Hacking Humans 6.30.22
Ep 202 | 6.30.22

The top 10 brand names most likely used in a phishing scheme.

Transcript

Omer Dembinsky: What we do see is the actual websites getting more sophisticated, looking very similar to the real websites, the phrasing very similar and just trying to use the user's attention or lack of attention to get their details.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week, and later in the show, Omer Dembinsky. He's a data research manager at Check Point Research. We're talking about their recent report on phishing. 

Dave Bittner: All right, Joe, before we jump into our stories, we've got some follow-up this week. 

Joe Carrigan: Yeah. In our 200th episode, I asked, how many redirects is too many? And Bob writes in with a little note about the redirect limit. And in Firefox, it's actually in the about:config. There is an HTTP redirection limit that is set at 20 by default. 

Dave Bittner: OK. 

Joe Carrigan: Now... 

Dave Bittner: You can change it. 

Joe Carrigan: You can change it in Firefox. Bob said that he looked through configuration for Chrome and couldn't find anything. And I did the same thing and couldn't find it. But I did find a nice Stack Overflow article that has - that is titled exactly that. See, this is that old question. You know, when I go, I wonder something, I should probably just go Google it, right? 

Dave Bittner: Yeah, right. 

Joe Carrigan: Because they have the answer. 

Dave Bittner: Yes. Most of the time they do. Yes. 

Joe Carrigan: Right. But there's - in this Stack Overflow article, there's a nice table that somebody's put together. They tested this on Windows 7 64-bit. So I guess this is kind of old. But, like, Chrome has 19 redirects as too many. Firefox has 20 redirects as too many. Opera has 19 redirects as too many. Safari, it's only 16. Internet Explorer, it's - depending on your version, it's either 11 or 121, which is interesting because that's 11 squared, isn't it? 

Dave Bittner: Yes. You know, it reminds me of - and I'm dating myself here, but it reminds me of "Name That Tune," you know? Like, I can redirect that page in 16 - I'll do it in 18. All right, redirect that page. Block that redirect. 

Joe Carrigan: So they all seem to be around 20 redirects. 

Dave Bittner: That seems reasonable. 

Joe Carrigan: I think that might be too high. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: I would like - you know, this is just my opinion. I think maybe a number like seven or eight might be reasonable. 

Dave Bittner: Yeah. 

Joe Carrigan: Maybe 20. Maybe there's a reason for doing it at 20. We're going to get more emails about this. 

Dave Bittner: Why don't you draft a memo to the engineers at Google, Joe (laughter)? 

Joe Carrigan: Yeah, I'll do that again. 

Dave Bittner: (Laughter) Anticipate their prompt reply. 

Joe Carrigan: How many draft memos have I sent to companies about their security policies? I was just on the phone with one of my companies - one of the companies I do business with, complaining about the fact that I couldn't paste my password from my password manager in because they're under the false assumption that not allowing people to paste a password into a password field is more secure than allowing people to paste it. 

Dave Bittner: Yeah. Yeah. Did you give them a piece of your mind (laughter)? 

Joe Carrigan: I did, Dave. I did. 

Dave Bittner: All right. 

Joe Carrigan: And I apologized to the poor person on the phone because he had to listen to me. But I did tell him, you need to tell people that's bad. 

Dave Bittner: Yeah. 

Joe Carrigan: And he was like, well, thank you. I'll run it up the food chain. Yeah. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Right into the trash with that. We have a crazy old man yelling about something. 

Dave Bittner: What else do we have here? 

Joe Carrigan: We have a listener who will remain anonymous sharing this anecdote about draconian IP policies. I was also talking about intellectual property policies. He says he's been working for a startup company for five years, and he's the longest running person at the company. Two or three years ago, we got a new lawyer who rewrote our NDA. Highlights of this NDA included that the company owns all IP and copyright of the employee, including what is done outside the company, even if it has nothing to do with the company and did not use any of the company resources. To this, he asks, what if I created the next ILOVEYOU virus? Would the company own that and have to take responsibility? That's an excellent question. 

Dave Bittner: Yeah. 

Joe Carrigan: What if I do something malicious in my free time? Is that now your responsibility? 

Dave Bittner: Yeah. Good question. 

Joe Carrigan: That's a great way to come back at this. Another fun highlight of the NDA was a non-compete clause. Normally for them to be enforceable, NDAs, they need to specify a location. The non-compete specifically said, I'm not allowed to work for any similar company anywhere on Earth. 

Dave Bittner: OK. 

Joe Carrigan: He says congratulations for being technically correct on that (laughter). 

Dave Bittner: Yeah. Go work for Elon Musk... 

Joe Carrigan: Right? Yeah. 

Dave Bittner: ...On the Mars colony. 

Joe Carrigan: On Mars. 

Dave Bittner: Yeah. 

Joe Carrigan: You can do all - you can compete against them all you want on Mars. 

Dave Bittner: Right. 

Joe Carrigan: The NDA was also written in such a way that the contract was post-dated from the date of hire, which for me was a couple of years. Signing that would have instantly put me in breach of it, right? 

Dave Bittner: Brilliant. 

Joe Carrigan: Yes. Another stupid clause was forced arbitration - the company HQ at his work location in a U.S. state. The forced arbitration clause stated that if there was to be arbitration, it needed to take place in Northern Ireland. 

Dave Bittner: Ah. 

Joe Carrigan: (Laughter). 

Dave Bittner: Sure. 

Joe Carrigan: Right? How are you going to do that? 

Dave Bittner: (Laughter). 

Joe Carrigan: I mean, you're going to fly everybody from the United States to Northern Ireland - to Belfast, presumably, 'cause I know that Ireland does a lot of stuff. Northern Ireland is actually part of the U.K., though. 

Dave Bittner: Yeah. 

Joe Carrigan: This listener goes on to say that this NDA was such a dumpster fire that he and some other employees made a stink. And the CEO finally read it himself and then shredded all the signed NDAs (laughter). 

Dave Bittner: Well, good. Good for them. Good for them. 

Joe Carrigan: Now he says he goes through everything and reads everything he signs with a fine-tooth comb, which was really hard when he was buying a house recently. 

Dave Bittner: Yes. Yes (laughter). 

Joe Carrigan: I mean, your father was a realtor. I was a realtor for a while. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: The amount of paperwork in buying a house is unbelievable. 

Dave Bittner: Yeah. I remember the first time my wife - the first house my wife and I bought. And my father, of course, assisted us with the process. I remember, at closing, you know, there's just this parade of documents for you to sign. And basically, the closing agent would, you know, put the document in front of us, explain what it was. I would glance over to my father, who would nod his head. 

Joe Carrigan: Right. 

Dave Bittner: And then I would sign it. 

(LAUGHTER) 

Dave Bittner: Right? Like I was just trusting him 'cause... 

Joe Carrigan: Yep. 

Dave Bittner: ...There's no way you can read all that. 

Joe Carrigan: No. 

Dave Bittner: But I think it's great that this listener is reading this stuff. I think a lot of companies - they put this boilerplate in front of you, assuming that people aren't going to read it. 

Joe Carrigan: Right. 

Dave Bittner: And you have to remember that you can line things out. You don't have to accept all of this. 

Joe Carrigan: Right. That's correct. 

Dave Bittner: And I think that's the way things are going to change. And NDAs are not legal in some states. So... 

Joe Carrigan: Yeah. And they're very difficult to enforce. 

Dave Bittner: Yeah, and do not competes and all that stuff. 

Joe Carrigan: Yep. 

Dave Bittner: So hopefully, we're seeing a change in that. I think - you know, I think one thing that's come from COVID and the situation we're in right now is it seems like more of the advantage has shifted to the workers' side, so hopefully they'll... 

Joe Carrigan: Yes. It's that pendulum. 

Dave Bittner: Yes. Yes. 

Joe Carrigan: And that - I'm happy to see it switch to the workers' side, you know? 

Dave Bittner: Yeah, me too. 

Joe Carrigan: That's good. 

Dave Bittner: All right. We got one more here from a listener - wrote in and said, hi, Dave and Joe. I'm a relatively new listener to the show. I heard you mentioned in passing that digital payment options like Google Pay or Apple Pay are more secure than a traditional card. Could you expand on this? It seems counterintuitive to me, since I often try to keep financial things off my phone. What do you think about this, Joe? 

Joe Carrigan: OK, so... 

Dave Bittner: Can you explain this? 

Joe Carrigan: Yeah. So the transaction is the more secure part. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So one of the things that putting a credit card into a machine - or swiping a credit card, as we used to do - one of the problems with that was that somebody could skim your credit card. 

Dave Bittner: Right. 

Joe Carrigan: And all your credit card information is on that magnetic strip. 

Dave Bittner: Yep. 

Joe Carrigan: They could then clone your credit card and reuse it. Now that we've gone with the chip system, it's a little harder to do that. But the idea behind this is that when you enter your information into whatever - Google Pay or Apple Pay - that information is kept by that company. And they have to be set up with the credit card company. In fact, I tried entering a second credit card, and it was unsuccessful because the credit card company wasn't going to permit it. 

Dave Bittner: OK. 

Joe Carrigan: But I do have a credit card on there. So when I go to scan my phone on the payment thing, what happens is the exchange of a token - that is a single-use token. 

Dave Bittner: Right. 

Joe Carrigan: None of my credit card information gets sent across the network to - via the point-of-sale system, and the merchant never actually has it. 

Dave Bittner: Right. 

Joe Carrigan: And really, if you think about all the credit card breaches, they don't happen by breaching Visa or MasterCard because those people run really secure networks. They get breached by breaching retailers. 

Dave Bittner: Yeah. 

Joe Carrigan: We all think of the Target breach. But think of, you know, the - one of my favorite ones to mention is Broadway Deli. I can't remember what city it was in, but they went out of business because they had a credit card breach that was so egregious, people started suing them, and they just couldn't - they couldn't maintain operations. 

Dave Bittner: Right. 

Joe Carrigan: And that was Seleznev - Roman Seleznev - that did that to them. And he's actually now one of our guests at Club Fed. But it's - that's why it's more secure. You know, if you lose your phone, and somebody else can open it, like, knows your PIN, then yeah, you have - you do have an issue. You know, if you're using a biometric, perhaps it's easier or more secure... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Than just a PIN. You know, it is a trade-off. It is a trade-off of convenience. You know, something I realized recently when I was using this was that my phone was really easily connecting to the point-of-sale system even before I wanted it to. 

Dave Bittner: Oh, really? 

Joe Carrigan: Yeah. And that's because they're both powered systems. You know, when I just wave the credit card in front of it, the credit card isn't powered. It's powered by a small field that comes off the... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Point-of-sale system. But my phone is powered by a battery. 

Dave Bittner: Right. 

Joe Carrigan: So it can emit a much stronger signal. And just getting it close to the point-of-sale device, it started going - it started showing me a check mark. And I'm like, this person hasn't even finished ringing up my groceries yet. So... 

Dave Bittner: (Laughter) That's interesting. I've not noticed that on my iOS device. Like, I have to get, like, right on top of it, usually, to have it recognize it. 

Joe Carrigan: Yeah. 

Dave Bittner: So - but, you know, all this - just different - probably just differences in hardware. 

Joe Carrigan: Yeah. 

Dave Bittner: But to get to the point here that our listener's asking about - so it's the fact that your actual information is not being sent across the network... 

Joe Carrigan: Right. 

Dave Bittner: ...That it's a token that makes it more secure than even using - well, certainly than the old days of using the card. 

Joe Carrigan: Right. 

Dave Bittner: The chip and PIN systems are more secure. I would say also that if you have your phone secured, that's probably, I mean, more secure than a wallet, right? 

Joe Carrigan: Yeah. 

Dave Bittner: If you lose your wallet - most people don't have locks on their wallets. 

Joe Carrigan: Right. 

Dave Bittner: But... 

Joe Carrigan: If you lose your wallet, I can take your credit card out and start purchasing things. 

Dave Bittner: Right. 

Joe Carrigan: But if you lose your phone... 

Dave Bittner: But if you lock your phone with biometrics or password or whatever... 

Joe Carrigan: Right. 

Dave Bittner: ...People aren't going to be able to do that. 

Joe Carrigan: Yep. 

Dave Bittner: So added security there. All right, well, thanks to all of our listeners for sending in all of this terrific feedback. We would love to hear from you. 

Joe Carrigan: That one came from Ian, by the way. 

Dave Bittner: Yes. Our email address is hackinghumans@thecyberwire.com. All right. Let's jump into some stories here. Joe, why don't you start things off for us? 

Joe Carrigan: Dave, once again, I have two stories... 

Dave Bittner: OK. 

Joe Carrigan: ...'Cause I like to talk and hear the sound of my own voice. 

Dave Bittner: Excellent. 

Joe Carrigan: The first story comes from a friend of mine. I was talking to this friend a couple days ago. We were playing an online game. 

Dave Bittner: OK. 

Joe Carrigan: And this person was telling me that they got in trouble recently with their employer. 

Dave Bittner: Uh-oh. 

Joe Carrigan: And the reason they got in trouble was because they had not responded to any of IT's messages about installing a new upgrade on her system. 

Dave Bittner: Oh. 

Joe Carrigan: I'm going to go ahead and say it - on her system. 

Dave Bittner: OK. 

Joe Carrigan: OK. Now I've just reduced the population by half, but that's OK. 

Dave Bittner: OK. Yeah. 

Joe Carrigan: So she was telling me that the reason she didn't do that was because she listens to this podcast. 

Dave Bittner: (Laughter) Right. OK. 

Joe Carrigan: But the thing was she works in a distributed environment. IT is in a different state than she lives in. 

Dave Bittner: Yeah. 

Joe Carrigan: They were sending her emails, and she was like, this looks like a scam. 

Dave Bittner: Sure. 

Joe Carrigan: So she was ignoring them. 

Dave Bittner: Right. 

Joe Carrigan: And then finally, her boss came to her and said, hey. How come you haven't run the update like IT's been asking you? And she said, every single one of those emails looks exactly like a scam email. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And I'm not going to answer the phone when these people call and say, hey. It's time for you to run this update. You know what I need? I need you to tell me that it's OK to run this update. 

Dave Bittner: Right (laughter). 

Joe Carrigan: And I'll reach out to IT and then work with them. And that's what she did, and she ran the update. 

Dave Bittner: Seems like mission accomplished (laughter). 

Joe Carrigan: Yeah, exactly. I said, yeah, that's a terrible way to do business, in my opinion. And if you want them to have an expert opinion from me, let me know. I'll be happy to call them and tell them. 

Dave Bittner: Yeah. 

Dave Bittner: You know, hi. This is Joe Carrigan from "Hacking Humans." 

Dave Bittner: How do you think IT could have handled this? 

Joe Carrigan: IT could have handled this with a better communication process... 

Dave Bittner: OK. 

Joe Carrigan: ...Because - and that's an excellent question, I can't just sit here and deride IT for, you know, probably what is a very easy way to communicate with people by using email, right? 

Dave Bittner: Right, right. 

Joe Carrigan: The employees. So what has to happen is IT needs to work with management and go, look. We need to get these upgrades pushed out to all the desktops. 

Dave Bittner: Yep. 

Joe Carrigan: So I need you, manager, to communicate this to your individual employees, right? This should not be something that IT should be communicating to the individual users. 

Dave Bittner: OK. 

Joe Carrigan: Management should be saying, everybody needs to go to this address and run this update. And if you need help, please call IT to do it. 

Dave Bittner: Right, right. So you have that personal - that person who's more closely connected to you... 

Joe Carrigan: Right. 

Dave Bittner: ...Leading that. 

Joe Carrigan: Yes. 

Dave Bittner: Yeah. That's good. 

Joe Carrigan: Having some person you've never heard of from IT reach out to an employee is - first off, you run two risks - one, that the upgrade doesn't get done - right? - because people think it's a scam, or two, you condition your employees to do whatever IT says when they call. And that's dangerous. 

Dave Bittner: Right, right. No, I think your friend did the right thing. 

Joe Carrigan: Yeah, I would agree. 

Dave Bittner: Yeah. What else you got? 

Joe Carrigan: Ah, I got a story that came in from another listener of the show. This story comes from the New York Post. 

Dave Bittner: OK. 

Joe Carrigan: And we'll put a link in the show notes. But there is a law firm named Beasley Allen that has filed eight lawsuits against Meta. 

Dave Bittner: OK. 

Joe Carrigan: They filed these in Colorado, Delaware, Florida, Georgia, Illinois, Missouri, Tennessee and Texas. And they claim that users' prolonged exposure to Meta and its platforms have led to actual or attempted suicide, self-harm, eating disorders, anxiety, depression and reduced ability to sleep, among other health - mental health conditions. They accused Meta of employing addictive psychological tactics to get people to use their platforms more frequently and failing to protect young and at-risk students - users. 

Dave Bittner: OK. 

Joe Carrigan: I say students because I work in academia, but I meant... 

Dave Bittner: Right. 

Joe Carrigan: ...Users. 

Dave Bittner: OK. 

Joe Carrigan: Reps from the law firm said that the defendants knew that their products and related services were dangerous to young and impressionable children and teens, yet they completely disregarded their own information. They implemented sophisticated algorithms designed to encourage frequent access to the platforms and prolonged exposure to harmful content, right? Now, this article focuses mainly on the lawsuits and comments from Frances Haugen or Haugen. I'm not sure how you pronounce her last name. I've only ever read it. But that was last year. You remember her comments from last year when she was releasing Facebook inside documents... 

Dave Bittner: Yes. 

Joe Carrigan: ...Talking about this? But the thing is this is not new information. In 2018, the BBC had an article on the addictive nature of social media reading, in part, that studies indicate there are links between overusing social media and depression, loneliness and a host of other mental problems. 

Dave Bittner: Right. 

Joe Carrigan: Also in 2018, the BBC's Science Focus magazine had a great article quoting Chamath Palihapitiya, who was Facebook's former vice president for user growth, saying, I feel tremendous guilt. I think we have created tools that are ripping apart the social fabric of how society works. He added that he himself rarely uses Facebook and that his children, quote, "aren't allowed to use that crap." 

Dave Bittner: (Laughter). 

Joe Carrigan: And I'm substituting a word there... 

Dave Bittner: OK. 

Joe Carrigan: ...Because it's a family-friendly show. 

Dave Bittner: Sure. 

Joe Carrigan: But everybody knows what he said. Sean Parker, who is the founding president of Facebook, said social media literally changes your relationship with society, with each other, and it probably interferes with productivity in weird ways. God only knows what we're doing to our children's brains. So I'm glad that, finally, these lawsuits are being filed against companies like Meta. I would like to see them filed against more companies as well. My - I have long been on this show and on other shows saying social media is bad for you. 

Dave Bittner: Yeah. 

Joe Carrigan: I've reduced my social media usage. I'm getting closer and closer to just deleting my Facebook account. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: It's happening, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I say I keep it just so I can communicate with family. And that's actually coming to the point where it might not be worth the tradeoff. 

Dave Bittner: Yeah. I'm not on Facebook anymore. 

Joe Carrigan: Yeah, you're... 

Dave Bittner: But I will acknowledge that part of the reason I can be off Facebook is because my wife is on Facebook. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: So I don't miss out on - if something important happens, she'll tell me. 

Joe Carrigan: Yes. I thought this article was interesting. I just wanted to bring it up. Remember - social media is dangerous. Keep your kids off of it. You know, one of the things about kids is that they are - teenagers are pack animals. 

Dave Bittner: Yeah. 

Joe Carrigan: You know? They are. They find their own little packs and their tribes and whatever, and then they start interacting with each other. And if they're part of this pack that's on social media, I think they're really opening themselves up to a lot of emotional damage here. 

Dave Bittner: Yeah, I just - I don't know. Having had to - you know, you've got kids. I've got kids. I just don't see how you do that. I don't see how... 

Joe Carrigan: Yeah, I don't know. 

Dave Bittner: How do you exclude them from that? It's such a part of the fabric of being a teenager these days. 

Joe Carrigan: It absolutely is. 

Dave Bittner: I don't - I just don't think that's realistic. I don't disagree with you. But I don't know. 

Joe Carrigan: But how do we do it? I don't know. I think... 

Dave Bittner: Probably, it's like - you know, it's like teenagers smoking cigarettes back in the '50s. 

Joe Carrigan: Right. 

Dave Bittner: Right? (Laughter) Like, everybody did it to be cool, and in retrospect, we know how bad it was. 

Joe Carrigan: Right. Well, that's a great analogy because... 

Dave Bittner: Right. 

Joe Carrigan: ...You know, I can imagine me saying to - not my kids. My kids are now in their 20s. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, saying to a kid, would I let you smoke cigarettes? Would that - would I be a bad parent if I let you smoke cigarettes? 

Dave Bittner: Yeah. 

Joe Carrigan: How is this any different? It's - you know, it's addictive. It's designed to be addictive. 

Dave Bittner: Right. Right. But they will feel excluded if they're not allowed to do it. 

Joe Carrigan: But they will absolutely feel excluded. And it's - that's why social media companies go after these - go after this demographic. 

Dave Bittner: Sure. 

Joe Carrigan: It's because it's a vulnerable demographic that's easy to capture. 

Dave Bittner: It'd be interesting to see how this plays out. I'm trying to think of other - if there have been any other consumer product kind of lawsuits that had to do with a product manipulating your behavior 'cause this is different than a product causing injury or... 

Joe Carrigan: Right. 

Dave Bittner: ...Sickness or something like that. But something that merely influences your behavior - I don't know. If any of our listeners can think of something from the past that falls into that category, I'd love to hear it. 

Joe Carrigan: Yeah. Me, too. 

Dave Bittner: All right. Well, we will have links to all of those stories in the show notes. My story this week - a bit of a quick one here. This is from a - I guess you'd call it a newsletter. It's called MidRange. It's written by a gentleman named Ernie Smith. And it's titled "The Fingerprint You Leave." And this is about - it really centers on a recent project that a developer put on GitHub, GitHub user, and it's called Extension Fingerprints. And basically, this user has put up a little web page that allows you to - allows this website to scan your browser, and it reports back what extensions you're using because... 

Joe Carrigan: This is a website that does this or another extension that does it? 

Dave Bittner: It's a website that does it. 

Joe Carrigan: OK. 

Dave Bittner: So you visit this website, and you say, scan me, and it looks - it basically asks your browser to report back, hey, what extensions are you using? 

Joe Carrigan: Right. 

Dave Bittner: And evidently, this is something that browsers are happy to give up, rat you out about (laughter), right? 

Joe Carrigan: Really? 

Dave Bittner: Yes. Yes. So, for example, I scanned myself here, and it went through, and it said 0.08% of users share the same extensions. So that's pretty easy to pick me out of a crowd. 

Joe Carrigan: Yes. 

Dave Bittner: Right? So this is where being an individual is not necessarily a good thing 'cause this is an alternate way for the folks who want to track you online to do so. 

Joe Carrigan: Right. 

Dave Bittner: This article also points out another website called amiunique.org. And this comes at this in a similar way. It says, learn how identifiable you are on the internet. And it's also a research project looking for the diversity of browsers. So you click a button. It says, view my browser fingerprint. 

Joe Carrigan: Let me see if I can do this right now. 

Dave Bittner: Yep. And it says, are you unique? And for me, it said, yes, you are unique among the 597,803 fingerprints in our entire dataset. How about you, Joe? Are you unique? 

Joe Carrigan: Yes, you are unique among the 597,805 fingerprints in our data set. 

Dave Bittner: (Laughter). 

Joe Carrigan: Do I have one more? 

Dave Bittner: Two more than me. 

Joe Carrigan: Two more, OK. 

Dave Bittner: So yeah. So - and it lists out some of the things that it's using to tag you. So in my case, I'm on a Macintosh computer. I'm using a Chromium-based browser that's a certain version. I'm - I have things set to English. The article points out that they can use other things like your browser screen resolution. You know, there's all kinds of data that your browser is willing to, again, rat out on you (laughter). 

Joe Carrigan: Yeah. The biggest differentiator here for me is that I'm using Chromium OS. 

Dave Bittner: Yeah. 

Joe Carrigan: Because I'm on a Chromebook 'cause I love my Chromebook for podcasting. It's perfect. 

Dave Bittner: Yeah. Yeah. So, you know, I'm not sure there's a whole lot we can do about this, protecting your identity. The point of this, I think, is that there are so many different ways that the folks who want to track you can come at tracking you. 

Joe Carrigan: Right. 

Dave Bittner: There's so much stuff that you leave behind, your trail, that it's really hard to be truly anonymous... 

Joe Carrigan: It is. 

Dave Bittner: ...If you're going to be web browsing. 

Joe Carrigan: It is. It absolutely is. The fingerprinting problem is a huge problem. 

Dave Bittner: Yeah. 

Joe Carrigan: And there's not a lot that you can do that can stop this from happening. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: You know, you can disable JavaScript, I guess. You can change the string that you're reporting, you know, 'cause every time you make a request, it sends a browser string along with it. That's where it gets the - I think that's where it gets the operating system and the - I know that's where it gets the browser and the browser version. 

Dave Bittner: Yeah, I guess you could run in a browser that was running on a virtual machine in the cloud or something like that... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Or, like, that would... 

Joe Carrigan: That would help. 

Dave Bittner: ...Separate it from your - you and your location. 

Joe Carrigan: Yeah. 

Dave Bittner: That seems like a lot (laughter). 

Joe Carrigan: It is. It is. And it's expensive. Well, there's a cost associated with it. 

Dave Bittner: Sure. 

Joe Carrigan: You can't do that for free. 

Dave Bittner: All right. Well, again, it's just sort of a quick one, but it caught my eye about this particular way to track us online. So we will have links to that in the show notes as well. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Pablo, who writes, Hello, Joseph and Dave. I think Pablo might be the first person to call me Joseph on the show. 

Dave Bittner: Yeah, he called you Joseph, but he didn't call me David. 

Joe Carrigan: No. 

Dave Bittner: So... 

Joe Carrigan: Joseph. 

Dave Bittner: I don't know what that means. 

Joe Carrigan: I don't know. 

Dave Bittner: (Laughter). 

Joe Carrigan: I've been listening to your excellent podcast since early this year, and I just received this iMessage from a suspicious sender. I just wanted to share this with you guys so maybe you can talk about this kind of scam with your audience. Best regards. 

Joe Carrigan: So, Dave, why don't you read this iMessage that Pablo received? 

Dave Bittner: OK, it goes like this. This is the Novel Coronavirus Insurance Service based on the current outbreak. The premium for COVID-19 insurance is $1,000. If you're diagnosed with COVID-19, you can get a lump sum of 30 grand. In the case of home isolation or hospital isolation, you can get $300 per day for up to 21 days to consult. Here's my WhatsApp address. 

Joe Carrigan: So it's interesting. First off, this does kind of have an air of legitimacy to it because I can imagine insurance companies offering a product like this. 

Dave Bittner: I suppose. 

Joe Carrigan: However, I think that the ratio of payout of $1,000 to $30,000 is what makes me most suspicious about it. Right? You know how many people have contracted COVID? I mean, it's in the millions. 

Dave Bittner: Yeah. 

Joe Carrigan: You - insurance companies... 

Dave Bittner: Most of them... 

Joe Carrigan: Yeah. 

Dave Bittner: ...We're coming upon. Right. 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: Insurance companies would not be able to offer this kind of service. It's way too much of a risk for them. 

Dave Bittner: Yeah. 

Joe Carrigan: But I'm cognizant of that kind of thing. Right? You know, I have - that's my critical thinking coming in - right? - and my general knowledge of - 'cause every time I see a business model, I go, how does that work? 

Dave Bittner: Yeah. 

Joe Carrigan: And insurance companies try to take in as much premium as they can and pay out about that much in benefits. 

Dave Bittner: Right. 

Joe Carrigan: And then they try to manage their money and make the money on what happens with the money they keep... 

Dave Bittner: OK. 

Joe Carrigan: ...While they're keeping it. But they need to keep the prices low to be competitive, and they need to pay benefits from time to time. Of course, they'll try to get out of paying every single benefit they can. 

Dave Bittner: Sure, sure. 

Joe Carrigan: But, you know, a 1 to 30 ratio for getting COVID when half the population has already gotten COVID? 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I would expect a benefit of around $2,000 for getting COVID at that ratio. 

Dave Bittner: Yeah. Yeah. So, I mean, this is playing off of people's fear of COVID. 

Joe Carrigan: Right. Absolutely - staying in the news, like we were talking about last week. 

Dave Bittner: Also, I'd say for us here in the U.S., it's playing off the fact that insurance is expensive and hard to get here. 

Joe Carrigan: Right. It is. 

Dave Bittner: So for just - if I can protect me and my family against the financial hit of a COVID infection for $1,000, I might be able to scrape that up. 

Joe Carrigan: Right. 

Dave Bittner: So, yeah. Yeah, pretty despicable scam. 

Joe Carrigan: Yes, absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: These guys are scum. 

Dave Bittner: All right. Well, thank you, Pablo, for sending that in to us. We do appreciate it. If you have something you'd like us to consider for our Catch of the Day segment, you can email it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Omer Dembinsky. He is a data research manager at Check Point Research, and we are talking about a report that they recently put out. This highlights phishing. Here's my conversation with Omer Dembinsky. 

Omer Dembinsky: So we track multiple aspects in the cyber landscape, some on a grand scale of what is happening globally in terms of different threats that are seen on a monthly basis, on an annual basis, and some more specific around certain incidents, either large-scale cyber attacks - for example, the recent Log4j vulnerability - or around specific events that are happening globally and are usually taken advantage of by cybercriminals to commit fraud and phishing, such as November sales, holidays, et cetera. 

Dave Bittner: Well, this version of the report has some interesting results here. Can you share some of the things that really rose to your attention? 

Omer Dembinsky: The report that we focus on is looking at, what are the brands that are most imitated by cybercriminals? We look at this on a quarterly basis. Of course, the company, our research team and our protections keep track of this all the time. We just summarize it once a quarter to present the findings to the general public and media to help raise attention to these threats. We see many of the different large brands reappear. In the latest report, we could see two interesting aspects. One is a very large increase in LinkedIn-related phishing attempts against different users. And the second is something that we've been seeing for quite a while, which is the wide variety of phishing and fraud related to shipping companies such as DHL, FedEx, Maersk and other companies. 

Dave Bittner: What are you tracking in terms of the evolution of these threats here? Are the actors getting more sophisticated in their techniques? 

Omer Dembinsky: So we can see different types of techniques. One is very common - widespread attacks that have the main goal of reaching as many people as possible, hoping some of them will fall for the fraud and hit the links, fill in the details, possibly fill in credit card information or other payment information, which can then be used by the criminals. Because we have many brands that are sending out actual emails themselves for shipments, for payments, the hackers try to lure people with very similar attacks, changing the name of the sender to be similar to the actual company. Those are widespread. We can see that happening a lot. What we do see is the actual websites getting more sophisticated, looking very similar to the real websites, the phrasing very similar and just trying to use the user's attention or lack of attention to get their details. 

Dave Bittner: Yeah. I noticed in the research - for example, you have a LinkedIn login page, and it's pretty convincing. To a casual user certainly who is, you know, maybe in a hurry in the midst of their business day, there's nothing that would draw attention to it. 

Omer Dembinsky: Yes. And what the criminals can do afterwards is actually take you to the actual website, and then the user doesn't even know that something weird happened. So it just redirects you to the website that you were intending to go to or would expect to go to. Sometimes it's not that. You will just get an error message or stay on the page. But in some cases, the more sophisticated ones will actually seamlessly move you to the actual service that you expected. 

Dave Bittner: Now, another one you highlighted was an actual phishing email that was pretending to be Maersk, the shipping company, and that was trying to infect the victim's computer with some malware. 

Omer Dembinsky: When the criminals send out these emails, you would usually either have a link to a website trying to gain your personal information or a file. That file might have a link inside of it also. Or it could immediately be malware. Usually, it will be the first phase of a malware which is getting ready to download something else onto your computer and then run any infection that the attacker is interested in. It can be ransomware. It can be an info stealer which will wait on your computer and thus gain information to other places, a banking trojan that is more specific to getting banking information, and any other thing that they can put their hands on and get onto your computer, either for the short term to gain something or for the long term, if they're interested in getting access - that will be more inclined toward organizations and corporate networks. 

Dave Bittner: So what are your recommendations here for folks to best protect themselves against this sort of thing? 

Omer Dembinsky: So what I also personally always do and what I always recommend around these things is, if you get an email from a certain service provider or company, the best thing to do, if it's something that you use, is to go to the actual website. Do the login as you would usually do. And usually, a lot of these notifications will be waiting for you on the actual website. Another thing that is very commonly used is that the name of the sender will appear to be the company. But if you look closely at the actual email address, you'll see that it has nothing to do with the real company, and people are just obfuscating the name to fool you. And, of course, always think, am I supposed to get this email? Does it make sense? Did I actually order something? And does this match what I expect to get? 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Dave, bad guys impersonate large brands because it increases their likelihood of success. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm stating the obvious. 

Dave Bittner: Yeah. 

Joe Carrigan: That's what Joe does very well. 

Dave Bittner: (Laughter). 

Joe Carrigan: Some of these attacks have the main goal of reaching as many people as possible. These are the guys that are playing the numbers games, right? 

Dave Bittner: Right. 

Joe Carrigan: I want to send out as many emails - some of those are not going to make it. Some of them are. Some of those people are not going to click, but some of them are. And some of those people are going to catch on that it's a scam, but some of them aren't. And it's - these are the common attacks because they're the most low-effort attacks out there, so there's more people that can do them. Another interesting point from Omer's study here is that the landing websites are getting better, too. I don't know why the landing websites aren't absolutely perfect... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Because in order for you to get the login screen for any of these sites, you need to download all that information... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? - with your web browser. You can do that and then get the code and just change it so that it does something different, but looks exactly the same. 

Dave Bittner: Yeah. 

Joe Carrigan: There's no reason it shouldn't look - I'm probably helping the bad guys here, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: I shouldn't be doing that. 

Dave Bittner: They're lazy. 

Joe Carrigan: They are. They are - interesting that they sometimes redirect you to the real site, so you don't even suspect that your password's just been harvested, right? So imagine you're - you get a phishing email for, I don't know, Facebook. You wouldn't go click on this, but somebody else would... 

Dave Bittner: Sure. 

Joe Carrigan: ...Because your Facebook is off or gone. But you click on it, and it says, log in to Facebook, and you log in to Facebook. But you're already logged into Facebook, right? But this website is just harvesting your credentials and isn't Facebook. So you give them your Facebook credentials, and then they redirect you to Facebook, and it looks just like you just logged into Facebook. 

Dave Bittner: Right. 

Joe Carrigan: That's all it is. 

Dave Bittner: Right. 

Joe Carrigan: What they're doing here is they're gaining a very precious resource. They're gaining time. Because if you suspect that something's happened - right? - like, you click log in and it goes, oh, error - it errors out - you might be like, what's going on here? And then you might start looking around and say, oh, I just gave my Facebook password to somebody else. Now I have to go to Facebook and change my password. But if you don't see that happen, you don't suspect it's happened, and then they can - they have all the time in the world to leverage the fact that they just stole your password.  

Dave Bittner: Right. 

Joe Carrigan: Some of these take you to sites that install malicious software. I like how he's talking about the malicious software. It's - they're essentially what we call droppers, which just let you install whatever you want on the endpoint system. So you can install ransomware. You can install a botnet element - whatever - you know, whatever the... 

Dave Bittner: Yeah, adware... 

Joe Carrigan: ...Client for a botnet is... 

Dave Bittner: Yeah, whatever it is. 

Joe Carrigan: ...Adware, anything. 

Dave Bittner: Yep. Yep. 

Joe Carrigan: It's just a way to put any kind of malware on your computer. 

Dave Bittner: Right. 

Joe Carrigan: I like his advice - if you get the notification, don't click on the link. Go directly to the website. Now, recently, I posted on LinkedIn about our podcast being listed in The New York Times... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which was pretty cool... 

Dave Bittner: Yeah. 

Joe Carrigan: ...By the way. And one of my connections commented on it. 

Dave Bittner: Right. 

Joe Carrigan: And I got an email in my inbox that said, hey, this guy commented on your post. And I was like, oh, I know that guy. And you know what I did, Dave? 

Dave Bittner: Uh-oh. 

Joe Carrigan: I clicked that link. 

Dave Bittner: (Laughter). 

Joe Carrigan: I did it, Dave. 

Dave Bittner: You're fired (laughter). 

Joe Carrigan: Right. Exactly. 

Dave Bittner: We'll be looking for a new co-host... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...At "Hacking Humans." If you would like to apply, you can email us (laughter). 

Joe Carrigan: And - but here's the thing. It was a legitimate LinkedIn link. 

Dave Bittner: Right. 

Joe Carrigan: Right? And it took me to LinkedIn, and it showed me the comment that this connection made. 

Dave Bittner: Yeah. 

Joe Carrigan: But as I'm listening to Omer, I'm thinking to myself, this did make sense, but let me do a little threat modeling here. About a year ago, 93% of LinkedIn users had their personal information breached from that site by someone scraping their site... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? They just - they didn't break into the site. All they did was just start harvesting the information off of it... 

Dave Bittner: Right. 

Joe Carrigan: ...And built a database and then put it up for sale. So a bad guy with that data set could cruise LinkedIn, see a post that you made, craft an email saying that one of your contacts - one of your connections - one of your actual connections commented on your status or whatever it is, and then send you an email to your actual email address, and it could look entirely legit. And this could be done in an automated fashion. You'd have to write it - somebody would have to write a tool for it. 

Dave Bittner: Sure. 

Joe Carrigan: But this can absolutely be done... 

Dave Bittner: Yeah. 

Joe Carrigan: ...With the information that's already available and out there. So you really have to be careful. I mean, I've changed my behavior, but, man, I'm kicking myself for having clicked on a valid link. 

Dave Bittner: (Laughter) Well, it just goes to show it happens to the best of us, right? 

Joe Carrigan: Right. 

Dave Bittner: You had a moment of weakness, Joe (laughter). 

Joe Carrigan: I did, Dave. I did. 

Dave Bittner: As we all do from time to time (laughter). 

Joe Carrigan: You know, it does happen to all of us. And fortunately for me, this was not something that was malicious. It was actually legit. 

Dave Bittner: Yeah. 

Joe Carrigan: But I shouldn't have done that. I should have just gone to LinkedIn and then looked at my alerts - you know, my - what do they call them? - I guess alerts or whatever. 

Dave Bittner: Notifications, whatever. 

Joe Carrigan: Notifications - that's the word I'm looking for. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: My notifications - and seeing how many people have commented on it. 

Dave Bittner: Yeah. All right, well, again, our thanks to Omer Dembinsky. He is from Check Point Research, and we do appreciate him taking the time for us. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.