Falling for a phishing kit scam.
Larry Cashdollar: WordPress has such a large footprint across the internet, they know that there's got to be a certain percentage of those that can either be compromised through weak credentials or plug-ins that haven't been updated. And so they know they have a field of possible targets that they can scan for and get their phishing sites served from.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Larry Cashdollar. He's a principal security intelligence response engineer at Akamai. We're talking about scams on PayPal.
Dave Bittner: All right, Joe, we're going to jump right into our stories this week. Why don't you start things off for us?
Joe Carrigan: Dave, this story was sent to me by a listener named Jason (ph), so I want to thank Jason because this story is very interesting. There is a software engineer in Tampa. His name is Connor Tumbleson, and he has a blog, and he has a recent blog posting on how he was impersonated. And this is a fascinating blog post. I'm going to tell everybody. We're not going to talk about everything here, like all the investigation that Connor did following up on this.
Dave Bittner: Right.
Joe Carrigan: But - because Connor did a lot of work on this. But we're going to talk about the scam that Connor found out about where somebody was impersonating him.
Dave Bittner: OK.
Joe Carrigan: Now, he found out about it from a random email that he almost threw away. Somebody named Andrew had sent him a message. And I'll read that message here.
Joe Carrigan: (Reading) Hi, Connor. A few days ago, this person named Maris found me on GitHub and reached out to ask me to be his senior software engineer, where my priorities would be communicating with clients. I thought this was a tiny bit strange since I'm a college junior and having a hard time trying to land a software engineering intern offer. But I took it. I knew that I was capable of it. Ah, this was what he was doing. He finds contracting positions, pretends to be a real developer with experience matching that position and wants me to interview as that real developer. So in this case, he found a contracting position. He researched the position and also found you and decided to impersonate you. I'm paraphrasing the email now.
Dave Bittner: So slow down a little because I'm losing the thread on who's who here.
Joe Carrigan: You're losing the thread on what's happening here.
Dave Bittner: Well, who - yeah, so back up a bit. When we say you and...
Joe Carrigan: Right. Yeah, there's a lot of pronouns in here. I'll just clear it up right now.
Dave Bittner: OK.
Joe Carrigan: This person named Maris...
Dave Bittner: Yes.
Joe Carrigan: ...Has found Andrew...
Dave Bittner: OK.
Joe Carrigan: ...And has approached Andrew and has asked Andrew to impersonate Connor in an upcoming job interview that Maris has secured.
Dave Bittner: Wow. OK.
Joe Carrigan: Right? Andrew's like, I'm going to let Connor know about this 'cause it looks like Connor is a real person.
Dave Bittner: Oh.
Joe Carrigan: So Maris sends Andrew this dossier on Connor that essentially has all of his information that's available via open-source intelligence.
Dave Bittner: Right.
Joe Carrigan: I actually reached out to Connor on LinkedIn this morning. I haven't heard back from him, but his resume is on LinkedIn.
Dave Bittner: Yeah.
Joe Carrigan: So this guy has built up this dossier on Connor and is asking Andrew to impersonate Connor in a Zoom meeting. Andrew is an ethical person and says, I'm not doing that.
Dave Bittner: That's a weird cold call. Like, hey.
Joe Carrigan: It is.
Dave Bittner: Hello, stranger. I want you to impersonate another stranger. What was the offer to Andrew? What's Andrew get out of this?
Joe Carrigan: I don't know what Andrew gets out. I think he gets - he might get some money out of it. Maybe.
Dave Bittner: Yeah.
Joe Carrigan: I don't know. But actually, there in the article - in the blog post, rather - there's actually chat logs between Andrew and Maris.
Dave Bittner: OK.
Joe Carrigan: And it's - I mean, check out this article. It's really interesting. So, Connor - he has the Zoom link, right?
Dave Bittner: OK.
Joe Carrigan: So he clicks on the Zoom link a little bit early, and the interviewer lets him in, and he introduces himself, tells the interviewer who he is and says, I'm not applying for this job. Somebody is impersonating me, and here's how I found out about it. Right? In the meantime, the guy that is now impersonating Connor connects to the call.
Dave Bittner: Oh, so Andrew's out of the picture.
Joe Carrigan: Andrew's out of the picture.
Dave Bittner: But Maris has found someone else who's...
Joe Carrigan: Maris has found somebody else.
Dave Bittner: ...Willing to try to impersonate Connor.
Joe Carrigan: Correct. And it may actually even have been Maris him or herself.
Dave Bittner: Yes. The plot thickens.
Joe Carrigan: Right.
Dave Bittner: OK.
Joe Carrigan: So the guy - the interviewer is like, OK, what do we do here? And Connor says, let me change my Zoom name and my - and turn my camera off and change my avatar. And the guy says, yeah, fine, fine. And once Connor is done with that, the guy lets the other - the impersonator into the interview...
Dave Bittner: Right.
Joe Carrigan: ...While Connor is there watching this go on. Right? And it goes on for about two minutes, and Connor is, you know, of course - I don't know how you would feel in this, Dave, but I would be enraged.
Dave Bittner: (Laughter).
Joe Carrigan: Right? And I'm sure that Connor is also enraged 'cause Connor turns his camera on and goes, hi, I'm Connor. Why are you doing this? And the immediate response is the guy drops from the call.
Dave Bittner: Yeah, of course.
Joe Carrigan: So during the course of the communication, there's a great email exchange between Connor and this person. Connor - this person has even gone so far as to create a clone account - email account of Connor's actual email. It's very close. And Connor sends this guy an email. It actually looks like he's sending it to himself. Why did you do this?
Dave Bittner: Yeah.
Joe Carrigan: And the guy responds, sorry for that. I used your profile because you have a great history on GitHub, and you look handsome.
Dave Bittner: (Laughter) Oh, well, carry on, then.
Joe Carrigan: Oh. OK, yeah, well, thank you very much.
Dave Bittner: (Laughter).
Joe Carrigan: Right?
Dave Bittner: Right, right. All is forgiven (laughter).
Joe Carrigan: Right?
Dave Bittner: Flattery will get you everywhere (laughter).
Joe Carrigan: Now that you told me I'm handsome...
Dave Bittner: (Laughter) OK.
Joe Carrigan: So there are some bullet points that Connor has in here about what's going on. He says a person or company sets up a fake Upwork profile, and he's - and then they impersonate a real person, which is what they did to Connor. Now, Upwork is a remote work kind of gig economy job site.
Dave Bittner: Right. Right.
Joe Carrigan: I know people that use it, and they've had great experiences on Upwork.
Dave Bittner: Yeah.
Joe Carrigan: I am sure that Upwork is very interested in getting fraudulent accounts off their space, right?
Dave Bittner: Sure. Sure.
Joe Carrigan: They then apply to jobs in hopes of getting an interview using that fake profile, and then they find somebody on GitHub who's willing to go along with this and be a conspirator in this. And that person then identifies themselves as the person being impersonated to land the job. And Connor has some questions here that are really good questions. Can you really refuse video for the entire contract of the job, right? Like, I'm never going to use video. How do you get paid if you need to submit tax documents? And do you pretend to be this person forever? Those are all good questions. Now, immediately, Dave, I think back to the scam that you and I have discussed a number of times where somebody comes in and they say, yeah, I'm a good software engineer. Here's what I am. And they start getting the paychecks.
Dave Bittner: Right.
Joe Carrigan: They just take the paychecks until they get fired, essentially...
Dave Bittner: Right. Right.
Joe Carrigan: ...Not having any capabilities.
Dave Bittner: Right.
Joe Carrigan: So I don't know if that's the scam here, or maybe the scam is I just impersonate this person forever, and maybe I actually do work and - you know, because I'm pretending to be someone...
Dave Bittner: I can't imagine that they'd actually do the work.
Joe Carrigan: Right.
Dave Bittner: I mean...
Joe Carrigan: It seems like...
Dave Bittner: That just doesn't...
Joe Carrigan: It doesn't.
Dave Bittner: It runs counter to...
Joe Carrigan: Right.
Dave Bittner: ...The scammer's creed, right?
Joe Carrigan: It does.
Dave Bittner: Legitimate, honest work. But...
Joe Carrigan: It does. But check out this article or this blog post that Connor made. It's brilliant. I mean, it's - Connor has done a lot of work and a lot of other follow-up on this. I just wanted to go over the scam here. A couple of things I want to note - if you're hiring somebody on Upwork, insist on video calling. Do not - if they don't want to run their video - 'cause this guy never turned his video on. If they don't want to turn their video on, we're done.
Dave Bittner: Right.
Joe Carrigan: That's the end of this.
Dave Bittner: Right.
Joe Carrigan: Thanks.
Dave Bittner: It's interesting.
Joe Carrigan: A couple of things about that - No. 1, it demonstrates that they have a high-speed internet connection, which you probably need for an Upwork job.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: OK.
Joe Carrigan: And I may be overstating that as an effective tool, I guess. But, you know, a high-speed internet connection is going to be required for these kind of jobs.
Dave Bittner: Yeah.
Joe Carrigan: What do you think?
Dave Bittner: Oh, I mean, yes. But I think, you know, there ain't no more dial-up, Joe.
Joe Carrigan: Right.
Dave Bittner: So anybody can go to their public library or their Starbucks or, you know, sit in their car outside of...
Joe Carrigan: Well, yeah, there ain't no more...
Dave Bittner: ...A company that has, you know, lax security on their guest network.
Joe Carrigan: There's no more dial-up in the U.S.
Dave Bittner: Yeah.
Joe Carrigan: But this guy didn't think - didn't seem like he was coming from the U.S.
Dave Bittner: Yeah. OK.
Joe Carrigan: So it's probably some foreign national. One of the things Connor says - he has an accent that he didn't recognize when the guy was on the call. So I don't know where he came from.
Dave Bittner: Right.
Joe Carrigan: But he was probably not coming from U.S. soil.
Dave Bittner: Yeah, it's interesting.
Joe Carrigan: It's a really interesting story.
Dave Bittner: Yeah. I mean, I just - if you're Connor...
Joe Carrigan: Right.
Dave Bittner: ...How do you protect yourself against this sort of thing? You have a public persona.
Joe Carrigan: Right.
Dave Bittner: Right?
Joe Carrigan: He has a public persona.
Dave Bittner: He blogs.
Joe Carrigan: He has a website and a blog.
Dave Bittner: Right.
Joe Carrigan: Right? And it's remarkably easy. I think the only thing you can do - I mean, it's - I don't know 'cause this information's all out there. This guy just used open-source intelligence gathering to find it.
Dave Bittner: Yeah.
Joe Carrigan: You know, it's - the LinkedIn profile is the same thing. LinkedIn is one of the most powerful OSINT tools out there.
Dave Bittner: Yeah.
Joe Carrigan: It tells you everything you need to know about somebody you want to impersonate or someone you want to scam.
Dave Bittner: Right. Yeah, that's interesting. And I guess part of it comes down on the people doing the interviewing as well to have something in place to verify that the person they're talking to is actually the person they're talking to.
Joe Carrigan: Right.
Dave Bittner: And, I mean, I think it's reasonable, if you're doing a job interview to say, hey; you know, I've got a couple of things here. As we get started, I'm going to need you to hold your ID up to the camera, or something like that.
Joe Carrigan: Right.
Dave Bittner: You know, just...
Joe Carrigan: Yeah, that's a good idea.
Dave Bittner: So I can, you know - it's something.
Joe Carrigan: Right.
Dave Bittner: (Laughter).
Joe Carrigan: It's something.
Dave Bittner: Sure, anybody can fake an ID, but would a scammer go to that trouble to have that ready? Maybe some would, but...
Joe Carrigan: Yeah.
Dave Bittner: I suspect many would not.
Joe Carrigan: That's a good point because I have my ID. I could easily do that for anybody if they asked...
Dave Bittner: Yeah.
Joe Carrigan: ...Right now. And so could anybody applying for a job.
Dave Bittner: Right.
Joe Carrigan: You know, so if you start getting some kind of excuse like, oh, I just lost my ID 'cause my wallet was stolen - interesting that happened...
Dave Bittner: Right.
Joe Carrigan: ...Right before an interview.
Dave Bittner: Right. And my camera's not working.
Joe Carrigan: Right.
Dave Bittner: And (laughter)...
Joe Carrigan: All right, we're done here. Thank you.
Dave Bittner: Right. And my internet's been spotty all day.
Joe Carrigan: Yeah.
Dave Bittner: Yeah. Yeah. I mean, you know, you got to trust your Spidey sense for some of this, too...
Joe Carrigan: Yep.
Dave Bittner: ...If you're the interviewer. But, yeah, that must be unnerving for Connor, to have...
Joe Carrigan: Oh, Connor talks about how creepy it is...
Dave Bittner: Yeah.
Joe Carrigan: ...Throughout this article, and he says he was very unsettled by it.
Dave Bittner: I'll bet.
Joe Carrigan: Yeah. So, I mean, I've reached out to Connor. I want to talk to him about it.
Dave Bittner: OK.
Joe Carrigan: It's an interesting story.
Dave Bittner: Yeah, maybe a future guest.
Joe Carrigan: Maybe.
Dave Bittner: (Laughter) All right. Well, that is an interesting story for sure. We will have a link to that in the show notes. My story this week, actually, a little bit of good news...
Joe Carrigan: OK.
Dave Bittner: ...Wrapped around some bad news. But this is from the folks over at ProPublica. And the title of the article is "Authorities Raid Alleged Cyber Scam Compounds in Cambodia." Now, you and I have spoken about this idea of pig butchering...
Joe Carrigan: Yes.
Dave Bittner: ...Right? - which is the term of art for when these scammers will, you know, fatten up the pig, who is the victim, before they steal their money.
Joe Carrigan: Right.
Dave Bittner: What's going on here is that after some of the stories about pig butchering, it seems as though the government of Cambodia has been cracking down on these, I think it's fair to call them, sweatshops...
Joe Carrigan: Right.
Dave Bittner: ...That are running these sorts of scams.
Joe Carrigan: They're human trafficking operations.
Dave Bittner: They are human trafficking operations. They bring in folks from other countries, folks who are, you know, looking for opportunity in a country that is not theirs. And they, of course, promise them the world. And then they end up in a terrible situation. They talk about some of these facilities having bars on the windows and, you know, barbed wire fences around them, and so on and so forth. And these folks are put in a position where they're forced to work under - you know, under threats of violence or bad things or, you know, who knows what.
Dave Bittner: And so the government of Cambodia was turning a blind eye to this for a long time. And I think the light that's been shed on it from organizations like ProPublica and other ones made it so that they couldn't just ignore it anymore. And so this article talks about how they've raided in at least three Cambodian cities, and they've freed thousands of workers from buildings, people who they say...
Joe Carrigan: Thousands of workers?
Dave Bittner: Thousands of workers who are detained against their will - and they say this comes from escalating diplomatic pressure, rising scrutiny from local and international press. So I think, you know, it's good that this is happening. They talk about - in one of the buildings, they confiscated nearly 9,000 phones, 800 computers, 16 laptops, four pairs of handcuffs and 10 electric shock devices.
Joe Carrigan: Yikes.
Dave Bittner: Right. Right. So that gives you a little window onto just how horrible...
Joe Carrigan: Yeah.
Dave Bittner: ...This sort of thing can be.
Joe Carrigan: Now, I heard a story involving a Cambodian camp like this...
Dave Bittner: Yeah.
Joe Carrigan: ...Where a - in this - I can't remember where I heard this, so I'm sorry I won't be able to provide any backup for this. But it was - the story was about a man from China who was on vacation in Cambodia at what he thought was a casino.
Dave Bittner: Yes. Yes.
Joe Carrigan: But when he arrived there, he was abducted and forced into this situation.
Dave Bittner: Right. I remember that story as well. They took his passport...
Joe Carrigan: Right.
Dave Bittner: ...By force or, you know - by threat of violence...
Joe Carrigan: Right, yeah.
Dave Bittner: ...I guess is a better way to say it. Yeah. Yeah. And that's exactly what we're talking about here.
Joe Carrigan: Yeah.
Dave Bittner: Now, I suppose - I mean, this article acknowledges that it's a little bit of whack-a-mole here...
Joe Carrigan: Yep, absolutely.
Dave Bittner: ...That in several of these places, they just pack up. They go to a more friendly location.
Joe Carrigan: Yeah, but now they have to - now they're out of people. They have to go get more people.
Dave Bittner: Right.
Joe Carrigan: That slows them down.
Dave Bittner: It does slow them down.
Joe Carrigan: And those - just because it's whack-a-mole doesn't mean you stop doing it because...
Dave Bittner: Right.
Joe Carrigan: ...The thousands of people that you've freed from this, that's excellent.
Dave Bittner: Yeah. Yeah. And so the government - well, the leadership in Cambodia are now saying that we don't want our country to be known for this.
Joe Carrigan: Right.
Dave Bittner: So, again, shining that light on them - the importance of international press - say that Cambodia's prime minister said, do not let Cambodia become a haven of crime, a place of money laundering, a place of human trafficking. So that's good. Send a little shame their way.
Joe Carrigan: Yeah.
Dave Bittner: And make them clean up their act...
Joe Carrigan: Yep.
Dave Bittner: ...And not be able to just ignore this sort of thing when it's going on in their country.
Joe Carrigan: Media scrutiny.
Dave Bittner: Yeah. Yeah. And so, I mean, these sorts of things happen all over the world. But I think it's good news that some folks are cracking down on this. And hopefully, if we can make it harder for them to do business, there'll be fewer of them doing business.
Joe Carrigan: I would hope so.
Dave Bittner: Yeah. All right. So we will have a link to that story in the show notes. Of course, we would love to hear from you. If you have something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, it's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, we have two today.
Dave Bittner: OK.
Joe Carrigan: And the first one comes from Eric, who sent in this email. Why don't you read this one?
Dave Bittner: All right. It says, (Reading) Hi, I greet you. I'm approaching you for a genuine friendship. I adore having rest on the open air, going to forests, parks, seas, etc. I like cooking. My main trait of character is my kindness. I need you. My heart needs you. Tell me more about yourself as you reply me here. Truly, Anita (ph).
Joe Carrigan: All right. This is pretty simple to see what's going on here.
Dave Bittner: I wonder if Anita's last name is Hug-and-kiss.
Joe Carrigan: (Laughter) And she has a sister named Amanda.
Dave Bittner: That's right. That's right. She's trafficking giant pandas.
Joe Carrigan: Right. Yeah, this is obviously the beginning of a romance scam.
Dave Bittner: Yeah.
Joe Carrigan: So it's great. It's really written in terrible English. My favorite thing is, I adore having rest on the open air. I don't even know what that means. It's obviously something that went through some kind of translating software.
Dave Bittner: Right, right. Yeah. I enjoy having rest on the open air. I mean, it's - there's some - yeah, you know, long walks by the seashore and quiet evenings, a glass of wine, candlelight, all of that stuff. Yeah.
Joe Carrigan: All right. So the next one comes from Uberfacts on Twitter.
Dave Bittner: OK.
Joe Carrigan: It's an Instagram DM from the allegedly deceased Queen Elizabeth II, Dave.
Dave Bittner: Oh, OK.
Joe Carrigan: So why don't you...
Dave Bittner: It goes like this.
Joe Carrigan: Yes.
Dave Bittner: (Reading) Hey, it's me, Queen Elizabeth. I am not dead. Charles sent me to a deserted island so he could be king. I don't have access to my royal money, so please Cash App me $300 so I can get back to the U.K. Tea and biscuits.
Joe Carrigan: Tea and biscuits. That's how the queen signs off all her direct messages on Instagram.
Dave Bittner: Well, and I'm impressed that she starts off her correspondence here by saying hey.
Joe Carrigan: Hey - right.
Dave Bittner: Hey.
Joe Carrigan: I don't think that's a word the queen ever said...
Dave Bittner: Right, probably not.
Joe Carrigan: ...Unless she was talking about how she was feeding her horses.
Dave Bittner: Yes, exactly. Exactly. Yes. So the queen is not dead.
Joe Carrigan: Right.
Dave Bittner: And she desperately needs 300 bucks...
Joe Carrigan: Right, $300.
Dave Bittner: ...So she can get back to the U.K. and take her rightful place...
Joe Carrigan: Right.
Dave Bittner: ...Back on the throne.
Joe Carrigan: I saw another one of these that I couldn't find, but it was - the queen was claiming she was isolated with Diana. The next message goes, hey, love, it's me, Diana.
Dave Bittner: Yeah.
Joe Carrigan: I am pretty sure that's a sentence that Diana never said in her life.
Dave Bittner: No - hiding out in one of their many castles.
Joe Carrigan: Right, with Elvis.
Dave Bittner: That's right - and Bigfoot.
Joe Carrigan: Right - and Bigfoot.
Dave Bittner: All right, well, thanks to our listeners for sending this in. Of course, as I mentioned earlier, we would love to hear from you. If you have something you'd like us to use on the show, you can email us. It's hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with Larry Cashdollar. He is a principal security intelligence response engineer at Akamai, and we were talking about a PayPal scamming kit. Here's my conversation with Larry Cashdollar.
Larry Cashdollar: You know, usually every morning I check - I have some custom honeypots that I run on a segregated network at my home that's part of Akamai's - or I should say the Akamai SIRT research lab. And I noticed a zip file, which is always - that's like Christmas, seeing a zip file on your honeypot in the file logs. So you're like, oh, cool, it's - you know, there's some actual possible source code here. And I noticed it said it was a PayPal phishing kit, so I'm like, OK, you know, PayPal phishing kit. So I open it up, and I'm usually - you know, most phishing kits, they try and just collect the data. The code tries to mimic the target or victim website as closely as possible in ways - not the code itself, but the look and feel of the website. It tries to mimic the flow and look and feel of the website they're trying to impersonate.
Larry Cashdollar: But this phishing kit had a lot more code involved, which - you know, usually phishing kits are not so big. You know, they're just a couple of PHP files with some - either images or, you know, possible links to other images that they've kept on the internet somewhere in the cloud that they pull down. And this one had all of these PHP files that were attempting to hide the phishing kit from prying eyes. So I hadn't seen this level of sophistication before where the phishing kit was actually checking to see who was being phished or who was connecting to the site. And I thought this was something pretty neat, that this thing was actually trying to prevent itself from being discovered. So that was one of the things that made me interested in examining this kit even further.
Dave Bittner: Yeah. Well, let's walk through it together. I mean, what exactly are they after here, and how do they go about doing it?
Larry Cashdollar: So normal phishing kits - they generally try and steal your username and your password. This phishing kit not only tries to steal your username or your email address and your password, but it pretty much tries to steal your entire identity. It tries to get you to upload pictures of yourself. It tries - or upload pictures of yourself holding your identification cards and your identification cards. It tries to get your PIN number for your ATM. It tries to get your mother's maiden name. It tries to get a lot more information than you would typically expect a phishing kit to grab. So it's more of like - a phishing kit to steal identities is more closely what it was through, or under the guise of trying to authenticate to PayPal. So, you know, it was a pretty invasive kit to try and steal all this information.
Larry Cashdollar: And I - my assumption is that, you know, the authors figured, if you've fooled the victim this far, why not go the full measure and try and steal all their information? You know, this is one of the things that really intrigued me about this - you know, this kit, in particular, was its audacity to try and steal your identification cards and a selfie of you holding the identification card.
Dave Bittner: Which some online verification services use as a way of authentication, right?
Larry Cashdollar: Right. So some - like, cryptocurrency sites ask that you upload your government-issued ID, like your license, but, also, they ask you to upload a selfie of you holding your license to prove that you are the person in possession of your own identity card. So if there's a selfie of me holding my driver's license, you know, that's proof that, you know, I'm not just uploading somebody's driver's license. I'm in possession of this driver's license. My face matches the person's face on the license. So if these actors - these threat actors have this information, they can pretty much make themselves look like - they can impersonate you on these sites that require this type of authentication to create a login.
Dave Bittner: Now, they're taking advantage of WordPress sites here as well. What exactly is going on there?
Larry Cashdollar: I think with WordPress sites, they've already got a working functional site that they've infected. So they know the site is likely running PHP. It's able to parse PHP, most WordPress sites, I would believe, to allow email being sent from that site. So, if I - you know, if I compromise a WordPress site, typically that WordPress site - when a user creates an account, or the administrator does something, that site - it sends an email out to the administrator person's email address saying, hey, you have a new user who's created an account here. This is their information. For most WordPress sites, I imagine that's true. In regard to my honeypot, that's not true. My honeypot is not set up to send email.
Larry Cashdollar: And I think this is one of the features that these attackers are looking for, is a site that allows outbound email, a site that allows PHP parsing and a site that's, you know, already open and on the internet that's - you know, has an active Apache or NGINX working HTTP server to serve the phishing kit from. So I think that's why WordPress was targeted. And I believe that because WordPress has such a large footprint for, you know, the content management system of choice across the internet. They know that there's got to be a certain percentage of those that can either be compromised through weak credentials or plug-ins that haven't been updated. And so they know they have a field of possible targets that they can scan for and get their phishing sites served from.
Dave Bittner: So if I'm a WordPress site owner - you know, I've just spun up a WordPress site for my stamp collecting hobby or something like that.
Larry Cashdollar: Sure.
Dave Bittner: These folks got their hooks in it, I probably wouldn't even notice that anything was amiss?
Larry Cashdollar: I don't think you would probably notice unless you were someone who actively checked their logs and checked the site traffic and then noticed that there was a sudden increase to the - your site that - you know, there was a spike in your traffic that wasn't there, you know, days ago, then you wouldn't really notice.
Dave Bittner: And so in terms of the phishing itself, do you have any insights there as to how they're luring people to this compromised site?
Larry Cashdollar: That I'm not sure about. I'm working with some of the targeted sites' owners to try and see how the sites are - or how these folks are lured to it, and also to see what sort of monetary damage these phishing sites have caused, how successful they are. So that's something that I'm working with other folks in tracking, to see, you know, how successful these phishing campaigns are.
Dave Bittner: And do you have a sense for where the gathered data is being sent?
Larry Cashdollar: It's - according to this site, it's being sent to a - it's either a ProtonMail account or a Gmail account, where this phishing kit sends the information in a ZIP file of the logs. And then some of the logs are actually just sent clear - this email address where, you know, this actor then collects them. And either I'm - my assumption is that they're selling them on the dark web or possibly using them themselves to, you know, either gain access or create accounts as their victims on some of these crypto sites or sites that require that type of authentication where they can impersonate the person they've stolen the credentials from.
Dave Bittner: Well, let's go at, you know, mitigation and protection from two different angles here. I mean, there's the person running the WordPress site, but then there's also the person who's down, you know, in the phishing scam itself who thinks that they're logging into PayPal. Can we start with the WordPress owner? How should they go about protecting themselves?
Larry Cashdollar: They should make sure that they keep a secure, strong password for their administrative credentials. And if they have the ability to, they should try and set up two-factor authentication for their administrative logins to their WordPress site. They should also keep track of what plug-ins they have and make sure that, you know, those plug-ins - if they have any vulnerabilities, that they've updated those plug-ins to the latest patched version. And I'd also keep an eye on your logs. Just watch your log file. Be familiar with what your normal traffic looks like and what any anomalies might be. That's also a good tip to just keep track of what normal access is to your site. And then if you see anything that's odd, then you can say, well, this isn't normal traffic. There's got to be something going on here. Yeah.
Dave Bittner: Yeah. And so what about the folks who think that they're trying to verify their PayPal account? I mean, it seems to me like there's a number of red flags here.
Larry Cashdollar: Yeah. I mean, if the URL you're going to is not PayPal, you know, if the website you're going to is Jim's stamp collecting website on, you know, dot org, then, you know, it's likely that you're being phished, and you should just, you know, get off that page and not submit anything to it. If the site's asking you for a lot of odd information - like, why would you ever need to submit your PIN code for your ATM to anybody, ever? You know, that should never happen. You should never need to submit your ATM PIN code to anything online. That PIN code is only for when you're pulling money out of your checking account. It's never to authenticate who you are to any website. So that's another red flag there.
Dave Bittner: Joe, what do you think?
Joe Carrigan: I'm a little bit scared now.
Dave Bittner: OK.
Joe Carrigan: I think this is a remarkable finding that, first of all, Larry used a honeypot to capture a PayPal phishing kit...
Dave Bittner: Right.
Joe Carrigan: ...Finds a kit that has had a lot of effort put into it.
Dave Bittner: Yeah.
Joe Carrigan: But the reason the effort has been put into it is because it's going for big things - interesting that this kit tries to prevent detection.
Dave Bittner: Right.
Joe Carrigan: It looks at who's looking at it. I'd like to know what it does when it notices that - when the conditions are satisfied, that it doesn't want to expose itself, does it just redirect to PayPal?
Dave Bittner: Yeah. I was talking to a researcher about an unrelated bit of malware earlier this week, and she was telling me that they were looking into a bit of malware that, when it determines that it's in a sandbox, it self-destructs.
Joe Carrigan: Right. Yeah. That's - a lot of things do that, and they look for ways they can tell...
Dave Bittner: Yeah.
Joe Carrigan: ...If something is in a sandbox. I don't know what that particular one did, but yeah, they'll try to self-destruct to avoid scrutiny.
Dave Bittner: Right.
Joe Carrigan: I don't know how effective that would be because if - I can do some static analysis on it and just reload it again...
Dave Bittner: Yeah.
Joe Carrigan: ...And try again. I think this is an interesting evolution in the development of phishing kits. I mean, you remember way back when, when viruses did this? You know, they would change something inside of themselves. They were called polymorphic viruses.
Dave Bittner: Yeah.
Joe Carrigan: So the hash would be different because if you were using a hash-based system, you'd have another hash, and it wouldn't show up. And the virus...
Dave Bittner: Right.
Joe Carrigan: ...Could live.
Dave Bittner: Right, right, right, right.
Joe Carrigan: This is - I mean, this is an interesting evolution in a phishing kit. So, in other words, it's receiving a web request and going, I don't want to deal with this. Send this person somewhere else. And then you can't analyze it. It's really bad. It's not just a phishing kit. It's essentially a turnkey identity theft solution. And these pictures that they're trying to get are part of the know your customer requirements for - and I think Larry mentions that. He's talking about crypto exchanges. So my immediate suspicion when I hear this kind of product is that they are trying to establish accounts for the purpose of money laundering because these guys are probably already - this is not their only line of business, if you will.
Dave Bittner: Right.
Joe Carrigan: And this might be a solution for them. I'm speculating wildly here, as I'm wont to do. And the thing about my speculations is they're usually pretty good.
Dave Bittner: Yeah, it's informed speculation (laughter).
Joe Carrigan: Yeah, it's informed speculation. Right. But these guys are probably setting up accounts in these people's names. I don't know - you know, Larry talks about them getting PIN numbers. I don't know how that is useful to them without the access to the actual card.
Dave Bittner: Yeah.
Joe Carrigan: But they do have the PIN number.
Dave Bittner: Right.
Joe Carrigan: Maybe they're assuming that the people reuse the PIN numbers on things.
Dave Bittner: Yeah, could be. Who knows?
Joe Carrigan: It's interesting that they're exploiting WordPress sites.
Dave Bittner: Yeah.
Joe Carrigan: You know, we talk about this at Hopkins from time to time. I was talking about this with Chris Venghaus, our systems engineer. And he was saying that what happens in the shadow IT world is people will set up WordPress sites and just have, you know, their WordPress site running.
Dave Bittner: Yeah.
Joe Carrigan: And Larry talks about this and mitigations. You really can't do that with a WordPress site. You can't - WordPress is not set and forget, particularly if using plug-ins 'cause these plug-ins have vulnerabilities in them frequently.
Dave Bittner: Right.
Joe Carrigan: And WordPress - you know, the people that maintain the product do a pretty good job of updating things. I don't want to malign WordPress here. I think they do a good job of keeping things up to date, but, as the user and operator of the system, it's your responsibility to check for updates and check for vulnerabilities.
Dave Bittner: Right.
Joe Carrigan: And WordPress does a good job of letting you know when that's the case. But if you don't do that, you know, you're just going to have a site that's eventually going to get compromised.
Dave Bittner: Yeah. Just, you know, interesting little aside here - my wife happens to be a WordPress developer. It's one of the things she does. She has expertise in that domain, and she makes use of a third-party WordPress provider.
Joe Carrigan: Right.
Dave Bittner: So she's running her WordPress sites on basically someone else's platform, and they take an extra level of attention at your security, at, you know, making sure that your plug-ins are up to date, making sure that you have backups that are active and maintained...
Joe Carrigan: Right.
Dave Bittner: ...And all that kind of stuff. So...
Joe Carrigan: Yeah.
Dave Bittner: ...You know, one of the great things about WordPress is that you can spin up a WordPress site very inexpensively. But the point I'm making here is that for, you know, a few bucks more, you can run your WordPress site on someone else's platform...
Joe Carrigan: Right.
Dave Bittner: ...Still have the convenience of WordPress, but take it to the next level when it comes to security. And in my mind, that's money well spent.
Joe Carrigan: I agree with you 100%. I think your wife is doing the exact right thing.
Dave Bittner: Yeah.
Joe Carrigan: And this company - I don't know who it is and, you know...
Dave Bittner: I don't remember the name of it offhand, or I'd mention them, but...
Joe Carrigan: Right. You know, look for somebody like that...
Dave Bittner: Yeah. Yeah.
Joe Carrigan: ...If you're going to host a WordPress site.
Dave Bittner: Right.
Joe Carrigan: Other mitigations are use a strong password and multi-factor authentication if it's available on these sites. And watch the traffic. One of the things that Larry was talking about was that you may not even know that you have a phishing kit on your WordPress site unless you go through and look at it.
Dave Bittner: Right.
Joe Carrigan: You're going to have to inspect it. For the user, the person receiving the phishing mail, the phishing email, the only thing that's going to protect you is just your own security awareness - awareness, awareness, awareness. So keep listening to this show. Don't stop listening.
Dave Bittner: Right (laughter).
Joe Carrigan: Tell your friends to listen to the show, as I often say. But seriously, I mean, know that you're on - if PayPal sends you an email that says, hey, we have a problem with your account, don't click on the link. Just go to paypal.com.
Dave Bittner: Yeah.
Joe Carrigan: It's six letters for the domain, plus a .com, so - what's that? - a total of - I can do math - 10 characters, 10 keystrokes.
Dave Bittner: Yeah. You know, other thing I'll add here on the WordPress part of it is that, you know, there's that old saying, you know, set it and forget it. Or if it ain't broke, don't fix it.
Joe Carrigan: Yeah.
Dave Bittner: That doesn't really apply with software...
Joe Carrigan: It doesn't.
Dave Bittner: ...Because...
Joe Carrigan: Because software can be broken. You need to fix it, and you don't even know it's broken.
Dave Bittner: Well, and also, flaws are discovered over time.
Joe Carrigan: Correct.
Dave Bittner: So something that used to be considered secure - five years later, someone discovers some sort of vulnerability, and now it's - you have an issue...
Joe Carrigan: Yeah.
Dave Bittner: ...That you didn't think you had. So it wasn't broke before, but now it is.
Joe Carrigan: Right.
Dave Bittner: And you may not be aware of it, so that's why you got to keep things up to date. And I get it. Patching is hard to keep up on, but you can't just leave something running out there and think that, you know, it's automatically going to be OK. It just doesn't work that way with software. That's my take anyway. What do you think, Joe?
Joe Carrigan: Yeah, there was a - I'm with you on that, Dave. There is an interesting statistic about an XP Windows box. If you put an XP Windows box out on the internet, it gets compromised within the first, like, two minutes of being exposed.
Dave Bittner: Yes, I've seen that. Yes.
Joe Carrigan: It's - I mean...
Dave Bittner: Before you had an opportunity to download the updates...
Joe Carrigan: Right. Yeah. It's already cold (ph).
Dave Bittner: ...Somebody's hammering on it. Yeah.
Joe Carrigan: Somebody's got it.
Dave Bittner: Right. Right.
Joe Carrigan: It's - and that's the kind of thing. I mean, XP is an extreme example because it's so old.
Dave Bittner: Yeah.
Joe Carrigan: Nobody should be using it anymore. But the thing is, it's still out there running devices.
Dave Bittner: Oh, yeah. Oh, yeah.
Joe Carrigan: And the solution from the vendors who have the XP device, the XP-powered device, is, oh, just put it on a secure network. There is no such thing as a secure network. It just does not exist.
Dave Bittner: Yeah. All right. Well, our thanks to Larry Cashdollar for joining us. He is always a great guest here and over on the CyberWire as well. We do appreciate him taking the time for us.
Dave Bittner: That is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.