Hacking Humans 7.28.22
Ep 206 | 7.28.22

A return to office means a return to email scams.


Romain Basset: Even if my email address is imgoingtohackyou666@gmail.com but my display name is, you know, John Smith and John Smith is the CEO of my target, what my target will see is John Smith.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Romain Basset. He's director of customer service at Vade, and he's talking about initial contact spear phishing. All right, Joe, before we jump into our stories this week, I understand we have a little bit of follow-up. 

Joe Carrigan: Dave, I have opened a can of worms I truly regret opening. 

Dave Bittner: Uh-oh. 

Joe Carrigan: And that is the question of, is it Dave and Joe or Joe and Dave? And we've decided it was going to be... 

Dave Bittner: (Laughter) I have my opinion. 

Joe Carrigan: Of course. 

Dave Bittner: (Laughter). 

Joe Carrigan: And last week, we agreed Dave and Joe, but Will wrote in... 

Dave Bittner: Yeah. 

Joe Carrigan: ...On this topic and said it's tic-tac-toe for a reason and not toe-tic-tac. It's the A, then the O. And he gives a couple of other examples of these vowel repetitions, and it's called - it's actually - Will points to this - what he calls a fairly horrible Wikipedia page, and it's called ablaut reduplication - ablaut. 

Dave Bittner: Oh, OK, yeah, ablaut. 

Joe Carrigan: Ablaut - A-B-L-A-U-T - reduplication. Now, I found a great article on it on aceseditors.org. And examples of it are, like, wish-wash, dilly-dally, flimflam. You see it in a lot of marketing, like Kit Kat and TikTok. 

Dave Bittner: Oh, sure, yeah, yeah, yeah. 

Joe Carrigan: It's the same sound, but the vowels change, right? And it sticks with people. But his point is that it's easier to say the O vowel last, right? And you usually see that, like in TikTok. 

Dave Bittner: The folks at Kodak would disagree, but other than that (laughter)... 

Joe Carrigan: Well, Kodak - wasn't Kodak a name? 

Dave Bittner: I think - no, I think Kodak was a... 

Joe Carrigan: No, Eastwick (ph) was a name. 

Dave Bittner: I think Kodak was the name of - it was the sound of the lens clicking, Kodak. Kodak was - I think - well, legend has - I've certainly read a legend that that's where the name came from. But I'm not sure. 

Joe Carrigan: Not sure. That might be apocryphal, as they say. 

Dave Bittner: Could be, yeah. 

Joe Carrigan: So anyway, the issue is now settled. It is Dave and Joe. 

Dave Bittner: (Laughter). 

Joe Carrigan: So thank you, everybody, for writing in. 

Dave Bittner: So now we have scientific evidence. 

Joe Carrigan: Right. 

Dave Bittner: We can sleep well at night (laughter). 

Joe Carrigan: Yes. I was sleeping just fine until I opened this can of worms... 

Dave Bittner: I see (laughter) OK, very good. 

Joe Carrigan: ...And realized what I'd done. 

Dave Bittner: Well, thank you, Will, for writing in and settling that once and for all. All right. Well, let's jump into some stories here, Joe. Why don't you kick things off for us? 

Joe Carrigan: Dave, first, I want to start off with some good news. This comes from Trish Hartman at Channel Six Action News WPVI. 

Dave Bittner: OK. 

Joe Carrigan: And she says that Kate McClure - you remember who Kate McClure is? 

Dave Bittner: Remind me. 

Joe Carrigan: OK. So a couple of years ago, there was the... 

Dave Bittner: Is she related to Troy McClure? 

Joe Carrigan: No. 

Dave Bittner: OK. 

Joe Carrigan: Only if. If only. 

Dave Bittner: (Laughter). 

Joe Carrigan: Hi, I'm Troy McClure. What a great character that was. I really miss Phil Hartman. 

Dave Bittner: The late Phil Hartman, yep. 

Joe Carrigan: Yeah. A couple of years ago, there was this story about these people who allegedly had a homeless veteran, and they were raising money for him. And they started a GoFundMe page and got $400,000 donated, and then they just took the money and spent it. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: And then he wound up suing the - the vet wound up suing them saying, hey, they took all my money. And it turns out it was a big scam. Well, Kate McClure was the woman of the couple in that - involved in that scam. And she just got sentenced to one year and a day in federal prison. 

Dave Bittner: Oh, OK. 

Joe Carrigan: So her counterpart got sentenced to 27 months. So that is now closed. And she will now be a guest of the federal government for the next year and a day. 

Dave Bittner: OK. All right. Justice is done. 

Joe Carrigan: That's right. 

Dave Bittner: OK. 

Joe Carrigan: So I'm happy to see that. 

Dave Bittner: Yeah. 

Joe Carrigan: My story today comes from 10/11 NOW, which is apparently two television stations or radio stations out west, KOLN and KGIN. K-Gin (ph) would be a good call letter, right? 

Dave Bittner: (Laughter) Right. This is K-Gin (inaudible) I love you guys. 

Joe Carrigan: But they're out there in Nebraska. And this is a very unfortunate story about a woman in Lincoln, Neb., who was scammed out of over - well, close to $150,000. 

Dave Bittner: Wow. 

Joe Carrigan: It starts with a phone call back on July 11 where a stranger said there'd been unauthorized purchase of a laptop on her Amazon account. You know, I got one of these calls just recently. 

Dave Bittner: Really? 

Joe Carrigan: Yeah, I did. 

Dave Bittner: An actual phone call. 

Joe Carrigan: An actual phone call, somebody saying there's been an unauthorized purchase of an iPhone on your Amazon account. 

Dave Bittner: (Laughter) Did you immediately say Amazon has no human beings in customer service? 


Joe Carrigan: Amazon certainly doesn't want to talk to you. 

Dave Bittner: Right. 

Joe Carrigan: They do everything they can to avoid it. But actually when you need to talk to them, you can - if you can navigate that - I will admit that that system is difficult to navigate, but once you learn how to do it, they can be pretty responsive. 

Dave Bittner: Oh, OK. 

Joe Carrigan: But they don't just call you out of the blue... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Like these guys did to me. And they said, this is Amazon customer service. And I said, if you'd like to dispute the charge, hit one, and immediately I hit one. And this guy comes on the phone, and he goes, this is Amazon customer support. And I'm like, no, it isn't. He goes, yes, it is. I'm like, let me know - what's the scam here? What's the end game? Do you try to get some kind of malware installed on my phone or something? And then the guy just issued a string of profanities, and I go, it doesn't really sound like you're Amazon. 

Dave Bittner: No (laughter), either that or their training has slipped quite a bit. 

Joe Carrigan: Right, exactly. It wasn't Amazon. I didn't do my old lady voice because my voice was actually not in shape. If our listeners caught last episode, I wasn't feeling at the top of my game. That's when this happened. 

Dave Bittner: OK. 

Joe Carrigan: So but if they call me back again, they will get to talk to Mabel Johnson (ph). 

Dave Bittner: All right. 

Joe Carrigan: But this woman, who is not Mabel Johnson, is a 68-year-old woman, and she received a call from a stranger saying there had been an unauthorized purchase of this laptop on her Amazon account. She was then directed to follow messaging prompts and was transferred to someone else, who identified himself as a DEA agent... 

Dave Bittner: Oh. 

Joe Carrigan: ...A drug enforcement agency here in the U.S. She was told by this person that several credit cards and bank accounts had been opened up in her name across several states. She was then told to withdraw as much money as she could from her bank, which would be placed into a different account to verify that it wasn't laundered. And according to police, she deposited $25,000 in this other account, which was, of course, in the bad guy's control. Right? 

Dave Bittner: Right. 

Joe Carrigan: So that money was essentially transferred out of that bank. 

Dave Bittner: Wow. 

Joe Carrigan: Lincoln Police Department said that the next day she was contacted by a DEA agent, the same DEA agent again, who told her that she needed to withdraw more money, and then she put another $5,000 out. She was directed to place the money in bags outside of her home, and an agent would be by to pick them up and then allegedly provide her with a cashier's check, right? But that didn't happen. The money was just picked up and - you know, leave the money outside the door. We'll come pick it up. The next day she gets contacted again and is instructed to purchase $120,000 in gold - physical gold... 

Dave Bittner: Wow. 

Joe Carrigan: ...And is instructed two days later to put that outside of her door, and an agent would come by and pick it up. 

Dave Bittner: I don't - where does one go to buy gold? 

Joe Carrigan: I don't know. 

Dave Bittner: I don't know either. 

Joe Carrigan: That's an excellent question. 

Dave Bittner: I guess if you're a gold buyer, you know. You just go down to, you know, Gold R Us. 

Joe Carrigan: Right. 

Dave Bittner: And you buy a brick of gold. But it's just not something I've ever - I mean, I suppose anywhere you - you know, anyone who deals in precious coins and gems and things like that - I suspect you can just buy a block of gold, but I have to admit, I've never really thought about it. 

Joe Carrigan: I know you can buy little ounces of gold. 

Dave Bittner: Yeah. 

Joe Carrigan: But I don't know where you go to buy those. 

Dave Bittner: Yeah. 

Joe Carrigan: I've seen them. You know, you get the little... 

Dave Bittner: Yeah. 

Joe Carrigan: You know, it's like - it's a stamped - has a stamp on it and everything. 

Dave Bittner: Yeah, yeah, yeah. 

Joe Carrigan: I've never bought them because I don't know how to tell if it's gold without, you know, pulling the old Archimedes thing out. 

Dave Bittner: But I bet the scammers told her where she could just... 

Joe Carrigan: Right. 

Dave Bittner: ...Where she could go to buy it - just gold. 

Joe Carrigan: You know what? You're probably 100% correct. They also told her, leave that outside your door. Someone will be by to pick it up, and someone came by and picked it up. 

Dave Bittner: Wow. 

Joe Carrigan: Then that's when she got suspicious and called police. Unfortunately, she's now out $150,000. But Dave, this is not an international scam. This is a local scam. Somebody nearby has that gold... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And has that cash. The cash has probably been moved already, but the gold - that's going to be a little bit harder to sell or - maybe. I don't know. A hundred - what does 150 - $120,000 in gold look like? It's not a lot of gold. Right? 

Dave Bittner: I don't know. 

Joe Carrigan: What's the price of gold right now? 

Dave Bittner: No idea. 

Joe Carrigan: Let's - why don't we do this? I'll Google that. So doing a little bit of quick math, that $120,000 in gold is about 70 troy ounces 'cause gold is sold in troy ounces, as opposed to a regular ounce. 

Dave Bittner: OK. 

Joe Carrigan: I don't know if they're actually different, but that's how it's measured. 

Dave Bittner: Yeah. 

Joe Carrigan: But that would be - according to Google, that is about 4.8 pounds of gold. 

Dave Bittner: OK. 

Joe Carrigan: So 5 pounds - not a lot of gold walking around. So maybe that gold is gone. 

Dave Bittner: You put it in your pocket. 

Joe Carrigan: Yeah, you can. 

Dave Bittner: Yeah. 

Joe Carrigan: Right. 

Dave Bittner: Wow. 

Joe Carrigan: It's how you get $120,000 to fit in your pocket easily. I don't know how to tell people to defend themselves other than be cautious of the initial call that comes from Amazon that isn't from Amazon. Reach out to your elderly family members, and tell them this is not how this works. Nobody verifies that money is laundered or not laundered by putting it into another account. That's not how money laundering works. Now, see, that - but that - to me that makes sense, right? But I sit here and think I literally spend probably at least an hour a week thinking about money laundering... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You know, but it - because it fascinates me and how people can do that and get away with it. 

Dave Bittner: Yeah. 

Joe Carrigan: So. 

Dave Bittner: One thing I think of here is, like, you know, as my folks were getting up there, one thing we did, you know, since we're in an era of bank apps... 

Joe Carrigan: Right. 

Dave Bittner: ...I was able to get on my parents' bank accounts and set up the apps so if anything over a certain transaction amount occurs, I get an alert. 

Joe Carrigan: Yeah. 

Dave Bittner: So in this case, you know, this woman was transferring thousands of dollars. I would have been notified... 

Joe Carrigan: Right. 

Dave Bittner: ...About that. So even if it's... 

Joe Carrigan: Yes, as soon you pull - as soon as she got the $25,000 out. 

Dave Bittner: Yeah. So if it's a - even, you know, in my case, it's a child. But it could be a trusted friend. It could be... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, a financial advisor, a lawyer, you know, just somebody who's not you to be able to have your back... 

Joe Carrigan: Right. 

Dave Bittner: ...When something like this happens, as we say over and over again, to just kind of slow things down a little bit. 

Joe Carrigan: Absolutely. 

Dave Bittner: So that's something I would recommend. 

Joe Carrigan: I would agree with that. That's a good recommendation. 

Dave Bittner: Yeah. All right, well, we will have a link to that story in the show notes. My story this week comes from The Washington Post. This is a story written by Heather Kelly - a little different for us this week. It's titled "The Nonstop Scam Economy is Costing Us More Than Just Money." Relentless waves of sophisticated phone and online scams are affecting people's mental health. So we're talking about kind of the human element of this. The story starts off with a woman named Pamela who, because she is under treatment for cancer, is not able to ignore her phone ringing... 

Joe Carrigan: Right. 

Dave Bittner: ...Because she doesn't know. It could be a doctor. 

Joe Carrigan: Absolutely. 

Dave Bittner: It could be a hospital. Just - so she has to answer the phone. 

Joe Carrigan: Yeah. Cancer treatment is a daily ordeal. 

Dave Bittner: Yeah. 

Joe Carrigan: You have to be there every day for something, particularly if you're going through radiation. Chemotherapy not so much, but radiation - you got to be there every day at a specific time. 

Dave Bittner: Yeah. 

Joe Carrigan: And if something's going to change, you need to answer your phone. 

Dave Bittner: So she's getting about 20 spam phone calls a day on her mobile phone. And, of course... 

Joe Carrigan: She has to answer every single one of them. 

Dave Bittner: Right. And to add insult to injury, the calls seem to be specific. She says she's gotten calls about funeral insurance, so... 

Joe Carrigan: Really? 

Dave Bittner: Yeah. So it could be random, but it could also be that, you know... 

Joe Carrigan: She's on some list somewhere. 

Dave Bittner: ...She's on a list. 

Joe Carrigan: Right. 

Dave Bittner: So this is someone who has a medical issue or... 

Joe Carrigan: Right. 

Dave Bittner: ...Someone - yeah, so - which is just ghoulish. 

Joe Carrigan: I agree. It's sick. 

Dave Bittner: Yeah. Yeah. So the story goes on, talks about how the Federal Trade Commission says that consumers reported about $5.8 billion in fraud to them, which was a 70% increase over the previous year. 

Joe Carrigan: Wow. 

Dave Bittner: They checked in with the folks who make the RoboKiller app, which is a call that screens phone calls on your - or an app that screens phone calls. 

Joe Carrigan: Yep. 

Dave Bittner: Unofficial endorsement. I actually use that app, and it works. It works for me - cuts down on a lot of scam calls that I get. 

Joe Carrigan: That's pretty good. 

Dave Bittner: But the RoboKiller folks say that the average smartphone owner will get an estimated 42 spam texts and 28 spam calls per month. So back in 2019, the large phone carriers - they all agreed to start using this technology called STIR/SHAKEN, which I'm sure is an acronym for something. 

Joe Carrigan: Yes, from the department of acronyms. 

Dave Bittner: Yes. 

Joe Carrigan: Yeah. 

Dave Bittner: But - and that is supposed to cut down on robocalls and spoofed numbers. 

Joe Carrigan: Right. 

Dave Bittner: But the smaller carriers... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Haven't had to abide by it. 

Joe Carrigan: The big carriers are not really the problem here. 

Dave Bittner: Well, so the bad actors just switch to the small carriers. 

Joe Carrigan: Right. And we've had stories on here in the past about not just small carriers but phone - I don't know if they're carriers, but they're like voiceover IP providers. 

Dave Bittner: Yeah. 

Joe Carrigan: They have a name. I can't remember what the name is. But it's - they let anybody have a local number anywhere. 

Dave Bittner: Right. 

Joe Carrigan: And that's where these guys come from. 

Dave Bittner: Yeah. So the smaller carriers are supposed to be on board with STIR/SHAKEN throughout this year. So hopefully, you know, that will provide some relief. This article points out that the Federal Trade Commission has proposed some rules to address robotexts, but it's still making its way through the system. 

Joe Carrigan: Yeah. Government regulation is slow to react, and the bad guys are quick to react. It's going to be a constant problem with that. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I can't help but think that there's some kind of technological solution here. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, that - phones are like email in that they're both awful, right? If anybody has your email address or your phone number, they can touch your inbox or your phone, right? They can - maybe - you know, maybe you have all kinds of filters that stop that from happening. But without those filters, they just have access to you. 

Dave Bittner: Yeah. 

Joe Carrigan: And that - I don't know. There's got to be a way, like, where we can do some kind of - you know, everybody has to have a public key and a private key, and I have to have your public key in my phone before I can get a phone call from you. 

Dave Bittner: Well, there's - I mean, so, for example, on my phone - and as you and I have talked about, I'm on planet iPhone. 

Joe Carrigan: Right. 

Dave Bittner: So on my iPhone, a couple of things that I've done - I only take calls from people who are in my address book. 

Joe Carrigan: Right. Yep. 

Dave Bittner: So in order for my phone to ring or to alert me, you have to already be in my address book. So that's step one. 

Joe Carrigan: That's good stuff. 

Dave Bittner: And that helps a lot. And then step two is, like I said, I have this RoboKiller app installed. And the way that works is when a call comes in, it checks the number against its own database. 

Joe Carrigan: Right. 

Dave Bittner: And so all the users of RoboKiller - they kind of crowdsource it... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Who can report and say, hey; this was a scam number. And so it quickly gets in their database. And I don't even see that. 

Joe Carrigan: Yeah. 

Dave Bittner: It doesn't even come through. 

Joe Carrigan: Actually, Android has that feature built into it. 

Dave Bittner: Is that right? 

Joe Carrigan: Yeah. So I get a lot of scam likely calls, and I get a lot of scam calls that don't even ring my phone. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah, I see a little thing come up that says, hey, someone's calling. We're checking it. And then it just - call ended is what I get. 

Dave Bittner: Right. So I can't remember the last time I actually answered my - well, I can't remember the last time I answered my phone. 

Joe Carrigan: (Laughter). 

Dave Bittner: But I can't remember the last time I... 

Joe Carrigan: Phone? Who uses that? 

Dave Bittner: (Laughter) Yeah. I can't remember the last time I answered my phone and actually spoke to a scammer or a call - or a car warranty person or, you know, anything like that. The flipside to that is there are calls that I've received that go right to my voicemail, and it is probably someone I would have wanted to talk to. But, you know, the voicemail comes through. I see who it is. I call them back. 

Joe Carrigan: Right. 

Dave Bittner: So I don't consider that to be a huge burden. 

Joe Carrigan: And then if you want to talk to them again, you put them in your address book... 

Dave Bittner: Exactly. 

Joe Carrigan: ...Or contacts. 

Dave Bittner: And then they move to the head of the line. 

Joe Carrigan: Right. 

Dave Bittner: So I think we are - we have some tools at our disposal. Certainly, the technology providers know this is a problem. So the different platform providers are doing their best to try to help us with this. And then... 

Joe Carrigan: Right. 

Dave Bittner: ...I guess you can take it to the next level with a third-party app or something like that. But I think that you and I are in agreement that we're left scratching our heads as to why the powers that be in the regulatory area have been so slow in making a serious dent in this. 

Joe Carrigan: Well, I'm not scratching my head as to that, because... 

Dave Bittner: (Laughter) Because you're much more cynical than me. 

Joe Carrigan: Yeah, I'm much more cynical and... 

Dave Bittner: Right. 

Joe Carrigan: ...I believe that government is, by its nature, inefficient and... 

Dave Bittner: (Laughter) OK. Fair enough. 

Joe Carrigan: ...And that's OK. I mean, that's fine. 

Dave Bittner: Right. 

Joe Carrigan: You know, there are things that government's good at, and there are things that are - government is not good at. 

Dave Bittner: Yeah. 

Joe Carrigan: And this is one of the things they're just not good - and they're never going to be good at it because as soon as they make a new regulation, the bad guys are going to be like, well, we'll just get around that regulation. I mean, look at the payday loan business. 

Dave Bittner: Right. 

Joe Carrigan: Governments - state governments all around the country have been trying to regulate those guys out of business. And every time they change the regulation, these guys just adapt. 

Dave Bittner: Yeah. 

Joe Carrigan: And they come up with a - with the same issue - the same product again that just meets the new regulatory requirement. It's a very common - I don't know. It's a common problem. 

Dave Bittner: Yeah. 

Joe Carrigan: I think there has to be a technical solution to this problem. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't think a regulatory solution is ever going to catch up to what - I'm pessimistic about the ability of a regulatory solution to catch up... 

Dave Bittner: Sure. 

Joe Carrigan: ...Unless the government does something it's actually very good at and starts punishing people, right? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Starts putting people in prison for calling them, starts getting people extradited to the United States where they can face time in prison... 

Dave Bittner: Yeah. 

Joe Carrigan: ...in the United States prison for - and they can't - you know, can't get out of it. That's - that would put a stop to it. But I don't know that I want to do that to people, you know? 

Dave Bittner: Yeah. 

Joe Carrigan: It's... 

Dave Bittner: It's complicated, Joe (laughter). 

Joe Carrigan: It's not - it - this is - like almost every issue out there, Dave, this is a complicated and nuanced issue. 

Dave Bittner: OK. Well, I will have a link to this story in the show notes. Again, this is from The Washington Post, written by Heather Kelly. I will have a link to all of our stories in the show notes. We would love to hear from you. If you have something you'd like us to consider for the show, you can send it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it's time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Alex, who writes, David and Joe - also known as Joseph and Dave. Dave, look. Right here on the table, there's another one of those worms. I didn't get them away. 

Dave Bittner: (Laughter). 

Joe Carrigan: That can of worms. 

Dave Bittner: I see. They're wriggling all over. 

Joe Carrigan: Yes. That was a callback to the earlier part. Anyway, he says, I got this email at my - that my Apple ID was locked this morning. While I do have Apple devices, my ID is not associated with the emails the scammer sent this to. However, it appears very real at first. Noticeably, the poor English - rather incomplete sentences. The text is smaller than the Verify button, and I could see someone not reading and just clicking the Verify button. And the sender is not Apple ID. The email behind it is simply just gibberish, right? They just created some Gmail account. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm not sure if that matters to someone who's panicking, however. 

Dave Bittner: Right. 

Joe Carrigan: It does not, Alex. You're 100% correct. That's the goal of this thing. It is just to show you, hey, your Apple ID is locked. Click here to verify, and then they steal your username and password. But go ahead, Dave. Why don't you read this email here that Alex received. 

Dave Bittner: Sure. It says, your Apple ID has been locked on Saturday, July 2, 2022, for security reasons because of too many failed login attempts. You cannot access your account on any Apple services. Verification is required before 24 hours to get re-access your account. The purpose of this email is to ensure that we update you and important actions are taken. The security of your account is important to us. If you don't recognize this activity... 

Joe Carrigan: What? 

Dave Bittner: That's it. 

Joe Carrigan: If I don't recognize this activity, what? 

Dave Bittner: (Laughter) Tell me. What's going to happen, Joe? 

Joe Carrigan: I better click that button. That might actually be part of the tactic here, right? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: It might actually be part of the - you know, your mind starts filling in the blanks here. 

Dave Bittner: Could be. 

Joe Carrigan: Alex was kind enough to send along the email that - the email address that came with it. He had to go to a different page of the email interface to look at this... 

Dave Bittner: Right. 

Joe Carrigan: ...Because he's looking at this on a cellphone... 

Dave Bittner: Yeah. 

Joe Carrigan: ...A mobile device... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is, you know, indicative of the problem. 

Dave Bittner: Yeah. 

Joe Carrigan: But thank you, Alex, for sending this in. This is great. I hope nobody clicks on the link, and I hope that everybody uses multi-factor authentication with a hardware token to secure their Apple accounts. 

Dave Bittner: Oh, you know what? That reminds me, about a week ago, I started getting notifications from Apple... 

Joe Carrigan: Yeah? 

Dave Bittner: ...That somebody was trying to reset my Apple ID password. 

Joe Carrigan: Really? 

Dave Bittner: But I have multifactor activated, so... 

Joe Carrigan: They weren't successful. 

Dave Bittner: They were not successful. But I kept getting the reset notice. You know, here's your multifactor ID - you know, that sort of thing. So I just ignored it, and they moved on. But, you know... 

Joe Carrigan: One of our listeners probably doing that, Dave. 

Dave Bittner: Interesting - I know. I know. Interesting that someone was trying, but I'm glad I had multifactor. So there you go. 

Joe Carrigan: Yup. 

Dave Bittner: All right. Well, that is our Catch of the Day. Again, we appreciate you writing in and sharing that with us. And we would love to hear from you. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Romain Basset. He is director of customer service at Vade. And we are talking about spear phishing, specifically initial contact spear phishing. Here's my conversation with Romain Basset. 

Romain Basset: So spear phishing - initially, what it meant was a narrow attack, hence the name - right? - because you have phishing, which is sending an email, malicious email to a lot of different people to try to trick them, and spear phishing, which is targeting one or fewer people. I would think that the name - the definition, rather - has evolved. And now what most of the people mean by spear phishing is really user impersonation. And this is really what it is about - so someone pretending to be your CEO, your CFO, someone from suppliers, someone from a customer who you know, a coworker; and that is spear phishing right now. 

Romain Basset: Initial contact spear phishing is a subcategory, and it's a trend that we've seen in the past, I would say, two to three years - emerging and not really being very much visible. And initial contact means that when one receives a spear phishing attempt, it's not directly asking for a wire transfer or confidential information. It is rather - sorry - establishing your relationship. Hey, I'm stuck in meeting all days. Would you be able to help me? I can only take emails, not calls. That's kind of initial contact. So you don't have the request immediately from the hacker, from the scammer. But you get someone who's probably trying to establish a relationship with their target. That's what it means. 

Dave Bittner: Now, there's a technical aspect to this as well, right? I mean, when - if I reply to an email that's come to me, that kicks some things into action behind the scenes, yes? 

Romain Basset: I'm sorry. What do you mean? 

Dave Bittner: Well, in terms of my email system perhaps thinking... 

Romain Basset: Yeah. 

Dave Bittner: ...That now this sender is legit. 

Romain Basset: Oh, yeah, yeah. Absolutely. Yeah. Let's get back to that. Yes, absolutely. Some systems will think that because the target, the recipient has replied, then it has to be a legitimate sender. So for the hackers, you know, two birds, one stone - because in the one way, he or she is establishing their relationship, and also, he or she gets, you know, the stamp of approval from whatever email security system might be in place. All right. The recipient replied. It might be someone they know. It's good. 

Dave Bittner: Can you walk us through what a typical one of these engagements might look like? I'm here looking at my email, going through, checking my email, and something comes in. What would it look like? 

Romain Basset: Yeah. It's generally - first, it's generally coming from allegedly an executive from the organization you're working with - so the CEO, CFO, top manager. And that's one common, you know, property of those attacks. And second, it's, like, a two-sentence email, which also is important for a lot of reasons. But it's like, hey - you know, hey, John. This is Amy. I'm stuck in meeting all days. Or, hey, I'm really busy. We need your help. Are you available? So it's one or two sentences. One is saying, you know, they can't take calls. They're busy. And the other one - or the other part of the one sentence is asking for it. But it's really, really short, which is interesting also from a technical perspective because any security solution - they won't have to analyze links, attachments, a lengthy text or many emails because there will be just one. So it's harder for any security solution of any kind to say, all right. That's a spear phishing attempt. 

Dave Bittner: So I'm busy at work, and this comes in. And, of course, I want to be helpful. I want to help, you know, the powers that be at my company. So I reply, and I say, sure. How can I help? What happens next? 

Romain Basset: Yeah. That's generally when the target gets the actual request, which, you know, also has evolved over time. Back in the days, it was all about wire transfer. So, you know, assume that you were my target. You reply to me. My follow-up email to you could have been three, four, five years ago. Hey, you know, we have this confidential deal. No one knows about it. Please, you know, get this amount of money wired to this account. And here's the routing number. Here's the account number. I trust you not to mention that to anybody. It's a highly confidential, you know, deal or merger or acquisition. That's what - you know, what could see a few years back. 

Romain Basset: And now it's generally around gift cards. Hey, I want to reward our sales team. Or I want to, you know, reward Sam from accounting - outstanding work. Can you please purchase, you know, three, five, ten Amazon gift cards, Apple gift cards and send over to me the codes behind them? Thank you. That's the typical - and then you get much more advanced scam. If it's something that has been, you know, thought of and built, and companies have been targeted, then they can ask for a very specific - not necessarily, you know, financial gains, but confidential information. How about that document, you know, the RFP or the contract with, you know, customer ABC or, you know, the patent proposal that we have? Could you please forward that to me? I'm with our lawyer, and he or she needs to review it - that kind of thing. 

Dave Bittner: Well, where do we stand in terms of the prevalence of this sort of thing? Is it growing? 

Romain Basset: Yeah. That - it's really interesting. It's growing in two ways. And, you know, you could even - let's actually take a step back. It's really interesting as a question because five years ago, when one would think about phishing - so let's call phishing what, you know, we would consider brand impersonation - so Netflix, BOA, PayPal. Five years ago, the entire organization would receive a phishing email. And, you know, only a handful of employees would receive spear phishing attempts. And it's like there's some sort of - not necessarily, you know, shift, but trains going in the opposite direction, when right now - phishing attempts - only a handful of employees will receive that, you know, M365 your-account-has-been-locked phishing attempt; whereas we're seeing more and more employees receiving the same spear phishing attempts. So not only we're seeing more attempts, but also, we're seeing more people being targeted by the same attempts - quite the opposite of what we would see with phishing, for instance. 

Dave Bittner: So in terms of how the bad guys are able to put these sorts of things in place - I mean, we hear a lot about, you know, things being offered as a service, right? Can they go in and purchase a turnkey way to send these out into the world? 

Romain Basset: To be honest, I've yet to see, like, a spear phishing, you know, SaaS-based service. It is for sure that, you know, one can use SaaS, you know, for ransomware, DDoS, to purchase phishing kits as well. That is entirely, you know, doable today. Spear phishing - I don't think I've seen it - or we've seen it - already at Vade. But on the other side, it's rather, you know, easy to do because, if you think about it, you can use a Gmail address, right? And anybody can, you know, simply register a Gmail address. You absolutely don't care about that email address because what appears on our cellphone or in Outlook is what we call the display name. It's not a full email address. So effectively, even if my email address is, Imgoingtohackyou666@gmail.com but my display name is, you know, John Smith, and John Smith is the CEO of my target, what my target will see is John Smith. If they look into, you know, the small details, eventually, they might see it's coming from a bogus Gmail address. But they won't do that because we're seeing so many emails. And it's an important message. We're going to focus on the content, not on the address. 

Dave Bittner: Well, let's talk about some of the ways that people can protect themselves against this. I mean, are there - I suspect this is probably a multitier thing. Are there technical solutions? Is training a part of this? 

Romain Basset: Yes. Yes, yes. Absolutely. What's actually interesting is that you can see that, you know, companies have already done stuff to protect against spear phishing. Why am I saying that? Well, because the wire transfer spear phishing attempt is much less likely to be seen today than it was, you know, three, four, five years ago. Why? - because, essentially, live security. But you've seen finance departments now. They have processes. When they receive such a request over email, in the process, they have to follow up with a call, not to the number in the email necessarily, but to the number they know from the supplier, from the CEO, from, you know, whoever that may be. And so we've seen that, oh, those are going down. So why? Because within companies, organizations, there have been more processes put in place, you know, in the accounting and finance department against those. 

Romain Basset: So one could say it's training. But it's not necessarily cybersecurity training. It could be, like, you know, accounting or finance processes. But back to your point - yes, it's multitiered. So it's going to be user awareness training. And it's true that, you know, there are not necessarily too many options right now if you're on the lookout for spear phishing training. More and more are becoming available, which is a good thing, right? But it's today, so it's mostly around phishing awareness training, not spear phishing. But it's getting there. It's getting there. So that's one. 

Romain Basset: And two, it's going to be, you know, whatever cybersecurity tools you may have. And definitely, because of the nature of the threat, AI is important. And why am I saying that? We're talking about one or two emails, no links, no attachments, two sentences, you know? And you need some sort of intelligence, some sort of thinking to be able to understand, oh, hold on, it's not coming from John Smith the CEO. It's coming from an outside email address. And it's not the personal email address of John Smith the CEO, who's sending it over from Gmail because, you know, he's calling out sick. It's someone pretending to be John Smith the CEO. Sending from a Gmail - it's not about him or her being sick. It's about, you know, something that is important, something that is urgent. And it's not necessarily the same signature that John Smith would use - you know, the small signs that eventually lead to, oh, OK, there are too many of those, you know, low-hanging - you know, low signals that the AI is going to pick it up. 

Dave Bittner: Is it fair to say that anything involving gift cards should be a big, waving red flag to anybody in an organization? 

Romain Basset: Yeah, that's a good point. Indeed - or at least, you know, follow up with a call or, you know, email the email that you know. But definitely - and, you know, if you - not to go on a tangent, but there's other variations to that. So we talked about the wire transfer, the gift cards, and there's another trend which is banking information updates. So the spearphisher will impersonate an employee - and not necessarily the CEO or CFO in that case - any employee - and email the HR team or the accounting department right before payroll and say, hey, you know, I just switched banks. I've closed my former bank account. It's no longer available. Here's my new, you know, routing number, account number. Please wire my next, you know, salary to this account. Thank you. And it's really tough because no gift card, no wire transfer. And, you know, so that's another trend. And that's where you see also that hackers - they're more and more creative. They always find a new trick, right? 

Dave Bittner: Yeah, absolutely. So what are the take-homes for you? What do you want people to take away from this information that you put out there? 

Romain Basset: Yeah. I mean, in general, always lean on the cautious side of things and, you know, better think than rush, so that's one. Do not reply immediately. Do not take action immediately, especially in, you know, today's world where everyone is working from home. Like, you can ask your colleague who is right there, hey, can you look at that email? It seems strange. You're by yourself, you know, in your kitchen, so take some time. That's one. Two, put in place processes. And we've seen millions of examples where actual processes in the accounting, you know, team or finance team saved from a disaster because those guys, they had been in place, you know, full web codes or specific criteria for, you know, emails requesting wire transfer, requesting banking information updates, and, you know, spearphishers were not aware of those, and their requests, you know, would fall short thanks to the processes in those departments. So it's not necessarily close (ph) to cybersecurity, right? But it leads to a better cybersecurity. And then train. Train your employees. You know, train the people you work with. And I guess, you know, put in place solutions, of course. And the last one would be, you know, be on the lookout because what I'm telling you today, you know, maybe in a year will be completely irrelevant because those guys will have come up with more advanced and more creative ways to get to your employees and to get them to reply. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: I want to open up by saying that jargon is great because it allows for the quick communication of complex ideas, but it can also be a barrier to understanding as well. So let's refresh some terms for our newer listeners who may not be familiar 'cause we do run a show here that is not really very technical. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So some listeners may not have a technical background. 

Dave Bittner: Right. 

Joe Carrigan: Phishing, as Romain said, was just a broad casting of nets out. You can think of it like fishing with a net. You're just throwing one email out to hundreds, thousands, millions of people. 

Dave Bittner: Yeah. 

Joe Carrigan: And then there's a derivative of that called smishing, which is doing the same thing but with a text message. 

Dave Bittner: Right. 

Joe Carrigan: And the smishing comes from the SMS. I'm not a big fan of that. I still think it's kind of the same thing, phishing. And then there is spearphishing, which is where you're targeting the individual user, and you're crafting a message just for one person. And it's a great analogy because you are actually thinking about it differently, right? Rather than throwing your net out and seeing what you get, you're going after one thing in particular. Sometimes you'll hear this referred to as whaling as well, and the distinction there is that when you're whaling, you're actually looking for a bigger fish, even though whales are technically mammals, not actually fish. 

Dave Bittner: OK, fair enough. 

Joe Carrigan: So there's the background. 

Dave Bittner: Yeah. 

Joe Carrigan: The - I like one of the things he says - starts off is impersonation is a tactic that's frequently used in these spearphishing attacks. It's also frequently used in broad phishing attacks. It's the initial contact that's used to - in an attempt to build this rapport. And it usually comes from some bigwig, and it's short, right? Hey, are you available right now? This is the method that got me in the story that I hate telling. But because we have so many courageous people, so many stories on this show about courageous people that come forward and tell their stories, I can't sit here and go, no, no, this never happens to me. I have to continually tell this story from now until the day I die... 

Dave Bittner: Yeah. 

Joe Carrigan: ...About at the time I got an email that looked like it came from my boss, Dr. Dahbura (ph), at JHU, and it just said, are you available? I instantly grabbed my notebook. I replied to it and said, yep, on my way, and went down to his office, where his office was dark, and he wasn't there. And our admin - our chief of admin comes out, and she looks at me and goes, I think that was a scam email. I was like, ugh. 

Dave Bittner: (Laughter). 

Joe Carrigan: They got me. 

Dave Bittner: Right. 

Joe Carrigan: They got me, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: I like to think that had that gone on, I would have realized it was a scam because it was probably - we were getting hit with a lot of gift card scams at that point in time. So I probably would have gone, oh, this is a scam. I hope that's what would have happened. 

Dave Bittner: Yeah. 

Joe Carrigan: But I don't really know... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right, because I didn't go through with it any further. 

Dave Bittner: Right. 

Joe Carrigan: And once it was reported, our email team blocked the email, and they couldn't send messages anymore. Romain talks about the confidential deal. This is a technique that is common in a lot of social engineering attacks called isolation. What they're trying to do is get you to not tell anybody about it. One of the best defenses against this kind of attack is policy - good policy and training on that policy. 

Dave Bittner: Yeah. 

Joe Carrigan: Your technology is not going to do a lot of good once somebody is in direct communication with your employees. Your employees had better know what the policy is and be trained in acting on it and know, we don't do confidential deals. Or if you do confidential deals, you still have to talk to somebody else about it, right? There's no such thing as a confidential deal that only the CEO and you know about. 

Dave Bittner: Right. 

Joe Carrigan: Right? That's never going to happen. I'm glad to see - or hear - Romain say that there have been some policy updates that have stopped this kind of attack from happening because companies have lost huge amounts of money from this - business email compromise. If someone gets into an email account that is owned by somebody - a bigwig at the company - which is one of the biggest targets of these kinds of attacks - and they start sending emails from that person's actual email account, those losses can be in the millions. I mean, they could be huge. So companies are adapting to that, and they are - they're putting policies in place that prevent that. And Romain says that they're going down. 

Dave Bittner: Yeah. 

Joe Carrigan: I would like to see that in the crime statistics. You know, I would like to see the next crime report. I hope that he's right there. 

Dave Bittner: Yeah. 

Joe Carrigan: Once again, in the interview here, we hear about the same thing we heard about in the Catch of the Day. I love it when these things kind of serendipitously weave together, right? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I was talking about mobile devices and the limited real estate. You don't see the name - the email address of the email you get on your phone, just like Alex's email. It said it came from Apple ID, but he had to click through it to show you the gibberish email that was coming from some, you know, third-party mail provider, some web-based mail provider. If you don't click through and look at that, if you don't take that active step to do that, you'll never see the email. 

Dave Bittner: Right. 

Joe Carrigan: You'll never see the email address because the real estate on the phone is so limited as compared to our computer monitors. How big is that monitor you're looking at, Dave? It's enormous. 

Dave Bittner: Oh, it's - yeah, it's probably, oh, I don't know, 80, 90 inches, something like that. 

Joe Carrigan: Yeah. It's glorious. 

Dave Bittner: It's big, yeah. Yeah. 

Joe Carrigan: It's round, too. 

Dave Bittner: (Laughter) It wraps around. Yeah, I got - I guess there was a local IMAX screen that was shutting down. So I went, I got a good deal... 

Joe Carrigan: Ah, yes. 

Dave Bittner: ...And installed it here in the office. 

Joe Carrigan: But it is very hot in this room, though. 

Dave Bittner: It is. Well, you know, what are you going to do? 4K projection generates some heat. 

Joe Carrigan: Yes, it does. 

Dave Bittner: But I like it. I like it. 

Joe Carrigan: Romain's final point is very important. These bad guys are going to adapt. He says that everything I'm telling you now is probably not going to be valid in a year. I don't know that that's 100% true. A lot of the general underlying principles are going to be the same. But he's 100% correct. The tactics are going to change. They're not going to be the same next year. 

Dave Bittner: Yeah. 

Joe Carrigan: It's going to be some other lure, some other hook. It's going to be something different. And what it is, I'm not exactly sure. But, you know, it's going to be along the same lines of, hey, I'm the boss; you got to help me out. 

Dave Bittner: Yeah. And I guess the hope is that as we chip away at their opportunities that - will there come a time when they decide to move on to something else, you know? And I don't know what that something else will be. 

Joe Carrigan: Yeah. Well, they will probably never stop conducting themselves as criminals. 

Dave Bittner: No. 

Joe Carrigan: There will probably always be a criminal element out there. 

Dave Bittner: Right. And there are places where the money is. 

Joe Carrigan: Right. 

Dave Bittner: So they're going to target those places, but... 

Joe Carrigan: That's right. Who was the bank robber that said, why do you rob banks? That's where the money is. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: I want to say Dillinger. But I don't think I was right. 

Dave Bittner: I don't remember. Yeah. But yeah, exactly. So I don't know. I mean, it's - you're right. It's probably never going to end, but maybe we can make it so much of a nuisance for them... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That the folks who get hit with this are few and far between. 

Joe Carrigan: Yeah. That would be best. 

Dave Bittner: Yeah. All right. Well, our thanks to Romain Basset for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.