A war on commerce.
J Bennett: They seem to really understand how the retailers have been protecting themselves and saying, OK, well, if you built a fence around this or you've put a lock key on this piece, I'll just go around to the other side door.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs in the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, a gentleman named Bennett. He is chief customer officer at Signifyd. We're talking about their recent report about a fraud ring.
Dave Bittner: All right, Joe, before we dig into our stories this week, we've got a little bit of follow-up here. What do we got?
Joe Carrigan: We do. We have Jon, who writes in with a little story. He says, Hi, Dave, Joe and Jen, who is our executive producer...
Dave Bittner: Yeah.
Joe Carrigan: ...Jennifer Eiben.
Dave Bittner: Yeah.
Joe Carrigan: Jon wants to provide a little bit of background. He has a bachelor's degree in computer networking and information systems management, a master's degree in information security. He listens to our podcast every week and has for years. He works in identity management and access management for a large multinational bank.
Dave Bittner: Well, Jon (laughter).
Joe Carrigan: He says he knows phishing, hacking and social engineering very well.
Dave Bittner: Yes, indeed.
Joe Carrigan: During a team meeting last week, my - I'm just going to start reading.
Dave Bittner: Yeah, OK.
Joe Carrigan: During a team meeting, my colleague told me that as part of a new rollout of multifactor authentication, we would be receiving an email in the coming weeks to confirm our MFA setup to ensure that there's no interruption when the rollout goes live. Common, right?
Dave Bittner: Yeah.
Joe Carrigan: When you start building these systems into - building these systems to be more secure, you're going to try to roll that out.
Dave Bittner: Yeah.
Joe Carrigan: Today, I received an email saying, click here to confirm your MFA. Honestly, I was holding my daughter when the mail came in and I was reading it. While I was reading it, she became fussy. I was amazed at how quickly the mail came after being told about it, so I thought I'd confirm my MFA and then put the baby down for a nap. I clicked the link and fortunately got saved by Firefox saying the link looks suspicious.
Dave Bittner: Yeah.
Joe Carrigan: I went and looked at the email again and realized that it was from a non-company address and had the time crunch statement of you'll be locked out if you don't confirm by next week. I fortunately never put in my credentials, so I passed the test, more or less. But I got pretext by my colleague and went to ask him about it and if he knew about the test. Turns out that it was just a lucky timing of our CERT team conducting a test at the same time as the MFA rollout was planned. Thought I'd share that. Even when you're in a rush and the mail looks like something you're expecting, you should still take the - take a second to ensure the sender address and the URL is real before you click.
Dave Bittner: Yeah.
Joe Carrigan: OK. So fortunately, Jon got saved by the Firefox link - or Firefox notification that the link was suspicious.
Dave Bittner: Right.
Joe Carrigan: This was also from his CERT team, which is - I don't know, this sounds like it might be business miscommunication, right? I don't know that I'd run this test while doing that. Or maybe I would. I don't know. 'Cause it's harmless, right? Your - it is a real attack scenario. This is what attackers look for. Exactly what attackers look for.
Dave Bittner: Yeah. Yeah, I - yes. I guess in this case, it seems it was coincidental. I would - I don't know, I don't know how sporting it would be to run a multi-factor phishing test while you were rolling out multi-factor...
Joe Carrigan: Yeah, while...
Dave Bittner: ...Right? I mean...
Joe Carrigan: And everybody knows about it.
Dave Bittner: Yeah.
Joe Carrigan: Yeah.
Dave Bittner: I don't - you know, I guess you're not setting yourself up for good feelings of trust and honesty among your team if that's your strategy. It's like all the ones where the - you know, the company sends out a phishing test at the end of the year that says good news, everybody's getting a bonus.
Joe Carrigan: Right.
Dave Bittner: Right? I mean...
Joe Carrigan: And there's no bonuses.
Dave Bittner: Yeah.
Joe Carrigan: That's the worst part.
Dave Bittner: (Laughter) Right.
Joe Carrigan: Just kidding. Ha-ha-ha-ha.
Dave Bittner: Yeah, but you - here, let me slap on the wrist for...
Joe Carrigan: Yeah.
Dave Bittner: ...Failing that test.
Joe Carrigan: Yeah, that is a - that particular test is one I would definitely leave to the bad guys. But this one, I think is good because I think - I'm going to disagree with you on this one, that this is sporting. And the reason being that he works at a large, multinational bank. Chances are, information about this rollout has leaked to the bad guys. So I think it's good to prep the - I don't think you take metrics on this, right?
Dave Bittner: Yeah.
Joe Carrigan: I don't think you take metrics or ding people on it. But I think that you use this as a teaching moment. And you say, this is what the bad guys are going to do. We think they may know that we're rolling out the multi-factor authentication.
Dave Bittner: The other thing that I think is noteworthy here is that part of the reason that he went down the wrong path is that he was distracted...
Joe Carrigan: Yes. Yes, it is.
Dave Bittner: ...By taking care of his young child.
Joe Carrigan: That is one of the things that doctors Lee and Dahbura at the Information Security Institute did some research on in the past. And they found that, yes, being distracted does, in fact, make you more susceptible to a phishing attack.
Dave Bittner: Yeah, absolutely. Absolutely. So you know, don't have young children.
(LAUGHTER)
Joe Carrigan: I'm going to disagree with that.
Dave Bittner: They grow up so fast, Joe. And it's great.
Joe Carrigan: Yes, but then they give you grandchildren. And it's wonderful.
(LAUGHTER)
Dave Bittner: I was just saying to a friend of mine recently who has very young children, and they were, you know, sort of - as new parents do, they were asking, when does it end?
Joe Carrigan: (Laughter).
Dave Bittner: When does it end? And I said, the great thing is that not only - there comes a time when you can say to them, go feed yourself.
Joe Carrigan: Right.
Dave Bittner: But there also comes a time when you can say, go get me some food.
Joe Carrigan: Right.
(LAUGHTER)
Dave Bittner: They will bring you back some food. And this is a wonderful, wonderful thing, a good reason to have children. All right. Well, our thanks to Jon for sending that into us. We do appreciate it. And, of course, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. All right. Joe, let's jump into our stories this week. Why don't you start things off for us here?
Joe Carrigan: Dave, again, I have two stories because they're both very short term, which is a problem. When I go looking for these stories, I can't find a good, long story that's involved.
Dave Bittner: OK. That's all right.
Joe Carrigan: I don't know why. But the first story comes from CNN. And I don't know why it's under politics. It should be under government. But it's by Sean Lyngaas. I hope I'm saying that right. "Scammers Posed as Tech Support to Hack Employees of Two Agencies Last Year."
Dave Bittner: Government agencies?
Joe Carrigan: Government agencies.
Dave Bittner: OK.
Joe Carrigan: And the story doesn't say which agencies they are. But they are federal employees of government agencies, of civilian government agencies. And CISA - that's the Cybersecurity Infrastructure Security Agency - the NSA and the threat-sharing center for state and local governments, known as MS-ISAC - an ISAC is just a way to share information in a certain industry. And the MS-ISAC is the multistate ISAC. The goal of the scam appears to have been to hit both private sector and government agencies, to trick victims into sending the scammers money. It was unclear if that happened in the case of the federal employees. Interesting that it's unclear. I think you should be able to find that information out. I would like to know if these federal employees - first off, what they were going after...
Dave Bittner: Yeah.
Joe Carrigan: ...Because it sounds to me like this may have been - I'd like to know who was targeted, what agency was targeted. The agency said they were concerned such hackers could sell stolen information to government-backed spies, which is true, right? It's an espionage attempt. But this is a civilian effort. But that doesn't mean that foreign national - foreign intelligence services are not interested in civilian activities of our government, you know? The espionage game is not just about, you know, the military stuff.
Dave Bittner: Right.
Joe Carrigan: And it's - the State Department is a huge target. And that's pretty much a civilian agency - right? - or a civilian department. It's not an agency. It's a department. But they were coming in by saying, hey, I'm with tech support. Give me a call. And these guys called them.
Dave Bittner: Right. Right.
Joe Carrigan: So - and then they were told to go to a malicious site and download some software, so bad news all around.
Dave Bittner: Yeah, absolutely. What's the other one?
Joe Carrigan: The other one is more of a personal story. And it comes from People magazine, from Anna Caplan.
Dave Bittner: OK.
Joe Carrigan: And the headline of the story is "36-year-old Woman Accused of Romance Scam to Swindle $2.8 Million from Elderly Holocaust Survivor."
Dave Bittner: Wow.
Joe Carrigan: (Laughter) What? I have a sentence in my head right now. I'm not going to say it.
Dave Bittner: (Laughter) OK, good.
Joe Carrigan: But it was on the nature of the character of this person.
Dave Bittner: OK.
Joe Carrigan: (Laughter) This person's name is Peaches Stergo. She is from Florida. And how did she find this guy? Well, she went on a dating app and connected with him on the dating app. And then she said, hey, by the way. I've got a large sum of money that I've won from a lawsuit from a car accident. But my attorneys won't release the funds to me because I owe them money, right?
Dave Bittner: (Laughter).
Joe Carrigan: And she talks this guy into giving her $27,000...
Dave Bittner: Wow.
Joe Carrigan: ...On the first go - or $25,000 on the first round. This was back in May of 2017. Got my numbers mixed up there, Dave.
Dave Bittner: OK.
Joe Carrigan: It continues. She continues on to essentially get almost monthly checks, often in increments of $50,000, from this poor guy.
Dave Bittner: Wow.
Joe Carrigan: She has essentially drained this guy's bank account. And he is now having to move out of his apartment in New York City.
Dave Bittner: Aw.
Joe Carrigan: It's terrible.
Dave Bittner: Yeah.
Joe Carrigan: Terrible what they've done. I hope they can recover some of this because, naturally, when you're a human being that does this kind of thing, you're going to go out and spend frivolously. And this woman is no exception. She had a life - the indictment says she lived a life of luxury with the millions she received from the fraud. She bought a home in a gated community, a condominium, a boat, numerous cars, including a Corvette and a sedan - a Suburban, rather. During the course of the fraud, she took expensive trips, staying at the Ritz-Carlton, and spent thousands of dollars on expensive meals, gold coins and bars, which were essentially fungible materials, right - those still have value - jewelry, Rolex watches and designer clothing. The designer clothing and the cars and all the food, that money is essentially gone. But they may be able to get some money by recovering the gold bars and the coins and maybe the Rolex and the houses.
Dave Bittner: Yeah.
Joe Carrigan: I think they can certainly liquidate those and give the guy back some of his money.
Dave Bittner: It's interesting that this article says that it was discovered when the man who was being scammed told his son about the arrangement.
Joe Carrigan: Yep. That was - as he was running out of money, he told him. So it's, you know - this goes - this reminds me of what you do with your dad and how you have the ability to monitor his bank account...
Dave Bittner: Right.
Joe Carrigan: ...On the regs. So if this guy's son had seen the first $25,000 payment, he may have gone, hey, what's going on here, Dad? And stopped the guy from losing, you know, $2.8 million.
Dave Bittner: Yeah.
Joe Carrigan: If you have 20 - $2.8 million, $25,000 is not that big of a loss for you. But like I say frequently, these scammers are going to just keep hitting you up for money until one of two things happens. You realize it's a scam, and you stop sending him money. Or you run out of money to send them.
Dave Bittner: Right. I wonder if they ever met - if this was all done remotely. The story says that she was in Florida.
Joe Carrigan: In Florida, and he's in New York.
Dave Bittner: Or she's from Florida. He's in New York.
Joe Carrigan: Right.
Dave Bittner: It doesn't really say, but - yeah. It's heartbreaking, isn't it?
Joe Carrigan: It is. It's terrible.
Dave Bittner: Yeah. To your point about being able to monitor your loved ones' bank accounts, one of the nice things is, for example, I have my father's bank account set up so that if a transaction above a certain size occurs...
Joe Carrigan: Right.
Dave Bittner: ...I get a notice. So what that means is I'm not getting the day-to-day, just-going-about-his-life sorts of things, you know? So I'm not getting alert fatigue - right...
Joe Carrigan: Right.
Dave Bittner: ...From all the day-to-day banking stuff. I suppose there's a little bit of risk there where if, for example, someone were to come after my father in small increments...
Joe Carrigan: Yes.
Dave Bittner: ...Then I wouldn't know about it.
Joe Carrigan: Right.
Dave Bittner: But certainly, you know, somebody - $25,000 or something like that, I would get that right away and hopefully be able to head it off at the pass. You just never know.
Joe Carrigan: Yep.
Dave Bittner: All right. Well, we will have links to both of these stories in the show notes.
Dave Bittner: My article this week comes from WIRED, written by Matt Burgess, and it's titled "A Sneaky Ad Scam Tore Through 11 Million Phones," some 1,700 spoofed apps, 120 targeted publishers, 12 billion false ad requests per day. This is a campaign called Vastflux, one of the biggest ad frauds ever discovered. Are you familiar with the attack technique called fast flux? Have you heard of that?
Joe Carrigan: I have not heard of this.
Dave Bittner: OK.
Joe Carrigan: This is a new one to me.
Dave Bittner: I recall us reporting on it a while back on CyberWire. And fast flux was a way - I believe it was a way of, like, obfuscating IP addresses. Like, so it would appear as though your requests, your interactions were coming from a broad array of IP addresses rather than a single one. And that cuts down on the ability for your actions to be detected.
Joe Carrigan: I see.
Dave Bittner: So the researchers are calling this Vastflux, and that's a play on the name fast flux, which is the - part of the type of attack that they're using here.
Joe Carrigan: Right.
Dave Bittner: So let me back up here and just sort of describe what's going on. You know, as we know, we live in this online app economy and this online advertising economy. So if you or I or anybody goes onto a website or a Google search or pretty much anything we do that has ads these days online - and these days, that's most things.
Joe Carrigan: Right.
Dave Bittner: When you log on to a site, quite often there's a bidding process that takes place among the ad companies to put their ad in front of you. And part of that is based on the information they have about you, where you're located, the demographic information they have about you, all that kind of stuff. So what these bad actors were doing was they were actually purchasing ad space with legitimate ad networks, but in their ads, they were inserting bad code. I believe it was Java code. I can't remember if it was Java or JavaScript. Let me see if I can get it here.
Joe Carrigan: Probably JavaScript.
Dave Bittner: Yes. They were inserting malicious JavaScript code. And what it would do is display multiple ads that were stacked up on top of each other.
Joe Carrigan: I see.
Dave Bittner: So you would only see - as the user, you would only see the topmost ad.
Joe Carrigan: Right.
Dave Bittner: But this could stack up to 25 ads underneath.
Joe Carrigan: I see.
Dave Bittner: And they would get credit and get paid...
Joe Carrigan: They'd get paid for showing you 25 ads.
Dave Bittner: ...For showing all of those ads.
Joe Carrigan: After only showing one.
Dave Bittner: Correct. So they'd pay for one, pay for one placement, but collect on the placement of 25 ads.
Joe Carrigan: I see.
Dave Bittner: This is bad for the user because it'll drain your phone battery faster as it processes all of these ads. These ads tend to be processor intensive.
Joe Carrigan: OK. I'm not sure I care that much about that. But - and in fact...
Dave Bittner: As - you know, as a user, you probably wouldn't.
Joe Carrigan: Right.
Dave Bittner: It doesn't seem like they're going after the user as their victim here.
Joe Carrigan: Right. This is a front-end ad broker - right? - or ad seller. And what they're doing is they're saying to all these different back-end engines, like Google and Amazon and Trade Desk, all these different back-end people, they're going, we'll show you an ad, or we'll show an - one of your ads.
Dave Bittner: Right.
Joe Carrigan: And they're not showing the ad to the user, but they're collecting the money from these companies.
Dave Bittner: Right. Right.
Joe Carrigan: All right.
Dave Bittner: So they were doing 12 billion ad requests per day.
Joe Carrigan: Right. That's a lot.
Dave Bittner: That's a lot.
Joe Carrigan: Yeah.
Dave Bittner: It's also interesting that they were primarily hitting iOS devices, which - I think we tend to think that most of this stuff happens on the Android side just because it's a little less of a walled garden. But...
Joe Carrigan: I wonder why they're going - why they were hitting iOS devices because it's just HTML and JavaScript. I mean, it's simple enough to do.
Dave Bittner: Yeah.
Joe Carrigan: But...
Dave Bittner: Don't know.
Joe Carrigan: I wonder if they're taking that market because those people demand - if you're on an iOS device, do you command a higher price as an advertisee - as someone to get shown an ad to?
Dave Bittner: You do. Yes.
Joe Carrigan: Yeah.
Dave Bittner: I believe in general you do.
Joe Carrigan: That's probably why they picked - they targeted iPhone users...
Dave Bittner: Yeah.
Joe Carrigan: ...Or iOS users.
Dave Bittner: That makes sense. This article says that they believe they hit about 11 million devices and that, again, the device owners really wouldn't have known this was going on. It didn't...
Joe Carrigan: Right.
Dave Bittner: It wasn't infecting their device. It was just sort of taking advantage of their device to run this scam. So these researchers reached out to the ad companies and let them be aware of it. They've done their best to shut it down. And evidently, for now, this VASTFLUX campaign has been stopped.
Joe Carrigan: It'll be back.
Dave Bittner: (Laughter).
Joe Carrigan: And the reason I say it'll be back is because this is very difficult to detect...
Dave Bittner: Yeah.
Joe Carrigan: ...Because if you think about this, they're going - they're selling their ads - or they're selling ad space to a whole bunch of different buyers. And all - if I sell that - if I say - there might be 25 buyers they're selling to. And they're saying to everybody, congratulations. You won the auction. Now give me my money.
Dave Bittner: Right.
Joe Carrigan: And that's how this works. The user never sees it. The only way to check it is to have a researcher analyze the HTML of every web page on the internet and find out if anybody is doing this.
Dave Bittner: Well, I also - I mean, I place some of the responsibility on the ad networks in that they should be doing a better job of taking a look at this JavaScript code that's coming through their - that's passing through their systems. Don't you think?
Joe Carrigan: Yeah. I mean, I don't know which advertiser - I mean, these guys are front-end, right?
Dave Bittner: No. I think - no. So they're buying space through ad brokers to place these ads...
Joe Carrigan: I see.
Dave Bittner: ...That contain the JavaScript.
Joe Carrigan: So they're middleware.
Dave Bittner: Yeah.
Joe Carrigan: OK. Yeah. I see. So you're saying that the guy at - the front-end guys should be watching this a little bit closer.
Dave Bittner: Correct.
Joe Carrigan: Yeah. Right. That is who bears the responsibility for this.
Dave Bittner: Yeah, yeah, at least for catching it, you know?
Joe Carrigan: Right.
Dave Bittner: There's - to me, that's a shortcoming there.
Joe Carrigan: Right - for the defensive responsibility. Yeah. The offensive responsibility always lies with the bad guy.
Dave Bittner: Right.
Joe Carrigan: And I want to make that clear. I'm not blaming the victim here.
Dave Bittner: Yeah. I wonder, too, if there's anything on the OS side, you know, for iOS and Android, if there's anything that they could be doing to look out for this sort of behavior. I suppose these ads are kind of self-contained and - you know, and anything you do to stop this could also break it. But...
Joe Carrigan: Right. I mean, it's - the thing is that it's really not the - it's a web developer - or a web browser developer that you're talking about here. That's who you're - and in the case of iOS, that is only Apple.
Dave Bittner: Right.
Joe Carrigan: Right - with WebKit. Is that what it's called?
Dave Bittner: Yeah.
Joe Carrigan: And in the case of Android, it could be anybody. So, you know, like, I have three browsers on my phone. I have the DuckDuckGo browser. I have Mozilla. And I have the default Chrome browser, which I almost never use. So, you know, who's going - I think you will see something like this in the Chrome browser because that's owned by Google, and they are one of the people that are probably victimized by this.
Dave Bittner: Yeah.
Joe Carrigan: So yeah. I think you might see things coming out of Chrome in this.
Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes. Again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from friends of the show Chad and Jen.
Dave Bittner: Oh, super-listener Chad.
Joe Carrigan: That's right - super-listener Chad.
Dave Bittner: Yeah.
Joe Carrigan: I got a great story. Can I tell the story?
Dave Bittner: Sure.
Joe Carrigan: OK. So I was actually playing Fortnite with Chad and Jen. And all of a sudden, Jen goes, Joe, is Lisa yelling for you? And I'm like, I don't know. Is she? But my wife was downstairs, and she could hear - Jen could hear Lisa. But my headphones actually block out everything. Plus they fill my ears with the events going on in the game.
Dave Bittner: So the people you were playing with...
Joe Carrigan: Could hear.
Dave Bittner: ...Could hear your wife calling you, but you could not.
Joe Carrigan: But I could not.
Dave Bittner: Brilliant.
Joe Carrigan: It is.
Dave Bittner: All right. You've gamed that very well, Joe.
Joe Carrigan: I did.
Dave Bittner: Yeah.
Joe Carrigan: But Chad writes in, hi, Dave and Joe. As you know, I'm a regular listener, and I try to pass the things I learn on to my wife when I can. She sometimes is trapped in the car with me and has to listen. There you go, Chad. Thank you. Do that with as many people as you can.
Dave Bittner: Sure.
Joe Carrigan: Either way, she has gotten pretty good at spotting scams. She asked if I could pass this email on to you. Jen has several music services. So this almost caught her. Thanks for all the good info - love the show. Talk to you later, Chad. So this is an email that Jen received. It's called renewal details. So, Dave, why don't you go ahead and read this email?
Dave Bittner: It says renewal details. It's all caps, so...
Joe Carrigan: Right.
Dave Bittner: They're yelling - and two exclamation points...
Joe Carrigan: That's right.
Dave Bittner: ...Not one.
Joe Carrigan: So very exciting.
Dave Bittner: Yes. Thank you for your payment of $141.34, music lover - Jen's email address. Thank you for subscribing iTunes iMusic Application. The annual renewal fee of your plan upon expiration of your contract will be invoiced based on the information on your registered details with us. We are happy for you. For the day of consumption, a full one year or 12 months subscription.
Joe Carrigan: For the day of consumption.
Dave Bittner: Yeah. Total amount paid - $141.34. You will not be charged for your complimentary trial. Once it ends, your subscription will renew at $141.34 unless you cancel by Tuesday, January 17, 2023. Enjoy listening to our iMusic with your family and friends, and groove on all kinds of music of your choice. In case you are dissatisfied or do not want to continue with this subscription or cancellation, please reach us to our Help Desk team at 1-800 within a 24-hour period to stop it. If you do not subscribe to the iMusic in-app services, then simply reach out to our help desk team to cancel. Thanks, The App Store team.
Joe Carrigan: Now, the phone number is separated by a bunch of dots - like, periods...
Dave Bittner: Right.
Joe Carrigan: ...To get through the spam filter, which apparently it did very effectively. Dave, is iTunes iMusic a product? Is that actually a thing?
Dave Bittner: iTunes iMusic - iMusic is - there's - no. There's Apple Music.
Joe Carrigan: Right.
Dave Bittner: There's no iMusic.
Joe Carrigan: OK. I didn't think so.
Dave Bittner: But I could see how people could be confused with it or tricked by this because Apple...
Joe Carrigan: Right.
Dave Bittner: ...Does tend to put i in front of everything.
Joe Carrigan: They do indeed...
Dave Bittner: Yeah.
Joe Carrigan: ...iPod, iPad, iTunes. So this is interesting. And I - this kind of dovetails in with our message from Jon earlier.
Dave Bittner: Yeah.
Joe Carrigan: This comes into Jen as something that would be - she would be expecting, right?
Dave Bittner: Right.
Joe Carrigan: 'Cause she listens to multiple music services. Now, I will confess that, at one point in time, I actually had two music services. I had Amazon Music and Spotify. But I just kept...
Dave Bittner: How decadent.
Joe Carrigan: Huh?
Dave Bittner: How decadent.
Joe Carrigan: How decadent of me, right? I cancelled the Amazon Music because I noticed I'm never using this, and that's just eight bucks to help Jeff Bezos play rocket ship. So...
Dave Bittner: OK.
Joe Carrigan: ...I'm going to cancel it and just stick with Spotify, which I have the family account on so that my wife and kids can all listen to it.
Dave Bittner: Right.
Joe Carrigan: So this email comes to her, and it fits with what she would expect. But, fortunately, she spotted it as a scam, probably 'cause of the terrible grammar in this one.
(LAUGHTER)
Joe Carrigan: This is an attempt to get you to call the number and then give them access to your PC.
Dave Bittner: Yeah.
Joe Carrigan: So...
Dave Bittner: Or your credit card or who knows what.
Joe Carrigan: Or your credit card, yeah.
Dave Bittner: Yeah. Right. Because they - even if you - they could say, oh, gosh, well, in order to process your refund, we'll have to have - we need your credit card number.
Joe Carrigan: Right.
Dave Bittner: Right? And off you go.
Joe Carrigan: Yep. You know, I want to get a burner phone just to call these guys - just call these numbers and see what happens.
Dave Bittner: (Laughter) OK.
Joe Carrigan: But I don't want to use my regular phone 'cause I don't want them calling me back on that number.
Dave Bittner: Yeah. You could get a - couldn't you get, like, a Google Voice account?
Joe Carrigan: I could.
Dave Bittner: That would work. Yeah. All right. Well, our thanks to Chad and Jen for sending this into us. We do appreciate it. Once again, you can email us. It's hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with a gentleman who goes by the name of Bennett - just a single name, like Madonna or...
Joe Carrigan: Right.
Dave Bittner: ...Cher.
Joe Carrigan: Or Foster from ZeroFox.
(LAUGHTER)
Dave Bittner: Right, right. But he is the chief customer officer at a company called Signifyd, and they recently published a report on a fraud ring. So here's my conversation with Bennett.
J Bennett: The scale of this particular attack is, you know, close to a billion. It's, you know, rounding to a billion. We originally estimated it at about 660 million in actual successful attempts across the e-commerce industry in the USA in Q3, Q4 of calendar '22 - so during the holiday period and ramping up to it. So that size is pretty eye popping. And so that's a big reason that we wanted to share our learnings of this - to help the broader, you know, infosec community understand what this meant and how to maybe address it.
Dave Bittner: Well, can you describe to us what's going on here? What exactly is this fraud?
J Bennett: Yeah, it's really interesting because it's not super novel in the worldwide scope of fraudulent attempts in payments or e-commerce or consumer-facing, you know, financial instruments, but it is relatively unique targeting the United States of America, and specifically consumer deliveries related there up into the holiday season. So Signifyd operates worldwide, and we've seen these kind of attacks in a couple other places. In Latin America especially, we've seen these kind of brute-force attacks. And then, in the United States, we've seen them before at much larger order values for things like gold or cryptocurrency - things that are closer to fiat currency.
J Bennett: And so a couple of things that really made us drawn to this were that it was targeting kind of our e-commerce merchants - the - you know, kind of our bread and butter, where we started, and using very focused, deliberate and broad-based attacks that are at the - call it very boring, $200 average order value. Think AirPods - right? - from that perspective - something that people want to buy for the holidays you want to receive as a gift. You, as a consumer, are shopping for a deal online. You're like, man, you know, inflation's really high. I want to try to get a good deal. I find a site that has good reviews. They have a 25% off on the latest model. Apple's not offering any discounts directly on that model. How can this be? But the reviews are so good. All right. I, as a consumer, am going to buy that.
J Bennett: The fraudsters take that order. They go use stolen financial information. They buy that from a legitimate retailer with that stolen financial information from a irrelevant third-party member who's going to file the chargeback eventually. And then the original consumer who wants that 25% off receives actual AirPods, and the fraudsters pocket the profit from that. So it's actually very sophisticated in a triangulation perspective, and there're some nuances, and it gets even more complex, but that's ultimately what we were able to deduce was happening here.
Dave Bittner: And who ultimately loses out here? I mean, is it the merchants that the fraudsters are buying the product from that eventually get that chargeback?
J Bennett: That's exactly correct. So in a card-not-present environment, the onus for protecting against fraudulent financial instruments usually falls on the retailer, depending on the payment instrument type. And that's definitely the case with credit card payments.
Dave Bittner: Now, your report points out the success of this group. And as you said, they're inching up near a billion dollars of volume here. You know, that's a lot. What do you suppose is the reason for their success here?
J Bennett: Yeah. So to put this into context, we estimate that the attempts are over $3.5 billion at this point. So if you're thinking about a success rate, you know, call it a 20% success rate - right? - in terms of getting through across all of e-commerce. Our clients, thankfully - we were able to blunt some of that. But the reason that they've been successful is they're targeting these items that retailers want to sell, and they're targeting items' ranges and very clearly, obviously, gifting-type activities ahead of the holidays on order values that normally do not receive scrutiny.
J Bennett: So if you think about a retailer that maybe has an average order value of 500 bucks - right? - for example, so maybe a, you know, consumer electronics provider. Someone who has - is buying a cart of $100, $150, $200, that's below your median. It's below your average. It's below your hottest items. If you have one of the, you know, more, you know, antiquated systems in place where you have human beings taking a look at orders, those human experts are going to be focusing on your big-ticket items 'cause that's historically where fraud has been more prevalent in the United States.
J Bennett: So I think that's a big reason of success, is that the fraudsters reverse-engineered the kind of basic elements of defense that are - that have been deployed in e-commerce. And then there's a whole level of sophistication once they found any measure of kind of pushback or the ability to deflect the attacks. But I think at its root, it's - they seem to really understand how the retailers have been protecting themselves and saying, OK, well, if you built a fence around this or you've put a lock key on this piece, I'll just go around to the other side door.
Dave Bittner: So what are the red flags for the retailers themselves? Are there any things that they can, you know, have their radar up for?
J Bennett: Yes, absolutely. So the key things to be looking at are high purchase velocity. And so that means, for example - let's say, for example, like, we're talking about a - you know, a top-of-the-line, you know, gadget that people want to get. It's very normal for there to be higher purchase velocity, more orders related to that ahead of the holidays. So again, the fraudsters kind of know that.
J Bennett: And the key to looking at and determining if you have an issue is, are there many types of people with the same names, with the same emails, with the same IPs? You need to take a look at kind of a holistic graph of the types of orders that are coming in and saying, gosh, we didn't used to get so many orders going to Portland, but now the Portland orders are up 10,000%. Portland is a known reshipper hub, for example. So there's all kinds of things like that where you can slice and dice the data regardless of the type of systems you have and say, OK, all right, this piece of my business has really dramatically changed. Let's take a look at that.
J Bennett: As soon as the fraudsters have developed any sense that the retailers were pushing back and blocking their orders, they would kind of up-level the agents on their side that were, you know, targeting that site, and they'd start little things like address manipulation, or they changed things like purposely trying to confuse and bypass the security systems that would come in place. So I think one other - stepping back a little bit, the United States has not really faced a kind of brute-force, broad-based attack like this where there are human beings that are trained on what to do in, let's call it a call center - right? - that have been organized and trained on, hey, this particular site will allow you to address manipulate kind of the delivery address in a way that will confuse its fraud systems and allow the order to go through. Here are the 10 ways that you should try that. Go through this playbook.
J Bennett: And just as a customer service agent, you know, might legitimately have a playbook and a flowchart to go through, that is - that has been built by people who know what they're doing and then given to an army of human beings and said, OK, when you encounter this resistance go to flowchart 2B and execute this playbook, OK? Report back on whether or not they're successful or not. OK. Rinse and repeat.
J Bennett: So I think that the key is as soon as the retailers identify kind of this, you know, larger amount of orders with kind of any abnormal elements related to them, followed by chargebacks, you need to raise the - kind of the gates up and really start paying more attention to those orders. The fraudsters seem very focused because they are ultimately selling it to end consumers on particular products that are selling very well. So we've seen a lot of people who may not have the most sophisticated defenses be somewhat helpful in deflecting this attack by targeting their highest-, you know, value items. That's the exact dangerous thing to do when you're trying to make sales. So there's obviously a balancing act there, but that's kind of the success that we've seen.
Dave Bittner: Is it fair to say that one of the weak links in this chain here is the credit card companies themselves, that - seems to me that's really the main thing that's being exploited here?
J Bennett: Well, you could say that, that the financial instrument itself - right? - is kind of the root cause. It is a necessary but not sufficient condition, I think. And here's my point on that. If someone has compromised a credit card, and all they've compromised is a credit card, the credit card company, actually - it's fairly easy to stop that after maybe the first, second attempt, right?
J Bennett: So here's what we're finding, though. This fraud ring is much more sophisticated, where they don't just have the financial instrument. They know the emails. They know the passwords. They know the addresses. Depending on the order size, they might be using, for example, houses that have recently sold that they know don't have anybody at where they can open a credit facility and then also confirm that information and then have that house become a place where mules can go to pick up the orders themselves to then get to the end consumer. So the level of sophistication is going much beyond just the payment instrument itself.
J Bennett: So I hear you. It's like, gosh, if the payment instrument were more secure, would that help? It would, of course, yes. I'm not going to say that it's not. But I do believe that there's a lot more going on here. And kind of taking a little bit of a step back, I think disrespecting the fraud ring or their level of sophistication is a big part of the problem, right? And so one of the - thing that I like to do is think of these folks as a business, and a sophisticated business that has very clear COGS and profit margins. And, you know, the best fraud ring is going to have the most profit to invest back in.
J Bennett: I kind of look at it a little bit more holistically, personally. But you're absolutely right, of course. Yes, in many ways, yes, the credit card companies or whatever payment instrument could be offering a more secure payment instrument, with a huge caveat. Consumers, especially in America, do not want the friction imposed by a more, quote-unquote, "more secure" payment instrument.
Dave Bittner: Do we know who's behind this - what part of the world they're coming from?
J Bennett: Absolutely, yeah. So this particular very sophisticated fraud ring is based in Southeast Asia. And I note that, I believe, based on the information that we have and that, you know, many of our colleagues in the industry have is that this is a - this is kind of a very well-coordinated - unclear yet if it's cell, you know, kind of structure or if it is really more hierarchical, like a corporate structure. But it is very well organized, regardless of the actual pieces. We do know a little bit about the contours. We are exploring ways to stop it at its root - right? - from that perspective. And definitely, they are based in that - Vietnam or Thailand is kind of our current best guess.
Dave Bittner: So what are your recommendations then for folks to best protect themselves against this?
J Bennett: Yeah. So I think that the first thing is chargebacks are a very lagging indicator, right? And so chargebacks from the person who has had their financial instrument stolen and used in this triangulation is going to notice this on their credit card statement, you know, at most same day. But by the - in - that sounds fast, right? But because this a brute-force attack, we're talking about literal hundreds of orders being placed within hours, right? That's how you get to these really large numbers. And with same-day shipping or, you know, release before holidays and that pressure to get the goods out the door, what we're finding is that, you know, hours is too long, right? So chargebacks is too late.
J Bennett: So I think that there really needs to be either a very excellent team with excellent tools that is, you know, kind of constantly monitoring fluctuations in traffic patterns and kind of sorting, like - hey, yes, is this 10,000% increase to Miami a problem or not, or is that sale - just happened to be really, you know, successful? Those types of questions are very hard to answer in real time. So I suggest adopting technology - you know, machine learning in the space obviously works - something that can sift through the signal and noise and make sure that you're focusing on the right things at least, if it's not making the decisions for you.
Dave Bittner: Joe, what do you think?
Joe Carrigan: This ring is getting close to a billion dollars in recognized fraud. Dave, do you think that Signifyd has found all of the fraud in this?
Dave Bittner: Highly unlikely.
Joe Carrigan: Highly unlikely. I think these guys may have gotten away with more than a billion dollars.
Dave Bittner: Yeah.
Joe Carrigan: Interesting that it's really not new, novel techniques. This reminds me very much of the scam that we were talking about in Pakistan with the Amazon opening up services in Pakistan.
Dave Bittner: Right. Right.
Joe Carrigan: I think this is the same kind of thing. You remember how we were terribly confused by that?
Dave Bittner: Yeah. Yeah.
Joe Carrigan: We had a listener write in and tell us about it, and it sounds almost exactly like what Bennett's describing here. Interesting that they're not really novel techniques, right?
Dave Bittner: Yeah.
Joe Carrigan: They're just using the - I like that Bennett describes this as a brute-force attack. That's what it is. They're just trying things until it works. And I often say my favorite kind of force is brute force, right?
Dave Bittner: (Laughter).
Joe Carrigan: It's remarkably effective. And it shouldn't be as remarkably effective in a lot of things. But here, I don't know how you defend against it without using techniques that Bennett is describing, which is, like, artificial intelligence and buying a product and helping - you know, or - 'cause you're trying to sell things, right? You're trying to make that happen. And as the victim organization here, you would lose out. And if these guys target your organization and find a vulnerability, you could lose big.
Dave Bittner: Mmm hmm. Yeah, absolutely.
Joe Carrigan: Interesting that, in the U.S., these guys are going for more fungible things, like gold bars and things like that. I think that's really fascinating. What makes it OK to do that in the U.S., but not Latin America? Is it because the U.S. has a higher, you know, per-capita income that, when someone sends a gold bar to a house in, let's say, Portland, Ore., - which is where he was talking about there being a lot of re-shipping around the area - that that's less suspicious than somebody in Ecuador ordering one? Maybe. I don't know. I'd like to know why that is the case. I think - and that's why it's fascinating because it poses a question to me.
Dave Bittner: I wonder if it could be as simple as the proliferation of cash-for-gold shops all over...
Joe Carrigan: Right (laughter).
Dave Bittner: It's easy to turn around - it's easy to launder gold.
Joe Carrigan: Yeah. That might be - that's a good point, Dave. It might be because we have those cash-for-gold shops around here, and those things don't exist in other countries.
Dave Bittner: Yeah.
Joe Carrigan: Same with payday loans - I don't know if payday loans exist in the other countries, but we have them all over the place here. And they are terrible, terrible organizations. This scam also kind of reminds me of cryptojacking. In cryptojacking, I install some malware on somebody's computer that does all the crypto mining for me, and it costs them money to do that for me. So it's like changing the business model to an all-profit business model. Here, they don't make it all profit because they are a large organization, and they have to pay people. But they do eliminate the cost of goods sold - totally eliminated.
Dave Bittner: Yeah.
Joe Carrigan: They're essentially fencing stolen goods is what's going on here.
Dave Bittner: Right.
Joe Carrigan: They attempted over 3 billion, and they take home almost 1 billion in business. So that means they have, like, a 33% success rate with every one of these orders they place. So in order - so when they get a customer order in, they have to try three times to get that order fulfilled at no cost other than the time and effort it takes to do it.
Dave Bittner: And it pays off.
Joe Carrigan: And it pays off. Right. These guys are very adaptive. They have that re-shipping operation that he talks about.
Dave Bittner: Yeah.
Joe Carrigan: That involves a lot of legwork here in the U.S., right? If this ring is being operated out of Southeast Asia, they still have some operations here in the U.S. And I think those operations are susceptible to law enforcement.
Dave Bittner: Yeah.
Joe Carrigan: And, you know, it would be interesting to have the federal authorities involved in this, find a couple of these people. You know, if you're just a porch pirate and the FBI arrests you, I can imagine that being a very terrifying situation, you know?
Dave Bittner: (Laughter) Yeah. It's a bad day.
Joe Carrigan: Right. It's a bad day. You know, you're expecting to interact with local law enforcement, and next thing is somebody taking you to an airport and putting you on a plane to fly you to Washington in custody. That would be very intimidating. But, you know, I'm not all for the intimidation of - by law enforcement. I don't want to say that I'm doing that. But at the same point in time, these guys are running a huge operation that's damaging businesses, particularly in the U.S.
Dave Bittner: Yeah.
Joe Carrigan: Finally, the last thing I want to say is that chargebacks are slow. By the time you get notification that a chargeback has happened, that order has not only shipped, but it has - it is shipped to the first place that it was going to get shipped to, then picked up by a porch pirate, repackaged, shipped out to the customer. The customer has had it probably for at least two weeks before you even see that the chargeback has occurred...
Dave Bittner: Yeah.
Joe Carrigan: ...As a fraudulent account - as a fraudulent charge. So it's not a really good indicator. You're going to have to do something more on this.
Dave Bittner: Yeah.
Joe Carrigan: And that is, you know, noticing these trends. Or accept the loss. I don't know, maybe you accept the risk. I don't think that's a good example 'cause I think it sounds like, once these guys find out that you're vulnerable to this kind of attack, they just keep doing it.
Dave Bittner: Right. Kill the goose that lays the golden egg.
Joe Carrigan: Right.
Dave Bittner: Yeah. All right. Well, our thanks to Bennett for taking the time for us. Again, he is the chief customer officer at Signifyd, and we do appreciate him taking the time for us.
Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.
