughter).
Dave Bittner: Yeah. All right, I could see that as well. All right, well, thanks to Michael for sending that into us. As Joe said, we'll have a link to that clip in the show notes.
Dave Bittner: We got another kind note from a listener. This is from a listener named Seth who says, just a quick note about what you mentioned in your latest episode about legitimate-use cases for macros in Office documents. In a previous job, I had been tasked with creating a series of spreadsheets for a chain of retail stores to report their nightly figures. The stores would make their entries on their own spreadsheets, and then HQ would open the master spreadsheet the next morning. This master had data links to each store's version of their sheet. Because of the complexity of this elaborate web of spreadsheets, there were certain tasks that required exact guidelines to be followed. However, the skill set of the people interacting with the data was too low to expect this kind of precision. So the spreadsheets had multiple macros built in to handle - dumbed down - most of these tasks so that anyone could do them. This meant that each of these locations had to operate with macros enabled all the time.
Joe Carrigan: I see.
Dave Bittner: Says, I'm not sure this is a great example of why macros should be allowed, but it came to mind during your discussion.
Joe Carrigan: No, that's exactly the kind of information I'm looking for.
Dave Bittner: Yeah.
Joe Carrigan: That's why I asked the question to the listeners. This is a great example of why you need it 'cause let's - you can put anything into a spreadsheet cell at all.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: Sure.
Joe Carrigan: So if you need data validation in order for a function to work, I can see that being a use case for macros because if I don't put the right kind of data into a cell, I get just a bunch of #REFs - right? - little errors that show up elsewhere in the spreadsheet.
Dave Bittner: (Laughter) Right, right.
Joe Carrigan: But if I don't know where those things are or I don't see them or I don't care...
Dave Bittner: Yeah.
Joe Carrigan: ...It'll never happen. You're going to need to do - so data validation is a perfectly good use case for macros.
Dave Bittner: Yeah.
Joe Carrigan: Should we still be using them? Probably not. I think now you might need a web application to do that...
Dave Bittner: Yeah.
Joe Carrigan: ...And just pull it out of the database.
Dave Bittner: No, but it's a good example.
Joe Carrigan: It's a good example.
Dave Bittner: Good use case.
Joe Carrigan: Yeah.
Dave Bittner: Yeah.
Joe Carrigan: Thanks, Seth.
Dave Bittner: So thank you for sending that in. We appreciate it.
Dave Bittner: We would love to hear from you. If you have something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com.
Dave Bittner: All right, let's jump into our stories here. I'm going to kick things off for us. I have something - this is from CPO Magazine, and it's written by Scott Ikeda, and it's titled "A Phishing Scam Nets $23.5 Million from the DoD, and a California Man has been Arrested for Siphoning Money from Contractors."
Joe Carrigan: I see.
Dave Bittner: So this is all about a gentleman from Northridge, Calif. - one Sercan Oyuntur. And he worked for a contractor that supplies jet fuel to the DoD for operations in Southeast Asia. And he conspired with someone else who was a person from New Jersey who owned a used car dealership.
Joe Carrigan: (Laughter).
Dave Bittner: Write your own joke.
Joe Carrigan: Right (laughter).
Dave Bittner: Who created a shell company to try to divert the money from the DoD vendors. And they stole over $23.5 million before they got caught. This article says that they had some co-conspirators in Turkey and Germany. And what they did was they - it started out with a phishing scam, and they sent emails to vendors that pretended to be from the GSA, from the government. And then they gave them a lookalike login page.
Joe Carrigan: Right.
Dave Bittner: And so once they got the login credentials, then they would use their access to the accounts, and they would have the payments rerouted to the shell company that they'd set up in New Jersey as part of this car dealership. Now, you might imagine that if you are a mild-mannered owner of a car dealership and all of a sudden millions of dollars start coming into your account, that may attract some attention...
Joe Carrigan: Yes.
Dave Bittner: ...From the bank.
Joe Carrigan: Yes.
Dave Bittner: And indeed, it did (laughter).
Joe Carrigan: I would be concerned about that exact issue.
Dave Bittner: Right. So they tried to transfer the proceeds to a bank account for the used car dealership, and they weren't - they made up some fake papers that indicated that the auto dealership had been awarded a DoD contract, as used car dealerships often do.
Joe Carrigan: Right.
Dave Bittner: But someone - the hero of this story is someone at the bank who said - just sensed something was up, something was not right. And the person at the bank reached out to the authorities, and that really unraveled the whole thing. So the person who headed up this scam has been charged, hasn't been sentenced yet but could have up to 30 years in prison, could be fined over $3 million. Another interesting thing here is - part of their scam, they used a lookalike URL - or a look-enough-alike URL (laughter)...
Joe Carrigan: Right.
Dave Bittner: ...To get people to log in. The official website is dla.mil. So dot-mil is a military domain.
Joe Carrigan: Right.
Dave Bittner: And the one they created was dia-mil.com. So close enough that on first glance people would look at it and they'd go, oh, that's - it's the DIA. That's who I'm doing business with. There's mil in there, so it's the military. You know, nothing overtly suspicious about a dot-com, so maybe this is just how they're doing it. Who knows?
Joe Carrigan: Right.
Dave Bittner: Maybe a third-party contractor's running the website. Blah, blah, blah, blah, blah, right?
Joe Carrigan: It's all reasonable.
Dave Bittner: Yeah. Easy enough to overlook.
Joe Carrigan: Right.
Dave Bittner: And that was part of their scam as well. So lots of things to take home from this, Joe. What are your thoughts here?
Joe Carrigan: My first thought, Dave, is that we are missing out on an opportunity.
(LAUGHTER)
Dave Bittner: OK.
Joe Carrigan: I'm just kidding. Of course not. This is terrible. This is - you know, I'm glad these guys got caught. Kudos to the guy at the bank for realizing something's not right here. Why did these guys try to get away with, like, $23 million? I mean, was that - how long were they doing this? Does the article say that?
Dave Bittner: It was over the course of a couple of years.
Joe Carrigan: OK.
Dave Bittner: But, you know, it's a good point, but I think it's just greed.
Joe Carrigan: Yeah.
Dave Bittner: You think about how many times could someone get away with a crime if they were satisfied at only committing one crime.
Joe Carrigan: Right.
Dave Bittner: Right?
Joe Carrigan: Yep, they could just do it.
Dave Bittner: Yeah, they could - if they just stole it - $100,000, right?
Joe Carrigan: Right.
Dave Bittner: Which is, I would say - venture to say $100,000 is enough money that that could make a difference in most people's lives.
Joe Carrigan: Yes.
Dave Bittner: Right? (Laughter) So if you had the discipline to only steal $100,000, maybe you could get away with it - not saying it's the right thing to do, but maybe you could get away with it. But I think they steal $100,000, and they go, huh, well, that was easy.
Joe Carrigan: Right.
(LAUGHTER)
Joe Carrigan: Let's steal another $100,000.
Dave Bittner: Right, right. And then they...
Joe Carrigan: Well, let's do that...
Dave Bittner: ...Get away with it and...
Joe Carrigan: ...Two hundred more times, and we'll wind up with $20 million.
Dave Bittner: Not only do I get a new car, but my wife gets a new car.
Joe Carrigan: Right.
Dave Bittner: And my kids get - you know, we'll pay off their college and their loans and their - and the house.
Joe Carrigan: And my buddies in Turkey will also make out like bandits.
Dave Bittner: Exactly.
Joe Carrigan: Those people are probably never going to get caught.
Dave Bittner: Yeah, that's a good point. That's a good point.
Joe Carrigan: Yep.
Dave Bittner: Yeah. So a couple lessons here, I guess. You know, obviously, this all started with a phish.
Joe Carrigan: Right.
Dave Bittner: So be aware of that. You know, check those domains. Just - I would think multifactor authentication would have probably...
Joe Carrigan: Yep.
Dave Bittner: ...Shut this down.
Joe Carrigan: Would've stopped a lot of this on the tracks.
Dave Bittner: I don't know if they - if the DoD makes that available on their logins, but if they don't, they should.
Joe Carrigan: They make it available on a lot of - they make it a requirement for a lot of logins, like system logins. You need a common access card, a CAC, to get into a lot of the networks. But...
Dave Bittner: OK.
Joe Carrigan: ...If you're talking about making payments, that's a good question...
Dave Bittner: Yeah.
Joe Carrigan: ...Because if I'm transferring money out, you know, that - a CAC won't stop somebody who's compromising the inside and doesn't know it. You know, they're an insider threat. They're giving money to somebody they shouldn't be giving it to.
Dave Bittner: Right.
Joe Carrigan: But they're not - they're a victim. They're not a conspirator, right?
Dave Bittner: Yeah.
Joe Carrigan: So a CAC won't stop that. They'll use - even if they log into their machine using a CAC, they're still going to conduct the malicious activity for the attacker.
Dave Bittner: Yeah.
Joe Carrigan: It doesn't help that way.
Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes. That's my story this week. Joe, what do you have for us?
Joe Carrigan: Dave, I have two stories. One is going to be very brief, but - you know who Seth Green is?
Dave Bittner: I do, yeah.
Joe Carrigan: Yeah - actor...
Dave Bittner: Actor, yeah.
Joe Carrigan: ...Comedian...
Dave Bittner: Yeah.
Joe Carrigan: ...Creator of one of my favorite shows, "Robot Chicken."
Dave Bittner: Oh, yeah. Yeah, yeah, yeah.
Joe Carrigan: It's a great show.
Dave Bittner: Yup.
Joe Carrigan: Apparently, Seth Green lost about $300,000 in NFTs recently by connecting his wallet to a malicious site.
Dave Bittner: OK.
Joe Carrigan: Now, I'm not fully versed in what's happening here...
Dave Bittner: (Laughter).
Joe Carrigan: ...Right?
Dave Bittner: My - first of all, my initial reaction is Seth Green probably lost over $300,000 in NFTs by buying NFTs.
(LAUGHTER)
Dave Bittner: But go on. And that's my own cynical approach to NFTs, but go on.
Joe Carrigan: But I went to OpenSea today and looked around, and it says create an NFT. If you want to create an NFT, you have to connect an ethereum wallet to it.
Dave Bittner: OK.
Joe Carrigan: I don't understand any of this. You know what I'm going to do, Dave? I'm going to create some NFTs.
Dave Bittner: Why? Why don't you just give me that money instead...
Joe Carrigan: No, no. I'm going to create...
Dave Bittner: ...Of sort of throwing it on...
Joe Carrigan: ...NFTs, Dave. I'm not going to buy NFTs.
Dave Bittner: It's still going to cost you something to do, though, doesn't it?
Joe Carrigan: Does it?
Dave Bittner: I - look, nothing in this world is free, Joe. It'll cost you a little bit of your soul (laughter).
Joe Carrigan: Just a little bit (laughter)?
Dave Bittner: Just a little bit. And we all know you don't have that much to spare, so...
Joe Carrigan: (Laughter) Right. We'll see how this goes.
Dave Bittner: Just tread lightly, yeah.
Joe Carrigan: If this does wind - if I can create NFTs for free and sell them for money, I'm going to try to do that.
Dave Bittner: OK.
Joe Carrigan: But if I have to pay, like - you have - if I have to buy an ethereum, one...
Dave Bittner: Yeah.
Joe Carrigan: ...Ether, to create NFTs, I'm not doing that.
Dave Bittner: OK.
Joe Carrigan: That's not going to happen.
Dave Bittner: All right. So you're doing an experiment.
Joe Carrigan: I'm doing an experiment.
Dave Bittner: All right.
Joe Carrigan: We'll see how this goes. I'll report back at some later episode.
Dave Bittner: OK. Well, I wish you well.
Joe Carrigan: But I have a plan.
Dave Bittner: OK. That's what they all say.
Joe Carrigan: That's what we all say. That's right.
Dave Bittner: (Laughter) What did Mike Tyson say?
Joe Carrigan: Everybody has a plan until they get punched in the mouth (laughter).
Dave Bittner: Right, right. So...
Joe Carrigan: That's one of my favorite Mike Tyson quotes.
Dave Bittner: ...Good luck.
Joe Carrigan: It is.
Dave Bittner: Well, we're all sitting on the edge of our seats to hear how Joe's NFT adventure goes.
Joe Carrigan: Right.
Dave Bittner: So, we'll - we're looking forward to you reporting back on that.
Joe Carrigan: We'll see what happens here.
Dave Bittner: All right.
Joe Carrigan: It may be two weeks, it may be three weeks, but I'll have something to report in a little bit.
Dave Bittner: I'm going to hold you to it.
Joe Carrigan: And it may be, well, I found out I had to buy an ether, so I'm not doing that.
Dave Bittner: OK.
Joe Carrigan: That might be the outcome.
Dave Bittner: But you're not going to get away with not - if - like, if something terrible and shameful happens to you, you're obligated to tell us about it.
Joe Carrigan: Oh, absolutely.
Dave Bittner: (Laughter).
Joe Carrigan: Absolutely. I'm going to take this one for the team, for the "Hacking Humans" team...
Dave Bittner: OK.
Joe Carrigan: ...Find out what's going on here and see how this works.
Dave Bittner: All right.
Joe Carrigan: All right. So my actual story today comes from BleepingComputer. It is titled "Phishing Websites Now Use Chatbots To Steal Your Credentials," and this comes from Bill Toulas, OK? So we all know what phishing websites are, right? They're landing pages where you try to - where they - where bad guys try to steal your credentials for something.
Dave Bittner: Yeah.
Joe Carrigan: But this operation is pretty sophisticated, and it was discovered by researchers at Trustwave who shared it with BleepingComputer before publication. So we're actually getting a sneak peek at this.
Dave Bittner: OK.
Joe Carrigan: It's pretty good. It starts with an email. And take a guess at what kind of phishing lure is used.
Dave Bittner: Oh, gosh. All right. I'll say it has something to do with my payroll.
Joe Carrigan: No, that's a very effective one, but it's...
Dave Bittner: Yeah.
Joe Carrigan: ...Actually a delivery - a DHL delivery impersonation...
Dave Bittner: Ah, OK. Yep.
Joe Carrigan: ...Which is another very popular one. So it was really just...
Dave Bittner: Sure.
Joe Carrigan: ...A shot in the dark there, but good guess. It starts with an email that says your package cannot be delivered today due to an exceptional situation beyond our control or because access to the delivery address is impossible. There's a big red button in the middle of the email that says, please follow our instructions. And you click on that, and it opens up a PDF file that contains links to the phishing site, right? And the link - it looks - this PDF looks almost like another website. But once you get on there, there's a chat bot. And the chat bot always says the same thing. And it says, hey, thank you for - thanks for confirming the tracking number. Here's a picture of the package. And they just show you a picture of the package. And it says, would you indicate whether we should deliver this package to a home or business address? And if you respond home address, it says thanks, and then it walks you through the rest of the process, which involves entering your DHL login credentials, right? And then during that process, it has a CAPTCHA in there that you're supposed to read because - or, you know, interpret because that's adding to legitimacy. Then you're finally taken to a secure pay page that contains a credit card payment information where you cough up your cardholder name, credit card number, expiration date and CVV code from the back of the card. And then you click this pay now button, and they send you a text message and ask you to verify the authenticity of the transaction by entering the code they texted you. And so now they have your cellphone number. They have your credit card details. They have your name. They probably have some kind of address for you. These guys have gotten a lot of information from you.
Dave Bittner: Right.
Joe Carrigan: And they've probably charged you something for giving that information to them. So just be aware of this campaign out there that's working like this. These chat bots look real. They're not real. It's all a phishing attempt. And they're - you know, it's just a phishing email and then a credential harvesting, plus a credit card and identity theft ring. And this is a really powerful campaign that nets a lot of information for these bad guys.
Dave Bittner: Can I just share something with you?
Joe Carrigan: Sure.
Dave Bittner: I hate chat bots.
Joe Carrigan: Oh.
Dave Bittner: I hate chat bots.
Joe Carrigan: I hate them, too.
Dave Bittner: Yeah. Every time I go to a business - and for some reason, a lot of cybersecurity companies love chat bots.
Joe Carrigan: Yeah.
Dave Bittner: Like, so you log on. They send me some research or something. I log on. I go to read the research, and down in the bottom corner is this company's - their own version of Clippy...
Joe Carrigan: Right. (Laughter).
Dave Bittner: ...Saying hi, welcome to our site. Come on. Look around. Is there anything I can help you with? No. Leave me alone. I just want to reach - I just want to read your research.
Joe Carrigan: Right.
Dave Bittner: Well, while you're here, why don't you check out - no, just leave me alone. I just want to read the research. You sure you're doing OK?
Joe Carrigan: (Laughter).
Dave Bittner: Like, shut up. I just want to read the research. I guess there's data that shows that chat bots lead to better interaction or help people find the things that they want or whatever. But let me tell you for me personally, chat bots are a real turnoff. I just don't like them.
Joe Carrigan: I get the impression that there's some marketing guy out there that thinks - or some group of marketing people out there that think that chat bots are helpful in directing the website user to where you want them to be.
Dave Bittner: I guess.
Joe Carrigan: You know, I always look at marketing people - and maybe I'm a little bit cynical here. It's not really caring what the customer experience is but making sure that the customers are exposed to all the product information they can be exposed to - right? - which, to be fair, is the marketing person's job, right?
Dave Bittner: Yeah.
Joe Carrigan: But you're right. These chat bots - I find them intrusive.
Dave Bittner: Yeah.
Joe Carrigan: I can't say - I go to a chat bot, and I just start trying to type functions into it, like exit parentheses, close parentheses.
Dave Bittner: (Laughter) Right.
Joe Carrigan: See if there's anything in there.
Dave Bittner: Yeah.
Joe Carrigan: Does that work?
Dave Bittner: Yeah. Yeah. So all right. Well, we will have a link to this story in the show notes. Again, we would love to hear from you. If you have something that you would like for us to consider for the show, you can send it to us at hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from Sadik, who writes, I don't use Gmail or Google anymore, but I do check my old Gmail address in order to not miss anything. I've been getting messages similar to the following one. I didn't do any extensive research about it, but as a cybersecurity professional, this one beats me. I don't know what the trick is here. Perhaps you can include it on your podcast. I didn't check out the phone number here, but the previous phone numbers didn't reveal anything either. So, Dave, why don't you read this one? There's a lot of bold in this one.
Dave Bittner: (Laughter) Yeah.
Joe Carrigan: And it's intermittently dispersed throughout the - so every time there's bold, why don't you emphasize that word?
Dave Bittner: All right. So it starts out, and it says, Dear valuable user, we hope you're enjoying our Norton service. This is to remind you that your subscription is about to expire. Extend your subscription now, and we can keep going. You will be charged $207.65 when your membership extended. Purchase details, order date, payment mode, ID number. If you have any questions about your subscription or would just like to contact us - there's a phone number - we'd love to hear from you. Regards, Norton billing support.
Joe Carrigan: (Laughter) So, Sadik, how this works is if you call this number, you'll get somebody who - the idea is that they're going to - you're going to try to cancel the transaction.
Dave Bittner: Right.
Joe Carrigan: Right?
Dave Bittner: Right. So the call to action here...
Joe Carrigan: Right...
Dave Bittner: ...Is, holy crap, I'm about to be charged for something I didn't buy.
Joe Carrigan: Precisely.
Dave Bittner: I better fix that.
Joe Carrigan: Yes.
Dave Bittner: Yeah.
Joe Carrigan: So you call the number. And they go, well, we need to make sure that the software is not installed on your computer. Let's open up a virtual terminal. Here. Go install this software and let me on your computer. That's - you know, that's the game.
Dave Bittner: Right.
Joe Carrigan: And it's a bad game to play with these guys.
Dave Bittner: Interesting. All right, well, again, thank you to Sadik for sending that in to us. We do appreciate you taking the time.
Dave Bittner: Joe, I recently had the pleasure of speaking with Ann Johnson. She is a security executive at Microsoft. She is also host of the "Afternoon Cyber Tea" podcast, which is part of the CyberWire Network.
Joe Carrigan: It is indeed.
Dave Bittner: Always a pleasure when I get to chat with Ann. Here's my conversation with Ann Johnson.
Ann Johnson: You know, it's an interesting question when you think about social engineering because I remember probably 2002 - it might have been 2003 - there was a Harvard Business Review article that talked about the September 11 attacks in the United States and talked about how they were largely social engineering attacks by the actors that actually ended up boarding the plane - that they had tested everything, that they socially engineered their way past airport security, past ticketing, and really using human psychology to actually launch that attack. And they made the parallel to cyberattacks. And we have been discussing social engineering. And why the timing hits me as we had only been discussing social engineering for probably a few years prior to that. And just to see how the actual concept of social engineering is this concept that, you know, folks can use both physical attacks as well as cyberattacks - it resonated with me at that point in time. So we're at least 20 years plus into talking about social engineering.
Dave Bittner: Yeah, it's funny. I mean, I remember thinking back to my own early days, you know, back in the - I guess the '80s - the 8-bit computer era, you know, with phone phreaks. And so much of the things that they were up to was social engineering to make your way across what was the telephone - the global telephone network at the time but calling up and pretending to be someone you weren't.
Ann Johnson: Yeah, exactly. So, I mean - and if you just think back to espionage - core espionage, right? - I mean, core espionage is social engineering. So we just gave it this fancy, new term. But at the end of the day, it's really the manipulation of human beings to do something they wouldn't normally do to further whatever nefarious cause you want to further.
Dave Bittner: And as you look at things today, I mean, when - where we stand, what's your take on the state of things when it comes to social engineering and the scams we see?
Ann Johnson: You know, it's interesting because I can tell you - and I'm going to give you a little bit of a personal anecdote - I think today alone - and it's not even quite noon on the West Coast, which is where I'm based - I have received six different phishing, smishing attacks - so texts to me trying to lure me to click on some type of link that are actually not simply generic. There's something that feels a little more targeted. And I'm talking to folks I know in the industry about the proliferation of smishing type attacks, as well as social engineering attacks related to account fraud, trying to get the redirected monies. You know, you get an email from, you know, a small company - supposedly your CFO - and they want you to send money to an account - or your CEO - so send money to this account. We - I will tell you that from a state of the industry standpoint, I think we're doing a reasonable - and that's the word I'll use - job with core phishing attacks, because phishing attacks have also become very sophisticated in that you can't count on typos and those type of things anymore, and the company logos look legitimate. But I think our technology and our machine learning engines have gotten pretty smart in detecting core phishing attacks. But, you know, much like anything else, once you stop the actors from using one vector, they're going to use another vector. And it's the same type of attacks, right? And these, you know, account takeover attacks and money redirect attacks - and like I said, this proliferation - and it's been only in the past 60, 90 days of smishing attacks have really been on the increase.
Dave Bittner: You know, you, as an executive at Microsoft - you know, Microsoft has the sort of dubious distinction of having a particular scam that uses Microsoft's name - the Microsoft Tech Support Scam - where people call up and pretend to be from Microsoft. And I suppose that's sort of the two sides of the coin of being such a large presence in the industry that, you know, folks are actually summoning your - using your good name against you.
Ann Johnson: Well, it is. And if you think that the IRS every year around this time - you know, the U.S. Internal Revenue Service, which, you know, is our tax service, right? Everyone files their taxes around this time of year. And the IRS also, you know, constantly is parading the public of, you know, the IRS will never call you. The IRS is never going to ask you over the phone for your Social Security number. You see it from police agencies. You see it from, you know, fire departments. We're never going to raise money doing this. Your bank - your banks will tell you, we're never going to call you. All of these things are relatively easy targets for an unsophisticated, you know, general population that doesn't, you know, really use this technology but just isn't super sophisticated with it. And the Microsoft, you know, attacks against - we're the support agent. You owe us money. I get emails probably daily. Some are blocked, some aren't. But, you know, people want me to renew my subscription for something I never had a subscription for or trying - yeah - or trying to steal credentials. Your X - you know, your such and such account is locked. Well, I never had that account, so it's probably not locked.
Dave Bittner: Right.
Ann Johnson: But I'm a more sophisticated user, right? And I supposedly can look for these things and not be caught by them. But I - sometimes it doesn't matter because the attacks are so targeted, so sophisticated.
Dave Bittner: Have you found yourself, you know, going down that path or, you know, caught yourself at the last moment, saying, oh, I almost fell for that one?
Ann Johnson: You know, it's funny. I - recently, I was looking at something, and I - to answer your question, almost. But I realized my bank would have never - it looked legit. I got an email that looked, like, legitimately came from my bank. It legitimate - and I said, you know what? My bank just wouldn't do that, right? But it took me a minute. I wasn't going to click the link. I was just - I paused. And the one thing people have to realize is that urgency. The bad actors use urgency. You must click this link now. I'll tell you a quick little story about my husband. He - and this was probably 10 years ago - he called me in a panic, and he said - and I always handle our taxes. And he said, we've been audited, and if I don't send $500, you know, right away via credit card - I got a phone call, and if I don't send the $500 to pay off this audit, you know, they're going to, you know, take further action. I'm like, OK, slow down, you know? This is a known scam. But he was - 'cause he didn't handle our taxes, and he thought that I hadn't paid something. And he just - he was, like, literally almost fell for it. No fault of his own. The person on the phone sounded so legitimate to him that they were going to raise the fines or take further action or confiscate properties. Like, Ann, we need to give the credit card. But, you know, he paused long enough to call me and ask, right? And that's what they don't count on. You know, they got him live on the phone, and they launched this whole - and he's like, look, we're going to have to call you back. And the other person's trying to deter him from calling back, right? If someone is behaving like that - even if you're not technologically sophisticated, if someone's trying to pressure you in the moment to do something, trust your gut, trust your instincts and pause.
Ann Johnson: What I tell my family is, if you ever get a call from someone claiming to be your bank or the credit card company, say, oh, you know - be very polite and respectful, say, OK, I'll call you back, and then call them back on the number that's either on the - you know, your known - a known number on the back of your credit card or the bank's legitimate number from their website and call back. I said, but don't ever take the inbound call and take action from an inbound call or an inbound email.
Dave Bittner: You know, I think the point you bring up about pausing is so critical and also having someone to bounce these things off of, to have a buddy who you can say, so this thing is happening, and I'm not sure what to make of this. So many scams I think could be slowed down or stopped if we just took the time to do that.
Ann Johnson: It's true. And we're getting to the point where, you know, we're having digital natives - right? - coming into the workforce. You know, the younger millennials, the older Gen Z - they're digital natives, so they're going to be less susceptible to these things. But then a generation like, you know, the boomers or this - even the silent generation - right? - that, you know, have exited the workforce - you know, I'm a solid member of Gen X. We started with technology, you know, in high school - right? - you know, first computers.
Dave Bittner: I'm with you.
Ann Johnson: Yeah.
Dave Bittner: I'm with you.
Ann Johnson: Yeah.
Dave Bittner: Yeah (laughter).
Ann Johnson: We started with computers in high school, so we're not digital natives, but we are a little more aware. But all that means is the actors are going to have to be more sophisticated, right? They're going to find different ways. They're not going away. They're not going out of business. They're going to find different ways to steal money from people, and they will continue to persist. And one of the things - we probably don't have time to do in depth here - but, you know, crypto is a big enabler of fraud because once a transaction is done, it's theoretically untraceable, and it's gone. And that - as you know, we've seen a huge increase in ransomware that's almost directly tied to crypto. We're going to - as more and more people start, you know, developing crypto accounts and starting to put their funds in those types of things, we're going to see more and more attacks launched with NFTs and crypto and just the theft of things that could be converted to money - right? - or converted to digital currency, at least.
Dave Bittner: What do you suppose is on the horizon here? I mean, we have these efforts to go passwordless, you know, things like that. Do you suppose they're going to gain traction?
Ann Johnson: Yeah, absolutely. So we launched, as you know, our passwordless initiatives for our consumer accounts last fall. And we have - know that there is a need, but there's a tremendous amount of education that's still required. Getting people - it was funny because I'll tell you this. There's this industry impetus around FIDO2 that's wonderful and around authenticators. The challenge now is, I was working with an account outside of Microsoft today, and I realized that I have three different authenticators on my phone now. I don't think you're - yeah, I don't think your average user is going to want to manage three different authenticators, right?
Dave Bittner: No.
Ann Johnson: Yeah. So I think that we still have a need for it to drive simplification and standards in the industry and some type of methodology that people are comfortable and able - it's easy to use, right? Passwordless adoption is going to significantly increase when we have more ease of use for end users because, you know, those of us who are - and you know this. I was at RSA for 14 years, so I can appreciate all kinds of 2FA, multifactor auth, but I understand it super well. Even your average cybersecurity user isn't exactly an expert in, you know, authentication methodology, and that's leading us to this place where we need to continue to be on a mission to be passwordless. But the adoption rates have to be driven by ease of use, and having three authenticators is a suboptimal experience.
Dave Bittner: Yeah. I believe I have been in that boat where I've said to myself, which authenticator did I use for this account? And I - you know, I find myself banging my head against the desk sometimes. I think even like, you know, I - like yourself, I consider myself on the sophisticated side of the user spectrum. I would put you above me, certainly. But I think what's interesting is that even at that level, when the stuff doesn't work, it is so frustrating when it is a roadblock getting in your way of just wanting to do the things you want to do on your devices. And, you know, the trust is so easily given up when you run into one of those frustrating situations.
Ann Johnson: Yeah. So I'll tell you something funny, and my husband knows I pick on him every once in a while about security. He was a tech - he's retired now, but he was a tech guy but not a security person. He was really super frustrated with a particular app - and I'm not going to name the vendor that he had on his phone - where he had to - where he - I had insisted he enabled strong authentication to the app. So, you know, he enabled strong authentication to the app. But then he also had to re-authenticate at the time of transaction. And that friction for him - I said, yes, but all you have to do - and this was the time when we were still using our thumbs on our phone more than our faces. I said, yeah, but all you have to do is put your thumb on the, you know, thumb on the home button one more time. This is like...
Dave Bittner: Right. Right.
Ann Johnson: But even for him, this, you know, somebody who had been in tech his whole career, that was too much friction. He was really angry that I had made him set it up like that. And he's like, I just can't believe you did this. And I said, well, you know, you want to authenticate again at the time of transaction for something - this app that could be a larger transaction. You know, again, we, as an industry, have a ways to go to remove as much friction as we can from the user experience. And then users will be using stronger authentication much more freely.
Dave Bittner: What role do you suppose, you know, the leading organizations, the Microsofts of the world, have to play in this? Is this a situation where Microsoft can say, hey, we're doing away with passwords, so, you know, you got to get on the boat here?
Ann Johnson: So we've done so much. So our first - you know, our first approach is obviously to work with all the third parties that support FIDO2. We have the Microsoft, you know, authenticator that we have put out. We have Windows Hello for business that you can use, you know, facial recognition, as an example. And we're working with all of the different FIDO2 vendors, like YubiKeys if someone wants to carry a key, right?
Ann Johnson: We want to make - we - and we've built technology into our Azure Active Directory to support passwordless configuration. So you can choose what type of passwordless methodology or what type of passwordless authenticator you want to use. That's the first step - right? - is making it really pervasive and adopting as many industry standards that we can so that the people who are building applications can build to it.
Ann Johnson: The second step is doing things like enabling it in our consumer accounts. Now you can choose to be passwordless on your consumer account and just use your authenticator or use whatever experiences that you choose to use because, again, we've built those integrations in Azure Active Directory. The third step, Dave, is what you said, saying, now we're only passwordless. We're not there yet because we still need to remove some friction from the industry. But step one is making the experience better by having a lot of alternatives and adopting user standards. Step two is then adopting it ourselves within both our work and our consumer accounts. Step three - we'll come to the point where we say, OK, your only option is passwordless. We're not quite there yet.
Dave Bittner: Are you optimistic that we can get there, that this is going to be something in the future we'll look back on and look at those days and say, you know, how did we ever stand for that?
Ann Johnson: You know, it's - I want to be optimistic. Let me tell you, as someone who's started her career in strong authentication - and we only saw a significant improvement in even enterprise users using it during COVID because they were required to because they were working from home so much. But we still haven't - you know, we still, all these years later, haven't really come to the place where there's this massive acceleration. I believe that we will get there because it will be easier, especially from a consumer experience. You use strong authentication every day on your consumer device. You don't even know it if you have a smartphone, right? If we can just talk about it in those terms and make it consumable and make it accessible for people, then we will get there. But it's been a slow ramp so far, so I'm just remaining optimistic that at some point in time we will finally cross the chasm and be there and have much, you know, greater than 67% adoption.
Dave Bittner: Joe, what do you think?
Joe Carrigan: Social engineering has been around forever. That's one of the early points, as Ann talks about how it started becoming something that we've looked into since the early 2000s. And from a cybersecurity industry standpoint, that's probably correct.
Dave Bittner: Yeah.
Joe Carrigan: But this is nothing new. And, you know, we've even had episodes where I talk about old scams that have been going on since the, you know, the last - or last two centuries ago.
Dave Bittner: Yeah, yeah.
Joe Carrigan: So it's nothing new. And you brought up phone phreaks. And Kevin Mitnick - all of his hacking was essentially just social engineering.
Dave Bittner: Right.
Joe Carrigan: You know, calling up and pretexting them so much so now that it's actually illegal - it's a crime to pretext critical infrastructure organizations. And Kevin is responsible for that.
(LAUGHTER)
Dave Bittner: Well, it's good to be known for something.
Joe Carrigan: Yes, yes.
Dave Bittner: Claim to fame.
Joe Carrigan: Phishing has gotten a lot better over the - over time. It's always going to get better.
Dave Bittner: Yeah.
Joe Carrigan: So has our defensive stuff, which is also always going to get better. It is an arms race. I hate using that term because it sounds so cliche, but that's exactly what it is.
Dave Bittner: Yeah.
Joe Carrigan: It's always - OK - they're doing this. I'm going to do this. They're doing - OK - they're going to do this. I'm going to do that. These bad guys will adapt, and now they're attacking via SMS messages or by the term I hate - smishing.
Dave Bittner: (Laughter).
Joe Carrigan: Doesn't really tell you what it is - just fake SMS messages. But the reason they're going to do SMS is because the defenses aren't as good, right? I still get malicious SMS messages, and I do have a good amount of defense on them. I actually go to my spam folder from time to time and look at them to see if there's any good Catches of the Day in there.
Dave Bittner: (Laughter) Right, right.
Joe Carrigan: But it's interesting that these guys are now adapting and going to SMS, I think.
Dave Bittner: Yeah, yeah.
Joe Carrigan: Targeted and sophisticated attacks are going to be remarkably effective. If somebody took the time to write an email tailored to you and - hey, Dave, this is so-and-so. I met you at this conference. And they have some open source intelligence that says you went to this conference. Like, you're going to RSA, right?
Dave Bittner: Yeah.
Joe Carrigan: If somebody contacts you over the summer and goes, hey, Dave, I hooked up with you at RSA. Here's something - that's all going to make sense to you...
Dave Bittner: Yeah.
Joe Carrigan: ...Right? It's - so yeah, the more tailored a message is, yeah, the more effort it takes to write it. And you can't broadly disseminate that message, but it's much more effective.
Dave Bittner: Right.
Joe Carrigan: Urgency is key. I love the story Ann tells about her husband calling her in a panic, going, look. These guys are going to charge us - and Ann telling him calm down. That's not what's happening here.
Dave Bittner: Yeah.
Joe Carrigan: What's amazing is that he was able to get off the phone with them in the first place. So he was able to do that. So good for him. These guys are going to put you in a pressure cooker and keep you there as long as they can, just so that you pay up. That's really what the end game is every single time. The pause is absolutely necessary. You know, even if you're on the phone with the actual IRS because you've called them or something, you can always say, all right; let me go talk to my accountant or my wife, and I'll get back to you.
Dave Bittner: Right.
Joe Carrigan: And there may be deadlines, and those deadlines may be real, but an IRS agent is never going to say, if you don't pay, we're seizing you.
Dave Bittner: Right.
Joe Carrigan: Now, my son is actually an accountant - does a lot of tax work now.
Dave Bittner: Yeah.
Joe Carrigan: One of the big things he says is that people are afraid the IRS is going to put them in jail. But the IRS doesn't want to put you in jail because then you can't pay your taxes.
Dave Bittner: Right, right, right. Yeah.
Joe Carrigan: They want the money - is what they want.
Dave Bittner: Yeah.
Joe Carrigan: So any threat from somebody claiming to be from the IRS to put you in prison is not accurate. That's really not what the IRS wants.
Dave Bittner: Right.
Joe Carrigan: They would rather you pay the money.
Dave Bittner: Yeah.
Joe Carrigan: Ann makes an excellent point about the multifactor authentication bit, and you and she had a nice discussion here. She has three different authenticators on her phone. I have two on my phone and my YubiKeys. And these are all my multifactor authentication things.
Dave Bittner: Yeah.
Joe Carrigan: And, you know, I'm sitting here thinking - and it hadn't even occurred to me that, yeah, this is not a - this is not an optimal solution. But that's exactly right. This is not good. We're getting - we need to unify this somehow.
Dave Bittner: Right.
Joe Carrigan: I think the FIDO Alliance goes a long way to doing that, and I think that with this universal two-factor or - that may actually become just universal authentication eventually.
Dave Bittner: Yeah.
Joe Carrigan: That's great, because, Dave, I can't wait for passwords to die.
Dave Bittner: (Laughter)
Joe Carrigan: I cannot wait for it.
Dave Bittner: I'm with you. I'm with you. As much as I feel, you know, for the folks who are in the password manager business...
Joe Carrigan: Right.
Dave Bittner: ...Perhaps it is one of those industries, you know, like buggy whips that is transitional and then we'll soon look back on fondly and say, oh, I remember when we used to do that (laughter).
Joe Carrigan: Yes.
Dave Bittner: Absolutely. All right, well, our thanks to Ann Johnson for joining us. We appreciate her taking the time. And of course, if you have not yet done so, you should check out her podcast. It's called "Afternoon Cyber Tea." It is worth a listen. And I should mention also that Microsoft is a CyberWire partner.
Dave Bittner: All right, well, that is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.