Hacking Humans 9.8.22
Ep 211 | 9.8.22

A travel surge and a host of different scams.

Transcript

Greg Otto: The travel boom as people getting back - trying to get back to real life - cybercriminals realize that, and they're not going to try to leave this stone unturned when it comes to pulling people's money away from that and into their own coffers.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Greg Otto, who is chief cybercrime reporter for Intel 471 - we're talking about travel scams. 

Dave Bittner: All right, Joe. Before we dig into our stories, we've got a little bit of a follow-up here. You want to take us through that? 

Joe Carrigan: Yes. First, I want to tell our listeners that I will be at the Grace Hopper conference this year. So if any listeners are attending, I invite you to stop by the Johns Hopkins University booth and introduce yourselves. 

Dave Bittner: Very nice. 

Joe Carrigan: I'd like to see you. Kevin (ph) writes in, said just listened to the deepfakes episode, which was a while ago, I think. 

Dave Bittner: Yeah. 

Joe Carrigan: And the fear I have is that even if someone doesn't think they believe it or thinks they know it's false, the idea, the image and the impression is now implanted in their brain and in their subconscious. This is an interesting assertion here. He goes on, and that will always influence their perception of reality. Think about political cartoons. They exaggerate someone's attributes. So even if you are looking at the real person, you can't not see those exaggerations. Remember Gerald Ford? Did he fall down often? No. But thanks to Chevy Chase and "Saturday Night Live" - "SNL" - should just say "SNL." That's a lot easier to say than "Saturday Night Live." 

Dave Bittner: Yeah. 

Joe Carrigan: ...Everybody thought that Ford was a klutz. Kevin says it was scary, but I think it's more interesting. It's an astute observation, Kevin, I think. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, even if you know that what you're looking at is a fake, that does have impact. 

Dave Bittner: Yeah, absolutely. I mean, and I guess - is it fair to say a lot of this is rhetoric? That's - you know, that's... 

Joe Carrigan: Oh, 100% fair to say. 

Dave Bittner: ...Or political discourse. There's that. 

Joe Carrigan: Yeah. Yeah. 

Dave Bittner: But I - yeah, I think there's something to this, the planting of that seed, even just doubt or uncertainty. You know, sometimes that's a good thing, I think. 

Joe Carrigan: Yeah. 

Dave Bittner: Quite often it's a good thing, but... 

Joe Carrigan: I would love to have doubt and uncertainty in all of our elected officials. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I want people to have that in every single elected - every single public office holder in the country. 

Dave Bittner: Yeah. 

Joe Carrigan: You should view them with doubt and uncertainty. 

Dave Bittner: Yes. Yes, absolutely. 

Joe Carrigan: You know, I... 

Dave Bittner: ...Unless it was, like, Fred Rogers or... 

Joe Carrigan: Right, well - yeah, Fred Rogers is long gone and never held public office... 

Dave Bittner: Right, right. 

Joe Carrigan: ...And actually did good work. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm grateful for his contributions. But people like Fred Rogers don't go into office. 

Dave Bittner: No, no. And they're few and far between. 

Joe Carrigan: Right. 

Dave Bittner: Yeah, absolutely. 

Joe Carrigan: The thing that this made me think of was there an episode of "The Simpsons" where George Herbert Walker Bush moves in across the street in a suddenly unexplained mansion. 

Dave Bittner: Right. Right. 

Joe Carrigan: And he and Homer start having battles. And eventually Bush moves out, and Ford moves in, and they make the joke, the fall down joke. This is 20 years after his presidency - 30? I don't know how long it was - a long time. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? They still make that joke about him. 

Dave Bittner: Well, and what it also reminds me of is that when we think of these impersonations of people - when we think of celebrities... 

Joe Carrigan: Right. 

Dave Bittner: ...We often think about the impersonation of them, not them... 

Joe Carrigan: Right. 

Dave Bittner: ...Because it is the gift of the mimic to be able to distill those things. You know, you had Dana Carvey with George Herbert Walker Bush, saying, (imitating George H.W. Bush) not going to do it. 

Joe Carrigan: Right. 

Dave Bittner: (Imitating George H.W. Bush) Not going to do it. Wouldn't be prudent. 

Joe Carrigan: That's a great point. 

Dave Bittner: And it's a distillation. It's not the same sort of thing. I've heard people say that - who is it? - (imitating Ed Sullivan) going to be a really big show. 

Joe Carrigan: Right. That was Ed Sullivan. 

Dave Bittner: Ed Sullivan - right. Like, Ed Sullivan didn't actually sound like that. When most people are doing Ed Sullivan, they're not doing Ed Sullivan. They're doing the guy who popularized the impersonation of Ed Sullivan. 

Joe Carrigan: Yeah. 

Dave Bittner: And I think that's a lot of what happens here, so... 

Joe Carrigan: You know who really loved Dana Carvey's George Herbert Walker Bush impression? It was George Herbert Walker Bush. 

Dave Bittner: Oh, is that right? Well, that's good. 

Joe Carrigan: He actually invited him to the White House one day and said, hey, call the Secret Service agents in here. And he did, and they came in, and Bush thought that was hilarious. 

Dave Bittner: Yeah. Well, it's good to have a sense of humor about yourself. 

Joe Carrigan: Yeah. Oh, he did have a sense of humor. 

Dave Bittner: Somewhere there's somebody out there, Joe, who's doing a Joe Carrigan impersonation, a dead-on Joe Carrigan impersonation - one of our fans. 

Joe Carrigan: Man, I would love to hear that. 

Dave Bittner: (Laughter). 

Joe Carrigan: If somebody has taken the time to - I mean, look at the smile on my face, Dave. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Just me thinking about that really makes me happy. I would love to hear it. 

Dave Bittner: Yeah. Yeah. All right, well, thank you, Kevin, for writing in. As Joe says, this is an astute observation. We would love to hear from you. If you have something you'd like us to discuss on the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right. Let's dig into our stories here. My story comes from The Washington Post. This is written by Justin Jouvenal and Michael Brice-Saddler. The title of the article is "D.C. Government Auditor Involved in Romance Scheme, Prosecutors Say." Interesting allegations here - a gentleman named Charles Egunjobi, who worked as an auditor with the D.C. government - and he is accused of operating a money-laundering scheme for a romance scam that brought in nearly $2 million from mostly elderly victims. The person who ran the scheme was a different person, who was a government contractor and - wait for it, Joe - a special deputy U.S. marshal. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. 

Joe Carrigan: See; what did I just say about having suspicion and doubt about all the people... 

Dave Bittner: Right, right. 

Joe Carrigan: These aren't elected people, but still... 

Dave Bittner: Yeah. But - so this person would strike up relationships with women online. He would pose as a member of the armed forces and, you know, classic - I mean... 

Joe Carrigan: Yep. 

Dave Bittner: That's as textbook as we have seen here. And these two gentlemen... 

Joe Carrigan: Gentlemen. 

Dave Bittner: ...Do this. The other - the alleged co-conspirator is Isidore Iwuagwu, both local to us in the Maryland area. They talk about one of the cases claiming to be in the U.S. Army. Again, this is all just - it's like they're reading a script, right? 

Joe Carrigan: Right, like they've listened to "Hacking Humans"... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...For the past five years. 

Dave Bittner: Right, exactly. 

Joe Carrigan: Right. 

Dave Bittner: Says he's stationed in a U.S. Army base. There's pictures of them dressed in his military uniform, of course professing his love for this poor woman. She reciprocates. And he says that he's part of a unit that raided a terrorist organization, and they recovered millions of dollars in cash in gold. And he wanted to share this wealth with the love of his life, this woman. But in order to do that, she needed to pay $67,000 to a logistics company to help get the cash in gold shipped back to the U.S. 

Joe Carrigan: Right. 

Dave Bittner: Now... 

Joe Carrigan: Like an advance fee scam. So it's a romance scam mixed with an advance fee scam. 

Dave Bittner: It is. There's some good news here. The woman tried to send the money, but the banks detected it. The banks figured out that it was a scam, and they cancelled the transfer. 

Joe Carrigan: Excellent. 

Dave Bittner: And that's how evidently the jig was up. And they started looking at these two folks. 

Joe Carrigan: Very good. Whoever that bank is, you have my appreciation - wonderful. 

Dave Bittner: Yeah. This article points out again that this person worked for the Justice Department. He provided security at government facilities, which meant that he was authorized to carry a firearm. 

Joe Carrigan: Yikes. 

Dave Bittner: He had the power to arrest people because he'd been deputized as a special deputy U.S. marshal. Now... 

Joe Carrigan: That will probably never be the case again. 

Dave Bittner: Well, you know, look. These are just allegations... 

Joe Carrigan: Right. 

Dave Bittner: ...At this point. 

Joe Carrigan: That's right. If he's convicted, that will probably be the case here. 

Dave Bittner: Yeah, everybody's due their fair time in court. 

Joe Carrigan: Correct. 

Dave Bittner: But my personal opinion is that if it comes to pass that these two folks get convicted of this, I hope they get the book thrown at them because... 

Joe Carrigan: Yeah. 

Dave Bittner: ...This is - to me, this is special - this is especially egregious that someone who was put in a position of... 

Joe Carrigan: Public trust. 

Dave Bittner: ...Law enforcement - public trust - that is the right way to say it... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Has used that or - I don't know - cast that aside... 

Joe Carrigan: Right. 

Dave Bittner: ...And done these scams. So, you know - good that they were caught. Hopefully some of these folks who got scammed out of their money will be made whole. I honestly doubt they'll be made whole, but maybe they'll get some of their money back and... 

Joe Carrigan: How much they get - $2 million? 

Dave Bittner: Nearly $2 million - yeah, yeah. That's a lot of money. All right. So, again, that is from The Washington Post. We will have a link to that in the show notes. That is my story this week. Joe, what do you have for us? 

Joe Carrigan: Well, Dave, we should maybe collaborate a little bit more. I have two stories, but my first story is very similar to yours. It's from David Propper over at the New York Post. 

Dave Bittner: OK. 

Joe Carrigan: And he has a story about a Texas woman named Dominique Golden, who is 31. She's from Houston, and she netted $2.6 million in romance scams. 

Dave Bittner: Wow. First of all, Dominique Golden sounds like... 

Joe Carrigan: Right. 

Dave Bittner: ...The pen name of a romance novel author... 

Joe Carrigan: It does. 

Dave Bittner: ...Or something. Doesn't it? 

Joe Carrigan: It does. 

Dave Bittner: It's a good name (laughter). 

Joe Carrigan: She reeled in 1.26 million in cash, checks and money orders and wire transfers and then used that to buy luxury cars like a 2018 Bentley, a 2017 Mercedes E-Class and then something I've never understood the value of - Rolex watches. 

Dave Bittner: Oh, yeah. Wow. 

Joe Carrigan: She has agreed to forfeit those prized possessions along with 16-inch gold chains, a 24-inch gold chain and three guns... 

Dave Bittner: Oh, wow. 

Joe Carrigan: ...Because she lives in Texas. You ever... 

Dave Bittner: (Laughter) Right. When you cross the state line, you're automatically issued... 

Joe Carrigan: Right. 

Dave Bittner: ...A couple of firearms just because. 

Joe Carrigan: Have you been to a gun store in Texas? 

Dave Bittner: I don't know that I've ever been in a gun store, Joe. 

Joe Carrigan: OK. 

Dave Bittner: I mean, I've been to, like - what's the big place over at Arundel Mills, the big sporting goods store? 

Joe Carrigan: Oh, Dick's - oh, no, not Dick's. 

Dave Bittner: No, no, no. 

Joe Carrigan: That's Bass Pro Shops. 

Dave Bittner: Bass Pro Shops. 

Joe Carrigan: Bass Pro - right. 

Dave Bittner: So I've been to a Bass Pro Shops, where they sell plenty of guns. 

Joe Carrigan: Right. 

Dave Bittner: And I have taken the time to walk by and just sort of check out - but as you can guess, I'm not particularly a gun person. 

Joe Carrigan: Right. 

Dave Bittner: You know, I don't really have a problem with responsible firearm ownership or anything like that. I'm not an anti-gun nut. 

Joe Carrigan: Right. 

Dave Bittner: But, no, I have not had the pleasure of being in a gun store in Texas. I take it you have. 

Joe Carrigan: I have. Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: I have. I went into one because I go to Texas frequently. I have friends down there that I visit. 

Dave Bittner: Yeah. 

Joe Carrigan: And, you know, we are talking about doing some hunting down there because one of my friends has a ranch, and there are pest animals that need controlling. 

Dave Bittner: OK. Yeah. 

Joe Carrigan: So, you know, I wanted to see if I could - I just wanted to see what was available down there. It's an experience, Dave. 

Joe Carrigan: Yeah. 

Joe Carrigan: You should. If you ever - I mean, I don't think it's a dangerous experience. 

Dave Bittner: No. 

Joe Carrigan: But it's definitely... 

Dave Bittner: No. 

Joe Carrigan: ...Something worth doing. Anyway, she was also required to give up $11,000 from her Houston home and money that she had tucked away in the Bentley. Apparently, she just had wads of cash lying around. 

Dave Bittner: Just stuff the glove compartment full of hundred-dollar bills... 

Joe Carrigan: Right. 

Dave Bittner: ...As you do if you have a Bentley. 

Joe Carrigan: So she also opened mailboxes under assumed names, like, at Mail Boxes, Etc. I guess that's gone now. Isn't it just the UPS store? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: So she - it looks like she has been busted. 

Dave Bittner: God. I mean, talk about not flying - laying low or flying under the radar. 

Joe Carrigan: Right - excellent point. That's one of the things I've always - you know, there's that little guy in the back of my head that goes, we could be criminals. All we have to do is not talk about it, not be flashy, right? 

Dave Bittner: (Laughter) Right. Or just do it once. 

Joe Carrigan: Right. Or just do it once. You'll probably get away with it if you do it once. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: These guys do it over and over again. 

Dave Bittner: Yeah. 

Joe Carrigan: The next story comes from Bill Shannon, who is at WTAJ up in Pennsylvania. And he's talking about Pennsylvania State Police who are warning residents about what they call quick-moving scam artists traveling from city to city and scamming just regular people as they go through. 

Dave Bittner: (Laughter). You are unaware of the caliber of disaster indicated by the presence of a pool table in your community. 

(LAUGHTER) 

Dave Bittner: Go on. 

Joe Carrigan: So these guys are running counterfeit jewelry scams. They're doing quick-change schemes at local retail locations. They're snatching cellphones. They're going into gym lockers and taking stuff out of there. They're doing jewelry store distraction thefts. And they're putting skimming devices on ATMs and checkout - self-checkout registers. 

Dave Bittner: Wow. So they've diversified their scam portfolio. 

Joe Carrigan: Yeah. Pennsylvania State Police reminds people to stay vigilant and aware of their surroundings and consider the following recommendations. Number one, use caution if approached by an individual attempting to sell gold jewelry. While it may be stamped 18K, it's likely not real. So I've said before my wife and my son have experience in the jewelry industry. And one of the things that was a bone of contention in our household was that my wife would maintain that you can't stamp any jewelry with a 14-karat stamp or whatever karat unless it actually meets those requirements. And her father and I would look at her and go, sure you can. 

(LAUGHTER) 

Joe Carrigan: It's easy. 

Dave Bittner: Let's go step in the garage. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: I'll make a 14K stamp. 

Dave Bittner: Right. 

Joe Carrigan: And I'll hit a piece of aluminum with it and tell you it's 14-karat gold. 

Dave Bittner: Yeah. 

Joe Carrigan: And there is this idea that this stamp on the gold is somehow a verification of the money or of the value, rather... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Of this gold. The gold - the actual content - gold content in a piece of gold. Pure gold is 24 karats... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? So if it's 12 karat, it's half gold, half other metals. And it has to do with the weight of - I don't know how exactly it's figured out, but that's about how it works. 

Dave Bittner: OK. 

Joe Carrigan: But there's nothing that stops people from just stamping these things. 

Dave Bittner: Sure. 

Joe Carrigan: I've never understood why people put any faith in those stamps at all. 

Dave Bittner: (Laughter). It's like certificates of authenticity. 

Joe Carrigan: Right, yeah. 

Dave Bittner: (Laughter) I got a laser printer. 

Joe Carrigan: Exactly, right? 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: I'll give you a certificate of authenticity for it. 

Dave Bittner: Right. What do you want it to say? 

Joe Carrigan: Right. 

(LAUGHTER) 

Joe Carrigan: So, I mean, I wanted to touch on both these stories. One, it looks like they've busted a bad guy down in Texas... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Who's been scamming men out of money. You know, remember that romance scams are an equal-opportunity scam. 

Dave Bittner: Sure. 

Joe Carrigan: You know, they will go after men. They'll go after women. It doesn't matter to them. As long as you have money, that's all they care about. 

Dave Bittner: Yeah, yeah. Everybody wants to love and be loved. 

Joe Carrigan: Yep. 

Dave Bittner: And that's just - that's the human condition, isn't it? 

Joe Carrigan: It is. 

Dave Bittner: Yeah. 

Joe Carrigan: A big part of it. 

Dave Bittner: Yeah. All right. Well, Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Our Catch of the Day comes from Jon in California, who writes, (reading) hi, Dave and Joe, I thought this was quite fishy, as I absolutely did not apply for this position. And the location of the job gives it away. Love your podcast. Jon. So Dave, I'm not sure - I'm not - I'm, like, probably 95% sure this is a scam. But I could also see this being legitimate, which might be why it's a good Catch of the Day. 

Dave Bittner: Huh. OK. Well, it goes like this. (Reading) Our company is giving back concerning application on a career builder project. Payment - $93,300 to $114,300 a year. Employment location - local. Period - long term. Post role - purchasing coordinator. Position summary - your key duties will include the management of vendor's base and goods purchased from outside sources. You will negotiate agreements which will help to deliver value to our stakeholders, ensuring service, quality and added value, which maximizing the supplier's capabilities. General responsibilities and duties include - secures quotes from qualified vendors of required resources to obtain most favorable price terms and services to meet production plan. Prepare plans and discuss long-term contracts and pricing. Maintain supply chain activity, including controlling supplier selection, inducting, evaluating and tracking vendor price quality and delivery activity. Control logistics to be sure of goods' timely shipment with required documentation. Necessary skills - employment eligibility in the U.S. or permanent resident status. Must be detail-oriented, methodical and well-organized. Ability to do duties in a group. Have an ability to build morale in group commitments to goals and objectives. Must be able to work flexible schedule, overtime, weekends. Ability to work flexible schedule 24/7. Skills on Microsoft Office - Outlook, Excel, Word - and office equipment. Legal DL and driver background as required. To begin the application process, please attach your resume. Notice - only persons with resume will be looked through. 

Joe Carrigan: (Laughter) So actually, now I'm 100% sure it's a scam... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Now that I've gone through this. 

Dave Bittner: Yeah? 

Joe Carrigan: Yeah, this is almost certainly some kind of employment scam. Or if it isn't an employment scam, it's a job you don't want. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, you have to be able to work 24/7. No (laughter). I'm not doing that. 

Dave Bittner: Seems a bit much. Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm not doing that, not for any amount of salary, let alone a - what would be considered a well above the median salary here, although it's listed not as salary or as wages, but as payment, right? The employment role - or employment location - this is what Jon was pointing out - is local. 

Dave Bittner: (Laughter). 

Joe Carrigan: Doesn't say remote. Says local, right? 

Dave Bittner: (Laughter) Right. Local could be anywhere. 

Joe Carrigan: Right. Exactly. These guys just put that in there so people fill in the blanks in their head. That's one of the things these scam artists try to do is get you to fill in your own blanks. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: There is a lot of bad English in this that hopefully nobody ever posting a job would ever put out. But, you know, some business owners, English isn't their first language. Maybe they would put this out. 

Dave Bittner: Right. 

Joe Carrigan: Right? But yes, this is almost certainly a scam. First off, they want you to send a resume to a different address than the address that it came from. That's a red flag. These addresses are Yahoo! addresses and Gmail addresses, not corporate email addresses. That's a red flag. The fact that they want a resume and demand it and say, your application won't be considered without one - that's probably just so they can gather your information. Your resume has a ton of information about you on there. You know, I was... 

Dave Bittner: Yeah. 

Joe Carrigan: Recently, about a year ago, my wife was looking for a new job, and I said, look - just put your name, your cellphone number and your email address on it. They don't need to know your address. They just don't need it. They don't need it until you're filling out your paperwork for working there. 

Dave Bittner: Yeah, it's an interesting point. 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, thanks, Jon, for sending that in. We do appreciate it. Again, we would love to hear from you. You can email us. It's hackinghumans@thecyberwire.com. 

Joe Carrigan: You know what I might do, Dave? 

Dave Bittner: What's that? 

Joe Carrigan: ...Is I might make up a resume that's just like, you know, my greatest achievement - my crowning achievement in my career is my vast collection of office supplies and then send it to these guys. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, they - just make a complete farcical... 

Dave Bittner: Right, right (laughter). 

Dave Bittner: Joe, I recently had the pleasure of speaking with Greg Otto. He is the chief cybercrime reporter for security company Intel 471, and our conversation centers on travel scams. Here's my conversation with Greg Otto. 

Greg Otto: You know, we see the world at least trying to leave the COVID pandemic in their rearview mirror. And because cybercriminals rarely let a societal trend go by without trying to scam their way into, you know, some misbegotten money, we wanted to look to say, hmm, there's - you know, if there's an uptick in travel around the world, we wonder if cybercriminals are following that trend, considering that it's loosely tied to the pandemic. You know, when we saw - when the pandemic started, cybercriminals created fake COVID exposure apps. When vaccines came out, we saw that they latched on to vaccines in terms of trying to push scams that way. So as travel starts to head back to pre-pandemic norms, of course, cybercriminals are not far behind, offering all types of travel scams and going after people's travel data and terms to make more money on the cybercrime underground. 

Dave Bittner: Well, let's dig into some of the specific things you all are tracking here. What grabbed your attention? 

Greg Otto: Off the top, the targeting of travel accounts is something that is top of mind. Multiple actors across cybercrime forums are selling credentials tied to travel-related websites, specifically those that log mileage reward accounts. This was a big thing pre-pandemic where cybercriminals learned that, you know, all these reward miles and frequent flier miles, they have value. Even though they're not something that is necessarily on the level of money, they do have value. And a lot of these travel companies, whether it's the airlines, travel agents, anything in between, you know, you can redeem these miles for free flights. And they have to store them somewhere, so they're stored in the technology that these companies use, and cybercriminals are trying to access these accounts to steal these mileage points and then kind of just cash them out on their own - you know, turn around, sell them, you know, for 10, 20, $0.30 on the dollar on the cybercrime underground. And, you know, any money that they can pull from them, that's great 'cause it's not theirs, and it's all profit. So we've observed actors posting advertisements seeking help in targeting the accounts that have, you know, at least 100,000 miles. And, you know, these respective rewards points can be resold to other actors looking to conduct similar types of travel fraud activity with these mileage points. 

Dave Bittner: Yeah, it's particularly interesting. I think a lot of folks, you know, keep an eye on their bank account and probably have different alerts, you know, to trigger if something unusual happens, but I can imagine a lot of people don't keep as close an eye on their miles. So it seems to me like this could be something where if something did get breached, it might take a little while for someone to even notice. 

Greg Otto: Right. And there is always, on the cybercrime underground, the effort to try to find a victimless crime, I guess. And this one is a little bit different than, you know, having your credit card stolen or, you know, some other PII stolen, where these are just mileage points where, you know, nobody's going to go bankrupt because they lost 100,000 frequent flier miles. However, if that can be traded for value, then why wouldn't cybercriminals try to, you know, gain something out of it? But you're not going to have people that are going to be so upset. If you talk to somebody that flies a lot and they say, well, I'm going to have my frequent flyer miles stolen or I'm going to have my credit card stolen, they're probably not going to be happy with any of that. But if they had to choose, they're probably going to take their frequent flyer miles. 

Greg Otto: The companies that oversee this, of course, they want to guard that. But again, it's not a credit card number or, you know, some type of payment information that is floating out there. So there's a little bit of a sweet spot for cybercriminals and everybody involved in the scheme to say, OK, there is not a lot of monetary loss here, but then again, there is still some value there. So they have found the value and want to steal it for their own right. 

Dave Bittner: Yeah, I could imagine. Also, it's a situation where, you know, it's not like law enforcement is going to be closing down borders to go after folks who are, you know, stealing mileage, right? 

Greg Otto: Right. 

Dave Bittner: Yeah. One of the other things that you all track here are ransomware attacks, which certainly have been in the news. How does that intersect with travel? 

Greg Otto: So I think that intersects with travel because of the possibilities in delays that are going on. I mean, look. We see all the delays. The pandemic is not over yet. And we've seen, you know, across the world that the airline industry has been hit pretty hard with the delays that can come from having their staff recovering from COVID-19 infections. But we've also seen ransomware attacks that have focused on causing delays in the same vein that, you know, COVID cancellations can do. But we have not seen a heightened direct threat to the industry at large over the first few months of the year. But the risk remains because of other attacks that can happen. 

Greg Otto: I go back to August 2021, when LockBit 2.0 breached Accenture. They demanded like a $50 million ransom payment. But, you know, Accenture is a huge international professional services firm. And, of course, they're going to work with companies in all different sectors, including the travel industry. Later in August, LockBit 2.0 breached a regional airline based in Thailand with credentials that are allegedly obtained from the Accenture breach. So, you know, software supply chains are still a really big threat and ransomware groups know this. And the bigger companies that they hit, the long tail of ransomware attacks that we're going to see. I mean, and even as our report was being crafted, we saw an attempted ransomware attack impact the IT systems of a low-cost airline headquartered in India. It forced the company to cancel and delay flights just as if there was a COVID delay. There is not a direct threat to the industry at large. Software supply chains exist. And there really is a long tail. And these ransomware attacks know how to exploit them. 

Dave Bittner: And one of the other things that you all highlight here is the war in Ukraine. I think a lot of people have been surprised, you know, the degree to which that activity, you know, half a world away has bled into a lot of other areas of people's lives around the world. 

Greg Otto: Yeah. The travel scams and the cybercrime being conducted as a result of Russia's invasion on Ukraine, it's not quite in the same category as some of the other things that we've talked about, because a lot of it has to do with, you know, criminals who are using insiders for illegal migration purposes. I mean, a lot of borders are shut down in that area, I think like Moldova, Romania, things like that. 

Greg Otto: A lot of, like, underground travel fraud with regards to Ukraine is happening just to facilitate the movement across borders. I mean, we've seen actors claim that insiders say illegal border crossings for Ukrainian males between 18 to 60 over the Ukrainian-Moldovan border. And then also, you know, with ramifications dealing with the war in Ukraine, we saw Killnet, which I know has gained a lot of attention lately, the pro-Russian activist group conducting attacks against targets in Romania because Romania is supplying support to Ukraine. So we've seen travel-related entities impacted like the Romania-based Air Traffic Service Administration and airports in Bucharest. So as long as the conflict continues in Ukraine, we would expect that any sort of travel or logistics companies or organizations that are helping the Ukrainian effort, that they would run the risk of Killnet trying to affect their operations in some way. 

Dave Bittner: So, based on the information that you all have gathered here, what are your recommendations? How should people best protect themselves? 

Greg Otto: So maintaining awareness of techniques and how these scams perpetuate is really paramount. You know, using technology to identify false identities when booking travel, really being up to date on anti-fraud and anti-phishing filtering can go a long way to preventing actors from taking over high-value accounts, especially those with a large amount of frequent flier miles that we talked about. And then if you're an individual that is looking to travel, you know, refraining from responding to unsolicited vacation offers and being smart about payments and booking directly through reputable service and prevent the likelihood of being scammed. Because, like I said, the travel boom, as people getting back - trying to get back to real life, cybercriminals realize that. And they're not going to try to leave this stone unturned when it comes to pulling people's money away from that and into their own coffers. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: It's interesting that right out of the gate in the beginning of this interview, we hear again that these bad guys watch what's going on and target trends in behavior. Increased travel is no different. We're all getting back to traveling. I've got two trips coming up very soon. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: I'm going to be at the Grace Hopper conference, and I'm going to go down to Texas again, right? Maybe I'll go into another gun store, but probably not. 

(LAUGHTER) 

Dave Bittner: Been there, done that. 

Joe Carrigan: You've been there, done that. Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm going to do something new, I think. So yeah. As we're increasing on - as we're increasing our travel, getting back into the normal travel of things - I saw a news story this morning that - or - yeah, Memorial Day weekend was the biggest travel day in three years. And I was like, well, yeah, because nobody's been traveling for the past two years, right? So it makes sense. Bad guys noticed this, and they're getting back into the travel scam game... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Including going after rewards points. Now, you know, rewards points can be exchanged for things like gift cards. Did you know that? You can - you don't have to spend it on flights. You can spend it on gift cards, magazine subscriptions. There's a ton of stuff that you can put your miles towards. In fact, you know, these things have value, and maybe they're targeted because they may not mean as much to the people that have them, right? And a great example about that is your point about not knowing the balance. I know about how much money I have in my accounts - my bank account. 

Dave Bittner: Right. 

Joe Carrigan: Right? I know how much money is about in my 403(b) and in my other retirement accounts. I know what's there. 

Dave Bittner: Yeah. 

Joe Carrigan: I had to go and look up what my mileage balance was, my miles balance at my affinity program with the airline I use. I had to - I didn't have that in my head. It's not front of mind for me. 

Dave Bittner: Yeah. 

Joe Carrigan: So, you know, if somebody had siphoned off 10,000 of those miles, I would have known. 

Dave Bittner: Right. 

Joe Carrigan: I would have been like, oh, OK. I have that many miles. And it would have been less. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Companies may not care as much about it either - right? - because it's not a credit card number. 

Dave Bittner: Right. 

Joe Carrigan: Maybe the customers don't really care. If you - you know, if you breach credit card numbers, people are going to be upset about that. But if you - if customers lose these miles because of their own operational security shortfalls, then, you know, the company might be like, oh, well. And the company can always just go, well, we'll just give you miles back, you know? 

Dave Bittner: Yeah. Right. 

Joe Carrigan: I mean, I don't know if it costs them anything. It probably is a loss for them. 

Dave Bittner: There's probably some kind of accounting thing they have to do... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Because it does have value. But I mean, to your earlier point, if I lost, I don't know, 5,000 or 10,000 miles, I probably won't even notice... 

Joe Carrigan: Right. 

Dave Bittner: ...You know? 

Joe Carrigan: The story about the small airline getting hit because Accenture was breached is kind of troubling to me. You know, this is something that I don't think that a lot of people in the security industry think about, is the exposure because of vendors and customers. You know, if you have customers and vendors who have access to your systems and they get breached, then you need to update your - those access tokens, whatever those are, because this case here - these guys just - when they - when they exfiltrated that data from Accenture, they said, oh, look. Here's some login credentials for a small airline. I'm just going to walk in there and put ransomware on their computers and demand money from them. 

Dave Bittner: Right. 

Joe Carrigan: That was a no-brainer for these bad guys. But, you know, I don't know what to say about this, aside from just, you know, every single one of these companies that you do business with, you should have an agreement with them that they have to notify you when they have a breach. 

Dave Bittner: Yeah. 

Joe Carrigan: They have to send you a letter or something. They have to call you, do something. So now you go, OK, so you've been breached, so we're changing the credentials. 

Dave Bittner: Yeah. I mean, it's the classic third-party risk kind of thing. 

Joe Carrigan: Yeah. 

Dave Bittner: And I think one of the challenges is, how do you - how far back do you go? You know, you've got your suppliers. They've got their suppliers. They've got their suppliers. It's a spiderweb. 

Joe Carrigan: I think it's safe - if you go - well, actually, that's a good question 'cause let's say that you give your information to company A, and then company A gives that same information to company B and company B gets breached. 

Dave Bittner: Yeah. 

Joe Carrigan: And now some - and say that's login credentials. They shouldn't be sharing the login credentials. But let's say they just included them with something they shouldn't have... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And it gets - I mean, yeah. That's an excellent question. 

Dave Bittner: I think a lot of it is ask - making sure you ask the suppliers those questions. You know, what are you sharing - I'm sharing this with you. Who are you sharing this with?... 

Joe Carrigan: Right. 

Dave Bittner: ...That sort of thing. Just make sure. And then... 

Joe Carrigan: And you can absolutely stop this dead in the tracks by requiring multifactor authentication with a hardware token. 

Dave Bittner: Yep. 

Joe Carrigan: And then nobody gets in. 

Dave Bittner: Yeah. 

Joe Carrigan: You say, if you're going to access our systems, you need to use some hardware token to get in. 

Dave Bittner: Yeah. Absolutely. 

Joe Carrigan: Finally, the protection - the best protection against this is awareness. And I like what Greg says here. He says awareness is paramount - paramount - to this. So you need to - you need to be aware of all these things these bad guys can do, and just keep an eye on it. And one of the greatest ways you can continue to increase your awareness is by listening to shows like "Hacking Humans." 

(LAUGHTER) 

Joe Carrigan: So keep listening. 

Dave Bittner: You're preaching to the choir, Joe. 

Joe Carrigan: That's right. I am preaching to the choir. But I'm telling everybody, don't stop listening, or bad things will happen. 

Dave Bittner: And tell your friends (laughter). 

Joe Carrigan: Tell your friends. That's right. 

Dave Bittner: Right - your loved ones. 

Joe Carrigan: See, I go for threatening our listeners and say... 

Dave Bittner: Yes. 

Joe Carrigan: ...Don't stop listening, or bad things will happen. 

Dave Bittner: Your co-workers. Yes. Your neighbors. Just shout it from the rooftops. 

Joe Carrigan: Right. 

Dave Bittner: Yes. Absolutely. 

Dave Bittner: All right. Well, our thanks to Greg Otto from Intel 471 for taking the time with us. We do appreciate it. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.