Hacking Humans 1.12.23
Ep 227 | 1.12.23

The age old battle between social engineering and banking.

Chip Gibbons: Many organizations - they try to do a combination of both technical security controls - for example, spam filtering, areas like that - as well as they try to do training. In many cases, they're not doing enough.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Chip Gibbons, who's CISO at Thrive Networks, joins us to talk about business email compromise. 

Dave Bittner: All right, Joe. We are going to jump right into our stories this week. 

Joe Carrigan: Woo, splash. 

Dave Bittner: And I have a story - this is another one from Rest of World, which is a sort of a global news - tech news website. This is my primary source, but I actually followed this story on a couple different places. And this is about how Amazon has authorized sellers in Pakistan. And a wave of scammers followed that. Now, I was unaware that Amazon goes nation by nation and authorizes who can sell on their website. 

Joe Carrigan: So... 

Dave Bittner: Makes sense. 

Joe Carrigan: ...Let me understand this. Amazon has essentially opened up authorized selling in Pakistan. 

Dave Bittner: Correct. 

Joe Carrigan: In other words, before that, if you were in Pakistan, you could not be an authorized seller. 

Dave Bittner: Correct. 

Joe Carrigan: But once they flipped the switch... 

Dave Bittner: Yeah. I think you could buy other people's stuff. So, for example, the U.S. and China were both nations that were authorized to sell on Amazon globally. 

Joe Carrigan: Right, right. 

Dave Bittner: But Pakistan had not yet been authorized to do so. So Amazon flipped that switch. And lots of folks started selling on Amazon. And, of course, the vast majority of them are legitimate sellers. 

Joe Carrigan: Sure. 

Dave Bittner: And this article talks about how it's really been a boon for a lot of people in Pakistan who - to have this opened up to them, they can be entrepreneurs. 

Joe Carrigan: Right. 

Dave Bittner: And they are. And there's a real market in people who are teaching other people how to do this, the best ways to optimize your goods and the things you sell and to create an online store. So in that way, it's been great. But of course, we can't have nice things. 

Joe Carrigan: Right. 

Dave Bittner: So there's been a boom of scammers as well. And for the legitimate sellers on Amazon who are from Pakistan, they are concerned that Amazon could throw that switch back again, that they could - that some Pakistani IPs are being blacklisted to sell on Amazon because of the amount of scams that are happening here. This article says that back in May of last year, Amazon shut down about 13,000 Pakistani seller accounts that it suspected of fraud. 

Joe Carrigan: Right. But what - why IP addresses? 

Dave Bittner: Don't know. 

Joe Carrigan: Because if two - if you and I are on similar IP networks... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? - or on the same - we might have, at some network address translation point, the same IP address... 

Dave Bittner: Yeah. 

Joe Carrigan: ...If we both have the same provider. 

Dave Bittner: Yeah. Yeah. I don't know. This article says Pakistani IPs are blacklisted, so says Ayaz Ali, a seller who clocks revenues reaching 60,000 British pounds through last fall. He says you can create an account, and instantly, it's blocked or sometimes never approved. So I guess it's regional, sounds like to me. Like, maybe they're using, you know, geographic means to block IP addresses. But what I really wanted to dig into were the actual scams that they're using here. 

Joe Carrigan: Yes, that's actually a - I'd like to hear about that. 

Dave Bittner: So one of them is called the kabootar trick. They said that's the most popular Amazon seller scam in Pakistan. And this is the fake delivery scam, right? So the scammer puts something up for sale on Amazon. So you go ahead and buy this thing, and the scam seller will ship you something... 

Joe Carrigan: Uh-huh. 

Dave Bittner: ...So that there's a tracking number. But it's not the thing that you bought (laughter). 

Joe Carrigan: Yep. We've seen this before. 

Dave Bittner: Right. Absolutely. 

Joe Carrigan: He just goes out to his yard, picks up some piece of trash that's laying around... 

Dave Bittner: Right. 

Joe Carrigan: ...Puts it into an envelope, mails it to you. 

Dave Bittner: Right. And so you get that piece of trash in the mail. You complain to Amazon, and the seller says, no, no, we sent them the thing. Look, here's the tracking number. 

Joe Carrigan: Right. 

Dave Bittner: And that's how it works. 

Joe Carrigan: They profit and clean their yard. 

Dave Bittner: That's right (laughter). This article points out that these folks are using Facebook groups to communicate with each other, the scammers. This is where they kind of teach each other, communicate, tell each other what works and what doesn't, which is - I don't know - kind of interesting that there's multi-tiered, you know, online social media. I guess we shouldn't be surprised. 

Joe Carrigan: No. 

Dave Bittner: This is where (laughter)... 

Joe Carrigan: There's another big tech company involved in the malfeasance. 

Dave Bittner: Yeah. 

Joe Carrigan: Surprise, surprise, surprise. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: And, of course, Facebook is like, oh, we don't condone the activity. I'm sure if you ask them about it, that's what they'll say, but... 

Dave Bittner: Yeah, there was one that - this article, I didn't get a clear understanding of it on, so I tried to chase it down on another article. I want to see what you think about this, Joe. So there is a scam that they use using Sam's Club. Now, Sam's Club is one of the membership discount clubs. 

Joe Carrigan: Yeah, it's Sam Walton, the founder of Walmart... 

Dave Bittner: Right. 

Joe Carrigan: ...Opened up a large, like, Costco when Costco and Price Club and Sam's Club were - and BJ's, I guess, were all... 

Dave Bittner: Yeah. 

Joe Carrigan: Yup. 

Dave Bittner: Yeah. So you pay an annual membership fee, and you get access to this warehouse kind of place, you know... 

Joe Carrigan: Right. 

Dave Bittner: ...Where you can buy stuff, and... 

Joe Carrigan: Wonderous. 

Dave Bittner: Yes, it is. The joke is that it's the only place you can buy a six-pack of lawn tractors. 

Joe Carrigan: Right (laughter). 

Dave Bittner: So the way that this scam works is that a Pakistani seller would register a U.S. company, and they would apply for a credit limit on Sam's Club, which, this article says, in some instances will allow a credit limit of up to $10,000 to shop. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. So the sellers then receive orders from customers on Amazon Marketplace. Then, the scammer would use the credit card limit on the Sam's Club account to purchase and deliver the order to the customer. So this allows scammers to receive payment from the customer, but then, they claim a refund from Sam's Club. That's what I don't understand (laughter) what's going on here. 

Joe Carrigan: They claim a refund from Sam's Club? 

Dave Bittner: Yeah. So I tried to - I looked at another article about this to try to get... 

Joe Carrigan: See, 'cause where I thought this was going, Dave, was then they just shut down the company, don't pay the Sam's Club bill, and get 100% profit at the expense of Sam's Club. 

Dave Bittner: Yeah. 

Joe Carrigan: But... 

Dave Bittner: So I found another article about this. This is from another local - another - this is a news organization that's local to Pakistan. And they refer to this as a filing scam. And I'll just read this. It says (reading) filing is another smartly mischievous trick used by Amazon Pakistan sellers. The sellers on Amazon take orders from customers on their Amazon accounts. Rather than delivering the products from Amazon, they buy the products from other sites like Walmart, Sam's Club and other vendors. 

Joe Carrigan: Right. 

Dave Bittner: (Reading) This way, sellers get the order on Amazon, buy from other vendors by making secondary accounts, and deliver it to the actual buyers. Thinking about where is the fraud? 

Dave Bittner: Yes. Yes, we are (laughter). 

Joe Carrigan: Yeah. Yeah. That sounds like business with extra steps, but go ahead. 

Dave Bittner: It goes on and says (reading) Pakistan sellers are using the assistance of staff from Sam's Club to get a refund on the delivered goods. Sellers show that buyers did not get the product and demand a refund from secondary vendors. By using the filing technique, sellers get the actual payment from the customers as well as a refund from the vendors. 

Dave Bittner: I'm still not a hundred percent clear on (laughter) what's going on here. Do you? 

Joe Carrigan: OK. So in other words, is Sam's Club also having authorized resellers? Maybe that's what it is? That sounds like that because they're saying that Sam's Club employees are helping them... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Get money back from other sellers. 

Dave Bittner: So I think what's happening is - all right. So I set up my fake store on Amazon, OK? And you see it, and you say, hey, I want to buy one of those things. I want to buy that widget. And you buy it from me, and I send it to you directly, basically drop ship it to you from my Sam's Club account... 

Joe Carrigan: Right. 

Dave Bittner: ...Where I have credit. 

Joe Carrigan: Yes. 

Dave Bittner: OK? It gets delivered to you. But then, I guess, with my cohort who works for Sam's Club, who's in on the scam, somehow we convince Sam's Club that the item did not get delivered. So we get payment from you because you're happy; you got the thing that you wanted. 

Joe Carrigan: Right. 

Dave Bittner: So you pay for it. But then, we get a refund from Sam's Club by somehow claiming that it never got delivered. That's the scam, as I understand it. 

Joe Carrigan: OK. 

Dave Bittner: Yeah. Seems like a lot of steps, but... 

Joe Carrigan: It does. 

Dave Bittner: (Laughter). 

Joe Carrigan: And it seems like it's pretty easy to thwart, right? 

Dave Bittner: Yeah. 

Joe Carrigan: ...By saying - well, I don't know. OK, maybe you could say something like, well, we're not going to refund the money because, frankly, you're a new customer... 

Dave Bittner: Could be. 

Joe Carrigan: ...And we don't know if this is fraudulent or not. But, I mean, I don't know. This is very, very convoluted. 

Dave Bittner: It is. But I guess if you rig up a system... 

Joe Carrigan: Yeah. 

Dave Bittner: ...To sort of streamline it for yourself, it works, and it must be worth doing. So... 

Joe Carrigan: But why not just sell the stuff, take the profit - I mean, maybe they're not making a profit. Maybe that's what the issue is. 

Dave Bittner: Mmm-hmm. Right, if you sell it at cost and then... 

Joe Carrigan: Right. 

Dave Bittner: ...What you're counting on is - 'cause if... 

Joe Carrigan: Is getting the money back. 

Dave Bittner: Yeah. If you get the full price of the thing, that's better than any... 

Joe Carrigan: Right. 

Dave Bittner: ...Margin you would have gotten on it. 

Joe Carrigan: Yeah, you can change the business model from zero profit to 100% profit. 

Dave Bittner: Right. Right, absolutely. So, you know, they list some of the scams that are being done here. And they're the familiar ones. The one we already talked about, the pigeon trick, which is the - you know, the fake shipping thing. The filing one is the one we just talked about. They talk about carding. They talk about - somehow they're doing sales tax fraud. And this is, again, by using American accounts, they can collect sales tax but then not have to pay the sales tax because they're not actually from America... 

Joe Carrigan: Right, right. 

Dave Bittner: ...And they can't get tracked down and all that - yeah. 

Joe Carrigan: Yeah, if you - it's just a way - that would be just a way to increase your revenue. 

Dave Bittner: Yeah. 

Joe Carrigan: It's simple. You just have a table that says, where am I shipping this? And - or pretend that you're in a state and just add a tax line that you don't ever pay. 

Dave Bittner: Yeah. 

Joe Carrigan: That's easy to understand. 

Dave Bittner: Yeah. Yeah, absolutely. 

Joe Carrigan: That one I get (laughter). 

Dave Bittner: Yeah, yeah. So interesting - and again, you know, the folks who are doing legitimate business here, their concern is that Amazon might say this is not worth our trouble and just shut it down. I suspect that probably isn't going to happen. 

Joe Carrigan: I would think not because if there's a lot of people doing legitimate business on here, it's worth Amazon's time. 

Dave Bittner: Yeah. That's what I thought. 

Joe Carrigan: They get a cut of every one of these little deals. 

Dave Bittner: Right. Right. And it's... 

Joe Carrigan: That's what lets Jeff Bezos fly rockets into space. 

Dave Bittner: (Laughter) They must have known, too, going into this market - they had some idea... 

Joe Carrigan: Right. 

Dave Bittner: ...What they were going to expect in terms of that initial surge of scam. And I'm sure they'll try to tamp down on it. But we all know - I mean, Amazon certainly turns a blind eye to a lot of stuff that goes on on their platform - counterfeiting, so on and so forth. 

Joe Carrigan: Oh, yeah. Absolutely. 

Dave Bittner: They are not strict at all when it comes to a lot of this. So - but you're right, Jeff Bezos gets to fly his rocket. So... 

Joe Carrigan: Right. 

Dave Bittner: All right. That's my story this week. What do you have for us, Joe? 

Joe Carrigan: Dave, my story comes from Drew F. Lawrence over at military.com. And there's a scam going on right now that is targeting new members of the military. And these scams have been - people have posted warnings about these scams at Fort Benning, Huachuca and West Point, which - kind of all over the map. 

Dave Bittner: That runs the spectrum of... 

Joe Carrigan: It does. 

Dave Bittner: Yeah. 

Joe Carrigan: And also all over - you know, West Point is a - an officer cadet school. 

Dave Bittner: Right. 

Joe Carrigan: And the other two are - I guess they have basic training at those two places. The alerts outline a scam in which unknown individuals purporting to be a non-commissioned officer are calling soldiers and asking them for money to fix a, quote, "pay problem." Now, if there are any questions that the soldier or trainee or recruit or whatever they call themselves at that point have, then the person on the other end goes full R. Lee Ermey on them, right? And what are you, a maggot? Starts yelling at them, right? I don't do a good R. Lee Ermey thing. 

Dave Bittner: Yeah, yeah. Pulling rank. 

Joe Carrigan: Pulling rank, threatening punishment. So far, 74 soldiers have been scammed out of $143,000. 

Dave Bittner: Wow. 

Joe Carrigan: So the Facebook post from Huachuca, which came out just before the end of the New Year - or end of the - end of last year or New Year - see you next year, Dave. I hate those guys - says that the base's military police have identified a scam at multiple duty stations throughout the Army, within the uniformed service. And I think this is interesting because it seems to me that someone has information that they shouldn't have access to. Somewhere, there's somebody getting access to these new recruits because they're really taking advantage of their ignorance of the situation and their unfamiliarity - their lack of familiarity with the process for things, like getting a call out of the blue from an NCO. You know, there's things that they teach you in these courses, according to - I've never served, but I know people who have. They say one of the things in basic training is on the wall, there is a chain of command that is hung up on the wall that starts with the drill instructor or drill sergeant and goes all the way up to the president, the commander in chief. And it tells you the names of everybody up there. 

Dave Bittner: Right. 

Joe Carrigan: And you are within your rights to question anybody outside of that chain of command. So - but maybe you didn't have that day at basic training yet. You know, I - like I say, I don't know how this works exactly. 

Dave Bittner: Yeah. I could imagine, though, being a new recruit, you're going to be on your best behavior... 

Joe Carrigan: Right. 

Dave Bittner: ...And perhaps a little intimidated by this whole process. 

Joe Carrigan: Yeah. 

Dave Bittner: And most of us haven't grown up in that sort of an environment where someone has absolute authority over you. 

Joe Carrigan: And that environment is very disorienting... 

Dave Bittner: Yeah. 

Joe Carrigan: ...To begin with because you're in - they're in the process of essentially remaking you, right? They're taking you and they're going to train you into being what they need you to be, which is a soldier or - in the case of the Army, a soldier. 

Dave Bittner: Yeah. 

Joe Carrigan: But the - here's what happens on the call. The caller tells the soldier that they are from the DFAS, or the Defense Finance Accounting Service, which is a real accounting service. 

Dave Bittner: OK. 

Joe Carrigan: OK? I don't know if it's involved in the paying of soldiers. It probably is. But they say there's a problem with the soldier's military pay. And then they tell the soldier that to correct the issue and get the appropriate amount of payback, the soldier has to send money to the caller via a third-party peer-to-peer money app like Cash App, Venmo, PayPal, Zelle or Apple Pay. Right? 

Dave Bittner: Raise the red flag (laughter). 

Joe Carrigan: Yes. So - but the key aspect of this, of the entire scam, is they're using the fear to get somebody to do what they want. 

Dave Bittner: Right. 

Joe Carrigan: And, you know, I don't know how you protect against this, aside from what the Army here is doing. And that is, they're telling everybody about this, that this is a scam. And one of the great things about being in the Army or about the Army is that the communication system - if you need to get a communication system down to recruits, you can quickly do that by just having, you know, having that said, at whatever morning meeting everybody has where they have to go out and stand in formation. I don't know what that's called. Like I said, I've never served, Dave. And I'm grateful to all who have, to allow me that luxury. 

Joe Carrigan: But, you know, what - there is a way to let people know about this and to tell them that this scam is coming, and they're doing that. But they should also - you know, they should be making this, you know, they should be making this announcement throughout the Army and everybody should be talking about it. It's one of the ways you get rid of these kind of scams is by talking about it. The other way is by putting these people behind bars. 

Dave Bittner: Yeah, I - and to your original point, I wonder how they are targeting these folks. 

Joe Carrigan: Yeah. 

Dave Bittner: I was thinking... 

Joe Carrigan: That would be - how are they getting their contact information? 

Dave Bittner: Yeah. 

Joe Carrigan: I'd like to know that. 

Dave Bittner: Is that - to what degree is that public information? I mean, I can see that back in the days when we had local newspapers, you know, you could say, and congratulations to Bob Smith, whose family is so proud of him. He's heading off to basic training to serve our country - you know, that sort of thing. Those announcements existed. 

Joe Carrigan: Yeah, are these - it doesn't really say if these people - maybe these people are posting on Facebook... 

Dave Bittner: Yeah. Right. 

Joe Carrigan: ...Saying, hey, shipping off to the Army today. OK. Some scammer writes that down and calls you a week later with your pay problem, you know, alleged pay problem and tries to scare you into sending them some money via Venmo. 

Dave Bittner: Yeah. I mean, I just - I guess I'm - what I'm wondering is there - is there some more efficient public list of new recruits? Is that - is there some database somewhere that is publicly accessible, you know, that we don't - you and I just don't know about? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: But that it's - because for some reason - you know, kind of like, you know, if you buy or sell your house, it's on the public record. 

Joe Carrigan: Right. 

Dave Bittner: If you join the military, is that on the public record? 

Joe Carrigan: It might be. 

Dave Bittner: I don't know the answer to that. 

Joe Carrigan: It might very well be. 

Dave Bittner: Yeah. Huh. Yeah, well, I hope they find these people... 

Joe Carrigan: Me too. 

Dave Bittner: ...Because that's a - you know. And it's not like our soldiers, particularly folks who are just starting out their careers in the military - these are not people who are rolling in dough... 

Joe Carrigan: No. 

Dave Bittner: ...You know? 

Joe Carrigan: No. They're 18-year-old kids, usually. 

Dave Bittner: Right. Right. Right. Sometimes - I suppose they could get signing bonuses or things like that, but... 

Joe Carrigan: Well, that's what these scammers are after. 

Dave Bittner: ...You know. Right. Right. Absolutely. All right. Well, that is from military.com. And we will have a link to that story in the show notes. We would love to hear from you. If there's something you'd like us to consider on the show, you can email us. It's hackinghumans@thecyberwire.com. All right, Joe, it's time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes from Manie. It's an email from Manie, but it's not about an email. It's about one of those website tricks. So why don't you read what Manie wrote and I'll comment on the way. 

Dave Bittner: OK. It says, hi, Dave and Joe. I may be wrong about this one, but it smells funny. I recently came across an ad on a web page where I wanted to download an HDRI - high dynamic range image - for a 3D project. As you do, right? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: (Laughter) The ad appeared in the area where you could expect to find a download button. 

Joe Carrigan: Stop right there. 

Dave Bittner: OK. 

Joe Carrigan: I hate this. 

Dave Bittner: OK. 

Joe Carrigan: I hate this so much. This happens on so many websites, where you go to get some kind of software or some kind of library, whatever it is, something you need to do something. SourceForge, I think, does this... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Where you go there, and it says, download here. It's a big green button, right? And it - and you click on it, and that's an ad. That's not - the download link is actually a link. It's not - it's a little blue link that you have to click on to get the software. But there's a big ad that looks like a download button. 

Dave Bittner: So it's a misdirection? 

Joe Carrigan: It's a misdirection. 

Dave Bittner: It's deception? 

Joe Carrigan: Yep. And these sites do this on purpose. 

Dave Bittner: Yeah. 

Joe Carrigan: So... 

Dave Bittner: OK. 

Joe Carrigan: It's part of their business model... 

Dave Bittner: All right. 

Joe Carrigan: ...Because they get click-throughs on it. 

Dave Bittner: (Laughter) Manie goes on and says, when I absentmindedly clicked the ad, which just says download here, it promptly proceeded to ask me for my cell phone number to verify that I am human. 

Joe Carrigan: See... 

Dave Bittner: This gave me pause. 

Joe Carrigan: That would stop the transaction right there. I would immediately have pause here as well. 

Dave Bittner: So I went back to the tab of the original page and clicked the little "i" that Google puts on its ads to get some more info. I reported this ad as a possible phish, but then I decided to Google the company listed as the advertiser. I'm not going to name the company here. The company, according to LinkedIn, is an emerging leader in premium content delivery, digital marketing, direct carrier billing and microservices. Its primary strategy is to build a large social online community through globally known services and independent, culturally specific localized stores. The direct carrier billing part really caught my eye. 

Joe Carrigan: Mine too. 

Dave Bittner: This is Manie again. 

Joe Carrigan: Yep. 

Dave Bittner: Could the endgame here be to actually steal directly via carrier billing or just use that as a jumping off point to carry this scam further? Sure, sir, we'll help you get that refund. Just help us install our RAT on your side. 

Joe Carrigan: Right. I don't know that it goes that far. 

Dave Bittner: Yeah, yeah. But I like the way Manie's thinking. 

Joe Carrigan: Right. Yeah. It could. 

Dave Bittner: Manie says, I suspect that the scammers, if scammers at all, are not the website owners but someone who's just using them as tools. I'm not set up to investigate this type of thing, but I thought you might find this interesting. 

Joe Carrigan: Well, let's - let me do some wild speculation here. 

Dave Bittner: OK. 

Joe Carrigan: First off, we're not going to name the company because the company may actually be a legitimate business doing something, but it does have the word offshore in their name. So I'm going to point that out. 

Dave Bittner: OK. 

Joe Carrigan: I want to commend Manie here because the one thing - this entire statement that they make - it's an emerging market leader in premium content delivery, digital marketing, direct carrier billing and microservices. And then it goes on to talk about how trying to commit - that's all BS. The only thing that matters there is direct carrier billing, right? They're going to bill the carrier for a service. That's why they want your cell phone when you click on it. You're just signing up for some cell phone service. They're going to bill your carrier - maybe it's a small amount every month. And - but if I can bill you for $0.50 a month through your carrier, you may never even notice that. When was the last time you looked at your mobile bill, Dave? 

Dave Bittner: (Laughter). 

Joe Carrigan: I was just thinking, I haven't looked at my mobile bill in a long time. 

Dave Bittner: Yeah. 

Joe Carrigan: It's not that far out of whack. 

Dave Bittner: Yeah. 

Joe Carrigan: I see how much they charge me every month on the credit card, and I go, that looks right, and I move on. I think that's what this is. They're just trying to get you - because I think in that - after you enter your phone number, there is a little thing that says - a check box that says, I agree, already checked. And all you have to do is click submit, and then you sign up for some service that either annoys you or just bills you quietly for the next eon. 

Dave Bittner: Yeah. Can we move up to the high level, though, here that we should be skeptical of these types of websites at all? I mean, we've all seen these. 

Joe Carrigan: Yeah. 

Dave Bittner: You go on the web, and you want something for free. 

Joe Carrigan: Right. 

Dave Bittner: You know? 

Joe Carrigan: Right. 

Dave Bittner: And in this case, it's an image. 

Joe Carrigan: Right. And it's SourceForge's... 

Dave Bittner: And I think we've all been there. 

Joe Carrigan: It's software. 

Dave Bittner: Right. And so you go - but I've certainly seen - you know, back in the golden age of shareware, you know, you would have sites just like this where you want to get something for free. But until - but, you know, they'll make you jump through hoops to try to get it. And that just seems to me like that's what this is. Would Manie be better off finding a place that wanted to sell him this image for a small fee rather than risk whatever is happening on this particular site potentially? 

Joe Carrigan: I don't know. You know what? I just went to SourceForge and looked this up. I'm sorry. It was not SourceForge. SourceForge - actually, the big, green download button is a big, green download button. But it's another site. I can't remember what it is. But it was a similar - SourceForge actually does it right. So I'm sorry, SourceForge. That was incorrect. I don't know. I go - I will use these sites. Yeah. For an HDRI file, that's probably a data file. So I don't know that there's anything malicious in it unless there's a vulnerability in your software that you're going to open it with that can be exploited that way, which - we've seen those kind of things before. 

Dave Bittner: Yeah. 

Joe Carrigan: So be mindful of that. The very first thing I do with everything I download from one of these sites is put it right in VirusTotal, see what happens. Put it - and even if it's a data file, I've done that. It comes back and goes, we didn't find anything. But especially if you're going to be downloading applications or libraries... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That are freely available on there - like, for example, there's an MP3 conversion library that used to have to be - it couldn't be distributed for profit or something like that. So all these converters told you to go out and download the MP3 file... 

Dave Bittner: Sure. Yeah. I remember that. Sure. 

Joe Carrigan: ...The MP3 DLL. Well, I'd go out and do that, and - but every single time, I'd scan that thing with a virus scanner before I ran it, before I installed it. 

Dave Bittner: Yeah. Yeah. Yeah, I guess it's worth mentioning or reiterating that, particularly when it comes to - these days... 

Joe Carrigan: Right. 

Dave Bittner: ...Particularly when it comes to downloading software, and by software I mean pirated software... 

Joe Carrigan: Right. 

Dave Bittner: ...And also movies... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That odds are they are dirty, dirty, dirty. 

Joe Carrigan: Right. But this probably isn't a pirated software thing. 

Dave Bittner: No, no, no. 

Joe Carrigan: This is probably just an image that's available on some 3D-sharing site... 

Dave Bittner: Right. 

Joe Carrigan: ...That - the company's business model is, we're a platform for sharing these kind of 3D images. People upload them. It's a community, but they have to profit somehow. So they profit with these ads. 

Dave Bittner: Yeah. 

Joe Carrigan: And these ads are just terrible. They shouldn't be doing that. 

Dave Bittner: (Laughter) Right. It's the most annoying way to profit there is. 

Joe Carrigan: It is. It is. 

Dave Bittner: (Laughter) All right. Well, our thanks to Manie for sending that in. We do appreciate it. And, again, we'd love to hear from you. You can email us at hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Chip Gibbons. He is the CISO at a company called Thrive Networks. And our conversation centered around business email compromise. Here's my conversation with Chip Gibbons. 

Chip Gibbons: What we've noticed is business email compromise is growing exponentially every year. It's one of the fastest-growing areas of compromise within a business, also the most common area of compromise within a business. It is easy for an attacker to get into a network via email or, in some cases, you know, smishing, or SMS phishing. It's an easy way to bypass a lot of the controls that IT security has in place now. 

Dave Bittner: And how are organizations responding to this? Or what sort of things are they putting in place? 

Chip Gibbons: Many organizations, they try to do a combination of both technical and security controls - for example, spam filtering, areas like that, as well as they try to do training. In many cases, they're not doing enough. For example, for training, I think a lot of people, they're used to a 45-minute, once-a-year, annual training on what not to click for an email. That is not enough - I mean, in reality, almost too long because people just can't focus on security awareness training for 45 minutes without, you know, their mind wandering. So what we have found is almost short, quick monthly trainings give a little bit more to the end user so they can take something back without, you know, zoning out for 45 minutes. 

Dave Bittner: Well, how do you balance that out? I mean, obviously, you want to get your employees up to speed and give them a good overview of what's expected of them. But as you say, you also don't want to hit them with an avalanche of information. How do you dial it in? 

Chip Gibbons: That's where it starts getting a little tricky. But if you focus on specific attacks and how they're accomplished, it actually can really bring or draw the end user into, you know, what they should be looking for. For example, if you start talking about W-2 attacks and how that can affect them in real life, people are more apt to listen to it and follow along. If you're combining W-2 attacks with SMS attacks with some other type of attack, it's too much. So if you break it down into bite-sized chunks that are maybe five, seven minutes long once a month, it's not as much of a hit on the business over - you know, over a year. It's only five, seven minutes every month. Most people can take that as, you know, it's not a long period of time. But they get a lot of detail in those five, seven minutes. 

Dave Bittner: You mentioned a W-2 attack. Can you describe for us what exactly that is and maybe some of the other common attacks that you and your colleagues track? 

Chip Gibbons: Yeah, so W-2 attacks - so what can happen is an executive or somebody else within the company or maybe even looks like you will contact HR trying to change where your salary's going - you know, your bank routing numbers, whatnot. A W-2 attack can also be utilized as a way to put in false tax returns as you so they can get - you know, an attacker get - can get money back from the government, but it's really not you - those areas where, you know, people don't really think about it as an attack mechanism. 

Chip Gibbons: What we're seeing is anywhere there's money involved, in any type of organization, be it salaries, be it W-2 tax forms or even vendor accounts, that's a big area for an attack. For example, vendor account compromises are very common these days. What you do is - an attacker will get into a vendor's email system. They'll send you new routing codes that you need to, you know, pay the bill with a new routing number or whatnot. It's an easy way to have you start sending money to the wrong place, and the vendor doesn't know the difference. They might not notice for a month that suddenly you're not paying them, but you think you've been paying them all along. 

Dave Bittner: What are some routines that organizations can put in place to try to protect themselves against these sorts of things? 

Chip Gibbons: So one of the things we always recommend is if you're - if you ever see something in an email or other type of, you know, communication mechanism, SMS or whatnot, that is a change to what is normally happening - so a change to the routing number, a change to where you're sending money - always follow up with a phone call or a different communication mechanism. So if you're - for example, if you're - internally you use Teams and somebody contacts you - your CEO contacts you via email, follow up with Teams, or follow up with a phone call asking, did they actually ask for this change? - because if you follow up with the same communication mechanism, it could be that, you know, that email has been compromised and you're just now communicating via the attacker, which is not going to give you, obviously, the right information. 

Dave Bittner: How much of this involves, you know, the organizations that you engaged with for your - the services that your employees use? I'm thinking about the basics, you know, things like email, endpoint protection, those sorts of things. I guess where I'm coming from is it strikes me that, you know, sort of daily, run-of-the-mill spam is mostly a solved problem that we rely on our email providers to do a good job with, and it seems like they do. To what degree are they able to protect us from some of these more sophisticated things? 

Chip Gibbons: Right. So I think some of the standard spam filtering techniques - they do remove a good portion of these attacks. But then you have better attackers that really understand how email flows, how these spam filters work. They're able to bypass it. And, you know, that is - they see it as their job. That is what they're doing to make money to bypass spam filters and get into other accounts. Now, there have been much better type of heuristic filters out there that some companies have started to put in place. So, for example, if you, Dave, and I have never contacted before and suddenly you're emailing me out of the blue to change your routing number or do something that would be abnormal, then it might put you - you know, either put you in a quarantine section, or it might put a big red banner out on the email saying, you've never contacted this person before. But if you've contacted other people within my organization before and it's the first time you're contacting me, that wouldn't be as abnormal. So there are some companies out there that are really focusing on the heuristics of how emails have been flowing within the organization into what domains they've been flowing to. 

Dave Bittner: And suppose that you've either been compromised or maybe you suspect that you've been compromised. What should you do then? What kind of steps should you take? 

Chip Gibbons: So one of the things that we recommend is if you believe you've been compromised, obviously you want to bring in an outside provider if you don't have inside staff to be able to dig in and do the forensics on this. But you want to find out truly what the attackers got into and what they might have seen. Or if you have a good confidence level that you have been attacked and some data has been exfiltrated, you absolutely want to notify the authorities as well as the people whose data might have been compromised. 

Chip Gibbons: It used to be, you know, years ago that it was a badge of shame that you would have - you know, that you got compromised. That's not the case anymore. People get compromised. And it's an area of growth, and it's an area where you can do better. But many companies would prefer to know that you'd been compromised because then they can put systems in place. They can make sure. Oh, yes, I just got an email from you asking you to do something that was odd. And now I'll make sure I keep an eye on it. Or they put some things in place that will help them understand that, you know, if they see anything abnormal from your account, they're flagging it. So it is no longer the case that you don't want to be notifying vendors or you want to hold off. We always recommend you notify your vendors, you notify your clients. Something - you know, this has happened. These are the steps we're putting in place. These are how we're securing your data. 

Dave Bittner: What about the culture that you have in place for your employees? I mean, I can imagine that, you know, an employee who finds themself victim of this - they - in a lot of organizations, they might be hesitant to say anything or even report it because they're afraid that they'll get in trouble. 

Chip Gibbons: Right. And that's where a top-down approach from the C-level executives on down - that security is important for the organization and not just that we're showing the world that we're secure, but internally, if we see something, we make sure that everybody understands how it happened. There's not always a reason to blame somebody else that they clicked on a link or that they fell for a phishing scam. They happen. It happens all the time. It can get the best of us. 

Chip Gibbons: What is important is that people understand that - and executives understand that somebody might have gone to school for finance. They didn't go to school for understanding phishing emails and paying, you know, really good attention to how they - you know, how they come out. That's IT's job. That's security's job. And it's not really the end user's fault necessarily that they got phished. In many cases, security might have - or could have done a better job teaching them what to look out for and maybe had better solutions in place. So I think that, you know, if somebody falls for a phishing scam, there shouldn't be blame put on the end user. There should be an understanding within the organization that there are areas of improvement, and this is what we need to do. 

Dave Bittner: Where do you suppose we're headed here? Do you sense that we're headed in a good direction, or is this something that's going to be with us for the time being, for the time to come? 

Chip Gibbons: Unfortunately, I think this is going to be with us for a while to come because it's very much a whack-a-mole at this stage of the game in that we're fixing one problem, and the attackers solve it with another one. For example, a lot of our clients now are putting in conditional access. So if you're logging in normally from, let's say, the U.S. to your email account and you suddenly log in from Finland, it's going to block you. Well, the attackers start to realize this, and then they will VPN and try to, you know, attack you from the U.S. It does stop some of the - you know, some of the attackers because not all of them are going to start switching around and attacking from different locations to see what works. But there is very much a cat-and-mouse game of, I'm putting this in place. They put something else in place. I do think that, in the long run, this is really an email type of communication problem. And email, when it was built, as we all know, was not secure. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: All right. I want to open this with definitions again, and I want to say this again. And Chip gets it right here, as one would expect he would. Business email compromise is not just someone impersonating a person from an outside email address. That's just impersonation. 

Dave Bittner: Right. 

Joe Carrigan: You will frequently hear people call impersonation - simple impersonation - business email compromise. And this seems to me like when somebody goes, we were subjected to a sophisticated cyberattack... 

Dave Bittner: Right. 

Joe Carrigan: ...From an advanced actor. 

Dave Bittner: Right. 

Joe Carrigan: They don't want to say, we fell victim to somebody sending an email from a newly created Gmail account. 

Dave Bittner: (Laughter). 

Joe Carrigan: They say, we were victim of a business email compromise attack. Oh, those are very hard and... 

Dave Bittner: Must have been a nation-state actor. 

Joe Carrigan: Right. Must have been a nation-state actor. 

Dave Bittner: Right. 

Joe Carrigan: But that is incorrect. Business email compromise is remarkably devastating because it involves a takeover of a bona fide business email account. And I really wish, as a community, we would insist on that term being used properly. 

Dave Bittner: OK. 

Joe Carrigan: If executed properly, these things are very effective. 

Dave Bittner: Yeah. 

Joe Carrigan: And that points to the first thing that Chip says, is that there has been an exponential increase in these kind of attacks. There's been an exponential increase exactly because these things are remarkably effective. 

Dave Bittner: Yeah. 

Joe Carrigan: They are - I call business email compromise the king of social engineering attacks. It's just my name for it 'cause I'm clever and I like to come up with cool words. It works so well, and it bypasses so many controls that are in place. And with the advent of these suites, like Microsoft 365 and Google Workplace, a successful business email compromise attack is so much more. If I can get access to your Gmail account on a Google Workplace, I have access to your documents. I have access to your chat records. I have access to everything. 

Dave Bittner: Right. 

Joe Carrigan: It's almost the keys to the kingdom. 

Dave Bittner: Yeah. 

Joe Carrigan: Same with Microsoft. I can impersonate you now, not only through your email, but also through Teams. And if you use your email address to reset a Slack password, I can impersonate you through Slack. I - there's all kinds of things I can do. 

Dave Bittner: Right. 

Joe Carrigan: Or, God forbid, if you re-use your password for Slack. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Chip talks about training, and I think training is - Chip is spot on here. The training needs to be consistent and engaging, and it needs to happen as frequently as possible when I - that's what I mean when I say consistent. You want the event - the phishing event or the phone call event or even a simple changing of a password event - you want that event to be as close in time as possible to training. The best way to assure that is frequent training - right? - because you never know when the attack is coming. So if you have frequent training - short, engaging training segments over the course of the year - then when that attack comes, somebody goes, wait, but we just saw this last week. 

Dave Bittner: Right. Right, it's top of mind. 

Joe Carrigan: Top of mind, exactly. Making training relevant to an employee's financial situation may help bring it home, too. He talks about the W-2 attacks... 

Dave Bittner: Oh, yeah. Yeah. 

Joe Carrigan: ...That he calls them. I'm not sure I like the term. I mean, yeah, filing a fake tax return is - if somebody does that for you and you're owed a refund by the IRS, that's a real problem. You're going to be months now getting your money. The IRS will make you whole. They take care of the - it's a fraud problem for the government, not necessarily for you. But they have to investigate it to make sure that, you know, that you're being the - that you're the honest one. Fraud has occurred here, and you've got to prove to them now, it wasn't me. 

Dave Bittner: Right. 

Joe Carrigan: So there's time with that. Same with getting your paycheck rerouted somewhere else. Yeah, that's probably a business problem. But there's going to be a couple of days where you were expecting a paycheck, and you're not getting one. You don't have the money in your account. How is that going to impact you? You know, you're going to get the money, but these things are going to have real influence on your lives. 

Dave Bittner: Right, right. 

Joe Carrigan: So I think... 

Dave Bittner: Your landlord and mortgage company may not be so forgiving (laughter). 

Joe Carrigan: Right. Exactly. So I think saying that kind of helps the employee take ownership of it. I'm not saying that, you know, you're going to - you're not going to screw the employee out of their money. And if you - if you're going to do that - you shouldn't do that. That's terrible. Don't do that. But it's going to take time, and that time has real impact. 

Dave Bittner: Right. 

Joe Carrigan: When someone is working on a business email compromise attack, they're going to craft specifically - or they can go through the process of crafting specifically tailored messages. I don't think there's a spam filter in the world that's going to catch a specifically tailored message because it's going to be the first time this filter has ever seen this message, and it's going to look just like a normal message. There might be some things in there that are a little bit telltale, but, you know, maybe the links, maybe the URLs, maybe that is - but if I'm setting up a new attack, I'm going to have all these new indicators of compromise out there that haven't been seen before. 

Dave Bittner: Right. 

Joe Carrigan: They're - and if I'm an attacker, I'm going to rotate those with high frequency because they're cheap. 

Dave Bittner: Yeah. Absolutely. 

Joe Carrigan: So be mindful of that. My two recommendations, two things - policy and FIDO multifactor authentication. When I say policy, think beyond your organization. Business email compromise at a vendor site or at a customer site or even an employee's personal email, compromise can have real impact on you. You know, if I compromise some employee's personal email account and then send in an email and you look at it and go, yeah, that's right, this is the employee's personal email account that I have on file, and I'm going to go ahead and change their banking records or their banking, you know, their direct deposit information form like they're asking here... 

Dave Bittner: Right. Right. 

Joe Carrigan: ...That's going to cost you. So your policy has to have a check for that in place that involves something that isn't just an email back going, is this really you? Don't do that. Maybe a phone call - a phone call to a number on file also verifying that the number on file hasn't been changed recently. That's another thing I want to talk about here because if I compromise someone's business account, I can go in there and change their cellphone number. And that way, if you call the office and the person that you're calling doesn't happen to be in there, and then you go in and you say, well, what's their cellphone number, I'll call their cellphone number, that calls the scammer, right? 

Dave Bittner: Right. 

Joe Carrigan: So there should be some flag indicating when that was changed and also a record of what the last one was. So, you know, think about these things because there are going to be real impacts when they come - when it happens. Because, like I said, if they get access to the suite product, whatever it is, that's the keys to the kingdom. 

Dave Bittner: Yeah. 

Joe Carrigan: But I really want to focus on the FIDO MFA. This is so cheap and so low friction when you compare it to how well it works. 

Dave Bittner: And spell it out here. What's FIDO? 

Joe Carrigan: FIDO is fast identity online. 

Dave Bittner: OK. 

Joe Carrigan: And we've talked about it before as YubiKeys. 

Dave Bittner: Right. 

Joe Carrigan: So a YubiKey is, like, 45 bucks. But I looked this up today, Dave - did you know that Adafruit sells a FIDO key for $10? 

Dave Bittner: Wow. 

Joe Carrigan: Ten dollars. I'm not sure I would recommend the Adafruit version. I don't know what the - you know, I mean, it's - I would - I'm not not recommending it. 

Dave Bittner: (Laughter) You just have no experience with it. 

Joe Carrigan: I just have no experience with it. 

Dave Bittner: Yeah. Fair enough. 

Joe Carrigan: And it's an open-source software platform. And while I am a big fan of Adafruit and everything that goes on there, I don't know that I would rely on that as an enterprise solution. 

Dave Bittner: Yeah. 

Joe Carrigan: Remember, when you're ever going to - when you're going to equip people with these, equip them with two and tell them to sign up for all their accounts with both keys and keep one safe. 

Dave Bittner: Right. 

Joe Carrigan: That's a big part of how this works. Chip thinks this is going to be a long-term problem, and I agree. And the biggest problem is that companies are not using things like YubiKeys. That's the biggest problem. You change that - you enact that policy, and it stops, like, almost 100% of these attacks. 

Dave Bittner: Well, that's what I was going to say. I remember I - I don't know. It could have been a year ago now. You and I did a story about - Google had put out a bunch of statistics from their own studies. I think it was their own internal use. 

Joe Carrigan: Right. That was the Titan Key. 

Dave Bittner: And basically - right. If you're using a hardware key like this, it just stops it. Like, they had no... 

Joe Carrigan: Right. Right. 

Dave Bittner: ...Nobody got through this. You know, it wasn't, like, 90%. No, it was 100%, you know. 

Joe Carrigan: Right. It works. There are still ways to get around it. But now what you have to do is you have to break into the network. You have to do ARP spoofing. And you have to capture session tokens, right? 

Dave Bittner: Yeah. You're no longer the low-hanging fruit. 

Joe Carrigan: Yeah. You're no longer - now you're - now somebody is required to have actual mad hacking skills to get into your email account. 

Dave Bittner: Right. Right. All right. Well, again, our thanks to Chip Gibbons for joining us. We do appreciate him sharing his time and expertise. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.