Hacking Humans 9.15.22
Ep 212 | 9.15.22

Is inflation affecting the Dark Web?

Transcript

Dov Lerner: If a lot of, let's say, tech companies or generally people are unemployed - right? - if tech companies have layoffs, what might end up happening is that people will have to turn to crime in order to make money.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Dov Lerner, the security research lead at Cybersixgill - we're discussing dark web market dynamics, particularly how things have been affected by inflation. 

Dave Bittner: All right, Joe. Before we dig into our stories this week, we've got a bit of follow-up here. Why don't you start things off for us? 

Joe Carrigan: We do, indeed. Just a reminder that if you're listening to this show the day it comes out, that next week I will be at the Grace Hopper conference. So I invite you to come by the JHU booth and introduce yourself. Of course, that's just an invitation. You can totally ignore this if you like, as most people do with my invitations, Dave. 

Dave Bittner: All right, fair enough. 

Joe Carrigan: But we also have a letter from a listener, and the listener writes, Hi, Dave and Joe, I have a story for you about my 97-year-old grandmother. She was tricked by scammers the other day - very sad. I would agree. You know, these guys don't care who they go after, and they don't have a problem going after a 97-year-old woman. But the story continues. She lives on her own in Stockholm, Sweden, and is pretty much the least technical person that you have ever met. The last piece of technology she purchased was a microwave oven in the '90s. OK, so that's pretty nontechnical, Dave. So the... 

Dave Bittner: (Laughter) It's still flashing, 12, 12, 12, 12. 

(LAUGHTER) 

Joe Carrigan: So the use of bank cards is an uncomfortable concept for her. Living in Sweden, you must have a debit card, as cash is increasingly not accepted. Now, that's interesting. I don't know how that would fly in the United States, but in Sweden, apparently, it's very accepted, and you have to have a debit card. So the other night, a man, a smooth voice, calls her claiming to be from the bank card central - there are no such organizations - saying that someone had withdrawn a value equivalent to about $60 from her account, and he has been tasked to help her reimburse that same amount. They spoke for 45 minutes, and he not only manages to make her reveal her PIN code - he also convinces her that a colleague will need to drop by to take photos of her jewelry collection. A lady then rings the door and is led into the apartment. My grandmother shows her where her jewelry is kept and allows the lady to take photos. The man is still on the phone and diverts my grandmother while the lady disappears with both jewelry and bank card. 

Joe Carrigan: She immediately realizes that she has been robbed and calls my mother for help, who in turn calls me. Forty-five minutes after they left her apartment, I block the bank card, but it's too late. They've already managed to withdraw a maximum amount of 1,500 USD in total from four separate ATMs. It's tragic. She is completely devastated and feels stupid for falling for their scam, especially after hearing from her friends the same day that they had tried the scam on other elderly people in the community and failed. Thanks for a good podcast. All the best, Pelle - or Pele (ph). I don't know how that's pronounced. I'm sorry. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Yeah, this is terrible. I've heard stories of other people who have lost jewelry. And the thing about losing jewelry is when you spend time acquiring jewelry, your plan is, I'm going to pass this down to my children and my grandchildren, right? And this is just heartbreaking. I've heard stories about this from friends of mine who've had similar situations - not from an unknown scammer, but from somebody inside, you know, like, almost like an inside operator. And it's heartbreaking to me because I think of all the times I've seen people going, this was my grandmother's ring. Well, now this lady doesn't get the chance to have her grandchildren say that. 

Dave Bittner: Right. Right. 

Joe Carrigan: And I don't know. This - family is kind of important to me, and, you know, being able to remember family is very important to me. And this is heartbreaking. I find this very, very sad indeed. So I'm sorry this happened. 

Dave Bittner: Yeah. 

Joe Carrigan: Keep an eye out for it. The hard thing about this is that, you know, this lady is 97 years old, and you think about the time that she grew up in. There was no such thing as an ATM when she was a kid or even when she was an adult for most of her adult life. ATM started in the '80s, right? 

Dave Bittner: Yeah. 

Joe Carrigan: That was only 40 years ago. So for - she's 97, so for the vast - or for the majority of her life, there were no ATMs. 

Dave Bittner: Right, right. The thing I think about with this in terms of being able to forewarn your friends and relatives and loved ones is, you know, what if - the thing - letting a stranger into your house... 

Joe Carrigan: Yes. 

Dave Bittner: ...Right? 

Joe Carrigan: Bad idea. 

Dave Bittner: Obviously a big red flag, a bad idea. But I would say remind your loved ones that before they let a stranger in their house to have someone else with them - you know, a neighbor, a friend, a loved - preferably a child. Now, if - I don't know how far away this woman was from her daughter, from her grandson or whatever, but... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Even having more than one person to be able to, first of all, run it by them, right? Because that would probably have nipped this in the bud. 

Joe Carrigan: Right. 

Dave Bittner: But also to have another person with you - just never - just thinking particularly of an elderly woman, I mean, it could have been a lot worse, and we're happy it wasn't. 

Joe Carrigan: Right. Right. 

Dave Bittner: But, you know, it's another thing you could do to try to slow things down. And it could also put the scammers off. If you say, oh, well, you know, yes, you can come over, but I'm going to invite my son to meet you at the door, you know, they may think twice about, oh, you know, I'm going to have to deal with someone else. 

Joe Carrigan: Right. 

Dave Bittner: Who knows? But that's one thing that might help. 

Joe Carrigan: Yeah. Yeah. I mean, this guy on the phone got her into a rhythm and quickly got her under his control using... 

Dave Bittner: Yeah. 

Joe Carrigan: ...These techniques that we talk about from time to time - immediately scaring her with a $60 loss and trying to - and I'm here to help. It's what I call the social engineering one-two punch. You've got a problem. I'm going to help you solve it. And it's remarkably effective. And, in fact, it's a marketing technique. When I talk about this in my talks, I say it's a legitimate marketing technique. You think back to Steve Jobs when he said, you have all this music that you can't take with you anywhere. I have an iPod. 

Dave Bittner: Right, right (laughter). 

Joe Carrigan: And everybody went, oh, I'll take the iPod, Steve. 

Dave Bittner: (Laughter) Right. Shut up and take my money. 

Joe Carrigan: Right, exactly. This is the exact same psychological trick as marketing - that marketer's use. And it's effective... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And it works really well. Which is why this guy - your grandmother is not stupid, you know. And I understand exactly why she feels that way. Whenever we get scammed about - on anything, we always feel, I should have seen that coming. But, you know, it's - you're not in the right frame of mind to think - to defend yourself in these cases. 

Dave Bittner: Yeah. 

Joe Carrigan: This is why we say, slow down, stop, talk to somebody. 

Dave Bittner: Yeah. All right. Well, thank you for sending in that story. Of course, we would love to hear from all of you. You can email us. It's hackinghumans@thecyberwire.com. All right, Joe, let's dig into our stories this week. Why don't you start things off for us? 

Joe Carrigan: I will. This one comes to us from a listener named Kyle, who sent this to us. And it is a blog post from Jeffrey Appel. And I have to get down into the weeds a little bit. I know that we try not to be a technical podcast, but I do have to - I'll explain a little bit, and I'll try to explain this as best I can in layman's terms. But there is an issue with the web, and - in that the web is what we call stateless. Now, what does that mean? That means when you make a request to a web server, it opens up a communication channel, and the web server will accept a communication from just about anybody. And then once you have received everything from the web server, that channel shuts down, generally speaking. Now, there are other things that you can keep on the backend that actually establish client-server connections, but the web part of it, the http, or ht - yeah, http, that's what it is - that part is over and done with. 

Joe Carrigan: So if you think about other ways of logging into things, like if you think about when you - back in - very long time ago when we would have terminals that would connect to other computers like - are very much like SSH, or even Telnet, those were not stateless. You would open a connection and you'd stay on that connection during your entire interaction with the server. So you would have what's called a session, where you would authenticate. And you would - when you were done, you'd close the connection, and then the session would be over. But the web can't do that because every single connection to a webpage has to be a new connection. So they have to have something that maintains the session at a higher level on what's called the OSI model. And if you look up the OSI model, you can see there's the different layers of connectivity. And I - like, I'm trying to do this without getting technical, so... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...It's kind of difficult, but - so in other words, the party responsible for maintaining the session is not the, you know, the layer of the network. It's actually the web browser that maintains the connection, along with a web server, based on an agreed upon set of data that are stored in these cookies. So this is why cookies exist on a web server. Now, cookies have been terribly abused by tech companies to, essentially, track us and build models of us. But that's just a story for another day. But the - if you have the cookies, you have the session. So that brings me to this blog post from Jeffrey Appel. The title of the blog post is "Protect Against AiTM MFA Phishing Attacks Using Microsoft Technology." So it's talking about a new set of phishing attacks. And this AiTM is what they call attacker in the middle. And it is being used to bypass multifactor authentication. 

Joe Carrigan: Now, in the past, I have talked about multifactor authentication, and basically there are three different layers of it or three different types of it in levels. There is the one-time password that gets sent to you via an SMS message. Then there's a one-time password that is time-based, time-derived. That is, you agree upon a seed, and based on what time it is, you'll have a different number. You've all seen these. We've all seen these. Either these are the applications on your phone like Google Authenticator or Microsoft Authenticator. Or they're also the little keys that you have that you take with you, like from HID or from RSA, the little tokens that come up with random numbers every now and then. 

Dave Bittner: Right. 

Joe Carrigan: They're actually pseudo-random numbers. But both of those are being attacked in this phishing methodology. So what these guys do - there are these three kits that Jeffrey is talking about here, three phishing kits that are specifically crafted to work as proxies to - when you receive the phishing email, the only clue that you have that you're on a phishing email or a phishing website is the URL. Everything else looks exactly the same because the proxy is sitting in the middle acting like a, essentially, a proxy web server for you. In other words, it goes out to whatever site you're being phished for and collects the webpage and then passes it back to you as a served-out page. And it doesn't have to do anything. 

Joe Carrigan: And these are very common and very old technologies that are out there. They're just being used maliciously now. So when you log in, it goes back to whatever service it is that you're logging into and gets - logs in for you, gets the session cookies and then once you - you can actually continue to operate using this proxy. But at any point in time, these guys can take those session cookies and be off on their way, right? And they can do whatever they want. It's - so they have control of your session. Now, let me ask you a question, Dave. When you log into Gmail, how long is your session good for? 

Dave Bittner: The end of time (laughter). 

Joe Carrigan: Right. OK. (Laughter) The end of time - that's right. That's what I'm thinking about this. I have very few websites that when I go to they time out. Basically, all my financial websites will eventually time out. But, like, my Gmail account... 

Dave Bittner: Right. 

Joe Carrigan: ...It doesn't time out. My Microsoft - you know, my Microsoft login for my personal stuff - that almost never times out. I mean, it's amazing how long these things last. So if these guys can get into, like, your enterprise domain or whatever and they can steal your session, they have a session for as long as you do. It's just - it's absolutely terrifying how this works. Now, there are a few ways to defend against this. And I want to talk about the list that Jeffrey puts in here. One is a phish-resistant multifactor authentication solution, and he mentions like a FIDO solution, which is what we talk about frequently and recommend because it's easy for the user. And the other one is a certificate-based authentication, which is also a very good means of protecting against this kind of attack. Although, yeah, I don't think a phish - a certificate can be used in an attack or in the middle attack. I'll have to double check that. But I think it works pretty much, like, the same way as a FIDO - the FIDO - in fact, FIDO is essentially certificate authentication, certificate-based authentication. 

Dave Bittner: OK. 

Joe Carrigan: But then the other things he lists here are conditional access - right? - which - where the user's coming from. Maybe the user can't access from some proxy server. Proxies are actually pretty easy to detect on the web side, on the server side. There are methods that they can use for doing that so you can't access from a proxy. So if you're using a Microsoft 365 or a Microsoft Active Directory, he recommends monitoring and protecting it with Microsoft 365 Defender and Active Directory Identity Protection and then building in alerting rules. But here's what I want to talk about. Only one of these defenses is user-level, meaning that the user is depending upon the service provider to be secure. And here's a question for you, Dave. How do - how good does that usually work out for people? 

Dave Bittner: (Laughter) I would say it's a toss-up maybe. 

Joe Carrigan: Right. It's a toss-up, and still you're dependent upon them allowing you to use a FIDO key or certificate-based authentication. If they don't offer that ability, if they don't write that - they don't integrate into the web server, you're still - there's not much you can do as an individual user to protect yourself against these kind of attacks. So we'll put a link to this in the show notes. This article does get pretty far down in the weeds, a lot deeper than I went down. So, you know, it may be useful to our listeners to read it. It may not be. 

Joe Carrigan: But the bottom line here is you need to practice your best security hygiene, particularly when it comes to phishing attacks because there are ways around most of these - many of the multifactor authentication - anything that gives you a number, there's a way to get that out of you. And this is one of those ways. So be mindful of it. Try not to click on the phishing links that say, hey, you need to log in. You know, if you're already logged in through your Gmail and you get another login that says - or another email that says you need to log in to your Gmail again, and you click on it, and you - I should be logged into this, let that be a red flag. Think about it. Be aware of this being out there. And just - that's really your best defense is awareness here. 

Dave Bittner: What about a hardware key? I mean, is - does that circumvent all of this... 

Joe Carrigan: Yeah. Yeah. That's the... 

Dave Bittner: ...If I'm using a YubiKey or something like that? 

Joe Carrigan: Yeah. YubiKey is - I'm sorry. YubiKey is a FIDO Alliance product. So that's - it's essentially certificate-based authentication. So yes, that will protect you. That's the one thing that you can use. But, like I said, you - the service provider has to implement that on their end as well. And if they haven't implemented that, you can buy all the YubiKeys you want and plug them in... 

Dave Bittner: Right. 

Joe Carrigan: ...And they go, oh, we don't know what that is. So, yeah, they have to implement it. 

Dave Bittner: So maybe let that be a part of your decision-making of who you want to... 

Joe Carrigan: Yes. Indeed. 

Dave Bittner: ...Work with, that they make those things available. 

Joe Carrigan: And don't reuse passwords. Yeah, don't reuse passwords because if that password does get compromised during the process - so remember, this is a proxy, which means they have access to everything that's in your stream. So when you send your username and password, they're probably harvesting that as well because the certificate you're - they're using is their certificate. They decode that information in order to send it on to the service provider. So they get that. So don't reuse passwords on these sites, either. That's another defense. 

Dave Bittner: Yeah. All right. Well, we will have a link to that blog post in the show notes. My story this week actually is a YouTube video. 

Joe Carrigan: Oh. 

Dave Bittner: Dr. Jessica Barker, who is CEO of Cygenta - I'm pretty sure we've had her as a guest on our show. 

Joe Carrigan: I think we have. 

Dave Bittner: I know I've - yeah, I know I've spoken to her on CyberWire. I've had the pleasure of meeting her in person at RSA and had several interactions with her. She is - really knows her stuff, and she recently posted a YouTube video highlighting some of the scams that are coming at people on the WhatsApp app and how to avoid them. So WhatsApp is one of the most popular mobile messaging apps in the world. They say that they have over 2 billion active users. Seems like a lot. 

Joe Carrigan: Yeah. 

Dave Bittner: But - so of course that attracts criminals. 

Joe Carrigan: Sure it does. 

Dave Bittner: And so in this video, Dr. Barker goes through some of the prime ones that she and her colleagues at Cygenta have been tracking. The first one is cybercriminals who are impersonating loved ones. And they call these mum-and-dad scams. Just as an aside, Dr. Jessica is British, so that's... 

Joe Carrigan: Ah. 

Dave Bittner: ...Where they say mum instead of mom like a normal person. 

Joe Carrigan: Right, yes... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...The correct pronunciation of... 

Dave Bittner: Right. 

Joe Carrigan: ...Mom. 

Dave Bittner: Don't get me started on aluminum. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: So this is where... 

Joe Carrigan: Extra syllables and whatnot. 

Dave Bittner: (Laughter) Yeah. This is - we should go easy on them. They just lost their... 

Joe Carrigan: Yes. 

Dave Bittner: ...Queen, so - yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: So this is a form of impersonation fraud where a cybercriminal pretends to be a loved one in order to trick the relative into having them send money. So... 

Joe Carrigan: Oh. 

Dave Bittner: ...They'll contact a WhatsApp user, say that they've lost their phone or they got a new number, and then they'll convince them that they're in some kind of need - some kind of immediate financial need - and they'll ask for cash. And of course, it's all a scam. 

Joe Carrigan: Right. This is... 

Dave Bittner: One... 

Joe Carrigan: ...Very similar to the phone calls that come in. You know... 

Dave Bittner: Right. 

Joe Carrigan: ...Like the grandparent phone calls. 

Dave Bittner: Yeah. 

Joe Carrigan: It's the same scam, just on a different platform. 

Dave Bittner: Yeah. Another one - not completely unrelated to what you were talking about - is a two-factor authentication scam. This is where they will trigger someone to get a - an authentication code. So someone will try to log into - let's say if I were trying to scam you, Joe, I would try to log into your account, which would trigger an authentication code. Then I would message you and say, hey, that code was sent to the wrong person by mistake. Just send it on to me, and all will be good (laughter). 

Joe Carrigan: Right... 

Dave Bittner: And so... 

Joe Carrigan: ...Never... 

Dave Bittner: ...Then... 

Joe Carrigan: ...Never... 

Dave Bittner: ...You send the... 

Joe Carrigan: ...Never do that. 

Dave Bittner: ...Code, I log in using the code, and now I have your account. 

Joe Carrigan: Right. Yeah, never send those... 

Dave Bittner: Another one... 

Joe Carrigan: ...Codes on to somebody else. It's - just don't do that. It's... 

Dave Bittner: Yeah. 

Joe Carrigan: If somebody asks you for a code that you received via SMS, you just go, nope. That - just - you need to go in, reconfigure it, and set it up right. And that should be your answer. 

Dave Bittner: Yeah. And then another one that she covers is they refer to as fake links and the fear of missing out - good old FOMO. 

Joe Carrigan: FOMO. 

Dave Bittner: And this is where they will send you some links and say that you could win a prize or get a special offer from a well-known brand. Sometimes they will play on fears. You know, they did this with COVID-19, where... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...They'll send you a message that says you've been exposed to one of the variants. Sometimes they'll, again, play on that fear of missing out, where they'll say that, oh, there's a special version of WhatsApp that you can download. This is only going out to a few special, elite people who get to test it out first. And of course, there is no special version of the app. They're just trying to get you to click through to get... 

Joe Carrigan: Right. 

Dave Bittner: ...Your logon credentials and steal your account. 

Joe Carrigan: Or possibly have you install a malicious version of the app. 

Dave Bittner: Absolutely. So I think the usual sorts of advice here that we always talk about - of course, two-factor authentication is important. Don't share those verification codes, as you mentioned. 

Joe Carrigan: Right. 

Dave Bittner: And double-check. If someone claims to be a loved one, try to verify it in another way. Give them an old-fashioned phone call and try to connect with them outside of the app with which they are trying to get the request for the money. 

Joe Carrigan: Right. So when you get this, they're going to say, well, I can't talk to you 'cause I've lost my phone. Call the number anyway and see if your loved one answers. Because if your loved one answers, then they haven't lost their phone. 

Dave Bittner: It's a good point. 

Joe Carrigan: Yeah. 

Dave Bittner: It's a good point. Yeah. And you can say, well, maybe I'll - you know, maybe I'll help find your phone by calling it... 

Joe Carrigan: Right. 

Dave Bittner: ...Maybe someone found it. 

Joe Carrigan: I'm going to call it right now and... 

Dave Bittner: It'll make a noise. 

Joe Carrigan: ...See if anybody's picked it up. 

Dave Bittner: Yeah. 

Joe Carrigan: See if it... 

Dave Bittner: Yeah. 

Joe Carrigan: 'Cause, you know, I can't tell you - I've found a number of phones. And usually I pick them up, and I just stand around or, you know, do what I'm doing - go about what I'm doing. And that phone rings - right? - 'cause that's the first thing you do when you lose your phone. And... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...I answer it, and I go, hello, I found your phone. And they go, oh, good. And I say, where would you like me to take it? And, you know... 

Dave Bittner: That's right. That's right. 

Joe Carrigan: ...That's how it goes. 

Dave Bittner: Yeah. I've heard folks also say that if you find an iOS device, you can use the woman who lives inside the device whose name I'm not going to mention so as... 

Joe Carrigan: Right. Yeah, don't say that. 

Dave Bittner: ...To not trigger every device within listening distance of me - but if you summon the little woman who lives inside the device and say, call mom, if you have - if mom's listed in your contacts, it will call mom without having to unlock the phone. And so you can try to connect with the person that way. 

Joe Carrigan: Yeah. That's a good idea. 

Dave Bittner: All right. Well, we will have a link to Dr. Jessica Barker's YouTube video here. Again, she is the CEO of Cygenta. Definitely worth a look there. And also worth sharing around to your friends and family. It's a good, concise guide and one of those things - doesn't take a lot of time, but you can get a lot out of it. So we'll have that in the show notes. 

Joe Carrigan: I think that's a great idea. Put this on your social media pages. Go, hey, look at what Dr. Jessica Barker says. Spread this word. 

Dave Bittner: Yeah. 

Joe Carrigan: And when people make - when people like Dr. Barker make videos, when Rachel Tobac makes a video and you see that, share it. Share with people because usually they're good videos, and they convey everything in a great - like you said, concise and abbreviated form. Just - it's like training, Dave. It's training for the masses. 

Dave Bittner: (Laughter) But it's fun. 

Joe Carrigan: Right. And it's fun, which training should be. Training should be fun. 

Dave Bittner: Right. Right. All right, Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Our Catch of the Day comes from Vlad, who writes, I have spotted an interesting email in my spam folder - interesting as the corrupt bank officials allegedly tried to divert payment to me in my personal account. These scammers don't make any sense. I wonder if anyone falls for this. Well, I'm telling you, Vlad, they do fall for this. Keep up the good work. I enjoy your podcast. Dave, this is a message from the European Investment Bank who apparently maintains an email at gmail.com. 

Dave Bittner: As you do. Sure. 

Joe Carrigan: Right. Right. 

Dave Bittner: All right. It goes like this. 

Dave Bittner: (Reading) Attention to fund beneficiary. We have been authorized by the European Investment Bank from London and the IMF to investigate the reason for the unnecessary delay of funds authorized by law. During our investigation, we discovered that your payment was delayed by corrupt bank officials who tried to divert your funds to your personal accounts. To prevent this dubious act, we have agreed with the European Investment Bank in London and the International Monetary Fund. We are able to manage and monitor this payment. Avoid desperate situations with banks and other authorities and criminal cases. We have received an irrevocable payment guarantee for your MFI payment. We hereby inform you that the European Investment Bank has decided to reimburse you in the amount of U.S. dollars $1 million and transfer it to your bank account by bank transfer via - please contact the corresponding bank secretary, Mr. Claude Yovel Jeanne (ph) via the email below. Be sure to contact the above bank without delay for the final release and transfer of your funds. The European Investment Bank must transfer its funds to your bank account without delay. I anticipate your urgent reply. 

Joe Carrigan: So there is a number of great things about this email. First, the English is a little bit odd, right? But, you know, if you're sending this to somebody in Europe and English is not their first language, maybe that gets by you. 

Dave Bittner: Sure. 

Joe Carrigan: A couple of things here. Like I said, the email's coming from a Gmail address and it says European Investment Bank and then parenthetically with the Gmail address. And then the guy they want you to email - this Claude Jeanne - he has a Yahoo address. He doesn't have an IMF or European Investment Bank - is there such a thing as the European Investment Bank? 

Dave Bittner: Who knows? 

Joe Carrigan: I don't know. But there is something called the IMF, the International Monetary Fund. They, as far as I know, they don't do, like, individual banking stuff. They're like national lending, I think, like lending to countries. Isn't that right? 

Dave Bittner: Yeah. 

Joe Carrigan: They're not interested in your individual transactions. That's not what they do. But no, you know, they throw around words like International Monetary Fund. Hey, I've heard of that. I didn't know these guys were looking out for me. That's what this is for. So Vlad's original question, does this work on people? It does. It works on people. And it's actually designed to be a little far-fetched so that the people that do respond to this are the people exactly that it will work on. 

Dave Bittner: Yeah. 

Joe Carrigan: So - but this is a good catch. I like this one. It's got a lot of things that make me chuckle. But of course, with most of these, as with most of these things, it's somebody trying to scam you out of - this is just an advance fee scam. So you're going to say, I got a million dollars coming to me. And they're like, oh, yes, you need to pay 600 bucks to get that million dollars released to you. And then after - if you pay the 600 bucks, all it is is more demands for money until you don't have any money or realize it's a scam. 

Dave Bittner: Right. Right. All right. Well, our thanks to Vlad for sending that in to us. Again, we would love to hear from you. You can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Dov Lerner. He is the security research lead at Cybersixgill. And our conversation centers on the dark web, some of the dynamics there and how they're dealing with inflation. Here's my conversation with Dov Lerner. 

Dov Lerner: So the dark web is a huge economy, right? No one can really know the full size and scope of it. But there's a tremendous amount of transactions that take place over the dark web, money that goes back and forth. The reason that we can't see it is because while actors write on forums they're buying something, selling something, markets sell things as well. A lot of these transactions happen over direct messages. So I think any research of the dark web needs to be humble and honest and know that there's way more happening than any person could have visibility into. 

Dov Lerner: Having said that, the market dynamics of the dark web - two things I can say are that while the transactions on the dark web are, let's say, consummated in cryptocurrency, meaning when actors are buying or selling, they're going to be paying in cryptocurrency - generally Bitcoin, but also Ethereum we see a lot. Prices are listed in dollars. And that's important because when a price is listed in dollars, that means that it's resilient to the volatility of cryptocurrency. And I think that was there by design because this isn't the first time that crypto has crashed. It's also gone way up, right? So Bitcoin and other cryptocurrencies are not good for being the listed price of things - right? - because that makes them change value. So if someone's selling malware, someone selling access to a system, if someone's selling narcotics or weapons, the prices are listed in dollars. And that makes the dark web much more resilient to inflation or, let's say, fluctuations in cryptocurrency prices. 

Dave Bittner: And is that something where the buyers and sellers learned that lesson, or has it been set in dollars from the outset? 

Dov Lerner: It's been set in dollars from the outset. As long as I can look back, items are listed in dollars. 

Dave Bittner: I see. 

Dov Lerner: So - or sometimes in euros, sometimes in pounds, right? But they're listed in fiat. Very, very, very infrequently will we see something listed in Bitcoin. 

Dave Bittner: And what is your sense in terms of what sets the prices? What sort of things do the sellers use to come to their terms? 

Dov Lerner: The dark web is a huge, unregulated market, and so it's really being set by supply and demand. That's what's setting the prices. So if something is very difficult to achieve - for example, access to a company - right? - initial access brokers are charging thousands of dollars for access. But if something is much easier to achieve - let's say shell access to a domain - you can buy that for $10. So actually, that's one of the ways that we can tell how prevalent a particular crime is based on the pricing, right? If it's, again, something that's very, very low-supply, high-demand, then the price is going to be high. And if we see the price of something is very low, then we're considering that to be something that's all over the place, you know, you can find in high supply but low demand. 

Dov Lerner: So actually, one example of this is compromised credit cards. Every year we've seen the number of compromised credit cards in the dark web for the last three years going down tremendously. Several years ago, we had 150 million cards a year, and then it went down in 2020 to about 110 million. And then last year it was, I believe, something along the lines of 50 million, and now it's projected to be lower. So the number of compromised credit cards is going down. However, we look at the price of a compromised credit card, and that's also going down. A year ago, it was $16 for a card, and this year it's averaging on $13 a card. 

Dov Lerner: So if we see the supply going down and the price going down, then we can make a conclusion that the demand is also going down. And my guess for why the demand for a compromised credit card is going down is because they're less and less usable, that the credit card issuers are becoming better at detecting fraud and stopping fraud. And therefore, the chances that someone will buy a compromised credit card and be able to extract value - money - from it are lower. So based on those data points of the number of cards and the price of the card, we can actually make a really cool conclusion about the demand. 

Dave Bittner: Are there any types of items that are in high demand right now, where you see prices going up? 

Dov Lerner: So we looked, actually, I mean, in terms of inflation, right? We look to see if prices are going up because of inflation, and we weren't able to find anything. I looked - just to see, you know, I looked for compromised credit cards. And as I said, the prices are continuing to go down. I looked for a gram of cocaine, and I found that since January, the median price of one gram of cocaine has remained around $70 to $80. So that's fairly consistent. There's no indication that there is inflation. I would say because this is a black market and sellers are selling things at very high margin, then it's less affected by inflation, right? Things affected by inflation are generally low-margin items, right? So a gallon of gas, a gallon of milk - those are things that are very sensitive to inflation. But when an actor is making 500% profit on something - so if they make 450% profit, that's still very good, right? They can accept the blow. So they don't necessarily need to raise prices. So things like malware for sale or shell access for sale - all sorts of things we haven't really seen any effect of inflation. 

Dave Bittner: What if, you know, for example, we head into some kind of economic downturn? Do you expect that that will hit the dark web as well? Will it be a lagging indicator? 

Dov Lerner: So that's a great question. I mean, on one hand, you would say if there's less money going around, then people would have less money to spend on buying and selling items, right? So there's less capital to spend on malware or things like that, right? So that's one angle to look at it. But the opposite angle, I think, is also very important, where if a lot of, let's say, tech companies or generally people are unemployed and an array of tech companies have layoffs, what may end up happening is that people will have to turn to crime in order to make money. It's interesting to think that maybe if - again, if there's higher unemployment - if we see rises in layoffs and things like that, then we might see an uptick in cybercrime. Another thing to keep in mind is that crime in general, scams in general - whether it's cybercrime or the old, you know, call someone - scam over the phone - play very much on hope and fear. This is how scams work in social engineering. And so if there's a time with heightened hope and fear, then a lot of - more people might fall victim to cybercrime. 

Dov Lerner: The parallel that we have is during the crash - the market crash of March, April 2020, right? So when COVID just hit, and we had the lockdowns and this new disease and pandemic and everything, we saw a tremendous uptick in cybercrime. And not only did we see an uptick in cybercrime, we actually saw that there were - I believe the number is 44% - more actors on underground forums from January 2020 to March, April - right? - meaning there were more people on the dark web who were active. And we saw upticks in cybercrime and everything, from compromised RDP to money laundering services - everything that would indicate that cybercrime is spiking. We haven't seen that yet. Maybe we're going to see it, or maybe we're not, right? Right now, the economy is down but not in total free-fall mode. Hopefully we won't get there. But if it does, then maybe that's what will happen. Again, it's hard to tell what a recession will do to the dark web. We haven't really seen a true recession during the time that the dark web has existed, right? I mean, in 2008, the dark web was really just in its infancy. It's nothing like what it is now. So it's really hard to tell. 

Dave Bittner: To what degree does law enforcement loom over the dark web, you know, if at all? 

Dov Lerner: So law enforcement is definitely watching what's going on. A lot of the issues are that these markets and these actors are so - there are just so many of them that law enforcement can't go after everyone. So while we saw that - for example, the federal government - the U.S. federal government went after some of the larger ransomware groups, and those are the groups that are stealing tens of millions of dollars from companies - hundreds of millions of dollars. So that will get the attention of the federal government. But the typical dark web actor is not stealing tens of millions of dollars. They're stealing, maybe, hundreds of thousands in their small scams and - you know, whether it's phishing or smaller-scale ransomware or malware deployment - things like that. 

Dov Lerner: And so law enforcement doesn't have the capacity to shut down every single dark web actor, right? These are actors who are acting anonymously, not in the U.S., generally. So just because law enforcement sees what's going on doesn't mean that they have the capacity to shut down all cybercrime. Obviously, these forums and markets are being hosted on bulletproof servers, and we've seen several examples in the last few months where a forum gets kicked off of a host, and everyone thinks that, OK, great, the forum is gone, and then it pops up a few days later somewhere else. So it's very difficult. It's a game of whack-a-mole. 

Dave Bittner: You know, for your average person out there who's just trying to maintain their safety and security online, to what degree should they worry about the goings on on the dark web? 

Dov Lerner: For the average person, worry about the dark web just as much as you worry about the rest of cybercrime. It doesn't need to be a specific worry on its own. And use good, complex passwords. Don't recycle passwords. Don't click on email attachments when you don't know the sender. And even if you know the sender, be wary of things. Be wary of downloading apps from - you know, from not the app store or apps without a lot of - you know, a lot of installations, right? These are typical good cyber hygiene tips that work across the board. I think that's really the - you know, just use good passwords is really one of the most important things that everyone can do. So yeah, the typical person doesn't really need to worry specifically about the dark web. Corporations, organizations, on the other hand, absolutely need to. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: You know, Dave, I haven't used this catchphrase in a long time, but that was a great interview. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: I've actually tried to stop using that 'cause it sounds like I said that every single time. But anyway, no, that was a really great interview. I'm always absolutely fascinated by the economics of the dark markets that are out there - the nefarious, the criminal markets. 

Dave Bittner: Yeah. 

Joe Carrigan: And Dov makes a great point here. We don't know the size of these markets. People are going to make these exchanges over direct messages, and they're going to be using end-to-end encrypted chat. They're going to be using things like Telegram and Signal to conduct their business. And we're never going to see where that money goes. They don't - it's not like when there's a dark market, these guys get on there and go, OK, get me your bitcoin address, and I'll send you some bitcoin, and you send me the cocaine. That's - nobody does that. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: They have that conversation on Telegram or on Signal, right? 

Dave Bittner: Yeah. 

Joe Carrigan: I find it interesting that the prices are listed in dollars and less frequently in euros and pounds, but it's nice to know the dollar is still king, Dave. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: But it's interesting that they do it in fiat currencies because bitcoin and other cryptocurrencies are very volatile. And these guys - you know, in the end, these guys are just like every other criminal. They are interested in money. They're not interested in bitcoin. Bitcoin is just a means to an end. 

Dave Bittner: Right. 

Joe Carrigan: And the market is just like any other market. These prices are set by market forces. And I really, really, really was interested in what he said about credit cards. They're becoming more difficult to compromise, and then they're also becoming more difficult to use once they're compromised. And Dov makes a great observation here that credit cards are becoming more scarce, and their prices are still dropping. This means that demand must also be dropping, and demand must be dropping faster than supply is dropping. Because if demand drops at the same rate the supply drops, then the prices remain stable. But the prices are falling. I'm - now I'm getting into the economic weeds here, Dave. I may have mentioned this before. I was an economics major for a very brief period of time, but I really enjoyed the subject matter. 

Dave Bittner: OK. 

Joe Carrigan: So the question becomes, you know, is the supply dropping because the resource is becoming harder to obtain, or is supply dropping because demand is dropping? Dov says that it's both, and he's the researcher in this field, so I'm going to go with his conclusion and agree with that. It probably is both. It probably is both. If prices are not going up due to inflation, then prices are actually going down. That's another point I'd like to make. That's another holdover from my economics days. You know, 'cause your buying power for a dollar is decreasing every time inflation rises, and high-margin items can absorb profit a lot. And there is a lot of margin in these products. 

Joe Carrigan: That's a - you know, cocaine, any drug - the biggest cost of producing that drug is moving it. You know, drugs - like, cocaine in particular - there's a great show that's on National Geographic called "Drugs, Inc." that, you know, shows you the outline of all these different drugs, from - you know, in the first couple of seasons, they were - it was awesome because it had - it took, you know, a disinterested view of the economic situation and - or of the business process and the economic situation for everybody in the supply chain of these various drugs, and I thought it was absolutely fascinating. And, yeah, you're looking at a lot of human suffering, which is tough to look at, but if you can detach from that a little bit and watch - I don't know. I'm digressing again, as I always do... 

Dave Bittner: Well, thanks for sharing (laughter). 

Joe Carrigan: ...But I love that show. It's a good show. But the point is that humanity is a continuum, right? And the vast majority of people will never turn to crime. But there are some people who live on the edges who would rather not be criminal but will be if they need to be. So, you know, there's always going to be the criminal element - the people that just go, this is what I do, and I'm going to do this stuff until I get caught. And then there's the people that live in that little gray area between the rest of society. And they go, well, maybe I could be criminal. 

Dave Bittner: Yeah. 

Joe Carrigan: So yeah, this will increase crime, and they're going to use things like the hope and fear. Large upticks in cybercrime occur when there's a large crisis, and Dov cites the pandemic. That was a huge spike in cybercrime. Something else that's going to happen very soon, and it has to do with hope is - and we're - I think we're already starting to see these kind of attacks. The Biden administration now has done student loan forgiveness. So a large percentage of the population that has student loans can get $10,000 or $20,000 forgiven. 

Dave Bittner: Right. 

Joe Carrigan: You are absolutely going to see people reaching out to you trying to scam you out of money for this because that's - this is another opportunity. And these guys watch the news. They know what's going on. 

Dave Bittner: Yeah. 

Joe Carrigan: So if anybody calls you about that, don't listen to them. That's not how you get student loan forgiveness. Nobody's going to - the government will never call you to give you money. You always have to apply for it. Law enforcement is out there, but they're not looking at the small actors that are only - you know, these small actors that only steal hundreds of thousands of dollars. They're going after the people who steal millions of dollars. It's chump change, Dave. The listeners to this podcast probably do not need to specifically worry about the darknet and what's going on there in particular. Just understand that it exists, and this is where bad guys are buying and selling and interacting. It's not where they attack you from. Corporations should keep an eye on it because this is where they're going to be trading the information they steal from you. 

Dave Bittner: Right. 

Joe Carrigan: This is where they're going to be discussing that they're targeting you. But an individual person - probably not, probably not so much - you know, you don't need to spend a lot of sleepless nights worrying about the dark web. 

Dave Bittner: Yeah. 

Joe Carrigan: Just understand that that's where the information about you is going to come from, and it's more important for you to be aware of the actual attack vectors - you know, the things we talk about on this show. 

Dave Bittner: Yeah. 

Joe Carrigan: And then, finally, he talks about underground crypto exchanges. These - the - he was watching, like, 30-some of these things. And they're all gone now. Every single one of them is gone. Again, it's market forces. People hate losing money, and bad guys are no different. If they see that their cryptocurrency's being devalued, they're going to try to turn that into fiat currency as quickly as possible. I don't know how they do that with an underground exchange. You know, also, I don't know how much I would trust an underground exchange. An underground exchange is a great opportunity for an exit scam. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, sure, give me your money. I'll hold on to it and then just disappear because, as we say many times with cryptocurrency, if you don't own the keys, you don't own the crypto. Somebody else does. 

Dave Bittner: Yeah. All right. Well, our thanks to Dov Lerner from Cybersixgill for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.