Hacking Humans 1.26.23
Ep 229 | 1.26.23

Outsmarting the scammers.

Transcript

Nadine Michaelides: Because that's what the social engineers are doing. They're thinking outside of the box. So we need to think like that, too.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Nadine Michaelides from Anima People. We speak about preventing insider threats using behavioral science. 

Dave Bittner: All right, Joe, before we jump into our stories here, we've got some follow-up. What do we got here? 

Joe Carrigan: Well, Dave, you remember last week I talked about the story about buying my wife an iron, right? 

Dave Bittner: Yes. Yes, I do. Yes. 

Joe Carrigan: So she could be a - so she can quilt things. 

Dave Bittner: Right. 

Joe Carrigan: She actually has a Facebook page for her quilting stuff. 

Dave Bittner: OK. 

Joe Carrigan: And somebody reached out to her by the name of Coffman Frank - right? - which is interesting that their - they have a first name for a last name and a last name for a first name. 

Dave Bittner: I was thinking the same thing. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: And it starts off great. It's - because this page has a picture of my wife's smiling face on it, and she's - I think she's a very attractive woman, of course. It says hello, pretty lady. How are you doing? I hope you have a great. Now, I am an administrator on this page, so I get this message on my Facebook Messenger, too. And I immediately go, a great what? And he doesn't respond. I said, great what, Coffman Frank? Don't leave me hanging, Coffman Frank. And he says, a great day, my dear. Oh, thank you, Coffman Frank. You have a great day, too. And he says, OK. You have a beautiful name. Where are you from? And I say, the U.S. Where are you? And he goes, oh, nice place to live. Am from Hawaii. It's my pleasure to meet you. How is everything over there and the weather condition? So what do you do for a living? And you know what I said? I said I have a podcast where I talk about people who try to trick or scam people online. You should check it out. 

Dave Bittner: Nice. 

Joe Carrigan: And he responds, really? I said, yes, really. What do you do for a living? I say, well, the podcast, for one thing. Don't you want to know what the podcast is called? Now this is where it gets interesting, Dave. And this is why this is not a Catch of the Day, but a follow-up thing. He goes, is called alaye - A-L-A-Y-E. I don't know what that means. So I say a couple more things to him, but my daughter was in on this as well. She's also an administrator. She Googles alaye. You know what that means, Dave? 

Dave Bittner: I do not. 

Joe Carrigan: It is a West African term, and it means, like - it's like, big man. What's up, big man? But it's a term that scammers use when they think they've encountered another scammer online. It's a code word. 

Dave Bittner: I see. 

Joe Carrigan: So this guy saying alaye, he got the vibe that I was a scammer... 

Dave Bittner: So it's kind of like a fist bump to you. Hey (laughter). 

Joe Carrigan: Right. Exactly. So eventually, I said alaye indeed and moved on. 

Dave Bittner: You're in the club, Joe. 

Joe Carrigan: That's right. 

Dave Bittner: You don't need this podcast anymore. 

Joe Carrigan: That's right. Now, I'm in the scammer club. 

Dave Bittner: Just retire, and just make your way around the world enjoying that sweet, sweet scam money, right? 

Joe Carrigan: Next time one of these guys texts me or my wife's page I'm going to go, what up, alaye? 

Dave Bittner: OK. Yeah. 

Joe Carrigan: And see what happens. 

Dave Bittner: That's good to know. 

Joe Carrigan: Yeah. And maybe that's what we can do for everybody. 

Dave Bittner: Yeah. What else have we got? 

Joe Carrigan: We have a letter from Richard who writes in - writes a long missive. Dave, you want to read this one? 

Dave Bittner: Sure. It says, hi, Dave and Joe. Whenever the business email compromise thing comes up, I think about this question. Why have we not adopted cryptographic email signatures? On the few occasions when I've had this set up properly with some other people, I get a great big, red banner in my email client warning me if I get an email without a valid signature. Even FIDO2 WebAuthn doesn't give me this. It might protect the account, but doesn't affirm the identity of the sender in the same way. 

Joe Carrigan: That's correct. 

Dave Bittner: I'd be curious to know your thoughts. There's a couple of reasons I can think of, but they seem insufficient to explain the lack of movement on this. One, the technical types and their leadership think that everyone will have to deeply understand asymmetric encryption to be able to use a system based on something like PGP signing. And it's too complicated, so it'll never catch on. And we'd never be able to make the tools based on it that people could understand how to use. Second, it seems like it's a collective action problem. It needs some piece of software infrastructure to be built, maintained and operated - infrastructure that's of critical importance and has some serious engineering involved to do it right. No one seems to want to pay for this or step up and take on the liability. And he says government would seem to be the obvious candidate to do this, but they seem to lack the technical know-how in the right places. 

Joe Carrigan: Yeah. 

Dave Bittner: Let's pick it up here. There's - it's - there's a lot more to this email that we don't have time to dig into... 

Joe Carrigan: Right. 

Dave Bittner: ...But I think we've got enough to know... 

Joe Carrigan: Yeah. This is an excellent question. I've worked in organizations where management all had to have certificates on their email. 

Dave Bittner: Yes. 

Joe Carrigan: And if they sent email out that did not contain the certificate, you very quickly saw them send the email again with the certificate. 

Dave Bittner: As a kind of smack on the wrist or something? 

Joe Carrigan: Somebody would say - somebody would send an email to them and say, is this you? Because this isn't signed. And they'd just go in and copy and paste the email and send it again with the signature. 

Dave Bittner: Right. 

Joe Carrigan: This was - this particular organization I was at was using Outlook. And it's - you can do it in Outlook pretty simply. 

Dave Bittner: Yes. 

Joe Carrigan: You don't need to have the users manage their - do their key management. You can have IT do that for them. 

Dave Bittner: Yeah. 

Joe Carrigan: There are tools out there that do this. Those already exist. This is an excellent question that Richard is writing. Why has this not been adopted more? It would be a great way to secure the - you know, to secure the emails being sent. Although, I don't know that it helps you much in email account takeover if that is fairly automated in a system that is, like, a web-based email. Maybe if you have to have another password that they enter to sign emails... 

Dave Bittner: Yeah. 

Joe Carrigan: ...With the private keys. But I don't think you have to do that with the way Outlook does it. I think the keys just sign it. 

Dave Bittner: Yeah. 

Joe Carrigan: But you have to have the keys present on your computer to sign the emails. 

Dave Bittner: I'm familiar with what you're talking about with Outlook. I have experienced that myself. But I've also experienced the flip side, which I think is what Richard's describing here, is which - and I'm going back a ways. You know, someone would try to do this, use PGP on their email. 

Joe Carrigan: Right. 

Dave Bittner: And you'd get an email from them, and it'd just be like, oh. 

Joe Carrigan: You can't open the email. 

Dave Bittner: (Laughter) Right, right. So it never reached the point where it was built in. Even the option of having it would be built in. And I think if we were going to have this, that would be the first way to have it is that it could be optional, an extra little bit of assurance so that if you got an email from someone and it were properly signed and all that kind of stuff... 

Joe Carrigan: Right. 

Dave Bittner: ...There'd be a little flag that would say, hey, you know, we can verify this email came through. It was encrypted. It is who they say they are. And just so you know, that's what we think about this. And that would be great. 

Joe Carrigan: Yeah. It would be - yeah. If these things were signed with certificates from some trusted root authority... 

Dave Bittner: Right. 

Joe Carrigan: ...Which I think that's how it works. But the infrastructure may not be there. And if - you're right. If you send me an email, and I don't have that set up, not configured on my system, what happens? 

Dave Bittner: Yeah. I mean, there needs to be some kind of a fallback. 

Joe Carrigan: Right. 

Dave Bittner: And maybe the fallback says, hey, we couldn't verify this, or this came through this way or, you know, whatever. 

Joe Carrigan: Right. 

Dave Bittner: It's my - I do believe that - I think Gmail is now encrypting everything internally. So if you're emailing between Gmail users... 

Joe Carrigan: Right. 

Dave Bittner: ...I believe there's encryption happening there now. And I think that's in the past year or so that that's become the default. 

Joe Carrigan: I remember reading something about that, but I don't know the technical details. 

Dave Bittner: Yeah. But I think Richard's point is excellent, that why haven't - why hasn't this happened, you know? 

Joe Carrigan: Right. It's a good question. 

Dave Bittner: And I suspect it's because... 

Joe Carrigan: It's inertia. 

Dave Bittner: ...Email - yeah. Email's been around for so long in kind of the federated nature of email. It'd be a hard thing to get everybody to sign on to. But you're - but he's absolutely right. And it's surprising to me, and I share his frustration that there hasn't been some kind of a simple solution that's gotten any sort of serious traction. 

Joe Carrigan: I agree. It's - there should be - this should be integrated into a lot of our clients that we use. 

Dave Bittner: I wonder, too, if - is it just that there are other alternatives now, that it could be that the vast majority of people are going about their day using email just fine without it? 

Joe Carrigan: Right. 

Dave Bittner: You know? And so it may be - is it overwhelmingly a solution in search of a problem? 

Joe Carrigan: Right. 

Dave Bittner: Could be. 

Joe Carrigan: Yeah, we do... 

Dave Bittner: And the people who need encryption know how to get it. 

Joe Carrigan: At Harbor Labs, we use an end-to-end encrypted chat for most of our communication now. 

Dave Bittner: Right. 

Joe Carrigan: We don't really use email very much. I mean, the only time we use email is to communicate with outside customers. Internally, we don't send emails around to talk about projects. 

Dave Bittner: Right. Yeah. 

Joe Carrigan: We get on the chat system, and we talk there. 

Dave Bittner: Right. Yeah. And certainly things like Slack and Microsoft Teams and all the different things that do that, you know, they have varying degrees of security themselves. 

Joe Carrigan: Yeah. 

Dave Bittner: But you're right, they've largely replaced emails for that kind of communication. 

Joe Carrigan: That is 100% correct. 

Dave Bittner: I think for the better. 

Joe Carrigan: Yes. I would agree. 

Dave Bittner: Yeah. All right. Well, thank you, Richard, for sending that in. We do appreciate it. And we would love to hear from you if there's something you'd like us to discuss here on the show. You can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, I'm going to kick things off here with our stories this week. And mine comes from the folks over at BleepingComputer. And it's a story titled "Hackers Push Malware Via Google Search Ads for VLC, 7-Zip and CCleaner." It's written by Ionut Lascu (ph) - or I believe it's Ilascu. Hard to tell when there's a capital I and a lower case L next to each other. 

Joe Carrigan: Yeah (laughter). 

Dave Bittner: And my wife's name is Ilana, so she deals with that every day. 

(LAUGHTER) 

Dave Bittner: But this is interesting, and it's been getting some attention here. It would seem that there are scammers who are taking advantage of Google's ad system to buy ads for popular bits of software and sort of utilitarian bits of software... 

Joe Carrigan: Right. 

Dave Bittner: ...Things that people would use. This article talks about things like Notepad, VLC media player, those sorts of things, things that people would commonly search for. 

Joe Carrigan: Right. 

Dave Bittner: What the scammers do is they buy ads that purport to be the download pages for those apps. Then they spin up their own versions of those apps' pages. So as you've pointed out here many times, it's really easy to clone someone's website. 

Joe Carrigan: Correct. 

Dave Bittner: The way that the web works, you can - you have access to that code. So they may clone a legitimate website, spin it up on their own URL, and they'll often use a lookalike URL. And so someone who's out there searching for one of these bits of software, the first thing that will come up in their Google search, because it's a paid ad, will be taking them to one of these scam sites. 

Joe Carrigan: That's right. That's how Google's business model works on this, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: Do you remember when Google first started selling ads based on the searches that people entered? 

Dave Bittner: I do. 

Joe Carrigan: Do you remember where the ads were? 

Dave Bittner: They were off to the side. 

Joe Carrigan: They were off to the right. 

Dave Bittner: Yeah. 

Joe Carrigan: That's correct. 

Dave Bittner: That's right. 

Joe Carrigan: They didn't look like search results. 

Dave Bittner: Right. 

Joe Carrigan: But Google said, we can add more value for the customer. And remember, that's not you. That's the guy paying them... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or the company paying them. So we can add more value to the customer if we make these things look like search results. Oh, and we'll tell the user - that's you, the product - we'll tell the product that this is an ad by putting a very small ad next to it, A-D, right? 

Dave Bittner: Right. By putting creamy white text on a white background. 

Joe Carrigan: Right. Exactly. You should have known that was an ad. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: We told you. 

Dave Bittner: Right, right, right. So what happens is then the person goes through, and they think that they're getting this software. And quite often one of two things happens. Either it's a credential harvesting attempt... 

Joe Carrigan: Right. 

Dave Bittner: ...So they'll try to get you to log in to something. But what seems to be happening here is they will have a modified version of the software. 

Joe Carrigan: Oh, even better. 

Dave Bittner: Right. So... 

Joe Carrigan: So this is like, almost like the game - the cracked game software. 

Dave Bittner: Yes. 

Joe Carrigan: You know, I want to go out, and I don't want to pay for Call of Duty: Modern Warfare 6 or whatever it is now. I don't play Call of Duty, so I don't know. But I want to go out and get that. But I don't want to pay the 80 bucks for the game with all the content. I'll just go get a cracked version. Well, guess what? That's probably going to have malware on it. 

Dave Bittner: Right. 

Joe Carrigan: But now there's free software out there. 

Dave Bittner: Yes. 

Joe Carrigan: And these things like Notepad++, which is a great application, by the way - I use it. I install it on all my Windows machines right away - VLC, which is a media player; 7-Zip, another great application... 

Dave Bittner: Yeah. 

Joe Carrigan: It does so much. 7-Zip will unzip just about anything. It's wonderful. So it really - these are - these two applications in particular are applications I'm a big fan of. And these guys are going after the users of those applications. 

Dave Bittner: Yeah. So what'll happen is you will download what you think is a legit version of it. 

Joe Carrigan: Yep. 

Dave Bittner: And it may indeed function perfectly fine. 

Joe Carrigan: It is probably altered versions of the original software. 

Dave Bittner: Right. But lurking within that software is the malware... 

Joe Carrigan: Right. 

Dave Bittner: ...Which will do all the things that malware does. And typically, they're just - they - once they're in, you know, they're scraping for all the information they can get off of your machine. 

Joe Carrigan: Yep. 

Dave Bittner: So I was a bit curious about this. And so I did a little searching on my own. One of the pieces of software they talk about here is an open-source 3D modeling and rendering package called Blender. Are you familiar with Blender? 

Joe Carrigan: Yes. I have installed Blender. 

Dave Bittner: Yeah. 

Joe Carrigan: I got a 3D printer for Christmas, Dave, so trying to do some 3D modeling now. 

Dave Bittner: OK. So they talk about Blender here, and they show some of the search results that they got for Blender. So I did a search for Blender 3D myself, and I did it in two different browsers. So first, I did it in the Brave browser, which I will say is my current browser of choice. 

Joe Carrigan: Racking up those basic attention tokens, Dave? 

Dave Bittner: You know, I kind of ignore that part of it. I know they're there. And actually, Jason and Brian over on "Grumpy Old Geeks" give me a hard time about it because of that part of it, but I don't use that part of it. But I enjoy the stuff that's built in to Brave to block ads and all the security things that are built into it. 

Joe Carrigan: Right. 

Dave Bittner: And it's a Chromium-based browser. 

Joe Carrigan: It is. 

Dave Bittner: So it works well with all the stuff you need it to work on. So I did a search for it in Brave, and the first thing that came up was the actual blender.org website, the one from the company. 

Joe Carrigan: On Brave. 

Dave Bittner: On Brave and doing a Google search. 

Joe Carrigan: OK. 

Dave Bittner: So I go to google.com, I type in Blender 3D, and the first thing that comes up is blender.org. Now, this is because Brave is blocking the ads. 

Joe Carrigan: Right. They're not letting the Google ads come through. 

Dave Bittner: Correct. Yea, Brave. 

Joe Carrigan: Yes. 

Dave Bittner: So then I went over to Safari, Apple's, you know, branded - their own browser, and I did a search for Blender 3D. And sure enough, the first three results are all ads. And they say Blender 3D download, and it's from blender3d-software.com. Another one says Blender 2023 download. It's from blender3ds-download.org. There's one that says Blender 3D models. It's from blender.online, and the N has a little accent mark above it - so not a real N, Joe. 

Joe Carrigan: Not a real N, no, that's a different Unicode character. 

Dave Bittner: Yeah. And so the fourth one is the actual blender.org organization. 

Joe Carrigan: Yes. 

Dave Bittner: Now, here's another little tidbit here is that in this article that we're referencing, they say they reached out to Google, and Google took down the ads for all these malicious sites. 

Joe Carrigan: Probably issued a stern statement that we don't support this kind of behavior. 

Dave Bittner: Right. But as we record this, one of the ad results that I got is the exact same malicious ad that they're showing in the article here. So... 

Joe Carrigan: (Laughter) Great. 

Dave Bittner: ...I'm guessing Google did a little round of Whac-A-Mole... 

Joe Carrigan: Yup. 

Dave Bittner: ...And it's back. 

Joe Carrigan: Sure. 

Dave Bittner: To me, it seems like job one for Google should be the first result in my search on Google should not be something that has the potential to harm me. 

Joe Carrigan: Right. I would agree with that 100%. That should be job one for Google. 

Dave Bittner: Yeah. 

Joe Carrigan: Even if it is an ad... 

Dave Bittner: Right. 

Joe Carrigan: ...It shouldn't be something that's going to install malware on your computer. 

Dave Bittner: Right. 

Joe Carrigan: Because now, how do I trust Google? 

Dave Bittner: Exactly. 

Joe Carrigan: Right. 

Dave Bittner: Exactly. So I've seen some security folks this week on some of the social media platforms saying that, you know, ad blockers are cybersecurity. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: I would agree. 

Dave Bittner: Yeah. Yeah. Yes. I get the social contract of you're getting this stuff for free. So in exchange, you should be able to see ads. But in my mind, in this case, Google is not upholding their end of the deal. 

Joe Carrigan: Yeah. 

Dave Bittner: Right? If they can't prevent - if they can't take the effort to make sure that the ads aren't safe, then I'm going to block those ads. 

Joe Carrigan: Absolutely. I think that's a fair trade-off. It's - you know, I... 

Dave Bittner: I may go so far as to not use Google also. Right? 

Joe Carrigan: Yeah. I would like it if the ads were just clearly - more clearly marked as ads and were not designed to look like search results. And I'm looking at this, Dave... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And it does have a clear mark that it says ad - A-D and then a space and then a bullet point and then the link. 

Dave Bittner: Right. 

Joe Carrigan: But the rest of the search result - you probably don't look at the URL when you load up the search results. And there's a picture in this article that has those three ads, and then you're talking about - I'm looking at the Blender article right - or the Blender search results right now. 

Dave Bittner: Yeah. 

Joe Carrigan: And they are almost indistinguishable from the actual legitimate search results. And that is by design. And that's Google doing what's best for their customers and not for their product. 

Dave Bittner: Yes. 

Joe Carrigan: And that's - I want to reiterate that. You are not the customer of Google. You are the product for Google. 

Dave Bittner: Yeah. Yeah. So something to keep an eye out for. Again, I would say my take on this is absolutely you - there is a great case for running ad-blocking software. 

Joe Carrigan: Yeah. 

Dave Bittner: And you know, if you want to - I have no problem with an ad-driven market, but this ain't it. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Right. You know, I see an ad on a billboard while I'm driving by or on my TV or listen to one on my radio or see one in a magazine, I don't - I'm not concerned about it getting on my computer and stealing all my stuff. And you'd think a company as big as Google - it's that old thing we keep saying. They're going to say, well, we can't do that at scale. Well, then you shouldn't be doing it. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: So... 

Joe Carrigan: Because you already are doing that at scale. 

Dave Bittner: Yeah. 

Joe Carrigan: And what you're doing now at scale is pushing out malicious software at scale. 

Dave Bittner: Right. 

Joe Carrigan: You're doing that just fine. 

Dave Bittner: Yeah. Yeah. All right. So we will have a link to that story in the show notes there. Interesting read - definitely worth checking out there. Again, from the folks over at BleepingComputer. Joe, what do you have for us this week? 

Joe Carrigan: Dave, I have two stories today because they're both kind of short. First one comes from WIBX, which is up in Marcy, New York. I guess that would be considered upstate, right? 

Dave Bittner: I suppose, yeah. 

Joe Carrigan: Everything that's not in New York City is upstate to people. 

Dave Bittner: (Laughter) That's right. That's right. 

Joe Carrigan: But this story is warning about scammers who have mobile printers and are printing up fake parking tickets, putting them on people's windshields, and then they have these websites that collect payment from the victims. Now, I don't know about you, Dave. When was the last time you got a parking ticket? 

Dave Bittner: Oh, goodness. I don't get them very often. My wife, on the other hand... 

Joe Carrigan: (Laughter). 

Dave Bittner: So I guess I could say I'm familiar with them. I sometimes deal with them. 

Joe Carrigan: Yes. 

Dave Bittner: So... 

Joe Carrigan: I had to deal with one this summer because the great city of Gettysburg, Pennsylvania, has people whose job it is to go around and write parking tickets. 

Dave Bittner: Yeah. 

Joe Carrigan: Of course. I mean, that's what they do. And you can see them during the summer. They're out there. The winter - they're not there as much. 

Dave Bittner: OK. 

Joe Carrigan: Right? Because there's not as many people violating the parking. 

Dave Bittner: Right. 

Joe Carrigan: But I went into a restaurant, and I forgot - I went - we got seated at a table. I go, oh, I got to go feed the meter. 

Dave Bittner: Yeah. 

Joe Carrigan: And as I'm going out, the guy is walking away from my car, and there's a ticket on my window. 

Dave Bittner: Ah. 

Joe Carrigan: I didn't feed the meter, though. 

Dave Bittner: (Laughter). 

Joe Carrigan: I was like, well, you're getting that money from me, but you're not getting the parking money. 

Dave Bittner: Right. Right. 

Joe Carrigan: So the interesting thing about that ticket was that they said, if you pay it within 24 hours, it's $25. But if you pay it within 30 days, it's $40. 

Dave Bittner: Oh, OK. 

Joe Carrigan: So it was incentivizing me to pay the ticket. 

Dave Bittner: Right. 

Joe Carrigan: And I'm wondering - these guys might have something similar to that. I don't know if they do or not. This is speculation, but they could improve the effectiveness of their plan if they did this. And I'm helping these guys out, so maybe I shouldn't be saying this. 

Dave Bittner: I would imagine there's probably, like, a QR code on the ticket, and it, you know, takes you to a legitimate-looking website. 

Joe Carrigan: Yep. But what's happening is these guys are walking around with the same technology that these parking - the actual legitimate parking guys have for these jurisdictions, and they are just printing out parking tickets and putting them on people's cars. And then the idea is that people will pay them. 

Dave Bittner: Right. 

Joe Carrigan: And of course, once you enter your credit card information into the system, they have that, too. So you're probably going to get carded, as well. 

Dave Bittner: Oof. Yeah. 

Joe Carrigan: And I don't mean they're going to ask to see your ID. I mean, they're going to - your card is going to be sold. 

Dave Bittner: Right. 

Joe Carrigan: My other story comes from Gianna DaPra at WTOV Channel 9, and she is talking about something going on in the panhandle - the northern panhandle of West Virginia. There is - it's in Marshall County. It is a scam where somebody is dropping off on people's doorsteps - they have a picture of this guy dropping off on people's doorsteps a flyer that says you've been selected as one of 100,000 people to receive a - like, a $300 or - no, I'm sorry, $50 - and it says USD, right? - nobody in America says USD. 

Dave Bittner: (Laughter). 

Joe Carrigan: When we say dollars, we just say dollars. 

Dave Bittner: That's right. 

Joe Carrigan: Just like people in Canada - they say... 

Dave Bittner: Right. 

Joe Carrigan: ...Dollars, and they mean Canadian dollars. And people in Australia say dollars, and they mean Australian dollars. 

Dave Bittner: Yeah. 

Joe Carrigan: The only time I'm talking U.S. dollars is when I'm talking to somebody in Australia or Canada, right? 

Dave Bittner: Yeah. 

Joe Carrigan: But if I was talking - if I was somebody from Walmart, I wouldn't tell an American, you got a gift card for $50 U.S. dollars. And that's one of the tells that this is not real. But attached to this piece of paper is - you want to guess? 

Dave Bittner: A Walmart gift card? 

Joe Carrigan: No. 

Dave Bittner: Oh. 

Joe Carrigan: A USB drive. 

Dave Bittner: What? 

Joe Carrigan: Yep. 

(LAUGHTER) 

Joe Carrigan: A USB drive. And the instructions say... 

Dave Bittner: A brand new Mercedes Benz. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: The instructions say, put this into your computer and then call this number. Or - and don't - nobody should do this. Nobody should ever do this. 

Dave Bittner: Wow. 

Joe Carrigan: Somebody gives you a USB drive - you know, I don't even take the USB drives at conferences anymore. 

Dave Bittner: Yeah. 

Joe Carrigan: I just think that there's - you know, I did take one one time. And I put it into a computer, and it had, like, multiple partitions on it. And I was like, hmm, this is a security company that just gave me this. I wonder what I just did. These guys were pretty advanced, too. 

Dave Bittner: Well, and we've heard stories about, you know, bargain basement USB drives coming over... 

Joe Carrigan: Right. 

Dave Bittner: ...That already have malware installed... 

Joe Carrigan: They're - yeah. 

Dave Bittner: ...On them before... 

Joe Carrigan: That's part of the business model of... 

Dave Bittner: ...You put anything on them. 

Joe Carrigan: ...The manufacturer... 

Dave Bittner: Yeah. 

Joe Carrigan: ...'Cause they're just selling these things - they're selling them at a loss because they - or maybe not a loss - maybe at cost - because they know their profit model is coming from the malicious software that they're going to install. 

Dave Bittner: Huh. So I'm minding my own business. 

Joe Carrigan: Right. 

Dave Bittner: I leave my house. There's a flyer on my door. 

Joe Carrigan: Yep. 

Dave Bittner: Attached to the flyer is a USB drive... 

Joe Carrigan: Right, with the... 

Dave Bittner: ...And it says, good news, you're a winner. 

Joe Carrigan: Right. 

Dave Bittner: All you got to do is stick this in your computer... 

Joe Carrigan: Right. 

Dave Bittner: ...And profit. 

Joe Carrigan: Yep. And the Marshall County police are asking anybody that received them not to plug it in. Don't plug it in. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: Don't call the number. 

Dave Bittner: Wow. 

Joe Carrigan: And that's my advice, too. Now, this is - you know, this is not a free scam. This is not like an email scam or something like that. First off, somebody has to invest the time to walk around and hand these things out. 

Dave Bittner: Well, it's bold, too, because, you know, how many - I'd say - I don't know - 1 out of 4 of my neighbors has a Ring camera now. 

Joe Carrigan: Oh, they got a picture of this guy, Dave... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...From a Ring camera. It looks like they got a picture from a Ring camera. 

Dave Bittner: Right. 

Joe Carrigan: He's wearing gloves so he doesn't leave fingerprints behind. But... 

Dave Bittner: Is he wearing a mask? 

Joe Carrigan: Yeah, I don't think he's wearing a mask in this picture, Dave. It's - you know, you can see his face pretty well. It should be easy to ID the guy. Maybe they'll - maybe the cops will swing around and pick him up. 

Dave Bittner: He might not even be in on the scam. You know, it might just be somebody who said... 

Joe Carrigan: He may not. 

Dave Bittner: ...Hey, I'll give you - you know, I'll give you 20 bucks to go blanket this neighborhood with these flyers. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: And that could be it. Somebody - he just could be some guy that they asked to do that. I mean... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That's - if I was going to run that scam, that is exactly what I would do. You wouldn't catch me on somebody's porch cam. 

Dave Bittner: Right, right. 

Joe Carrigan: It would be some poor schmo that got tricked into doing it. 

Dave Bittner: You know, your previous story about the fake parking tickets reminds me of a story I heard a while back about - it was about a strip mall that put in their own parking meters. So the meters looked like they were municipal parking meters. 

Joe Carrigan: (Laughter) Really? 

Dave Bittner: Yeah, but they were not. They - the strip mall owner just put in a bunch of parking meters. So there was no enforcement... 

Joe Carrigan: Right. 

Dave Bittner: ...You know? But people see parking meters, they feed the meters. So it was a way for the strip mall owner to make a little extra money just by having - and the parking meters didn't say, you know, you have to, you know... 

Joe Carrigan: (Laughter) Yeah. 

Dave Bittner: ...You get a ticket if you don't pay the meter. 

Joe Carrigan: Right. 

Dave Bittner: They were just sitting there, and people would... 

Joe Carrigan: Just... 

Dave Bittner: Yeah. 

Joe Carrigan: Somebody just put parking meters out there... 

Dave Bittner: Right. 

Joe Carrigan: ...And people paid it. 

Dave Bittner: Right, which I think is simultaneously clever and despicable. 

Joe Carrigan: Yes. How much is a parking meter, Dave? 

Dave Bittner: Oh, I - depends on - I don't know. How sharp a saw do you have, Joe? 

Joe Carrigan: (Laughter) That's a good question. 

Dave Bittner: Right? How... 

Joe Carrigan: I have an angle grinder, Dave. 

Dave Bittner: Yeah. So, I mean... 

Joe Carrigan: I could get those things right off of those tubes. 

Dave Bittner: I - yeah, I would bet anybody out there'd try to - you know, who's going to stop you, right? 

Joe Carrigan: Right. 

(LAUGHTER) 

Joe Carrigan: I imagine the problem with an angle grinder is it does make a lot of noise (laughter). So the trick there is you got to wear a yellow vest and look... 

Dave Bittner: Right. 

Joe Carrigan: ...Like you work for the county, pull up in a truck... 

Dave Bittner: Yep. 

Joe Carrigan: ...That has blinking lights on it. 

Dave Bittner: Yeah, a little minivan. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. Yeah, exactly. Yeah. Yeah. 

Joe Carrigan: (Laughter). 

Dave Bittner: All right. Well, good stories this week. Again, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us at hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it's time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Penny, who writes, this one almost got me even though I haven't used McAfee for five to seven years. It's still installed on my personal laptop that I never use, which is why this email made me do a double-take. 

Joe Carrigan: So I picked this one because it's exactly the kind of thing that these things look for. 

Dave Bittner: Yeah. 

Joe Carrigan: And Penny's experience is what they're banking on. 

Dave Bittner: OK. It says, dear customer, we want to inform you that the PC and network protection package you selected has expired today and will renew on January 9, 2023. The requested plan updates is restarted, and the $329.99 membership fee is deducted from the available balance, which will appear on statement shortly. This notice indicates that you authorized the auto-debit payments during the activation procedure, and the same fee will be paid the following year. And then there's a - like, an 800 number... 

Joe Carrigan: Right. 

Dave Bittner: ...Actually an 833 number to call to - if you have any questions. It says, please be informed that you have two business days to contact us if you decide not to renew the membership. To check your billing, change your payment information or stop using the services and receive a complete refund, contact us. 

Joe Carrigan: Yes. So it's interesting to note that the 833 portion of this phone number is not in parentheses, as it normally is, but in curly braces. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: Which is a... 

Dave Bittner: Kind of evade some scanning stuff? 

Joe Carrigan: ...Yep, trying to evade some things. Penny goes on to say, things that made me suspicious - other than my own email, there are no actual links in the message, so it would have relied on me trusting the number to call. Just Google-searching the phone number actually makes it clear that this is associated with scam numbers. So good job, Penny. First thing she does is plug that number into Google and see what happens. 

Dave Bittner: Yep. 

Joe Carrigan: The email actually isn't from the person listed as signing the message - an email from Hadley (ph) and the message is from John - another good catch. The fact that there is a hard deadline - that is another good observation. That's called the artificial time constraint in social engineering attacks. 

Dave Bittner: Yep. 

Joe Carrigan: It is a staple of the scammer. I just got this email on the 9th, which apparently is the renewal date, and I have two business days to call to postpone the renewal. And she says artificial time crunch, and yep, that's right. All that being said, I did end up checking with a friend to ensure that my assessment was correct and this is likely a phishing attempt. Love the show and all that you do. Yes, Penny, I guarantee you this is a phishing attempt. Good catch, and thank you for sending it to us. 

Dave Bittner: (Laughter) Can we just say hats off to Penny because she just did just about everything right here? 

Joe Carrigan: This is - yeah, 100%. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: Yeah. Penny, I'm your biggest fan. This is awesome. 

Dave Bittner: Including sending it to us, so... 

Joe Carrigan: Right. Yep. Exactly. 

Dave Bittner: (Laughter) Thank you. 

Joe Carrigan: You did everything right from front to back here, Penny. 

Dave Bittner: That's right. That's right. All right. Well, again, thank you for sending that in. And we would love to hear from you. If you've got something you want us to consider, send us that email. 

Dave Bittner: I recently had the pleasure of speaking with Nadine Michaelides from Anima People, and our discussion focused on preventing insider threats using behavioral science. Here's our conversation. 

Nadine Michaelides: Well, I realized that there's a massive assumption that people are motivated towards cybersecurity. I think it's brilliant that there's so much work around awareness and security culture, but unfortunately, there are situations when people are not necessarily motivated towards being conducive in terms of cybersecurity behavior. So the piece of work that I wanted to look into and research and then develop solutions was why those people might not be adapting behavior, and how do we recognize and identify those individuals in order to prevent attacks from happening? 

Dave Bittner: Well, take us through that. I mean, how did you approach that research, and what things did you discover? 

Nadine Michaelides: Well, I started off, actually, by looking at something called the psychological contract, which is basically - it sits above or separate to the employment contract between an employee and an employer. And what that basically includes is everything else other than what's in black-and-white. So it's not the hours of work or location of work or the salary, but it's the expectation that you will be promoted if you work really hard, that you'll have a great relationship with your manager, that you'll be respected internally, that - it could be many little things, like working flexibly on a Friday so that you can pick up your kids from school. So anything that isn't in black-and-white in a contract is called the psychological contract. And my research at University College London was looking into what happens when there's a psychological contract breach. What happens when those expectations between the employer and the employee break down? How does that affect their motivation towards being cybersecure and protecting the organization from harm? 

Nadine Michaelides: I mean, really it's - we can think of it logically and say, well, no [expletive], Sherlock. You know, if I'm not happy in my job or, you know, I'm really not achieving what I want to achieve or there's something really dreadful that's happened that's made me really annoyed at work, then of course they're not going to go above the call of duty to fulfill those extra tasks that perhaps aren't even included in their job description. So that's kind of the research area that I went into. And I did several pieces of work, both from a qualitative and quantitative perspective, and I very much found that, yes, that was very much true. People are less inclined towards cybersecurity behavior if they've had these psychological contract breaches. So it stemmed from there, and now I've developed solutions which go far above and beyond simply just looking at psychological contract breaches but other psychological factors that could be precursors to people being a risk later on throughout their career within the organization. 

Dave Bittner: You know, I've seen - when people talk about employment, I guess at one end of the spectrum, folks talk about the feeling of safe places, that their work is a place where they feel as though they can make a mistake and not be unduly punished for it. I guess at the other end of the spectrum, gosh, I - there's a Reddit group called Malicious Compliance. 

Nadine Michaelides: OK. Right. Yes. 

Dave Bittner: I'm... 

Nadine Michaelides: So psychological safety is the term we would use in organizational psychology or occupational psychology. And of course, we're much more likely to try new things, to adopt certain behaviors, to perform well, to repeat those behaviors so that they turn into habits, if we have that degree of psychological safety. So I think that's what you're talking about. 

Dave Bittner: And so what are your recommendations? I mean, what sort of things have you come up with based on your research? 

Nadine Michaelides: Well, I think, you know, having that multidisciplinary approach, having - looking at it from different angles and not just different angles, but looking at different times within the career development of an individual and a group of individuals is really, really important. I think a lot of work in the area or solutions in the area of insider threat focus very much on that period of time when it's too late. So those behaviors are actually already occurring, and any tools will seek to monitor to see if there's any strange things happening in the middle of the night or forwarding of emails to personal accounts, et cetera, but fail to actually work with HR, as one example, or look at the individual right at the recruitment and selection stage to really understand, what is this individual like? What is their profile like? What are they motivated towards? What are their aspirations? How are they likely to behave given certain scenarios? And that's the bit that I'm really interested in. 

Nadine Michaelides: And I think the current cybersecurity teams are missing a trick by not sort of trying to understand that individual right from the start and also to look at the current human factors - environment, the landscape, in terms of, you know, what does their organization actually look like from a risk perspective in terms of human factors? You know, it's not just about having those behaviors. It's about understanding the motivation behind those behaviors. And there's nothing currently there that does that. So that's pretty much been the focus of my research and the solutions that we've developed. 

Dave Bittner: You know, it's really a fascinating point that you make. And I think about hiring someone for a technical role, and I could imagine that, you know, perhaps they wouldn't have as much scrutiny when it came to their forward-facing personality as, say, someone who was going to be in a customer service kind of role. I mean, is that a shortcoming? Is that something that we should be paying more attention to? 

Nadine Michaelides: I think, you know, there's been a lot of work over the last 30, 40 years around developing organizational culture, deciding what your vision, mission and values are as a team and really having those sort of psychometrics or recruitment selection assessments that try and fit those people to the teams. But what isn't there currently is understanding whether that person not just fits the values, which can be quite high-level and created perhaps 20 years ago, but their security values, you know, their security culture. Is that person going to be a great role model in terms of being an ambassador for security culture? And that's really where I think it's of extra value that HR and the cybersecurity teams worked together to identify that. 

Dave Bittner: And how, specifically, could they do that? Is that part of the onboarding process? 

Nadine Michaelides: So in the same way that you would - it's kind of expected these days, particularly with large organizations, that you would do some sort of psychometric testing as part of the recruitment and selection process to try and see if you're a good fit for the team. And that should never be the decision-making factor - you know, the results of those tests. It should always be competency-based or interviews - unbiased interviews. But they can be there as a key indicator to try and help that decision-making process and understand the needs of that individual once they're employed. So in the same way, there are assessments out there, including ours - well, actually, sorry, only ours - that look at that from - had to be honest - that look at that from a security-conscious perspective. 

Dave Bittner: I'm curious, does your work help on the other side of things as well? I mean, if we have a problem, if we have a situation, can the work that you've done inform whether or not we're likely to come to a solution with an individual? Or perhaps it's best that they get cut loose or they move on. 

Nadine Michaelides: So you mean if there's been an insider attack? 

Dave Bittner: Right. 

Nadine Michaelides: So, I mean, we do go in and investigate the situation through interviews if there's been an insider attack. That very much should be the learning for the future in terms of creating their cybersecurity strategy from a human factors perspective. Yeah, so learning from the past is critical to preventing threats from happening again in the future. 

Dave Bittner: What about the situation where people are going around the rules just to get their work done? You know, I've heard of folks who - an organization says, we're restricting your access to Dropbox or some other online tool like that. But they need that as part of their day to day, and so they find a workaround. They use a personal account or something like that. How do you address those sorts of things? 

Nadine Michaelides: Well, I mean, simple surveys would identify if those issues are occurring and why they're occurring. I mean, we've done a number of pieces of work - bespoke pieces of work - with organizations to - which is a mix of qualitative and quantitative data. And that is really, really important because it can be as simple as, yeah, a piece of kit, like an encryption email piece of kit, which is completely a barrier to business. And therefore, what people do, of course, is do a workaround. I mean, I would say that happens the majority of the time in those situations. So understanding what those barriers to business are are really important in preventing any insider attacks from happening. 

Dave Bittner: Do you find that there are any common misunderstandings when it comes to HR and relating to the behavior of their employees? Are there places where they think they're probably doing better than they actually are? 

Nadine Michaelides: Well, it's a tricky one. I mean, I would say, normally, the issue is a lack of communication between the two teams or working in silo on projects rather than understanding what the impact of their pieces of work are on the other department. I haven't noticed so much of a conflict between the two teams. But, yeah, interesting question. Why do you ask that? 

Dave Bittner: Well, I guess it's not uncommon for folks who have been at something to fall into their own patterns and habits and beliefs. And certainly, interpersonal relationships and communications can be kind of fuzzy. So I could see how it would be easy for biases to kind of sneak in there and, you know, to the point of, well, that's the way we've always done things or that's the way I always evaluate people. And it seems to me like part of what you're doing is getting in here and kind of shaking things up but doing so in a way that is backed by science and research. 

Nadine Michaelides: Yes, absolutely. And I think, you know, HR is a very important part of that, as are the awareness teams, the communications teams, as you mentioned. I mean, there are a number of people, usually - certainly in larger organizations - that have a responsibility to ensuring that the organization is secure and recruiting in the right way, monitoring not just behavior but attitudes, for example, toward cybersecurity and having the correct controls in place from onboarding to exit strategy. So, yeah, there are a number of people and teams that should be involved in the protection of that organization in terms of insider threat or otherwise from, you know, just cybersecurity generally. 

Nadine Michaelides: And, yeah, security very much relies on those teams communicating together, having projects that run across those departments and understanding that, you know, whilst we have our tasks and our responsibilities and deliverables and deadlines, actually, you know, sometimes there are curve balls. And sometimes there are some things that we may not have thought of. So that sort of creative thought, thinking outside the box, is absolutely, fundamentally important because that's what the social engineers are doing. They're thinking outside of the box. So we need to think like that, too. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, I am very happy to hear that there are people that are now calling themselves cyber psychologists. 

Dave Bittner: Yeah. 

Joe Carrigan: This is great news. I couldn't be happier with having that as a professional job title. Nadine talks about the psychological contract, and that's not anything that's been written down. I tend to be kind of cynical about the psychological contract - you know, the - all the beliefs that Nadine mentioned, like the opportunity for promotion, you know, the opportunity, the performance. I don't know. I'm much more cynical about that. And I've become much more cynical as I've gotten older. But when I was young, I was very optimistic about that. 

Dave Bittner: Mmm hmm. The - sort of the things that an organization will dangle in front of you to... 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: And that is particularly true in larger companies. I am in a smaller company right now and in an academic setting. And those are vastly different. 

Dave Bittner: Yeah. 

Joe Carrigan: And I've worked in - I've been in a smaller company. Now, I haven't been in a large corporate environment for probably 13 years. So it's vastly different. And I much more appreciate working in the small corporate environment. And I really like the academic environment. That was - that's pretty nice. 

Dave Bittner: Yeah. 

Joe Carrigan: Lo and behold, people are less involved when employers violate this psychological contract. 

Dave Bittner: Right. 

Joe Carrigan: This is something to me that is painfully - well, I don't want to say painfully obvious. I'm sure that her research documents much more as to why this happens. But the fact that this happened is probably nothing that was surprising to anybody or to Nadine. 

Dave Bittner: Yeah. 

Joe Carrigan: By the time the behaviors, these malicious behaviors, are happening, your organizational culture has already failed. And it's - I think when Nadine is talking about the cybersecurity teams and thinking about the psychology of this, that's great. We should all be thinking about that. But it really falls - the lion's share of this, I think, falls in the hands of management and leadership. 

Dave Bittner: Yeah. 

Joe Carrigan: That's where I'd put the blame. And this is, you know, this is something I had never thought of before. This is kind of a new thing. The impact of how employers treat people is a cyber risk. You always run the risk of angering somebody into a malicious behavior. And that - you know, the insider threat, you - we think about that when we think about the insider threat. 

Dave Bittner: Right. 

Joe Carrigan: But I think the more - the bigger risk, rather, is inducing apathy. I think that's where you're really going to lose people, and you're really going to suffer damage, is when you violate this psychological contract to the point where people just don't care. Because if you do that - it's a lot easier to do that to people than it is to get them to - to motivate them to do malicious things. There are some people that you can never motivate to do malicious things. 

Dave Bittner: Yeah. 

Joe Carrigan: But you can motivate just about everybody to not care about the organization. That's easy. Your question - there - are there places where HR is not doing as good as they think they are? Yes. I will answer that question with a solid yes. And one of those big areas is recruiting. And this is especially true in larger organizations. I think there is a real disconnect between HR and hiring managers. And I have worked at some organizations that have had some awesome recruiting groups. 

Dave Bittner: Yeah. 

Joe Carrigan: And I've worked in organizations that just make it part of their HR department. I don't know that recruiting and HR are the same thing. I think that they should be distinctly separate, and that recruiting - somebody who does recruiting should not answer to somebody who runs HR I think - this is my opinion. I'm pontificating now, but I really don't think those are the same thing. HR is someone that's there to kind of protect the company... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And keep people in line and make sure that nobody does anything that they shouldn't be doing. Make sure that no - sexual harassment is the first thing that comes to mind. That's always a big HR task. 

Dave Bittner: Right. 

Joe Carrigan: And - as well it should be. It's not something I'm diminishing here. It's something that's very important. 

Dave Bittner: Yeah. 

Joe Carrigan: We should all have a workplace we all feel comfortable going to. 

Dave Bittner: Right. 

Joe Carrigan: And that's HR's job. But getting people to come to the workplace - I don't think that's HR's job. I think that's a distinctly different skill set that requires a different kind of person to do. This is not a management task. This is almost a creative task. And I've worked in organizations where the recruiting department - I got hired one time inside of one week with an internal recruiting department. 

Dave Bittner: Yeah. 

Joe Carrigan: It was amazing - an amazing experience all around. And I still keep in touch with the person that ran that recruiting department. And now she is actually head of HR at another company. So - but they focus on recruiting most of the time. 

Dave Bittner: Yeah. 

Joe Carrigan: But that's enough out of me. I thought this was a really good interview. I'm very happy, like I said, to hear people talking about cybersecurity and cyberpsychology... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Coming together. That is fantastic. 

Dave Bittner: Yeah. A really interesting angle that we don't often hear much about, so I'm pleased. 

Joe Carrigan: Yup. And I think Nadine had a lot of cool things to say. 

Dave Bittner: Mmm hmm. Well, again, our thanks to Nadine for joining us. The organization is called Anima People, and we hope you will check them out. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.