Hacking Humans 12.1.22
Ep 222 | 12.1.22

A vishing competition and a Black Badge holder.

Transcript

Chris Kirsch: This is a hacking technique that's often combined with other techniques of hacking into computers and so on. But that human angle can really help get a first foothold into an organization.

Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Carole Theriault returns, and she's interviewing Chris Kirsch, co-founder and CEO of runZero. They're talking about OSINT sources and vishing pretexts from DEFCON's social engineering competition. 

Dave Bittner: All right, Joe, before we jump into our stories here, we have a couple of bits of follow-up. 

Joe Carrigan: That's correct, Dave. We have some people who wrote in about disposable email addresses. First, Jim writes in to tell us that if you have Yahoo Plus, you can have disposable emails - as many as you want. 

Dave Bittner: OK. 

Joe Carrigan: And they require you to set up a different base email address, and then you can append different strings after that of your choosing, just like with Gmail. But you have a different base email address for the disposable ones. 

Dave Bittner: Oh, OK. That seems smart. 

Joe Carrigan: He says - yeah. He says he thinks he has, like, around a hundred and fifty of them right now that he's using, and they all use a different base address. So he's actually got different base addresses. I guess you can set those up as well so they don't expose his true Yahoo login account, which - his account login rev (ph), which is really a good idea. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: And you can delete them when you're done using them. And if they get compromised, you can delete them then, too. You can delete them any time, really. 

Dave Bittner: Right. 

Joe Carrigan: That's an added benefit. 

Dave Bittner: Yeah. 

Joe Carrigan: Richard also wrote in to tell us about SimpleLogin and notes that it was recently acquired by ProtonMail. 

Dave Bittner: OK. 

Joe Carrigan: And it provides users with email aliasing with varying degrees of anonymity. You can use a generic SimpleLogin email address, or you can have your own domain or subdomain that has an email address on it as well. They'll forward emails to you directly. But you can also automatically create email addresses based on wildcards and regexes - regex - regular express. I can't even say it - regular expressions. 

Dave Bittner: (Laughter). 

Joe Carrigan: If you are a - if you're a software engineer or you're a Linux programmer or have done anything in Unix and you know what a regular expression is, it's a hard thing to say and they're kind of hard to write unless you know what they are. But once you get the hang of them, they're really, really useful. 

Dave Bittner: Oh. 

Joe Carrigan: So he has one where he can make up new emails on the fly. He said there's also a management dashboard that allows you to block incoming emails from any group of your aliases - any - or groups of your aliases. 

Dave Bittner: Yeah. 

Joe Carrigan: On our spam call centers, Jason wrote in to say he heard us talking about your father. I think it was two weeks ago, or was it last week? 

Dave Bittner: A couple weeks ago, yeah, yeah. 

Joe Carrigan: It's been a while - and the Best Buy scam that he got. He enclosed two links that we'll put in the show notes. But they are to YouTube channels. One of them is for Jim Browning, who is a guy that gets into these guys' networks, and another one is for a group of people who have set up a center where they actually hack into these scam call centers. And Jim Browning is involved with that, as well. So they both have really good introductory videos on the front of the YouTube pages. So we'll put links in the show notes. Check those out. They're really good. Thank you, Jason, for sending them in. I've always been a big fan of Jim Browning. 

Dave Bittner: Yeah. 

Joe Carrigan: That's not his real name, by the way. He actually goes through a lot of steps to make sure that the scammers don't find out who he is because he's really making a lot of people angry. 

Dave Bittner: Yeah. 

Joe Carrigan: Also, you know, I'm wondering if these guys have talked to attorneys. And if they haven't, I would recommend that they do. I don't know - this is not something I would do. But if they're comfortable doing it, I'm glad they're doing it 'cause they're really disrupting a lot of things and a lot of crimes. They're getting in the middle of these guys' attacks, which is great. 

Dave Bittner: Yeah. 

Joe Carrigan: It's good stuff. Check those things out. 

Dave Bittner: Yeah. All right, well, thanks to everybody for sending us all of that information. We do appreciate it. Joe, we got some good stories to share this week. Why don't you start things off for us? 

Joe Carrigan: Dave, my story comes from darkreading.com. It's written by Ericka Chickowski. And the headline is "For Gaming Companies, Cybersecurity Has Become A Major Value Proposition." The article starts off by saying there are a lot more gamers than ever before, and, you know, I think that if you have a population that's always growing, there's always going to be a lot more gamers than ever before. But I think the point is... 

Dave Bittner: Well, I also think COVID drove a lot of people to... 

Joe Carrigan: Yeah, exactly. That's one of the things... 

Dave Bittner: ...Or attracted a lot of people to gaming. I know a lot of people who were - couldn't wait to get their hands on a Switch to play Animal Crossing during the lockdowns. 

Joe Carrigan: Both my kids play that game. I've never - I've watched them play it, and I'm like, I'm not into this. I don't want to do this. This seems too much like work. 

Dave Bittner: (Laughter) OK. 

(LAUGHTER) 

Dave Bittner: Fair enough. 

Joe Carrigan: My son-in-law has a game that he and his brother play that is - you have to build a railway system, and you have to actually go out and cut down logs to make railroad ties. Like, there's no way I'm ever playing that (laughter). That doesn't seem like fun, but they love it. 

Dave Bittner: Right. 

Joe Carrigan: And they play it together and build railroads. It's fun. 

Dave Bittner: OK. 

Joe Carrigan: Anyway, you're right. As I get back from my digression, it's - they've been - they make a point of saying that in the article, that COVID has drawn a lot of people into gaming. And there is an issue here that these gaming companies compete with streaming services and other forms of entertainment. And if a gamer gets hacked or gets cheated, they may leave for other options, like getting another game or, if they get angry enough, I imagine, just going and watching videos on Netflix for a little while, right? 

Dave Bittner: (Laughter) Going to the movies, taking a long walk in the park. 

Joe Carrigan: Exactly. Not gaming is the point, right? So... 

Dave Bittner: Right. Right, right. 

Joe Carrigan: ...The point is that it's very important for these gaming companies to make sure that cheating and hacking are less of an experience problem for the player. I'm going to call them... 

Dave Bittner: Right. 

Joe Carrigan: ...Players. They're not really users. They're not really customers. I'm going to say players. 

Dave Bittner: OK. 

Joe Carrigan: There's a guy who's the chief customer experience innovation officer at a company called Arise Gaming, which is a consulting firm that helps gaming companies improve customer satisfaction and gamer engagement for their platforms. His name is Jonathan Shroyer. And he says that if gaming companies are lax in security, their games will not succeed, and the players of these games depend on the trust, credibility and predictability when leveraging a brand's game. I think that means just playing the game. 

Dave Bittner: Yeah. 

Joe Carrigan: If they find out there was a hacker or fraud or other security issues, then the gaming company will see a dramatic drop in gameplay and, hence, revenue as well. 

Dave Bittner: Yeah. 

Joe Carrigan: Because people will not spend money on games that can be hacked and where they can spend huge amounts of time acquiring things only to lose them to some scammer or hacker. Akamai says that attacks on player accounts and gaming company websites have increased by 167% in the last year. 

Dave Bittner: Wow. 

Joe Carrigan: And then Kaspersky released a survey of over 10,000 gamers or of 10,000 gamers in the world - over the - all over the world. 

Dave Bittner: Yeah. 

Joe Carrigan: And 70% of regular gamers think hacking is a big problem in the gaming world. Seventy percent - that's more than two-thirds. Sixty-three percent said their accounts aren't safe enough from attacks. I have advice for those 63% (laughter). Get - put multifactor authentication on all your accounts. Just do it. Do it right now. 

Dave Bittner: Do most gaming platforms allow you to do that? 

Joe Carrigan: They do, yeah. They... 

Dave Bittner: OK. 

Joe Carrigan: Steam - I know that Steam and Epic do. And those are what I think of as gaming platforms and PC platforms. You know, it's an excellent question. What about, like, Xbox and PlayStation and Nintendo? Do those companies - I don't play on consoles very much. I mean... 

Dave Bittner: Yeah. 

Joe Carrigan: ...My console is - the console I have downstairs is a PS2. I mean, that's the newest thing I have in my house for console gaming. 

Dave Bittner: (Laughter) OK. Right. 

Joe Carrigan: And it's the one my son left when he moved out, right? 

Dave Bittner: Right. 

Joe Carrigan: So I'm not playing it. 

Dave Bittner: Still got your old Atari 2600 down there playing Pong and Combat (laughter). 

Joe Carrigan: I - actually, I do still have my Atari 2600 in the house, Dave. 

Dave Bittner: Of course, you do. 

(LAUGHTER) 

Dave Bittner: Yeah. I'll have to ask my son, although I'm sure some of our listeners will write in also and let us know what the deal is on the consoles 'cause I'm not sure to what degree they allow multifactor, either. You'd think at this point they would, but... 

Joe Carrigan: Right. 

Dave Bittner: ...I don't know. 

Joe Carrigan: Yeah, something. They have to offer something, like a phone... 

Dave Bittner: Yeah. 

Joe Carrigan: Either like a code from a security app on your phone, or Microsoft might use their Microsoft Authenticator app to log in. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know for Xbox. I don't know. I've literally never had an Xbox in my house. I have no idea. 

Dave Bittner: (Laughter) I have had many. I'll have to ask my son. He knows. 

Joe Carrigan: He does. Thirty percent of people reported that their accounts had been hacked within the last two years. 

Dave Bittner: Wow. 

Joe Carrigan: And that's a lot, isn't it? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: That's a third of people that responded to this survey. And 89 - almost 90% of gamers said they want game developers to pay more attention to cybersecurity issues. Now, here's a nice crossover with "Hacking Humans," Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: They had our recent guest, Brett Johnson, chief criminal officer at Arkose Labs, and he said, what you have to realize is criminals attack games for one of three reasons - status, ideology or cash. Most attacks, 98% or more, are cash driven. So criminals are looking for the easiest access that gets them the largest return on investment. So you should not be deluding yourself that they're not after you if you have anything that can be sold of value because these guys, they're using credential stuffing attacks and social engineering scams to break into accounts, access in-game currency and unique items, and then they use third-party marketplaces to sell these in-game assets off-platform for real currency. 

Dave Bittner: Right. 

Joe Carrigan: So what this does is it creates - the off-platform marketplace creates a great fence operation - right? - for you to sell your stolen goods. But it also presents an opportunity for laundering money, right? 

Dave Bittner: Mmm hmm. 

Joe Carrigan: Like, what if I built something that was totally useless, right? And then I created two accounts on this off-platform thing and wired a bunch of bitcoin to myself or send a bunch of bitcoin to myself. Now I have all this bitcoin that I just essentially laundered. And if I'm using - doing this properly with keys that are secret and nobody really knows and can't really tie to me, then I may be able to get away with that. I'm not exactly sure if that works with money laundering, but - if that would be a good way. But that's how I think it would go on first. I'd have to think about this more, and I really haven't spent a lot of time 'cause I... 

Dave Bittner: Yeah. Well... 

Joe Carrigan: ...Have other things to think about. 

Dave Bittner: ...It's an interesting idea of sending some money through one of the online gaming platforms... 

Joe Carrigan: Yep. 

Dave Bittner: ...As a stop along the way. 

Joe Carrigan: Sure. 

Dave Bittner: That would certainly make it harder to track. 

Joe Carrigan: It would. 

Dave Bittner: And I wonder how much scrutiny those platforms are under for that sort of thing from law enforcement. Certainly, it's probably on their radar. But... 

Joe Carrigan: Yeah. I liken it... 

Dave Bittner: What's the priority there? 

Joe Carrigan: Yeah. I liken it to an art auction, where - that's also another way that money is laundered because there's the ability to sell internationally to anonymous bidders, which really could just be you on the other end of the phone. I'm selling this portrait I drew or this portrait that I bought. And now I'm going to buy it back from myself for some larger - much larger amount of money. And I'm going to put all my ill-gotten gains into the purchase and then - thus launder the money. 

Dave Bittner: Yeah, interesting. 

Joe Carrigan: And that does work. I did a little research on that recently just out of my own curiosity, of course, David. It's really the only reason. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: But there's one - I'm going to wrap this up here. I know I'm droning on. But the work of security executives is essentially winnowing out the malicious. And there is a statement in this article that says, this is going to take user education, outreach, foresight in design. Foresight in the design - you're going to have to think about security while you're designing the product. Actually, I say think about security earlier than that. Think about it in the requirements phase. What are the security requirements of this system? By the time you've gotten to design, now you're having to change requirements. And of course, a lot of engineering work, which is true. 

Dave Bittner: Yeah. 

Joe Carrigan: There's a lot of things that have to be done. And that's kind of what I'm talking about with thinking about how you're going to put security in at the outset of the system development. You know, a lot of these games are greenfield projects, you know? They're new projects where you're going to start with a whole new code base. Start with security in that process. 

Dave Bittner: Yeah. This is - you know, this is really interesting. I think about - you know, I can't say that I am an active gamer. There are a few games that I enjoy and that I, you know, dabble with and, if I need to kill some time or something, that I'll go to. But I think about how if my gaming experience wasn't very good or I found that I was losing the things that I had saved up in the game or earned or anything like that - or I was having trouble connecting - I mean, to me, that's kind of like if you went to a movie theater and they had lousy sound or projection, you know? 

Joe Carrigan: Yeah. Yeah. 

Dave Bittner: Like, the movie stopped in the middle. And, you know, the lights came on in the middle of the show. Or the sound kept, you know, fading out or things like that. Well, I'd find another movie house, you know? 

Joe Carrigan: Yeah. Yeah. I have - there was a movie I went to one time - it was actually "The A-Team" movie with Liam Neeson, where I went to that movie with my son because, you know, it's a fun movie to go see. 

Dave Bittner: Right. 

Joe Carrigan: And the sound - you couldn't understand any of the dialogue going on in that theater. I've never been back to the theater. 

Dave Bittner: Interesting. 

Joe Carrigan: Yeah. 

Dave Bittner: Interesting. Yeah. 

Joe Carrigan: You're right. And if a game becomes unpleasant for me, I stop playing it. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: That's it. 

Dave Bittner: Absolutely. All right. Well, that is an interesting story. We will have a link to that in the show notes. So I'm going to talk about, once again, my dad. 

Joe Carrigan: OK. 

Dave Bittner: (Laughter) And I hope our listeners aren't tired of hearing about my dad. But, you know... 

Joe Carrigan: (Laughter) I'm sure they're not. 

Dave Bittner: This is real-life stuff. This is all stuff that has actually happened to my dear father. And I have two incidents to share since the last time we talked about my dad. So I was chatting with my father a couple of weeks ago. We were just talking on the phone, catching up. And, I think, probably some of our listeners know that my mom passed away earlier this year. So you know, we've just been spending extra time with my dad and just making sure that he's got everything he needs. And, you know, because as tough a time as it is for all of us, it's been particularly hard on him. So I check in on him regularly. And I was doing so. And at the end of the phone call, he said to me, oh, Dave, one more thing. He said, I have a little family issue that I'm hoping you can help me with. I said, of course, you know, anything. What do you need? He says, well, I got an email from your cousin Sandy. OK. He says, and she's asking me to buy something from Amazon. And I don't know how to do that. So can you help me and help me buy the thing she needs from Amazon? And I was like, ho, ho, ho, whoa, whoa, whoa (laughter). I said, OK, slow down, Dad (laughter). 

Joe Carrigan: Slow down. Right. 

Dave Bittner: What's going on here? What is she - I said, you know, let me guess. Let me guess. She's asking you to buy Amazon gift cards. How did you know? 

(LAUGHTER) 

Dave Bittner: Oh, Dad. Oh, Dad. 

Joe Carrigan: Listeners know how we know. 

Dave Bittner: Yeah. Yeah. So my dad forwarded me the whole email exchange here, which I'm going to share with you parts of. So there are some interesting things in here. And this is a - just a classic Amazon gift card scam that is being executed through an email account takeover, right. So I'm guessing that my cousin Sandy probably had lax password hygiene, right? Probably - there was probably a breach. And her password got compromised and her email address. The bad guys got into her email account and probably hit up, you know, most of her - people in her contact list. 

Joe Carrigan: Right. 

Dave Bittner: So the first message says, sorry to bother. You purchase from Amazon, question mark? Now, what's interesting here is that in the word Amazon, there's a space between the O and the N at the end of the word. 

Joe Carrigan: Yeah. And the N and the question mark. 

Dave Bittner: Right. And I wonder if that is to help evade filtering. In other words, if an email has the word Amazon in it, does that trigger... 

Joe Carrigan: Right. And doesn't come from Amazon... 

Dave Bittner: Right. Right. Is that just something - you know, and I suspect it is. So that's the first email - short, sweet, not much to it. So my father responds, and he says, hi, Sandy. Hope is well. I'm doing great. I'm not quite clear on your message. Could you try me again? And then the person pretending to be Sandy writes back and says, it's nice to hear from you. I need to get an Amazon eGift card for my cousin. It's her birthday today. I tried to order it myself, but my card got declined. I had to contact my bank, and I was told I needed to wait three to five days for my new credit card to come in the mail. Can you assist me, place the order on Amazon and have it sent to her email address? This would mean a lot to her. Thanks - Sandra. OK. 

Joe Carrigan: OK. So interesting that - this is a coincidence probably. But this is your cousin, and they're saying that their cousin is looking for a gift for the - maybe your dad knows who the cousin is. 

Dave Bittner: Yes. Right. 

Joe Carrigan: Right. 

Dave Bittner: And doesn't say which cousin - just cousin. 

Joe Carrigan: My cousin. Yeah. 

Dave Bittner: Yeah. And on that side of the family, there's a lot of cousins there. So... 

(LAUGHTER) 

Joe Carrigan: Yeah. 

Dave Bittner: Could be anybody. So my... 

Joe Carrigan: I have a side of family like that, yeah. 

Dave Bittner: Yeah. So again, my father replies, and he says, I have never used Amazon, and I don't know about computers. Dear listeners, let me just verify this is all true (laughter). 

Joe Carrigan: Right. And that's one of the worst things you can say to a scammer. 

Dave Bittner: Right, right. Exactly. 

Joe Carrigan: 'Cause right now they go, oh, good. 

(LAUGHTER) 

Dave Bittner: Right, right. No. Yeah, exactly. No, my home doesn't have an alarm system. 

Joe Carrigan: Right. 

Dave Bittner: So he says, if you have another thought, I will do my best to help. OK. So now the scammers write back, and they say, could you get it from any store around you? I'll refund as soon as I get back. Let me know if you can handle this for me. And my father replied, and he said, I hope so. How much, and who to? And they reply and say, the amount on the Amazon card should be $150. When you've gotten it from the store, kindly take a picture of the back PIN and receipt also, then attach all to me so I can forward it to her. Let me know if you can handle this for me. And that's where it ended because that is the point where my father... 

Joe Carrigan: You stepped in. 

Dave Bittner: Yeah. Well, and - yes. And my father did not know how to do this. Thank goodness. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Right? And contacted me. And so we put an end to it, and we cut it off, and we reached out to our cousin Sandy to let her know that her email had been compromised. She was not aware that her email had been compromised. 

Joe Carrigan: Did you happen to ask her if she saw these messages in her sent folder? 

Dave Bittner: No. Actually, I was not the person who reached out to her, so I didn't actually have that conversation. 

Joe Carrigan: OK. 

Dave Bittner: So it was more of an FYI. But so, you know, this is a classic kind of thing. 

Joe Carrigan: Yeah. 

Dave Bittner: And I just feel lucky that I got in the middle of it when I did. And it gave me the opportunity to explain to my dad that - what exactly what was going on here and reiterate, 'cause I know I've told him this before, that if anybody asks for any kind of gift cards, that that is a huge red flag. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Right. Your statement is correct. When you hear gift cards, stop. 

Dave Bittner: Right. 

Joe Carrigan: That's the end of the discussion. We... 

Dave Bittner: Right (laughter). 

Joe Carrigan: OK, we're done here. Somebody asking me for a gift card, you know, unless I - unless that was immediately preceded by me asking you, what do you want for Christmas or what do you want for your birthday or insert your favorite holiday here, and then you say, I would like an Amazon gift card, that's the only time I'm going to accept that as a valid input, right? 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: All the other times it's going to be like, hey, I want an Amazon gift card. Hey, I don't care. That's... 

Dave Bittner: Yeah. 

Joe Carrigan: That's an invalid moot point at this point... 

Dave Bittner: Who is this, and what have you done with my cousin? (Laughter). 

Joe Carrigan: Right. Because I know my cousin hates Amazon. 

Dave Bittner: (Laughter). 

Joe Carrigan: I would just start - wow. You hate Amazon. You're going to go - after what you said at Thanksgiving, you're going to - (laughter). 

Dave Bittner: Right. 

Joe Carrigan: You're going to buy an Amazon gift card? 

Dave Bittner: (Laughter) So... 

Joe Carrigan: You really came down hard on Jeff Bezos. I mean... 

Dave Bittner: Yeah. So that is Part 1 of the story. 

Joe Carrigan: OK. 

Dave Bittner: So Part 2 is about a week later. I'm here at my CyberWire office doing my work, minding my own business, when my phone rings, and it is my father calling me. And so I answer the phone, and I can tell he's a little wound up about something, and I'm not sure what's going on. And he says, Dave, I think I have a situation here. OK, all right, well, how can I help? And he had been pestered all morning long on his phone by someone trying to execute a tech support scam with him. And they had him all wound up that he was going to be automatically charged a few hundred dollars for some tech support, that they had his banking information, that it was going to happen, and unless they were able to get the right information from him and, you know, this, that and the other thing, that this charge was going to go through. And my father's response to this was - he started calling his bank... 

Joe Carrigan: Right. 

Dave Bittner: ...To see if any money had been taken out or if things had been transferred and so on and so forth, started calling his credit card companies. So he's kind of going into a tizzy of activity here, doing his best with what he knows how to do to try to stop this. 

Joe Carrigan: Right. 

Dave Bittner: And again, you know, his ability to do things is limited. So I suspect, you know, he wasn't giving them the easy answers that they wanted - right? - on the other side... 

Joe Carrigan: The scammers, you mean? 

Dave Bittner: ...Of the phone call. Right. Right. 

Joe Carrigan: Yeah. 

Dave Bittner: But so - but here's the part that I think is particularly interesting that makes me want to share this with our listeners, which is when I was in the aftermath of this, when I said to him, Dad, just hang up the phone. You know, if they call back, don't answer. 

Joe Carrigan: Right. 

Dave Bittner: You just - there's - and he said, but what about the money? Dad, there's no money. 

Joe Carrigan: Right. This is... 

Dave Bittner: What about the charges to - there's no charges. 

Joe Carrigan: This is the same situation that happened with the Best Buy... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Scam. 

Dave Bittner: Yeah. Yeah, pretty much, except in this case, he was actually talking to someone on the other line. Now, here's the interesting part. Here's the little nugget. In my conversation with him, I said, Dad, you know, chances are these folks are from somewhere on the other side of the world. You know, they don't care about you. All they're after is your money. And there's somebody sitting in some kind of bullpen sweatshop trying to scam you. And he said, you know, that's interesting that you said that. I'm glad you said that because the person I was talking to spoke perfect English, but I could hear in the background somebody was talking to him in broken English and telling him everything to do. So every time I would respond, there was a person there telling the other person who spoke good English what to say. 

Joe Carrigan: It was a training session almost. 

Dave Bittner: Well, it's a training session or - I mean, that's interesting. I had not considered that - could be. 

Joe Carrigan: Right. 

Dave Bittner: Or it could be that they put the person who had really good English... 

Joe Carrigan: Right. 

Dave Bittner: ...In front and center, but you had the person in the background who was actually - had the social engineering skills... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, the ability to... 

Joe Carrigan: Knows the scam. 

Dave Bittner: ...Answer the questions. Right - knows the scam, the expert on the scam. But that was a little bit of nuance that I hadn't really heard of before. I'm sure it happens. I just hadn't really considered it, you know? I suspect other people have experienced the same thing, but I thought that was an interesting little tidbit from this one that was worth sharing and just another bit to share with your friends and family to - something to look out for, you know? 

Joe Carrigan: Yeah. I mean, there are people in - I'm imagining this was probably in India because... 

Dave Bittner: Yeah. 

Joe Carrigan: ...In India there are people that are very good English speakers... 

Dave Bittner: Sure. 

Joe Carrigan: ...Because the country has - a lot of their education is run in India. 

Dave Bittner: Yep. 

Joe Carrigan: You know, they were a British colony for a number of years, like we were... 

Dave Bittner: Right. 

Joe Carrigan: ...You know, and Ireland. So, you know, a lot of people in these areas speak very good English. 

Dave Bittner: Yeah. 

Joe Carrigan: And, you know, if you get somebody who is a good actor, they can impersonate an accent. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's all it takes, is somebody who has the linguistic skills and the, I guess, accent skills. I mean, there is a special area of acting that... 

Dave Bittner: Yeah, dialects and things like that. Yeah. Yeah. 

Joe Carrigan: Dialects - yeah. Yeah, I mean, 'cause, like, have you ever seen Helena Bonham Carter in "Fight Club"? I didn't know that she was British when I first saw that movie. 

Dave Bittner: Right (laughter). 

Joe Carrigan: And she is remarkably good in that movie... 

Dave Bittner: Right. Right. 

Joe Carrigan: ...And comes across as an American. And another one is Idris Elba in "The Wire" sounds like he grew up in Baltimore. 

Dave Bittner: Yeah. 

Joe Carrigan: It's amazing how good he is. 

Dave Bittner: Yeah. 

Joe Carrigan: But he's British as well. But, you know, so these skills are out there, and they exist, and they can be developed. So, you know, just because you're talking to somebody who sounds like they grew up next door to you or grew up within the same country you grew up in - that's not a guarantee. 

Dave Bittner: Yeah. 

Joe Carrigan: It's just not a guarantee. 

Dave Bittner: So all's well that ends well with my dad. I mean... 

Joe Carrigan: Yeah. 

Dave Bittner: ...It's another near miss, and I can't help feeling as though - you know, as I've said here before, that he's kind of a sitting duck. You know, I just educate him as much as possible - you know, got everything that he's got on multifactor authentication. 

Joe Carrigan: Yeah. 

Dave Bittner: I get - you know, I'm on his bank account, so I get notices if there are large withdrawals or anything, you know? 

Joe Carrigan: That's excellent. 

Dave Bittner: I've done all the things that I think I can try to do, along with my siblings, to try to look out for him and check in on him and make sure. And part of that is making sure that he's comfortable reaching out when he thinks he has a problem. And so... 

Joe Carrigan: That is a big deal. 

Dave Bittner: ...I'm happy that he did that. 

Joe Carrigan: Yeah. That's good. 

Dave Bittner: Yeah, I'm happy that he did that. 

Joe Carrigan: Maybe it's time for your dad to get a new phone number. 

Dave Bittner: You know, I'm glad you said that, because I was thinking about that as part of the sitting duck thing, because... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Does his number get put on a list of sitting ducks? 

Joe Carrigan: I am almost positive it's on a list of, you know, this is an old guy who's not technically astute, and I have almost gotten him three times. 

Dave Bittner: Yeah. 

Joe Carrigan: Somebody's going to get him, so they - and I'm sure it gets passed around. It's probably coming out of the same call center. 

Dave Bittner: Yeah. 

Joe Carrigan: That would be my - or maybe. It may be coming out of the - I'm not going to say probably. It may be coming out of the same call center. 

Dave Bittner: Yeah. Yeah. You never know. 

Joe Carrigan: Yep. 

Dave Bittner: All right. Well, that's the latest family update from me. I'm hoping that these stories... 

Joe Carrigan: I'm glad your dad didn't get scammed. 

Dave Bittner: Yeah, me too. I'm just hoping that these stories become fewer and farther between and, you know, glad I'm able to look out for him again. 

Joe Carrigan: Right. 

Dave Bittner: As I say, it's not just me. My siblings are looking out for him as well, so he's got a good support network around him. But, you know, it's really helped me also to have a better understanding of different people's abilities when it comes to these sorts of things and have empathy that people are just coming at this with all different skill levels and life experiences. 

Joe Carrigan: Yes. 

Dave Bittner: All right. Well, those are our stories this week. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Philippe (ph), who says he would like to hear what our take on this one is. It's a message that looks like it has come from the (laughter) - from the treasurers of the United States treasury verification department, financial transaction verifica (ph)... 

Dave Bittner: (Laughter). 

Joe Carrigan: And the very - right. That's what it says. And of course, the from address and the reply to address look nothing like email addresses you would expect to receive from the Treasury Department. 

Dave Bittner: (Laughter). 

Joe Carrigan: One of them ends in .de, one of them ends in .do. And the first line of the email is actually written in Dutch, and it says scroll down for German and Dutch translations. 

Dave Bittner: Oh. 

Joe Carrigan: But the subject is, recall of your refund. So, Dave, why don't you take it away as Secretary of Treasury Janet Yellen. 

Dave Bittner: (Laughter) It says (reading) recall of your fund. I am Janet L. Yellen, secretary for international finance of United States Treasury Department. Be informed that your fund has been recalled back from the offshore payment center. This recall was after the interception of the fraud attempt by some group of suspected fraudulent officials, who was trying to divert the fund to another account by the international remittance office. It was detected after reconciliation of payment files, which was directed by board of directors of the United Nations economic commission and the United States Treasury Department after the financial submitting, which mandated United States Treasury Department to investigate all outstanding and approved payment, which is presently pending with offshore payment centers around the world, which your payment file was among the file and irregularities was detected. The fund was called back based on these findings that upon thorough examination of your debt records, to ascertain the genuineness of the chargeable claims and to determine whether or not the procedures of inheritance or contract were carried out in conformity with the existing regulations, the following discrepancies were duly discovered. One, your payment procedures were being handled in an unusual transaction pattern, which gave the avenue for all these fallacies and also bogus promises, which is totally impossible in any part of the world and also to use it as a blackmail means of extorting money from you. All these contributed to make it impossible for you to receive your fund. Two, there was a large-scale documentary pilferage - procedure diversions using U.N. existing offshore payment exercise - and documentary subversion - procedural hijacking through fraudulent manipulations - all meant to divert your attention by frustrating you outpatients (ph) for possible diversion of your payment to other account. 
Based on that, your fund has been recalled back by the order of the United States Treasury Department board of directors for immediate re-transfer to your account that will be provided by you. The board of directors of United States Treasury Department has appointed a trusted financial consultant by name, proforssor (ph) Anthony Durant, that will oversee and approve every payment that will be released to any foreign beneficiary. You are required to send this email below. One, receipt of last payment made, if any; two, how much is in your fund; three, international passport for identification; four, last stage of your funds, all documents about the funds. You are advice urgently to contact proforssor Anthony Durant, whom your file has been directed to for final verification and release to your account through our corresponding bank. Your urgent contact to proforssor... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Anthony Durant will be highly in your favor based on the finding in your file and also an attempt by some fraudulent officials to divert your funds. Your urgent contact will be in your favor. And also you are advice to stop any communication to any office or person. Be duly guided. Yours sincerely, Janet L. Yellen, secretary, Department of the Treasury. 

Joe Carrigan: So there's - this is a long one, and it seems like there's a lot of, like, you know, if you can't dazzle them with brilliance, baffle them with BS in here. 

Dave Bittner: Right (laughter). 

Joe Carrigan: You know, there's a lot of things that go on in here like, I'm - is that a sentence? I don't know what... 

Dave Bittner: Oh, my gosh. 

Joe Carrigan: ...Any of those words strung together mean. 

Dave Bittner: Right. Evidently, this email is being billed by the use of periods, you know? Like (laughter)... 

Joe Carrigan: Right. Yeah, exactly. 

Dave Bittner: There aren't - there are very few. 

Joe Carrigan: So Philippe wants to know what's going on. Here's what I think, is this is a - I don't know if this is just a phishing email or if this is an email that's going after people that have already been victimized, but it looks like what's called a follow-on scam. A lot of times when people are scammed out of money, the next step in that scam is somebody calling them up to impersonate law enforcement to go, hey, we got some of your money back, but we need to - you know, we need more information from you to get it back to you. 

Dave Bittner: Right. 

Joe Carrigan: And then they just scam them out of more money with advanced fee scams. And that's what this looks like to me. 

Dave Bittner: Yeah. 

Joe Carrigan: It's - you know, it's one of those things that really makes me angry, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: Which is one of those things I'm really happy about the guys that had that call center to where they're trying to penetrate the other calls - the scammer call centers. 

Dave Bittner: (Laughter) Yeah. They're also - you know, they're asking for your passport here. So there's some identity theft... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Attempt. 

Joe Carrigan: Absolutely. 

Dave Bittner: And maybe banking account information. 

Joe Carrigan: Sure. And how much money you have, right (laughter)? 

Dave Bittner: Right (laughter). 

Joe Carrigan: Yeah (laughter). 

Dave Bittner: Are you worth my time? 

Joe Carrigan: Right. Exactly. How much money can I scam this guy out of? 

Dave Bittner: Yeah. Yeah. All right. Well, it's an interesting one. And again, thanks to Felipe or Philippe, however you pronounce it, for sending this in to us. We do appreciate it. We would love to hear from you. If you have something you would like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it's always great to welcome Carole Theriault back to the show. 

Joe Carrigan: It is, indeed. 

Dave Bittner: And this time, she is speaking with Chris Kirsch, who is co-founder and CEO of an organization called runZero. And he has his bona fides when it comes to social engineering at DEF CON. He's quite well known for his skills there. And their conversation... 

Joe Carrigan: He has a black badge. 

Dave Bittner: Yeah, he has his black badge, which they don't just hand out to anybody (laughter). 

Joe Carrigan: Nope. You can - that means he can go to any DEF CON ever in the future. 

Dave Bittner: Yeah. So they're talking about open-source intelligence and vishing pretexts. So here's Carole Theriault speaking with Chris Kirsch. 

Carole Theriault: So today, we welcome Chris Kirsch, co-founder and CEO of runZero. He's been in InfoSec his entire life and holds a DEF CON black badge for social engineering, which means he knows a lot about this stuff, guys. Welcome once again to "Hacking Humans," Chris. 

Chris Kirsch: Thank you for having me, Carole. 

Carole Theriault: So, Chris, recently you were asked to judge the vishing competition at the social engineering community at DEF CON. This is the world's largest hacking conference. And you were able to collect data at this event. Now, you have published this great article on Medium with all your findings. And I really want to zero in on a specific finding in your research. But first, what do listeners need to know about this DEF CON vishing competition and your role as judge or researcher? 

Chris Kirsch: Sure, yeah. So if people are listening to this podcast, they probably have an appreciation of what social engineering is - so kind of using the human angle to security and actually trying to trick humans, right? And most people are familiar with the word phishing with a P-H, which is sending scam emails. What we are talking about here is vishing with a V, which is much lesser known, and that's basically voice phishing. So it means, you know, the equivalent of a prank call but not to prank somebody but to actually extract information or get them to do something. 

Carole Theriault: Hmm. 

Chris Kirsch: Right? And so this is a hacking technique that's often combined with other techniques of hacking into computers and so on. But that human angle can really help get a first foothold into an organization. And I think we've seen that recently with, you know, the Uber hack. There was a big component of social engineering there and so on. So that's - it can be a big component in getting in. 

Carole Theriault: How would a vishing - like, can you just give me an example? Walk me through a vishing attack just so our listeners can - you know, who've never heard the term before can get it. 

Chris Kirsch: Sure. So somebody might call you as an end user at a company or even at home. You know, the common attacks at home are, hi, I'm calling from Microsoft, and I'm calling because your computer is slow to, you know, handle your support request, and then they're doing some stuff. In a company, it actually often isn't much different. The pretext - so the reason why people call and, you know, who they pretend to be - can be a little bit different. But what we found in this competition is actually that most people still picked some kind of IT pretext, so, like, an IT help desk reaching out or an IT security survey where they're saying, hey, just wanted to get your feedback or a software satisfaction survey, something like that. They were able to extract a lot of information through that. 

Carole Theriault: Right. So they're basically pretending to be something else, and they're trying to extract information in order to be able to bypass the company's security and get into the network. Is that the game? 

Chris Kirsch: That's pretty much it, yeah - either get into the digital network or actually get into the building. So about half of the objectives - and objectives are pieces of information that they have to gather - half of those are to get into the network and half of those are actually to get - physically get into the building. 

Carole Theriault: Wow. OK. So the one thing that I can imagine here is before you make one of these calls, you've got to do some recon, right? You got to know who you're calling. You've got to know how the lingo inside the company works, I guess. 

Chris Kirsch: Exactly. Yeah. You don't just pick up the phone and give it a go. I mean, you know, some very talented people can do that, but your chances of being successful are so much higher if you really do your research. And most contestants here in this competition invested between 40 and 120 hours in online research to figure out things about the company... 

Carole Theriault: Wow. 

Chris Kirsch: ...Lingo and systems - anything they can find so that they can sound like an insider when they're calling the company. 

Carole Theriault: OK. Now, you - in your great article on Medium, you wrote about the top places that these people were going to try and get some information on the company that they were targeting. And you've put them in order, haven't you? 

Chris Kirsch: Yes. 

Carole Theriault: So could we start - can we start with the third from the top, please? 

Chris Kirsch: Sure. Yeah. So the third from the top, it's a technical term called Google dorking. But what it really means is using advanced Google searches to try and find something. So, for example, you can try - you can modify your Google search to say, I only want to find Excel files or I only want to find things on a specific website and then add search terms. So just think of it as advanced Google searching. 

Carole Theriault: Right? 

Chris Kirsch: That was No. 3. There was a whole bunch of things where people found things, and that's very common. 

Carole Theriault: No. 2? 

Chris Kirsch: No. 2 was LinkedIn. A lot of people use that to showcase their skills. They want to look good in front of their peers, prospective employers and so on. And they will talk a lot about the type of technology that they're working on inside a company. So that gives you a ton of information, sometimes right down to the version of the software of something that's being used inside the company. And who is the administrator for that software? 

Carole Theriault: Yeah. No, I think that's probably - that's really naughty. I find LinkedIn very scary that way, especially our younger people that are getting on there looking for jobs tend to put every single thing that they've ever achieved. I understand why, but they leave themselves open. 

Chris Kirsch: Yeah. 

Carole Theriault: That's a whole other podcast. Maybe we should do that sometime. 

Chris Kirsch: Yeah. It's not just the younger people. It's actually across generations, really. 

Carole Theriault: Really? Wow. And OK. And what was No. 1? What was the No. 1 place that people went and tried to harvest information on a company? 

Chris Kirsch: It was really interesting. It was - I don't think it's the No. 1 place they went, but where they found the most once they had something. It was YouTube. Yeah, it was YouTube. 

Carole Theriault: It was YouTube. And why? 

Chris Kirsch: It's super interesting. So having done this before, I've stalked the YouTube channels of the companies that I was targeting. And it's very hard to go out and search for something specific. But when you have a whole list of things that you're trying to find, and you go through the videos almost frame by frame, you can find things like, you know, recruiting videos where they walk into the building. You see exactly what the access control looks like, what the doors look like, what the badge design is, so they can, you know, at least visually clone the badges. You can see what kind of hardware they're using, what kind of phone systems, often books on the wall with technologies they're using if they're walking past the IT department. And then sometimes things just pinned up in cubicles, you know, information pinned up in cubicles. 

Carole Theriault: I've never heard of a reason to use 720p as opposed to 4k before in my life, because of course all these company videos and stuff that people put on YouTube, they tend to be high-end productions, right? 

Chris Kirsch: Yeah. And I think one example - one or two contestants actually found SSID, like Wi-Fi passwords in a virtual office tour. And so that was interesting. Yeah. 

Carole Theriault: Wow. OK. 

Chris Kirsch: And the other thing on YouTube was HR training videos, so some kind of a webcast that they've put up on YouTube. And you can tell a lot from the taskbar in the bottom right. You know, like you see what browser they have, what antivirus they have, what operating system they have, all of these things. If you know what the icons look like, you can really tell a lot from that. 

Carole Theriault: Chris, this is so fascinating because I'm thinking our listeners right now, hopefully if they're sitting there having their breakfast or their lunch, have stopped chewing and going, oh, sheesh, maybe I need to review what we've got out there because maybe I'm handing it over, you know, in a beautiful 4K package. 

Chris Kirsch: Yeah, yeah, high production value (laughter). 

Carole Theriault: Chris, it's always a pleasure to speak with you. This is Chris Kirsch, the co-founder and CEO of runZero. Thank you so much for coming on and sharing this. And listeners, do go check out that article. There's some fascinating findings there. And it's on Medium. 

Chris Kirsch: Thank you for having me. 

Carole Theriault: A pleasure. This was Carole Theriault for "Hacking Humans." 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Vishing - do I rant about how much I hate these terms, Dave? Do I? No. I don't think I will. I think everybody, I've said this enough. I don't like the term phishing. But that is the term of art. 

Dave Bittner: Vishing, smishing. 

Joe Carrigan: Phishing I thought was clever, right? P-H-I-S-H - it's like - that harkens back to phone phreaking, where phreaking was spelled with a P-H like phone was. 

Dave Bittner: Right. 

Joe Carrigan: But vishing now is essentially, it's - I would say is more like phone phreaking - right? - where you call in. This is what Kevin Mitnick made his notoriety doing, calling in to places and providing a pretext of something to try to get information out of people. It's just making phone calls into an organization. And it happens all the time. 

Dave Bittner: Yeah. 

Joe Carrigan: There was a time I worked in an organization that did work for the government, and we would get these calls from time to time. People would be, you know, impersonating people with job offers, and they'd be calling into our office. We'd always hang up. And - but I'm sure there was somebody who listened and talked. That's really the issue, is not the people that listen, but the people that talk. Home attacks - in the home attacks, of course, like we had with your father in today's stories, the home attack comes as a fake tech support scam or a fake banking thing. Hey, it's your bank. And somebody took a bunch of money out. Oh, no. Let's go log into your computer and see if we can get that back. That's a scam. Don't do it. 

Joe Carrigan: In this competition, most people picked IT to impersonate, which I think is interesting. It's a great thing to interpret because for some reason - well, it's because it's not - the people don't live the life I've lived steeped in technology, Dave. And, you know, looking at every gadget going, oh, how does that work? They don't do that. They just go, oh, cool. I can play with this or I can use it to do this. And I'm like, well, I want to know everything down to the transistors on this thing. Most people don't want to know that. So the technology kind of becomes a little bit of an enigma to them. They don't really know. 

Joe Carrigan: So when somebody from IT calls and they say something, you have no way of judging whether or not that's true or not. It's not because you're less intelligent than I am. I can almost guarantee that's not the case. But it's because you just haven't done what I've done with your life, and that is spend all your time looking at cool gadgets and wondering how they work and learning how they work and reading how they work and all that stuff, because that bores you. And that's fine. That's absolutely fine if that's how you choose to spend your time. It's just a different perspective. But people are taking advantage of that. It's - here's a very important point that Chris makes in this discussion. In the competition, most contestants spent about 40 to 120 hours doing what's called OSINT. That's open source intelligence gathering. 

Dave Bittner: Yeah. 

Joe Carrigan: It just means going out and finding information out from places where you can always get information. That is one to three weeks of full-time effort to come up with ways to make it look like you're an insider. And the more time you put into the information gathering or the OSINT phase, the higher your probability of success. 

Joe Carrigan: Right. I want to talk about the interesting sources for OSINT. No. 3 was Google searches. That doesn't really surprise me because there's a lot of information that Google indexes that people don't even realize that Google is out there indexing this but they are. Like, they're indexing Excel spreadsheets. Right? I mean, did you think that was happening when you put a web page up and you put Excel spreadsheets up that Google was consuming those spreadsheets, taking them apart, knowing that they're Excel files, indexing them and then putting it back out there, putting out the search results or putting it into their large index of possible search results? And I was very surprised that No. 1 was YouTube and that people took the time to go through painstakingly frame by frame. There's actually keyboard shortcuts. You can do that with a video. And you can look at every single frame of a video and get information out of the frame in the background. And Carole makes a great point here that this is why we - you know, we've made the technological advances now that we can shoot video in 4K. And everything looks great. But now we're putting out a lot of high-res images of everything in the background. So it's just a great source. 

Dave Bittner: It's like when Captain Picard says, on screen, magnify. Right? 

Joe Carrigan: Yeah. If you zoom in on a picture, and it has the resolution, you don't need to say enhance, right? It just - it's there. 

Dave Bittner: (Laughter). 

Joe Carrigan: One of the things that I thought was interesting is I took a look at the article and found some places that I thought were going to be - but I was surprised to see on the list of sources. One is a vendor website, a vendor website providing all kinds of ways to get in? That's interesting. Job postings, that - I didn't expect that. But that makes complete sense to me. And then Street View. Street View was used to get a lot of information. In fact, if you put Street View together with the Google results because I think Street View is a Google product, right? 

Joe Carrigan: Yeah. 

Joe Carrigan: If you add those together, that was the number - Google was the No. 1 source. But Chris broke it out between Google searches and Street View. So it's - he puts No. 1 as YouTube, by the way, also a Google product. Not as helpful as I thought - I would have expected, the Glassdoor website didn't provide as much information as I was expecting to see. And the Wayback Machine was also not particularly helpful. I thought - I would have expected both of those to score higher than they did. They were actually all tied for last place with one artifact they produced. 

Dave Bittner: That is interesting. 

Joe Carrigan: Yeah. 

Dave Bittner: All right. Well, as always, our thanks to Carole Theriault for bringing that interview to us. And our thanks to Chris Kirsch from runZero for taking the time for us. We do appreciate it. 

Joe Carrigan: Yeah. Go check out that article on Medium. It's really good. 

Dave Bittner: That is our show. We want to thank everyone for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.