Making the world a safer online place.
Raj Sarkar: What has happened during the pandemic is there was a 20% surge in gaming, meaning more gamers who are less seasoned have joined the gaming communities. As a result, more hackers are targeting the gamers right now.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, Raj Sarkar - he's CMO of 1Password - and Julien Benichou - he's senior director of Partnership, Strategy and Execution for Gen.G Esports - we're talking about their collaboration to better secure the credentials of gamers.
Dave Bittner: All right, Joe, before we get into our stories this week, we've got some follow-up here. Why don't you take us through what we've got?
Joe Carrigan: So first off, Ryan (ph) writes in about our Catch of the Day from last week. He says, Hi, Dave and Joe. Much like others who have emailed you, I'm a longtime listener, but from little old New Zealand. You ever been to New Zealand?
Dave Bittner: No, but it's on my list.
Joe Carrigan: It is. Mine too.
Dave Bittner: I think like a lot of folks, I was captivated from what - everything I saw in the "Lord of the Rings" movies.
Joe Carrigan: Yeah.
Dave Bittner: And I was like, oh, man, I got to check that place out. Unfortunately, Joe - I don't know if you know this - New Zealand is very far away.
Joe Carrigan: It is. Yeah, it's a long flight.
Dave Bittner: So it's about as far as you can get from where we are on a spherical planet.
Joe Carrigan: Yes.
Dave Bittner: So it takes a while. You got to really want it, but...
Joe Carrigan: Yeah.
Dave Bittner: ...I do.
Joe Carrigan: I do want it.
Dave Bittner: Yeah.
Joe Carrigan: Ryan goes on to say, Out of all the security-related podcasts I listen to weekly, yours is at the top. Oh, well, thank you, Ryan.
Dave Bittner: Very nice.
Joe Carrigan: So many laughs to be had - I think it's great that you can approach the topic with some level of jovialness. Well, that's what we try to do. Right? I just finished listening to your latest podcast, "A Return to Office Means" - this is Episode 206.
Dave Bittner: Yeah.
Joe Carrigan: I'm not going to read the whole title. But he says, My ears perked up when you spoke about the Apple ID Catch of the Day. Weeks prior, I too received a similar email, but as a longtime Google Android user, I immediately dismissed the idea of my Apple account being locked.
Dave Bittner: All right.
Joe Carrigan: However, this email did make me look hard, as it was very well done for a phishing email. So much so that I - he actually put together a slide pack for this and sent it along for his organization to raise awareness of the issue. What struck me with this particular phishing email was the way the scammers had sent the phishing email to Apple's legitimate email address and then BCC'd my email address. So when you see it, you're going to see Apple's email address at the top - very clever trick and very astute observation from Ryan. Isn't that interesting? Keep up the good work. Look forward to more laughs.
Dave Bittner: So they sent it to - they sent the thing to Apple, knowing that it would go into a black hole at Apple...
Joe Carrigan: Sure. Yeah. Nobody cares, right?
Dave Bittner: Right. Right. But you'll see that Apple address, the real Apple address at the top, and in a quick glance...
Joe Carrigan: Right.
Dave Bittner: ...That looks legit.
Joe Carrigan: Right. It's like they must have sent it to themselves as well as to me.
Dave Bittner: Right.
Joe Carrigan: Right? I've seen this practice with an online game I play. I play an online play-by-email game, believe it or not - a very slow-paced game. But the guy that runs the game will send out an email to himself and blind carbon copy everybody else in the game.
Dave Bittner: Right.
Joe Carrigan: So that that way, if you hit reply all, it only goes back to him. Right? It's a good way to keep those annoying reply-all emails from happening.
Dave Bittner: Yes. Yes.
Joe Carrigan: So it - this adds credibility to it by seeing the Apple email in the to address...
Dave Bittner: Yeah, that's interesting.
Joe Carrigan: ...Or yes, the to address.
Dave Bittner: Huh. All right. Very good.
Joe Carrigan: We have another bit of feedback from Dwayne (ph), who writes in about our story we covered with the QuickBook invoicing. He says, Hi, guys. I hope you guys are both doing well. Love the show. Following up on the use of QuickBooks by scammers, other invoicing services are being used in this way. In June, my wife was targeted by a campaign using the Wave invoicing service, impersonating Norton for the renewal of antivirus subscriptions. Then he goes on to send a link about where he posted this on Twitter. And Wave actually responded on Twitter, as did Norton. I took a look at this on Twitter. Dave, you know, I don't spend a lot of time on social media.
Dave Bittner: Yeah.
Joe Carrigan: But I did quickly realize I'm scrolling through Twitter again, Dave.
Dave Bittner: Welcome back.
Joe Carrigan: Right? I said, I got to stop this. Turn it off. But I did see Dwayne's post, and they did respond.
Dave Bittner: OK.
Joe Carrigan: So thank you, Dwayne, for sending that in. And that is a good reminder that it's not just QuickBooks. It's anybody, anybody that has a service like this. It could be, you know - there's other invoicing - there's one called FreshBooks, I know, that a friend of mine uses...
Dave Bittner: Yup.
Joe Carrigan: ...That is timekeeping and invoicing for consultants.
Dave Bittner: Yeah.
Joe Carrigan: There's Wave that Dwayne is talking about. There's other ones out there. Anybody - any of the - anybody that lets somebody set up a temporary account - that's what these scammers are going to do. They're going to set up a temporary account or, you know, a trial account, and they're going to send out invoices, and they're going to impersonate big brands.
Dave Bittner: Yeah. So you got to be extra vigilant.
Joe Carrigan: Indeed.
Dave Bittner: Yeah. All right. Well, thanks to everyone for sending in this feedback. We do appreciate it. And of course, we'd love to hear from you. If you have something you'd like for us to consider sharing on the show, you can write us. It's hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, let's jump into our stories this week. I'm going to kick things off for us. This is an article that came from the MIT Technology Review, an article by Patrick Howell O'Neill. And it's titled "How Governments Seize Millions in Stolen Cryptocurrency." So as you and I have talked about many times, you know, cryptocurrency is kind of the - oh, I don't know. Is it the fuel that enables a lot of these scams? Is it the lubrication that makes the - like, what's the proper analogy?
Joe Carrigan: That's a good question. I think it's the lubrication. The greed is the fuel, Dave.
Dave Bittner: OK.
Joe Carrigan: The greed is the fuel.
Dave Bittner: Very good, very good.
Joe Carrigan: The lubrication - I would say lubrication because it makes it a lot more frictionless for the scammers.
Dave Bittner: Right. And were it not for cryptocurrency, the scammers would have a lot more difficult time.
Joe Carrigan: They'd have to use the banking system, which is heavily regulated.
Dave Bittner: Right, right, a lot harder to - all that stuff.
Joe Carrigan: Right.
Dave Bittner: So this story is about - when law enforcement decides that they want to try to claw back some of these funds, how do they go about doing it? And it's a really interesting overview of what happens here. A couple of things that I wasn't familiar with, just a couple of terms that were new to me - I mean, you know, we've talked many times here about the tumblers.
Joe Carrigan: Yes.
Dave Bittner: That - Joe, you want to give us a quick explanation of that?
Joe Carrigan: So a tumbler is - let's say you have a bunch of bitcoin you need to essentially obfuscate the origin of, right?
Dave Bittner: Right, right.
Joe Carrigan: You got it in a scam. You got, like, six bitcoin in a scam, which is - what? - $100,000 these days.
Dave Bittner: Yeah.
Joe Carrigan: So you take that to a tumbler service, and they put it in as six bitcoin, and they give you back a receipt of some kind that lets you withdraw six bitcoin at a later date. Now, you don't go out and withdraw six bitcoin. You withdraw half a bitcoin, then one bitcoin and then 0.75 of a bitcoin. And each time you do this, you get a new receipt. And you can continue to withdraw until you get all of your money back out. Or maybe you leave a little bit in there so it doesn't show up on any aggregator or blockchain explorer as this is where the money went.
Dave Bittner: So a couple of things they mentioned here that I was not familiar with. One of them - they referred to something called a peel chain.
Joe Carrigan: I'm not familiar with that, either.
Dave Bittner: That's P-E-E-L. And that is when you move cryptocurrency through thousands of transactions to obfuscate the source and destination - so just hopping, hopping, hopping, hopping, hopping, you know?
Joe Carrigan: Yeah. I mean, that - if you're doing that over and over and over again, that - I don't think that's particularly difficult to track.
Dave Bittner: Well, we'll get to that.
Joe Carrigan: OK.
Dave Bittner: So another thing they talk about is chain hopping, which is just going across different blockchains.
Joe Carrigan: That strikes me as being more difficult to track.
Dave Bittner: Yeah, yeah. So this article talks about some tools that are available to help surveil these blockchains. And they mentioned companies like Chainalysis. And I think - I'm pretty sure I've interviewed some folks from there.
Joe Carrigan: Yeah, I think you've had somebody on from Chainalysis...
Dave Bittner: Yeah.
Joe Carrigan: ...Talking about how they're used by law enforcement to find where this money goes.
Dave Bittner: Right. And there's another one they mentioned called TRM Labs, another one called Elliptic. And they have software tools that basically analyze cryptocurrency platforms. And so I guess - I mean, that makes sense, right?
Joe Carrigan: Right.
Dave Bittner: One of the things about blockchain stuff is that it's all there.
Joe Carrigan: The blockchain is public. Yeah.
Dave Bittner: (Laughter) Right. So...
Joe Carrigan: Unless you're on a privacy-preserving cryptocurrency...
Dave Bittner: Yeah.
Joe Carrigan: ...That's correct.
Dave Bittner: So these folks take all that information, and I guess they make it available in a way that mere mortals can understand it and analyze it. And so if you're law enforcement, you can use these tools. I guess if you're anybody, you can use these tools to try to track down the flow of these cryptocurrencies from one place to another. So that's the tracing part. But then there's actually - you know, how do they seize the money?
Joe Carrigan: Yeah, how do they get the money?
Dave Bittner: Right. And this article talks about three ways that the government can lawfully access and seize their funds.
Joe Carrigan: Oh, I think I know one of the ways.
(LAUGHTER)
Dave Bittner: OK. What's that?
Joe Carrigan: Is it - there's actually a term of art for this, Dave. I just submitted a paper where I was reminded of the term of art by one of the students I was working - it's called rubber-hose cryptanalysis.
Dave Bittner: Oh, OK.
Joe Carrigan: And that is the idea that there - this is the root of the problem, that there is no such thing as a perfectly secure system. Even a strong cryptographic system is not perfectly secure because if I tie you down in a chair and hit you with a rubber hose long enough, eventually you're going to tell me the keys to your wallet.
Dave Bittner: (Laughter) OK.
Joe Carrigan: That's what it is. So - I mean - but it's not the same kind of thing. You're not hitting them with a rubber hose. You're just showing them how they're going to spend the rest of their lives in prison.
Dave Bittner: I see.
Joe Carrigan: Right? It's the same threat model, though.
Dave Bittner: Right, right.
Joe Carrigan: Is that one of the ideas - one of the things?
Dave Bittner: Well, yeah. I mean, so there's the regular path of law enforcement, right?
Joe Carrigan: Right.
Dave Bittner: I mean, you - basically, law enforcement gathers up their evidence. They have their probable cause. They go in front of a judge, and they say, please give us a warrant. And then they're able to talk to the folks who run, you know, these cryptocurrency services and say, you know, hey; give us your dough.
Joe Carrigan: Right.
Dave Bittner: You know, give us the situation.
Joe Carrigan: That's another good point. If this cryptocurrency is in an exchange...
Dave Bittner: Yeah.
Joe Carrigan: ...As I said before, if you don't own the keys, you don't own the cryptocurrency.
Dave Bittner: Right.
Joe Carrigan: They can just seize it - right? - because that crypto exchange is going to be like, well, law enforcement's saying I got to give them Joe's money.
Dave Bittner: Yeah.
Joe Carrigan: So here's all Joe's cryptocurrency. Have a nice day. Thank you very much.
Dave Bittner: Right.
Joe Carrigan: And my account goes to zero, and they show me the warrant. And I go...
Dave Bittner: Nothing to see here, right?
Joe Carrigan: ...Oh. Yeah, right.
Dave Bittner: Right. So another method they use is they - let's say they grab another member of your team of bad guys, and they convince that person, hey; listen. You don't want to spend the rest of your life in jail.
Joe Carrigan: Right.
Dave Bittner: We're not really after you. It's Joe that we want.
Joe Carrigan: Yes.
Dave Bittner: And so that person becomes, you know, a friendly witness as part of a plea agreement or something like that. That person turns over the keys, and there you go.
Joe Carrigan: Right.
Dave Bittner: And then the third way is if they actually go in and compromise the target's security.
Joe Carrigan: Yes, which is what they did with the oil pipeline just a couple years ago. They shut down...
Dave Bittner: Right. Right.
Joe Carrigan: They actually recovered that cryptocurrency not from the ransomware gang but from the affiliate gang. And the split there was, like, 70-30.
Dave Bittner: Right.
Joe Carrigan: So the ransomware gang got 30%, and they never got that money back. But the affiliates had 70%, and they just had their key sitting out on a cloud storage somewhere. And the feds found it and were just like, oh, look at this. That's our cryptocurrency now.
Dave Bittner: Right - zoink (ph).
Joe Carrigan: Right.
Dave Bittner: (Laughter) Yeah. And this article points out that a lot of times that's more in the category of nation-states who have the resources...
Joe Carrigan: Right.
Dave Bittner: ...To go in and, you know, have serious-level hacking and trying to decrypt passwords and things like that.
Joe Carrigan: It may not even be hacking. They may be executing another search warrant like on Google or something and saying, I need to see the cloud drive storage of this guy's - the cloud storage of these accounts.
Dave Bittner: Yeah.
Joe Carrigan: And Google goes, OK, here's - you have a warrant? Here it is. And they - oh, look. Here stored among this are just plaintext keys. And then law enforcement may be looking through those files and go, oh, look here. Here are the keys.
Dave Bittner: Right.
Joe Carrigan: And, I mean, that's another way they can get them.
Dave Bittner: Yeah. Some other interesting things from this article - the folks over at Chainalysis have some stats. They said that the mixers have moved over $50 million a month on average this year, which is twice as what they did last year.
Joe Carrigan: Is that per mixer, or is that all the mixers?
Dave Bittner: No idea. I think that - my sense is that that's total. That's the aggregate of the various mixers that they track.
Joe Carrigan: They're moving $50 million a month - pretty good exit scam, if you ask me.
Dave Bittner: (Laughter).
Joe Carrigan: That's what - you know, if I were a cybercriminal, that would be my worry - is that there would be an exit scam on a tumbler. I would have to - yeah, so I guess the answer to that is diversify your tumblers, from a criminal perspective. I don't know. I don't want to help these guys out any more than I do, Dave.
Dave Bittner: (Laughter) And then they go on and say that, you know, one of the things they're seeing is just there are a lot more attacks than there used to be. So it's just - as we say here so many times, you know, the hackers or - the hackers. Not the hackers - the bad guys...
Joe Carrigan: The bad guys, right.
Dave Bittner: They evolve their techniques.
Joe Carrigan: Yep.
Dave Bittner: And that's what they're seeing here as well. So interesting article - I will include a link to that in the show notes. Again, that's from MIT Technology Review, and it's titled "How Governments Seize Millions in Stolen Cryptocurrency." Joe, what do you have for us this week?
Joe Carrigan: Dave, I have a story from MarketWatch. This comes from Lukas Alpert over at MarketWatch. And the title of the story is "Jeweler Who Sold Trump-Maples Ring Sentenced to 12 Years in a Multimillion Dollar Yellow Rose Diamond Scam." Now, the Trump-Maples relationship is an old relationship. Donald Trump and Marla Maples got married years ago.
Dave Bittner: Yeah.
Joe Carrigan: They're now divorced, right?
Dave Bittner: Yeah.
Joe Carrigan: I don't know why that's in the headlines - probably because it grabs attention, right?
Dave Bittner: Sure (laughter).
Joe Carrigan: But, again, remember that Lukas doesn't write the headlines. This is - he's just pointing out this guy is a jeweler to the stars, if you will.
Dave Bittner: OK.
Joe Carrigan: This guy's name is Joseph DuMouchelle. And what happened was he wound up in a little bit of trouble. And he's based out of Michigan. And he was - there was this oil baron that he owed money to.
Dave Bittner: As you do (laughter).
Joe Carrigan: Right. He owed this guy about $400,000.
Dave Bittner: OK.
Joe Carrigan: I don't know about you, Dave, but there's nobody I owe $400,000 to.
Dave Bittner: No, no (laughter).
Joe Carrigan: I would be really nervous if I owed somebody $400,000.
Dave Bittner: Right, other than, like, my mortgage company (laughter).
Joe Carrigan: I don't even owe that much on my mortgage...
Dave Bittner: Yeah, yeah.
Joe Carrigan: ...Which is amazing to me.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: This guy owes this much to a guy that deals in oil.
Dave Bittner: Yeah.
Joe Carrigan: So what he does is he goes to this oil guy and says, hey. I got an opportunity to buy the - this diamond. And apparently diamonds are named, right? This one's called the Yellow Rose - makes me think it's a Texas diamond.
Dave Bittner: Yeah.
Joe Carrigan: I don't know, but it is a large diamond.
Dave Bittner: As you would imagine. Yes.
Joe Carrigan: Right.
Dave Bittner: (Laughter) Right.
Joe Carrigan: It is a 77-carat diamond.
Dave Bittner: Holy smokes.
Joe Carrigan: Any guesses to how much he says a 77-carat diamond sells for?
Dave Bittner: First of all, I want to say former President Trump - not known for his subtlety, so...
Joe Carrigan: Right.
Dave Bittner: (Laughter).
Joe Carrigan: Actually, I don't think this is the same diamond.
Dave Bittner: Oh, OK.
Joe Carrigan: This is a different diamond.
Dave Bittner: Oh, OK.
Joe Carrigan: I think this is just the guy that sold Trump his wedding ring for Marla Maples, his engagement ring.
Dave Bittner: Oh, I see. So that's why he's - his notoriety comes from that, but this is a different incident.
Joe Carrigan: Right. This is a different incident and a different diamond.
Dave Bittner: OK - 77 carats. I have no - I mean, it's been a while since I've been in the diamond market, Joe, so I don't know.
Joe Carrigan: Right - $12 million.
Dave Bittner: Wow. OK.
Joe Carrigan: Now, I'm not a diamond guy. My wife and my son are big into diamonds. They are both - actually, at some point in time, they've both sold jewelry. So they know all the stuff about diamonds. I've never actually seen the value of diamonds.
Dave Bittner: Yeah.
Joe Carrigan: I just don't get it.
Dave Bittner: Yeah. I'm with you.
Joe Carrigan: Right. But my wife and son completely disagree with me (laughter).
Dave Bittner: Fair enough (laughter).
Joe Carrigan: It's a very contentious topic of conversation around the table.
Dave Bittner: I see.
Joe Carrigan: But this oil guy's name is Thomas Ritter.
Dave Bittner: OK.
Joe Carrigan: And DuMouchelle goes to Thomas Ritter and goes, I got this opportunity. I'm going to buy this diamond for $12 million. And then I'm going to sell it for $16 million. And then if you finance this deal, I'll give you your $400,000 back, plus, probably, a little bit more, right?
Dave Bittner: (Laughter) OK.
Joe Carrigan: So Ritter says, OK. Great. What do we do? And he goes, here's the bank account. DuMouchelle goes, here's the bank account for the guy that's - that I'm buying the diamond from. Just transfer $12 million to his account...
Dave Bittner: Uh-oh.
Joe Carrigan: ...Right? And Ritter goes, you got it, and transfers $12 million to an account actually controlled by DuMouchelle...
Dave Bittner: Oh.
Joe Carrigan: ...Who then proceeds to spend $12 million (laughter).
Dave Bittner: Oh, no.
Joe Carrigan: I - have you - there's an Adam Sandler movie out there called "Uncut Stones," I think it's called...
Dave Bittner: Yeah. Yeah.
Joe Carrigan: ...Something like that.
Dave Bittner: Yeah.
Joe Carrigan: I had to turn that off because...
Dave Bittner: OK (laughter).
Joe Carrigan: ...I started watching it, and it's kind of the similar kind of story, where Adam Sandler is just getting himself into trouble right out of the gate. I mean, I actually have a lot of respect for Adam Sandler as an actor now after watching the little bit of that movie I did.
Dave Bittner: Yeah.
Joe Carrigan: I was like, he is doing this so well, I can't watch it.
Dave Bittner: OK.
Joe Carrigan: (Laughter) I got to turn this off. I'm getting too stressed out.
Dave Bittner: OK.
Joe Carrigan: So after spending the money, he starts telling Ritter, oh, the money's coming. The money's coming.
Dave Bittner: Oh.
Joe Carrigan: Well, it didn't take long before the feds just arrested this guy.
Dave Bittner: Oh.
Joe Carrigan: And he is going to spend 12 years in a - in prison now because of this.
Dave Bittner: Wow.
Joe Carrigan: So the point here is we talk a lot about the fear motivator and the romance motivator. But we often - we - one of the motivators we skip over is the greed motivator. We don't skip over it. We don't talk about it as much, I would say.
Dave Bittner: Yeah.
Joe Carrigan: And here's a prime example. I am sure that Mr. Ritter was looking to get his $400,000 back...
Dave Bittner: Right.
Joe Carrigan: ...And, also, probably looking to make a little bit of extra money on it...
Dave Bittner: Yeah.
Joe Carrigan: ...Saw that there was $4 million of margin in this deal that didn't exist and coughed up $12 million for this opportunity that did not exist. Now, here's the other thing. This is a well-respected and well-known jeweler. So this guy is - already has clout and has a rapport with just about everybody. And now things have gone kind of downhill for this guy.
Dave Bittner: Right.
Joe Carrigan: This reminds me a lot of the Bernie Madoff scam...
Dave Bittner: Oh.
Joe Carrigan: ...Right? You remember Bernie Madoff?
Dave Bittner: Sure.
Joe Carrigan: I mean, he's now a guest of our federal government for the rest of his life as well.
Dave Bittner: Yeah.
Joe Carrigan: But he was actually for some period of time a very successful and real investor until he started a Ponzi scheme.
Dave Bittner: (Laughter) Don't you think some of this, Joe, is probably a sunk cost fallacy?
Joe Carrigan: And that's another piece of it. Yeah - the sunk cost fallacy. Rather than just walking away from $400,000 and going, I'm just never going to get that money back...
Dave Bittner: Right.
Joe Carrigan: ...This guy goes, OK, well, maybe - you know, maybe I'll - I don't know. That's a good question. The more - as I'm thinking about this, maybe he - maybe there is a sunk cost fallacy portion of it.
Dave Bittner: Yeah.
Joe Carrigan: But I'll bet this jeweler promised Ritter more money than $400,000.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: But...
Dave Bittner: But that was rolled into it.
Joe Carrigan: Rolled into it, yeah.
Dave Bittner: Listen.
Joe Carrigan: So probably - yes. There probably is a sunk cost fallacy portion of it as well.
Dave Bittner: Here's a way everybody can win.
Joe Carrigan: Right.
Dave Bittner: You'll get your $400,000 back.
Joe Carrigan: Exactly.
Dave Bittner: We'll all make some money. We'll have a good time.
Joe Carrigan: Yeah.
Dave Bittner: All I need is to borrow...
Joe Carrigan: Right.
Dave Bittner: ...$12 million...
Joe Carrigan: (Laughter) $12 million....
Dave Bittner: ...From you.
Joe Carrigan: ...$12 million, with the Dr. Evil...
Dave Bittner: And we - you know, it could be that that - for the person who got scammed here, maybe that was play money. Maybe that was disposable income. But still, it ain't chump change (laughter).
Joe Carrigan: No, it ain't. And I don't know. I hope this - you know, I hope that that was play money for this guy, that it doesn't send him - you know, send him into destitution. I kind of doubt it does.
Dave Bittner: Yeah.
Joe Carrigan: But maybe he's able to recover some of it. I don't know what happened.
Dave Bittner: Yeah.
Joe Carrigan: There's not a lot of talk about the forensic path of the money. Even the richest among us can still fall victim to greed, I guess.
Dave Bittner: Yeah. And it's a good reminder, too, that if somebody - that this is a common tactic, where someone will get you on the hook for a relatively small amount.
Joe Carrigan: Yes.
Dave Bittner: And then they start stringing you along for more and more and more.
Joe Carrigan: You know, that's a common tactic also in espionage and tradecraft.
Dave Bittner: Oh, yeah.
Joe Carrigan: You know, they'll ask you for something simple. And then once you give them something small and simple, they'll use that as leverage to force you to give them more and more information.
Dave Bittner: Right. All right. Well, that's interesting. We'll have a link to that in the show notes.
Dave Bittner: Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from Jeremy. And it's more of a story than a - just a simple sample of phishing. But I thought it was a good story.
Dave Bittner: OK.
Joe Carrigan: So why don't you go ahead and read what Jeremy wrote us?
Dave Bittner: All right. Jeremy writes, I thought you might get a kick out of this since you've covered gift card scams in your podcasts. I received an email from one of my mom's friends the other day. I thought it was odd, but I received emails from the individual before and have been in IT for over 20 years, so it's not unusual to receive help-me requests from friends and relatives.
Joe Carrigan: I got one of those...
Dave Bittner: Yeah.
Joe Carrigan: ...Just last week, Dave.
Dave Bittner: Yeah. I think we can relate, Jeremy.
Joe Carrigan: Yes.
Dave Bittner: Before opening the email, I reached out to my mom to verify the address, and it checked out. I've worked in cybersecurity for about the past five-ish years, so I'm immediately suspicious about random emails. But I had already read the message when it arrived in my inbox by hitting the dropdown on my smartphone notification. There were no links or attachments, only the following. Hello, how are you? Kindly let me know if you are online. OK. So the verbiage itself was enough to let me know it wasn't my mom's friend.
Joe Carrigan: Right.
Dave Bittner: Next...
Joe Carrigan: Nobody talks like that here in America.
Dave Bittner: (Laughter). Next, I know replying to the email would let an adversary know they sent to a valid email account, but I have several security measures in place, including MFA and a complex password that I change on a regular basis. And, of course, I write it down and hide it under my keyboard.
Joe Carrigan: (Laughter)
Dave Bittner: That's best practices. That's - absolutely. Very good. Jeremy goes on and says, I simply replied with, hello, how are you? - and received a reply less than 12 hours later with the following response. Actually, I need some couple of gift cards, but I can't do that myself because I will be working till late night. Can you pick up some Google Play gift cards from the nearest store and have it attached to me? I will reimburse you.
Joe Carrigan: This is the new guy at the scam center, Dave (laughter).
Dave Bittner: Right. Can't imagine why he's - everyone else is doing so much better than he is.
Joe Carrigan: Right.
Dave Bittner: Jeremy says, I think I laughed out loud when I read it because I had just listened to a podcast where you mention this exact thing. So at this point, I flagged the message as spam and kindly...
Joe Carrigan: (Laughter) Kindly.
Dave Bittner: ...Let my mom know that her friend's email account had most likely been compromised. It amazes me how emails like this actually work. And, really, if you're going to attempt to convince someone to get you gift cards, you may consider hiring a translator to assist with your conversational English skills. Thanks for the great info on your podcast. They really help me get through my daily commute, from Jeremy in Maryland. Yeah. Well, thank you, Jeremy.
Joe Carrigan: Yeah. It's great. I love the absolute terrible English here. You know, I've often thought that there is a business model for somebody that is a little less scrupulous than you and I are, Dave, that they could go out, and they could just say, hey, I'll just proofread your stuff before you send it to an American audience. And, you know, for $5, I'll make sure that you send something that doesn't make you look like you are just starting out doing this.
Dave Bittner: Right. Yeah, I agree. Let's say - I think we've clearly demonstrated there's a need.
Joe Carrigan: Right? (Laughter) There's definitely a market.
Dave Bittner: Although we don't want to help these folks, so (laughter)...
Joe Carrigan: Right. No, we do not. So don't do that, dear listener. Our listeners would never do that, Dave.
Dave Bittner: No, no, no.
Joe Carrigan: They would never do that.
Dave Bittner: No, no. All good. They're all good people.
Joe Carrigan: Yes, they are.
Dave Bittner: All right.
Joe Carrigan: Every last one.
Dave Bittner: Well, again, thanks to Jeremy for sending that in. We would love to hear from you. If you have something that you would like us to consider for our Catch of the Day, send us an email to hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with a couple of folks. I spoke with Raj Sarkar. He is CMO of the company 1Password. And I also - on the line I had Julien Benichou, who is senior director of partnerships, strategy and execution at Gen.G Esports, which is an electronic, you know, online gaming and sports organization. So these two organizations have teamed up to try to better secure the credentials of gamers. Here's my conversation with Raj and Julien.
Julien Benichou: I would say that folks that are playing their games online, while they obviously have some tech knowledge, have a little bit of a gap when it comes to their security. We still find that a lot of passwords are relatively weak when it comes to their gaming accounts, and we see a lot of people get their accounts stolen from them. This is a very common problem throughout the industry, where people who've spent a lot of money on their accounts, getting their skins, characters, items, whatever it is virtually end up losing those things, and they end up getting sold. So we thought this is a really pertinent kind of partnership between 1Password and Gen.G - kind of let people know that, hey, password security is really important, and don't lose everything that you've worked so hard to gain.
Dave Bittner: And, Raj, you know, you and your colleagues are in the password protection business. So what are the challenges here when it comes to folks on the gaming side of things?
Raj Sarkar: Yeah, so what has happened during the pandemic is there was a 20% surge in gaming, meaning more gamers who are less seasoned have joined the gaming communities. As a result, more hackers are targeting the gamers right now. And the other thing about gamers is, you know, speed matters. So they don't want to slow down to meet strict security protocols. So they want to move really, really fast. And the other interesting thing about gamers is, you know, a lot of gamers have virtual goods, and they don't monitor their virtual goods and tokens like they check their bank accounts. So the virtual valuables have become easier to hack than, you know, accounts, for example.
Dave Bittner: Well, forgive my ignorance here, but to what degree is multifactor authentication available on the larger gaming platforms?
Julien Benichou: I'd say it's relatively well available now, especially after there had been so many data hacks in the last few years. A lot of the bigger publishers have made it a priority of theirs. Now, it is not required, I would say, by most gaming companies. And a lot of the times, even some of the more simplistic passwords are all you need to create a gaming account, such as on different kind of bigger gaming platforms. So I'd say right now, it is possible but not standard.
Dave Bittner: Raj, you know, when I think about interacting with a password manager, there are two places I primarily do it - on my desktop within the browser itself and then on my mobile device, you know, through a dedicated app. Is that a bit of a speed bump for folks who are using their gaming consoles?
Raj Sarkar: Oh, you mean accessing it directly via their gaming consoles?
Dave Bittner: Yeah, yeah.
Raj Sarkar: Yeah, yeah, yeah, yeah. You're absolutely right. Because, you know, if you're - like, we currently - there is no way for us to support, like, gaming consoles. But if you are - a lot of gamers also access their games via the browser, for example. Like, a majority of the games out there basically nowadays, you know, it's supported by a browser. And people still, like, can, you know, access all their goods via the - virtual goods via their browser as well. So they could still use 1Password, you know, to make sure that, for example, they're not reusing their passwords in different games. Because what we have seen is in general in the gaming community, like I said, that a lot of gamers move really, really fast. As a result, they don't remember when they're signing up for accounts. They just use, you know, whatever password comes to mind. So this is where, you know, 1Password can really help.
Julien Benichou: I can just add on to that. A lot of games are actually - and game collections are actually available via browser, as Raj was talking about. So a big part of the gaming experience is actually going into your browser and handling a few things. So, for example, you can access a lot of your Steam account via your browser. A lot of your Riot account happens via your browser. There's a lot of elements to some of the bigger gaming platforms where you do go through your browser in order to kind of make changes to your account.
Dave Bittner: I see. Well, let's talk about this effort that you all have embarked on here. This is the Quest for the Lost Console, and it is a scavenger hunt. Can you explain to us what exactly is this about?
Julien Benichou: Yeah, I can. I guess in a literal sense, as you put it, it's sort of a mix between a scavenger hunt and an escape room. You know, when we were first talking to 1Password, I came up with the idea of, hey, what's a really fun way for us to kind of show password security and also have people kind of have a good time? And I, when I was younger, would play a lot of online escape room games. That was a big - like, that was a big pastime of mine, basically these games on browsers. And I thought, hey, a lot of times in those, you have to figure out passwords, and you got to kind of put your mind to the test in order to get that. And it kind of just goes to show the importance of having a good password. So that's sort of the origin of the idea, at least how it came from me. In terms of the game itself, you know, we just wanted to kind of bring forward a bunch of - like, a fantastical element and a fun element, all while still kind of putting forward this idea of, wow, this is so cool, and this is such a way for me to kind of remember passwords and realize the importance of having strong passwords, especially as the game gets harder and harder as you continue playing.
Dave Bittner: Can you describe for us how a user would engage with it?
Julien Benichou: The first thing that a user engages with would be our landing page, which has a bunch of different information, both about 1Password, Gen.G, password protection and security, etc., etc. We also had a bunch of gaming influencers involved that would do streams alongside us kind of advertising and showing off the game. And particularly, we actually gave all of them clues to different areas. Eventually, let's say, you move on to actually playing the game. It's got a pretty distinct and unique art style, I would say, and you have to go through different levels using different clues in the environment in order to figure out what the password is to move on. So, for example, the first level is a gate that you come across to get you into the mansion where we are hiding the lost console, aka the grand prize of the competition, a PlayStation 5 in this case.
Dave Bittner: Well, that's a pretty good incentive, I'd say, for folks to jump in and join in the game. I have to say, as someone who grew up doing, you know, old-school text adventures, this sounds right up my alley, this sort of puzzle solving and that sort of thing. Raj, what do you hope the take-homes here are? I mean, for folks who engage with this, are we looking for just a better awareness and active engagement with things like password managers?
Raj Sarkar: Yeah, I think the first and foremost thing we wanted to do is basically raise the awareness on how important is password security and do it in a way which is fun, like a scavenger hunt and like escape - you know, escape room-style puzzles. The goal here is if you basically go and go through the puzzles, they - also, we - you know, interesting way to learn more about 1Password. So there's some, like, 1Password features that get featured in the puzzles as well. So we would - basically, the goal here was education around how the importance of online security is when it comes to gaming.
Dave Bittner: Julien, how about for you? What are you hoping people take away from this?
Julien Benichou: I'm really just hoping, A, that people kind of understand that a strong password can really make or break the difference between getting to that next stage for people, right? I've had so many of my friends and people kind of come through and play some of these levels and realize, like, wow, some of the passwords that you put in here - and I'll give a little hint here for some of them - you know, are case sensitive, right? And that's really what stumped them on some of these levels. And it just goes to show how important some of the things are, such as case sensitive or special characters in making passwords stronger. So that's one goal. And then obviously, I - as you mentioned, Dave, I played a lot of those kind of, like, text-based adventures and - as well. So I'm also just hoping that people really enjoy themselves and find this to be an experience that they remember and kind of remember 1Password and Gen.G as having kind of put forward something that they liked. And it wasn't just straight up, like, here's an ad.
Dave Bittner: Yeah. You know, Raj, it also strikes me that - you know, from my own experience with a password manager - that I guess I had a little hesitation before I engaged with it. But then once I got into it and I started to see how it works and really, ultimately, how it made my life easier and more secure, you kind of look back and you wonder, how did you ever live without it? And so I think it's clever how through gameplay you're actually showing people how to interact with these sorts of tools. To me, that seems like a great way to kind of give them a taste of what they're in for.
Raj Sarkar: Exactly. You nailed it. I think one of the biggest thing - what we have learned around password managers are people usually don't think about using password managers. They, you know, reuse and recycle passwords a lot. And then usually they take it seriously when, for example, you know, someone hacks into one of their accounts - right? - or their identity gets stolen. So what we are trying to do right now and our end goal - our goal here is - and Gen.G partnership is one example of it - like, how can we make, you know, security, you know, accessible for everyone? How can we demystify security, online security? And that was one of the end goal of doing the partnership with Gen.G. And you'll see more of these going forward. I don't know if you have any - like, either of you have watched our Ryan Reynolds ad. And the reason, you know, we use Ryan Reynolds for our first 1Password commercial was basically we want to make sure that it reaches a lot of those people who are not tech savvy and understand the importance of, you know, password manager when it comes to online security.
Dave Bittner: Joe, what do you think?
Joe Carrigan: They open with saying - talking about how they - during the pandemic more people started gaming.
Dave Bittner: Right.
Joe Carrigan: And I will say, Dave, I started doing a little more gaming during the pandemic. I've been a gamer for years...
Dave Bittner: Yeah.
Joe Carrigan: ...Since I've had a computer, right? 1992, I started playing video games on my computer. And - but during the pandemic, I actually started playing, like, Fortnite, right? And I enjoy that game. It's pretty fun. And, you know, I got - I have a couple of friends that - I'll see them online, I'll jump in and play with them as well. It's a great platform to play on.
Dave Bittner: Yeah.
Joe Carrigan: It's free to play, and it's fun. So I see why these things are more common, and I agree with that statement.
Dave Bittner: Yeah.
Joe Carrigan: I mean, I'm part of that group of people that came into it. I think it's really interesting and kind of puzzling to me how much people value what they have in in-game items, how much value they place on it. I have other people I play games with. You know, I've told you I played that online game or the play-by-email game.
Dave Bittner: Yeah.
Joe Carrigan: And I had another friend of mine, and we were talking like, what would you do if you had $1,000 you wanted to - that you just got right now? And one of them said I'd buy some in-game gold, $1,000 of in-game gold. And I was like, you've got to be kidding me. You'd spend - I just never understood a lot of the value of these things. But some people will do this, and a lot of people do it. And because these things are valuable and sometimes transferable, they're a target for these scams.
Dave Bittner: Right.
Joe Carrigan: Right? People don't really realize how much they may have put into it until it comes time to rebuild something. Right? Like, have you ever - do you play a lot of games?
Dave Bittner: The games I play tend to not be multiplayer games.
Joe Carrigan: OK.
Dave Bittner: Yeah.
Joe Carrigan: But have you ever played a - like, a long game?
Dave Bittner: Yeah. Oh, sure.
Joe Carrigan: And then you're, like, halfway through it, and then something goes wrong...
Dave Bittner: Yes.
Joe Carrigan: ...And you have to start over again...
Dave Bittner: Yes.
Joe Carrigan: ...And how frustrating that is?
Dave Bittner: Yes.
Joe Carrigan: Imagine that, but now you've got an inventory of stuff you paid for. And you have to - you may not even realize how much money you've spent on these items.
Dave Bittner: Right.
Joe Carrigan: And now you have to rebuild your list of items again.
Dave Bittner: Yes. That would be very frustrating.
Joe Carrigan: Very frustrating.
Dave Bittner: It is a good chance I would walk away and...
Joe Carrigan: Right.
Dave Bittner: ...Never play that game again.
Joe Carrigan: That is probably exactly what I would do.
Dave Bittner: Yeah.
Joe Carrigan: I wouldn't play that game for years unless, you know...
Dave Bittner: Right. Right. If there's one thing you're good at, Joe, it's holding a grudge.
Joe Carrigan: I tend to be a very resentful person. People don't pay attention to these items as closely as they do to their bank account.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: Yeah.
Joe Carrigan: I mean - and it's - that makes 100% sense to me, right? I mean...
Dave Bittner: Sure.
Joe Carrigan: ...Your bank account is where - you know, your bank account is money that can be exchanged for goods and services. If you're going to sell something out of your gaming inventory, that's a process. That's almost...
Dave Bittner: This is literally play money.
Joe Carrigan: Right. Exactly. It's play money.
Dave Bittner: It's play money. Yeah.
Joe Carrigan: It does have value, but these scammers can - they have processes in place that probably automate all this stuff.
Dave Bittner: Yeah.
Joe Carrigan: Using a password on a non-PC device is a pain.
Dave Bittner: Oh, yeah.
Joe Carrigan: It is awful. And I don't have this problem, Dave, because I'm part of what they call the PC master race.
Dave Bittner: Go on.
Joe Carrigan: I play - I don't play games on consoles very much.
Dave Bittner: Oh, I see.
Joe Carrigan: I only play them on games. So you can play Fortnite on consoles. I don't.
Dave Bittner: I see.
Joe Carrigan: The people I play with, I play with - and actually they listen to this podcast, so I'll say, hello, Chad (ph) - they play on consoles.
Dave Bittner: Yeah.
Joe Carrigan: And I don't. So - but I have the exact same problem with my streaming services. Right? And putting a password on a streaming service is miserable.
Dave Bittner: Yeah.
Joe Carrigan: That's why I like HBO Max as a streaming service because it says here's a code. Authenticate on your web browser.
Dave Bittner: Right.
Joe Carrigan: It's great.
Dave Bittner: Right.
Joe Carrigan: But other services - like, Disney+ doesn't have that.
Dave Bittner: Yeah, I have - I mean, just a quick tip. It's one of the reasons I like using Apple TV. It's an expensive device, but one of the benefits of it is you can connect it to your mobile device.
Joe Carrigan: Ah.
Dave Bittner: So - which has a keyboard, right?
Joe Carrigan: Yeah.
Dave Bittner: So when you need to put a password in, you can whip out your phone and type it in there rather than having to scroll, click, scroll, click...
Joe Carrigan: Right.
Dave Bittner: ...Scroll, click.
Joe Carrigan: Yeah.
Dave Bittner: Yeah. It's a pain.
Joe Carrigan: You know what, Dave? Apple - one of the things Apple does very well is manage user experience.
Dave Bittner: Yeah.
Joe Carrigan: They make it seem so simple, so easy. My wife and I were just complaining about - my wife was complaining about her phone. She has the same phone I do. We both have the Google - latest Google Pixel phones.
Dave Bittner: OK.
Joe Carrigan: And frankly, we're not impressed with them, you know? They - and, you know, I've never heard an Apple iPhone user complain about the use of their iPhone. And I don't know, Dave. We might be doing it soon.
Dave Bittner: Yeah, well, come on over.
Joe Carrigan: Yeah.
Dave Bittner: It's awfully nice over here.
Joe Carrigan: Yes.
Dave Bittner: Anyway, back to our interview here, what else struck you, Joe?
Joe Carrigan: So they have come up with this game, this online escape room game.
Dave Bittner: Yeah.
Joe Carrigan: These - do you remember the first online - did you ever play any of these?
Dave Bittner: No. Well, I mean, look, I came up in the era of text adventure games.
Joe Carrigan: Right.
Dave Bittner: So before there was an online, you know, we were playing Zork and those kinds of things.
Joe Carrigan: And Scott Adams Adventure.
Dave Bittner: Yeah.
Joe Carrigan: Not Scott Adams from Dilbert, but the other Scott Adams, the software engineer.
Dave Bittner: Right. You know, Lost Dutchman's Gold was another one I played.
Joe Carrigan: Yeah.
Dave Bittner: And there was Pyramid, Madness in the Minotaur. And it was all these...
Joe Carrigan: Text-based games.
Dave Bittner: ...Text-based games. Yeah, a lot of fun.
Joe Carrigan: That was the first thing I programmed when I learned how to program when I was a kid. I wrote a text-based adventure game.
Dave Bittner: Yeah.
Joe Carrigan: It was terrible. But...
Dave Bittner: But they're great fun. I mean...
Joe Carrigan: They are.
Dave Bittner: ...You know, they were, anyway.
Joe Carrigan: They are. Well, I remember the first online escape room game. I can't find it anywhere. It was called Sub Room, and it was online. It was beautiful. So I'm interested to see what this one looks like. I haven't checked it out yet, but I will. But also, what I want to check out is their Ryan Reynolds ad 'cause - I don't know, I'm kind of a Ryan Reynolds fanboy.
Dave Bittner: OK.
Joe Carrigan: You know, he's not a - I don't think he's a great, like, actor in terms of, like, he's not - he's no Kathy Bates, right?
Dave Bittner: Yeah.
Joe Carrigan: But he is - I really enjoy watching everything he does.
Dave Bittner: OK.
Joe Carrigan: I've not seen anything that I look at Ryan Reynolds and go that - well, except maybe "Green Lantern." But...
Dave Bittner: He's very good at being Ryan Reynolds.
Joe Carrigan: He's very good at being Ryan Reynolds, and I like Ryan Reynolds.
Dave Bittner: Fair enough.
Joe Carrigan: The main point of this entire interview is use a password manager, which I think is probably one of the top two things you do if you're worried about authentication. The first thing you do is use multi-factor authentication. The second thing you do is use a password manager.
Dave Bittner: Yeah.
Joe Carrigan: And I do secure all of my gaming accounts with multi-factor authentication, as well as all the email accounts that they send email to. And I would also recommend not just your gaming accounts, but your email accounts because if something happens, that's what these guys are going to attack next, is your email account.
Dave Bittner: Yeah.
Joe Carrigan: So if you can secure that - 'cause think about it, 'cause what happens when you forget your password? You get an email sent to you.
Dave Bittner: Right.
Joe Carrigan: And if you don't have that email secured with a unique password, then you're vulnerable to social engineering attacks based on password reuse.
Dave Bittner: Yeah. All right. Well, again, our thanks to Raj Sarkar and Julien Benichou for taking the time for us. We do appreciate it.
Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.