Hacking Humans 2.9.23
Ep 231 | 2.9.23

A boom of infostealers and stolen credentials.

Keith Jarvis: What we have seen over the last couple of years is these, you know, credentials are increasingly being used as the point of entry into corporate networks, which then leads to really large ransomware incidents.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Keith Jarvis, senior security researcher at Secureworks, joins us to talk about stealers and trackers. 

Dave Bittner: All right, Joe, before we jump into our stories here, we have a bit of follow-up. Do you want me to read this? 

Joe Carrigan: Oh, sure. That's - it'd be great. 

Dave Bittner: All right. A listener named Ron writes in and says, hey, gentlemen. I've been a longtime listener and constant learner from your show. I teach military members about personal cybersecurity and how to be safer on the internet. I cite your show as a top pick for those wanting to start out in digital privacy and security and zero regrets. Every week I'm given new and heavy-hitting examples of how bad things can get. But I leave each show feeling somehow better about our chances to overcome them. Well, thank you, Ron. That's very... 

Joe Carrigan: Very kind words, Ron. 

Dave Bittner: Yeah. Anyway, another top pick I push on my students is a book by Carey Parker called "Firewalls Don't Stop Dragons." Have you heard of it? 

Joe Carrigan: I have not. 

Dave Bittner: Me neither (laughter). Ron says, let me throw in here that I am in no way affiliated with the author or his work. But in my library of books on internet safety and security, this one happens to be the most accessible, in my opinion, for newcomers to the realm. And much of what you discuss is covered, too. He says, thanks in advance, and please keep doing what you do. It makes my job easier. 

Joe Carrigan: So I looked up this book on Amazon. 

Dave Bittner: Yeah. 

Joe Carrigan: And Carey Parker is about to come out with a fifth edition of this book. 

Dave Bittner: Oh, wow. 

Joe Carrigan: So I didn't - I want to just go out and buy it. But if I see that he's going to buy a - or going to come out with a fifth edition, I might hold off until that comes out. 

Dave Bittner: OK. 

Joe Carrigan: The library system around here does not have it, so you couldn't just go and read it for free at the library like some kind of software pirate or - I don't know. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, it's - I kind of always feel that way when I read a book at the library. Like, I'm not paying the author to do it, you know? 

Dave Bittner: They still - I mean, the book still gets sold. 

Joe Carrigan: Yeah, right, right. But I still go to the library. It doesn't bother me that much. 

Dave Bittner: Yeah. 

Joe Carrigan: And frequently, I do buy the books. 

Dave Bittner: Yeah. 

Joe Carrigan: Not that I need to justify it. I don't know why I feel like I do. But anyway... 

Dave Bittner: There's no guilt or shame in using your public library, Joe. 

Joe Carrigan: Right. Yeah. It's a great place, great resource. I think we might - we should probably reach out to Carey Parker, see if we can get him on the show. 

Dave Bittner: Yeah. 

Joe Carrigan: It would be a great idea. 

Dave Bittner: Yeah, that is a great idea. We'll do it. I like the idea of dragons also... 

Joe Carrigan: Right. 

Dave Bittner: ...'Cause I think about sometimes - I know you and I have discussed this in the past that I like the metaphor of, you know, the little town below the mountain. And up on the mountain, there's a dragon. 

Joe Carrigan: Right. 

Dave Bittner: And the town has to decide, you know, do we kill the dragon, or are we OK with the dragon every now and then flying down from the mountain and picking somebody off to eat? 

Joe Carrigan: Right. 

Dave Bittner: You know, and that's a decision sometimes you have to make, you know? And so I like that. I'm intrigued by the metaphor. So... 

Joe Carrigan: Yeah, it's the same as the Scylla and Charybdis problem, you know? 

Dave Bittner: Yeah. All right. Well, Ron, thank you for writing in. We do appreciate it. And we will check out that book. Again, it's called "Firewalls Don't Stop Dragons." 

Dave Bittner: All right, Joe. Let's jump into our stories this week. I'm going to kick things off for us. And my story this week comes from ISMS.online, which I believe stands for Information Security Management Services Online. It's an organization that provides certifications and helps organizations make sure that they're following regulations and so on and so forth. But they also have a blog section here, and there's an article here written by Dan Raywood, and it's titled "Password Managers: A Work in Progress Despite Popularity." 

Joe Carrigan: Yeah. 

Dave Bittner: And I think this is sort of triggered by some of the, shall we say, challenges that some of the password management companies have had as of late. 

Joe Carrigan: Right. 

Dave Bittner: I think most famously LastPass... 

Joe Carrigan: Yes. 

Dave Bittner: ...Who's had a... 

Joe Carrigan: Had a breach. 

Dave Bittner: Had a breach and sort of - I don't know. Cascading isn't quite the right word - a series of revelations that have come from that breach that have sort of trickled out about the seriousness of that breach and the degree to which that breach is an issue. It's uncovered perhaps some shortcomings in some of the ways that LastPass handled some of their encryption, what they chose to encrypt or didn't encrypt, the amount of encryption that your files had applied to them. And some of it, I believe, depended on how long you've had a LastPass account. Like, you know, they... 

Joe Carrigan: So they never upgraded the encryption over time? 

Dave Bittner: Yes. Yes. Right, exactly. So in a way, they did upgrade the encryption over time, but they didn't retroactively go back and reencrypt stuff from people from the old - you know, the old customers who had originally come on board when they were using a lower level of encryption. 

Joe Carrigan: Right. Right. 

Dave Bittner: So... 

Joe Carrigan: Which if the customer is still using the product, there's a fairly standardized way of going about updating the encryption. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. You - it's the same with hashing algorithms. 

Dave Bittner: OK. 

Joe Carrigan: The customer has to log in. For a hashing algorithm, they have to use - you know, if you're going to upgrade your hashing algorithm, then you - in these hashes, there is a little indicator of what algorithm was used to hash it. 

Dave Bittner: Yeah. 

Joe Carrigan: So if you see that that's out of date, then you check it with the old algorithm, and when it matches, you rehash it with the new algorithm and just put it back in the system. That's how you do it. And the same thing can be done with the encryption on these devices. But the user does have to log in, depending on the level of encryption that these companies had. Now, LastPass always claimed that you were the only person that could decrypt your data. 

Dave Bittner: Correct. 

Joe Carrigan: Right? 

Dave Bittner: Correct. 

Joe Carrigan: So if they can't decrypt it, they can't do this unless you log in. 

Dave Bittner: Right. Right. And I think they're recommending one of the things you do is change your master password... 

Joe Carrigan: Right. 

Dave Bittner: ...To something complex and long. And I think that triggers the reencryption of everything. So that's... 

Joe Carrigan: Yeah, but that shouldn't be necessary. You should just be able to reencrypt it just by them using the service again. 

Dave Bittner: Yeah. So the fundamental question that this article asks is are password managers to be trusted? And I wanted to put that question in front of you here, Joe. 

Joe Carrigan: Yeah. 

Dave Bittner: What do you think? 

Joe Carrigan: That's a good question. Well, this - yeah, we talked about - we've addressed this risk before, that you are putting all your fish - or all your eggs; that's the analogy - all your eggs in one basket. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: But it's a pretty good basket. So, you know, I don't know. Do you use LastPass or 1Password? 

Dave Bittner: We have used LastPass. Yes. 

Joe Carrigan: Can you protect that with a multifactor authentication like a FIDO key or something? 

Dave Bittner: Yes. And I do. 

Joe Carrigan: OK. So if you do that, these guys are never going to break whatever was encrypted on that. They're just not going to have the information. Even with all the brute forcing in the world, they're just never going to be able to get through that. So that data is pretty safe. But the question then is, what was encrypted? Well, everything should have been encrypted, but... 

Dave Bittner: It turns out... 

Joe Carrigan: Turns out, it's not. 

Dave Bittner: Right. 

Joe Carrigan: So... 

Dave Bittner: Right. 

Joe Carrigan: I mean, there are personal solutions. I still don't like the idea of browser-based password managers. Microsoft has a password manager. Google now has a password manager, but it's fairly integrated with the Chrome browser, so I'm not sure how much I like it. Firefox has one built into it. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm sure it's better than it ever was, but you're still storing your data in the browser. 

Dave Bittner: Yeah. Apple has one. 

Joe Carrigan: Apple has one. Yup. 

Dave Bittner: Yeah. 

Joe Carrigan: Microsoft's is actually separate. It's part of an application called Microsoft Authenticator. So it's - I feel better about that one. But I've started using KeePass because it runs on Linux and Windows. I think there might even be an Apple version for it. 

Dave Bittner: OK. 

Joe Carrigan: But it - I'm moving away from Password Safe because there's no Linux-based implementation that lets you use YubiKey. 

Dave Bittner: OK. 

Joe Carrigan: So I use the YubiKey on my local - on my Windows machine, but when I need to move the data or when I need to put this on a Linux machine, I need to take that protection off of it. And since I store that in the cloud, I don't want to do that. 

Dave Bittner: Right. 

Joe Carrigan: So... 

Dave Bittner: Right. 

Joe Carrigan: But KeePass lets me do everything, and it's open source and free. But then I have to manage the passwords. And I'm already running into an issue where I've got databases out of sync. I am OK with this because it's - No. 1, it's free, and I'm cheap. No. 2, I'm pretty sure that this kind of a problem is not going to - this LastPass problem is not going to happen with KeePass. Even if the bad guys do get my file, it is completely encrypted with the algorithm. The entire file is encrypted, and they're going to need my YubiKey to open it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is - they're going to have to physically access me, and at that point in time, I have a different set of problems. 

Dave Bittner: I wonder if the incident that LastPass has gone through here - and I guess it's better to say the incident that LastPass's users have gone through here... 

Joe Carrigan: Right. 

Dave Bittner: ...Is that an indication that maybe something that is open source is better because - or at least to be considered because that would have the scrutiny... 

Joe Carrigan: Right. 

Dave Bittner: ...Of people looking at it. I think a lot of LastPass users were surprised after this breach to find out that their - when their vaults were stolen, that not everything in the vault was encrypted. 

Joe Carrigan: Right. 

Dave Bittner: And if this had been an open-source project, perhaps it would have had a lot of eyes on it, and that would have been known ahead of time. 

Joe Carrigan: Yeah, that's the argument, the common argument that open-source advocates put forward. 

Dave Bittner: Yeah. 

Joe Carrigan: But one of the big problems is that you really do need to have those eyes put on it. 

Dave Bittner: Right, right. And it's not a guarantee. 

Joe Carrigan: It's not a guarantee. 

Dave Bittner: Yeah. 

Joe Carrigan: There have been eyes on crypto products in the past. Like, for example, I think Matt Green was part of this effort when VeraCrypt was still around. Was it - no, it was TrueCrypt, the predecessor to VeraCrypt. They did an analysis on TrueCrypt and found that it was - that the cryptography was implemented well. TrueCrypt eventually shut down, and somebody picked up the code and implemented VeraCrypt with stronger encryption. So that's a way to encrypt files on your hard drive, by the way. 

Dave Bittner: OK. 

Joe Carrigan: So if you need an encrypted volume, a place to store data - like, all my tax data is stored in a VeraCrypt volume... 

Dave Bittner: Right, right. 

Joe Carrigan: ...So that if somebody does get access to my computer, as long as I don't have that file opened as a hard drive on my computer, they will never get that information out because the - they'd have to know the very long password that I use to store that and that is stored in my password manager, which is protected with my YubiKey. So it's going to be very difficult for them to get in. 

Dave Bittner: Good luck to you. 

Joe Carrigan: Yeah, good luck. 

Dave Bittner: Yeah. 

Joe Carrigan: But, you know, I'm not - I'm an outlier, I should say, in this. 

Dave Bittner: (Laughter) You sure are, Joe. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, I'm incredibly paranoid about having my data breached. I know how to use the encryption products. Not everybody does. 

Dave Bittner: Yeah. 

Joe Carrigan: It's not - you know, it's not something you just - there is a learning curve. It's not much of a learning curve. 

Dave Bittner: You have that combination of paranoia and technical know-how... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...That leads you down pathways that most are not willing to tread (laughter). 

Joe Carrigan: Right. You're like, I'm not following Joe down that dark road. 

Dave Bittner: Right. Right (laughter). Well, so a couple other things come to mind here for me. First of all, I wonder if we are moving away from this altogether. You know, it seems to me like the momentum is toward ultimately doing away with usernames and passwords. 

Joe Carrigan: Right. Yeah, just going to some kind of public key, private key system. 

Dave Bittner: Right - some alternative that uses other ways to get - to log in to things. 

Joe Carrigan: Yeah. 

Dave Bittner: Biometric or - who knows? But that seems to be the direction that people want to go in. And I think there's good - many, many good reasons for that. 

Joe Carrigan: Yeah. 

Dave Bittner: So I wonder if this is just something to - we're biding our time with. 

Joe Carrigan: Yeah. 

Dave Bittner: In the meantime, it's... 

Joe Carrigan: I hope so. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, we've been talking about the death of passwords since you and I have been on this show and on the CyberWire together. 

Dave Bittner: Yeah, true. 

Joe Carrigan: So - and it still hasn't happened yet. It - I think it is coming. I think it is coming. But I mean, you're always - I think you're still going to need a password. It's just that all these other layers on top are going to be essentially better. And that password is still going to offer you some level of protection, especially if it's a good, strong password, that just makes it harder. But really, these additional features are going to make it much harder. And that's really where the benefits are going to come in. 

Dave Bittner: Yeah. And I think also one thing this article points out is that this is very much about risk management. 

Joe Carrigan: It is. 

Dave Bittner: It's not an all-or-nothing thing. 

Joe Carrigan: Right. 

Dave Bittner: There's no 100% solution here. 

Joe Carrigan: Correct. 

Dave Bittner: It's about - this article points out that for many people, having a notebook in your kitchen drawer with a pencil and paper, you know... 

Joe Carrigan: Yeah. 

Dave Bittner: That may be the best password manager for you. 

Joe Carrigan: It might be. And people laugh at that, you know, but now in order for a malicious actor to get access to your passwords, they have to physically break in your house. That's a much bigger risk for someone to take. 

Dave Bittner: Right. 

Joe Carrigan: You know, and if you're just a regular guy like you or me, that - nobody's going to take that risk for it, right? 

Dave Bittner: Right, right. 

Joe Carrigan: But if you're - you know, maybe if you're a higher - a high-up official in some government agency, then that's not - that's your risk model. And somebody might break into your house. So you don't do that. 

Dave Bittner: Right. 

Joe Carrigan: You have to assess your own risk model. It's - I often say this, that security is a spectrum. You know, cryptographers tend to think of security in a very binary way, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Either it's secure, or it's not. If I can break it, it's not secure. No matter what I have to do, it's - if it's broken, it's broken. I - and I understand what they're talking about because they're thinking about the mathematic problems, the math behind everything. 

Dave Bittner: Yeah. 

Joe Carrigan: And they're correct. They're correct. But if you move yourself in a more secure direction, that's better. And, you know, you can't really quantify that. I mean, you can say that one is better than the other. Like, we often say that even an SMS multifactor authentication code texted to you is better than nothing. 

Dave Bittner: Right. 

Joe Carrigan: And it is. But too many people go, well, that's no good. It's not secure at all. And they're correct. But it's still better than nothing. 

Dave Bittner: Yeah. Yeah. So is it fair to say that we're still on team password manager? (Laughter). 

Joe Carrigan: I am still on team password manager. Yeah. 

Dave Bittner: I am, too. I am, too. I think it's still definitely better - I think it's better to have a password manager than to not have a password manager... 

Joe Carrigan: Right. 

Dave Bittner: ...For many, many reasons, as we've outlined here. 

Joe Carrigan: Yep. And, you know, this is not something that is - that has happened to me because I'm not a LastPass customer. I'm - I use the open-source products. But these open-source products have, in the past, been targeted by malware to deliver, you know, data exfiltration products that can deliver the unencrypted safe out - or the encrypted safe, rather - the encrypted file out. So, you know, it's out there. 

Dave Bittner: Yeah. 

Joe Carrigan: It's out there. 

Dave Bittner: Yeah. All right. Well, that is my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, once again, I have two stories. The first story is going to make you mad, and the second story is going to make you laugh. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: And I'm not proud of the first... 

Dave Bittner: Well, I'll be the judge of that (laughter). 

Joe Carrigan: Right. I'm not proud of the first story coming from this source, but it comes from TMZ. 

Dave Bittner: Oh. 

Joe Carrigan: Right. 

Dave Bittner: OK. So was that at the top of your list of - in your browser bookmarks you check in? 

Joe Carrigan: It is, Dave. I am very concerned about... 

Dave Bittner: (Laughter) Every day? 

Joe Carrigan: ...All the news and sports and... 

Dave Bittner: Sure, sure. 

Joe Carrigan: ...Hip-hop and photos and - I'm just reading the titles across the top of - the menu across the top. 

Dave Bittner: OK. OK (laughter). 

Joe Carrigan: So this is a story about a 19-year-old TikTok-er by the name of Madison Russo, who has been picked up by her local police department in Iowa because she was on TikTok telling people that she has had cancer and not just any cancer, but three different diagnosis - diagnoses? Diagnosis? Diagnoses. She said she had leukemia, then she had pancreatic cancer, and then she had a tumor the size of a football. 

Dave Bittner: Oh. 

Joe Carrigan: And she had used TikTok as a way to raise money through GoFundMe and had gotten 439 people to give her $37,000. 

Dave Bittner: Wow. 

Joe Carrigan: Somebody called the police and said, I don't - this seems a little bit fishy. And the police swung around, and they found - when they went into her house, they found all kinds of things just laying around the house, like oxygen tubes, a pill for - pills for an anti-nausea medication that they say were just - they weren't prescribed to her. They were prescribed to somebody else. But she was using them as props. Here's a picture, Dave. Here she is with the tube in her nose and looking - smiling and looking good. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: And she's talking - she has also what looks like a - one of those drug injection lines that they put in your chest when you're in the hospital. 

Dave Bittner: Right, right, right. 

Joe Carrigan: I think this picture was just taken in her apartment. 

Dave Bittner: So she did not have cancer. She does not have cancer. 

Joe Carrigan: She does not have cancer. She's fine. They subpoenaed her medical records as well and found she had no diagnosis of cancer. So... 

Dave Bittner: Wow. So does she get charged with fraud? 

Joe Carrigan: She gets charged with theft, is what they charged her with. 

Dave Bittner: Oh, OK. 

Joe Carrigan: And it's a - you know, it's a simple charity scam. 

Dave Bittner: Right. I guess - this is tough because we all see these sorts of things, especially if you're on social media, and given - for our international listeners, given the sad state of affairs of the U.S. health care system, it's pretty common these days to see these sort of GoFundMe campaigns for folks who have outstripped their health insurance or need help with funding. And so you see these things, and sometimes they'll pull your heartstrings, and you'll say, well, there's someone maybe I want to give some money to. 

Joe Carrigan: Right. 

Dave Bittner: But it's hard to say, you know, I'd like to give you some money, but first, I'm going to need some verification. 

Joe Carrigan: Right. Yeah, you can't say that. 

Dave Bittner: Like, you don't want to say, prove it. 

Joe Carrigan: Right. 

Dave Bittner: And then that's exactly what this woman was taking advantage of, I suppose. 

Joe Carrigan: Exactly. And, well, she's going to - she could face up to 10 years in prison for this. 

Dave Bittner: Wow. 

Joe Carrigan: So, you know, it's good that she's been stopped. The people that sent her money are probably out the money. I don't think they're going to get that back. But, you know, be mindful of who you're giving money to online. The charity scams are out there, and they play on your emotions. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a trigger that a lot of us have. I feel bad for that person. 

Dave Bittner: Right. 

Joe Carrigan: Generally - you know, I generally don't give to these kind of things. I have in the past when somebody said, hey, I know this guy. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, he's going through this, and this is terrible. I've said, OK, I'll send him some money. 

Dave Bittner: Yeah. 

Joe Carrigan: But, you know, the person I knew telling me this was somebody I trusted... 

Dave Bittner: Right. Right. 

Joe Carrigan: ...And personally asked me to donate some money. And I donated a little bit of money, and if they scammed me out of the 20 bucks I gave them, OK, you got me. 

Dave Bittner: Yeah. Right. 

Joe Carrigan: You know, it doesn't really hurt. 

Dave Bittner: Yeah, it's hard to not take on a certain amount of cynicism in the face of these sorts of things, you know, you - to still be open to giving... 

Joe Carrigan: Right. 

Dave Bittner: ...For the folks who legitimately need it, yeah. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: All right. Well, what's your other story, Joe? 

Joe Carrigan: My other story is - comes from PetaPixel, and it comes from Pesala Bandara. And the title is - I'm not going to spoil the title. But the... 

Dave Bittner: (Laughter). 

Joe Carrigan: I'm not going to say what it is. But it's about the U.S. Marines and the U.S. Army. 

Dave Bittner: OK. 

Joe Carrigan: Apparently, the U.S. Army set up a camera system that was powered by AI image processing software... 

Dave Bittner: OK. 

Joe Carrigan: ...To monitor an area. And then they... 

Dave Bittner: So like a security camera. 

Joe Carrigan: Like a security camera, right. 

Dave Bittner: OK. Yeah. 

Joe Carrigan: And then they said to a group of Marines - I think it was eight Marines. They said, let's see if you guys can get through this. And Dave, not a single Marine got detected. All they had to do was touch a robot. You know, that was the objective of the exercise, was to get in there and touch a robot. 

Dave Bittner: So at the center of this area, there's a robot. 

Joe Carrigan: Right. 

Dave Bittner: And - OK. 

Joe Carrigan: So they spent... 

Dave Bittner: It's like tag with a robot (laughter). 

Joe Carrigan: They spent six days - right. It's like tag. 

Dave Bittner: Yeah. 

Joe Carrigan: Six days training the AI. And then the Marines went in. All eight of them got through. One pair of Marines did somersaults for 300 meters and got through because the AI didn't recognize them as people coming in. 

Dave Bittner: (Laughter) Oh, 'cause of the movement. So the AI thought, oh, here comes some tumbleweeds or something. 

Joe Carrigan: Right. 

Dave Bittner: Nothing to be concerned about. 

Joe Carrigan: Nothing to be - they didn't recognize it as humans. 

Dave Bittner: OK. 

Joe Carrigan: Two Marines successfully evaded the camera by hiding in a cardboard box, which is a strategy they learned from a video game called Metal Gear Solid. 

Dave Bittner: (Laughter) Oh. 

Joe Carrigan: And this is a - there's a great quote in here. You can hear them giggling the whole time. 

Dave Bittner: So now the Marines are issuing tactical cardboard boxes. 

Joe Carrigan: Right. 

Joe Carrigan: Another Marine field stripped a fir tree and walked like a fir tree. 

Dave Bittner: Field stripped. 

Joe Carrigan: Yeah, field stripped. That's what they used to do with cigarettes when you - tearing - when you were smoking in the field, you'd tear your cigarette apart. That's field stripping. But this guy... 

Dave Bittner: OK. 

Joe Carrigan: ...Field stripped a fir tree and then walked in, and the AI camera didn't notice anything. 

Dave Bittner: Oh, my gosh. 

Joe Carrigan: So I think this is a great - we'll put a link in the show notes. It's simple tricks. This is from a forthcoming book. And, oh, by the way, this came from Rob - listener Rob - who sent this to us. 

Dave Bittner: OK. 

Joe Carrigan: I want to thank Rob for sending this... 

Dave Bittner: Thank you, Rob. 

Joe Carrigan: ...'Cause this is hilarious. 

Dave Bittner: It's like something out of an old Warner Brothers cartoon, with the... 

Joe Carrigan: (Laughter) Yeah. Like Wile E. Coyote with the bush? 

Dave Bittner: You know, the coyote. Yeah, exactly. Just sneaking in, no one to see here - bush. Oh, that's hilarious. All right. Well, those are our stories for this week. And we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it's time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes from Tim, who says, hey, Dave and Joe. I got this really interesting scam email sent to an address I no longer use. It made it past the spam filters, probably because it is actually from PayPal. It's a unique twist on the classic send off an invoice and hope they pay it scam that I've never seen before. What they've done here is sent an invoice as though they were Coinbase, which of course they are not. After verifying that it was indeed a legitimate PayPal link with no weird redirects or anything in the URL, I opened a simplified version of the URL on the VPN and in a sandbox browser, and it did indeed resolve to a legitimate PayPal invoice. So it's - again, we're seeing this. This happens a lot, where you can get on PayPal and just send anybody an invoice... 

Dave Bittner: OK. 

Joe Carrigan: ...And tell them pay me through PayPal. But what these guys have done here is a little bit different than that. 

Dave Bittner: OK. 

Joe Carrigan: So why don't you - this is a - it looks like an invoice from Coinbase. 

Dave Bittner: And it says, (impersonating Arnold Schwarzenegger) dear customer, you sent a payment of $479 to Coinbase Corporation. If you did not make this payment or to cancel this transaction, please call our help desk number. Cancellation after 24 hours from this email won't be valid for refund. Have a great day, PayPal help desk. 

Joe Carrigan: Right. And then they give you a phone number. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And that's the scam here. They're trying to get you to call the phone number, and then I'll bet they're going to try to get access to your Coinbase account if you have one. 

Dave Bittner: Oh. 

Joe Carrigan: So Coinbase is where you keep cryptocurrency. It's a cryptocurrency exchange. 

Dave Bittner: I see. 

Joe Carrigan: So if I'm a scammer and I want to scam a bunch of people out of their cryptocurrency, I'm going to go, where do people keep their cryptocurrency? Well, they keep - some of them keep them in exchanges. I'm going to send out a bunch of emails looking like I'm Coinbase about to bill somebody and get them to call me. Then I'm going to have them install the remote access software on their computer. And then I'm going to get access to their Coinbase. And then I'm just going to transfer all the cryptocurrency to my wallets. And that's going to be the game. That's the end of it. You will not get that back. There is no regulation or anything to stop it from happening. 

Dave Bittner: Yeah. It's interesting that they're saying in this email - they want you to call what they're claiming is the PayPal help desk... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Which, of course, it isn't. 

Joe Carrigan: That's right. 

Dave Bittner: But I bet if you call, they'll answer the phone and say PayPal help desk. 

Joe Carrigan: Yup. I'm 100% sure that's the case. 

Dave Bittner: So do you think they're going after your PayPal account, your Coinbase account or both? 

Joe Carrigan: My thinking is they're going - probably both. They might be going after both. 

Dave Bittner: Yeah. 

Joe Carrigan: But my thinking, initially, is they're going after Coinbase. 

Dave Bittner: Oh. 

Joe Carrigan: That's - because that's where people keep their resources, keep a lot of resources. 

Dave Bittner: Right. Right. What could PayPal be doing to help tamp down this sort of thing? I mean, if it's widespread like this - I'm looking on this for a place to report this as a fraud. 

Joe Carrigan: Right. There's no place to do that. 

Dave Bittner: Yeah, it does say at the bottom - don't know the seller? You can - oh, there is a contact us button, yeah. 

Joe Carrigan: The contact button. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: OK. So there is it. 

Dave Bittner: I suppose there is a way to report it. 

Joe Carrigan: Yeah. I don't know how effective that is. I mean, the problem with these companies is that they are large companies operating with the smallest possible staff they can afford to operate with. 

Dave Bittner: Right. 

Joe Carrigan: And, you know, like I say often, when you're dealing with these companies, it's like screaming into the void. 

Dave Bittner: Yeah. You know what, Joe? I need to make up T-shirts that say, we can't do that at scale. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: And on the back, it says, then don't do it. 

Dave Bittner: Right. Right. Don't do that (laughter). There you go. All right, well, thank you, Tim, for sending that in. Tim is a regular contributor to this show and other shows as well. So friend of the show Tim sent this in. We do appreciate it. And again, we would love to hear from you. You can email us at hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Keith Jarvis. He is a senior security researcher at Secureworks. And we were talking about infostealers and trackers. Here's my conversation with Keith Jarvis. 

Keith Jarvis: And so over the last several years, we've really seen this particular way of getting into networks sort of, you know, explode, right? So infostealers, stealing credentials - nothing really new there. That's been with us for decades. But there's just - the ecosystem is really flush with options for threat actors to go in and buy infostealers that steal essentially everything off of a computer. They can choose, you know, one that's hosted by the threat actors or one that they host themselves. Really, they go from very basic up to advanced capabilities. And what we've seen from Secureworks' perspective over the last several years as - is the, you know, credentials are increasingly being used as the point of entry into corporate networks, which then leads to really large ransomware incidents. 

Dave Bittner: Can you walk us through the typical life cycle of something like this with an infostealer? I mean, how does one find themselves victim of it? And then ultimately, how do the credentials end up for sale? 

Keith Jarvis: Right. So, again, there's so many of these infostealers that are for sale, and there's so many customers. Really, how you end up getting one is basically how you get anything. I mean, there's just so many people involved with this. It may come in through a spam email. It may come in through pirated software that's been laden with one of these infostealers. Somebody may break into your network through other means, and then they also want to capture credentials from the computers that they've gotten access to. So they'll drop one of these infostealers on there. So there's a lot of different ways that these are getting into corporate networks. 

Keith Jarvis: And then, from there, it's sort of like potluck what happens to your stolen credentials. Some of these threat actors are - their business model is to steal credentials and then to sell them on the open market and try to make money that way, not by actually monetizing the machines they broke into but basically just a smash and grab operation where they get stuff, and then they bundle it, and they sell it online. From there, on those marketplaces where that data is sold, really, it's anyone's guess who's going to actually end up purchasing that lot. Sometimes, it's going to be people looking for, you know, cryptocurrency, maybe people looking for infrastructure to run another operation. But oftentimes, we've seen it's going to be somebody who wants to break into a corporate network and distribute ransomware throughout that network. 

Dave Bittner: Yeah, one of the things that I see you all highlighted was the ability for folks to go on to one of these markets and basically make a request to say, these are the types of things I'm interested in. 

Keith Jarvis: Yeah, and that's kind of a new feature. There is a place called Russian Market that introduced that in October - the ability to say, hey, I have a specific interest in this platform or this website, so I'm going to put that out there as a sort of presale request. And then hopefully, a vendor on that website is going to say, oh, this person wants this demand for this amount of money, so I'm going to go hunt for that. In the past, it's usually been they distribute these infostealers en masse. And then basically, what you might typically expect to find on a computer - Gmail address, you know, WinSCP credentials, these sorts of things. That's what comes back into what they call the logs. And those are sort of bundled up and sold. And you basically - what's for sale is what they're providing, right? You don't get any choice into what they've actually compromised. But with this, you know, you can say, oh, I want to get into some major e-commerce platform. Or I know that software vendor uses this internal administrative interface, so I'm going to provide the URL as a mask and see where I can get those specific types of credentials that I can use in a particular type of intrusion. 

Dave Bittner: What about at the high end? As you mention here, folks who want specific access to, let's say, a Fortune 500 company or something like that - is that available, as well? 

Keith Jarvis: Yeah. So usually with the marketplaces, that's really - you're working in bulk data. But there's an entire cottage industry of what we call initial access brokers, the people who get into the network first, and then they're looking to sell that access. They don't want to do the rest of the intrusion. So a lot of that happens on places like Telegram or on the underground forums where they'll say, I have access to a Fortune 50 company in the U.S., and it has X amount of revenue. I'm selling this for $15,000, or it may be something much less, you know, interesting than that. You know, I have a Japanese company with 10 million in revenue, and here's access for $200. So that's usually where they've identified what they think is high-value. And they know that they can get more money out of selling that and just bundling it with everybody else's credentials. 

Dave Bittner: One of the things that strikes me is the professionalism that's going on behind the scenes here. I mean, am I right that these organizations really - they're set up like legitimate businesses? 

Keith Jarvis: Yeah, absolutely. So especially with these markets over the last four or five years, there was nothing really like this just that long ago. This is kind of, I think, the credit card theft that was rampant a number of years ago. These sort of shops popped up to service that market - stolen credit cards. And this is sort of the continuum of that because it's increasingly difficult to monetize stolen payment cards. So what we saw as innovation, you know, a number of years ago in that space has now moved over to credentials. And you're right. These are all very automated, slick platforms for just going in and really quickly searching for what you want that day and then buying it and, again, now requesting, you know, specific bespoke intrusions based on, you know, a mask or something like that. So it's really sort of mechanized and professionalized over the last couple years. And it makes it really easy, and it lowers the bar for certain bad actors to really get into this game. 

Dave Bittner: And what interest are you all seeing, if any, from law enforcement to monitor this and try to tamp down on it? 

Keith Jarvis: Yeah. So it's an increasingly prevalent way of getting into corporate networks from our telemetry over the last several years. It's definitely on law enforcement's radar here in the United States and abroad, in the U.K., etc. I don't know specifically what they're trying to do. I know they've gone after payment card forums and marketplaces. They've just recently gone after DDoS booting services. One imagines that they're doing something up for these particular types of markets. But we know that justice works very slowly. So I'm not sure when that's going to actually happen, but I'm assured that it's a priority for those groups. 

Dave Bittner: So what are your recommendations, then, for organizations who want to best protect themselves here? What sort of things should they put in place? 

Keith Jarvis: Right - so good security controls, you know, at the perimeter, preventing spam emails from getting in, preventing people from downloading stuff while browsing the web. But something is going to get through eventually - so having really good telemetry and visibility into your endpoints to see when one of these infostealers lands that you can identify it and quarantine that machine as soon as possible. And then after that, don't just image the machine and sort of go on about your business. You really have to say, OK, this machine has been completely harvested of all the private information that was on it. And that's going to be a mixture of data that belonged to the individual that was using that machine and also probably a lot of corporate secrets. 

Keith Jarvis: So you really have to do an accounting of what was stolen there and to do password resets to help that individual, you know, reset the thing to their own personal life and banking details and stuff like that because you can't just assume because you wipe the malware that it's no longer a threat. And I think also, obviously, multifactor authentication - the more critical assets you can put that in front of, the better prepared you are going to be when one of these things does happen and somebody does try and come back with credentials and get in. 

Dave Bittner: Yeah. I mean, is that really the key - for the consumer to have good password hygiene? 

Keith Jarvis: Yeah, absolutely. But as we're asking people to get better about their hygiene, they're forgetting their passwords. So they're storing them in the browser. They're storing them in password managers, which is, you know, nominally a good thing. But that also means that there's a giant cache of credentials on every machine in the world now where the software comes in and steals it. So it's kind of a mixed blessing. I think it's a net positive that we're moving people towards that, but this is kind of one of the downsides of that - is that people are storing these things, you know, not in text files and Excel spreadsheets anymore but in proper password managers. But still, it is a concern. 

Dave Bittner: Where do you suppose we're headed here? You know, you're mentioning that the folks who previously had been working in credit cards - stolen credit cards have moved on to this. I mean, is there a natural evolution that's going on here as cat and mouse? 

Keith Jarvis: No. I think we're in the full swing of this particular era of, you know, credential theft. I think the increasing adoption of MFA and especially, you know, advanced options with MFA - so, like, with Microsoft 365, you can get a push notification. And we know that attackers are spamming those push notifications and just getting through anyway. They've introduced number matching, where you have to match a number with the actual prompt that prevents that type of attack - the same with the standard one-time codes, which can be intercepted and then replayed, you know, within a 30-second window. So people are moving past that, and that's really what's going to crush this particular ecosystem. But we know that's sort of a lagging indicator. There's always going to be when the top 1% of security places that can push that out first, and everyone else is going to lag behind. So I think we're in for this particular type of attack for a number of years to come. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Interesting interview. Infostealers can take everything, but I think credentials are really what they're after the most because, once they get the credentials, they can get access. An infostealer is just software, and Keith was talking about how advanced these software packages can be and how - but still, they're just going to do what they're told. 

Dave Bittner: Right. 

Joe Carrigan: A malicious actor with access to your network is much more dangerous than the software. 

Dave Bittner: Oh. 

Joe Carrigan: They're going to, you know, have that - you know, like, they're not going to be distracted by the - they're going to - look, hey, that's a person under a box, right? 

Dave Bittner: Right. Right. Right. 

Joe Carrigan: The - you know, the software may not - something may escape software's notice, but not a human. A human is going to be looking around, taking notice and stealing all the data they can. 

Dave Bittner: Yeah. So a human has an adaptive curiosity. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: That's a good way to put it. There are tons of vectors for this stuff to get into your network, which is just terrible (laughter). But - and Keith talks about, you know, the spam emails and all that - you know, phishing emails. 

Dave Bittner: Yeah. 

Joe Carrigan: And then all the other vectors, as well - fake tech support phone calls, anything. Think about the threat model, where someone is selling access to your network. You know, sometimes, when I think about penetration into a network, I think that this is more like a personal operation. Like, the first guy - there's somebody out there that wants to get into the network. So what do they do? They go in, and they get access. And now that they've got access, they go up to the next thing, and they go, OK, now we got to spread through the network. And now we - then, we've got to finally do something to monetize this. 

Dave Bittner: Right. 

Joe Carrigan: But it's interesting to me that there's, like, a marketplace for these initial access people. These are... 

Dave Bittner: Right. 

Joe Carrigan: ...Guys that just go, can I get in here? Yes, I can. OK, I'm in. I'm done. 

Dave Bittner: Yeah. 

Joe Carrigan: Let me cash out here. Let me monetize just the access part. 

Dave Bittner: Right. 

Joe Carrigan: You know, I haven't done anything that would draw the attention of law enforcement. Let somebody else take that risk. 

Dave Bittner: Right. 

Joe Carrigan: So I'm just going to get some - you know, get some money from somebody that's going to do something bad. And, you know, the whole marketplace is fascinating to me. But then, what you got to think about is - what's the malicious actor? The guy that's actually going to do the damage - what is that - what does that person look like? They are somebody out to just make money off of you, right? They don't care how - they're willing to pay for the access, and they're looking to do as much damage as they can to maximize their profits. 

Dave Bittner: Right. 

Joe Carrigan: So the paradigm has to be that you're - while you're looking for the initial access person, that's not the same guy that's going to come in and do the - and, you know, wreak havoc on your network. It's just some person that's good at getting initial access. And you've got to think of it like the marketplace and the organization that these companies have. You and I have been talking about the development of this organization, and it's been absolutely one of the most fascinating things to watch over time... 

Dave Bittner: Yeah. 

Joe Carrigan: ...How these guys have become specialized. 

Dave Bittner: It's like an "Ocean's 11" team. 

Joe Carrigan: Right. 

Dave Bittner: You know? 

Joe Carrigan: Exactly. 

Dave Bittner: Each person has their specialty. You got the safecracker. You got the... 

Joe Carrigan: Right. 

Dave Bittner: ...Social engineer. You got the... 

Joe Carrigan: I was thinking Henry Ford and... 

Dave Bittner: ...Demolition. 

Joe Carrigan: ...Specialization, right? 

Dave Bittner: Yeah. Yeah, sure. 

Joe Carrigan: You know, he made cars affordable by just having people do small pieces. Now, this malicious activity can be done at scale because people can do their parts very quickly... 

Dave Bittner: Right. 

Joe Carrigan: ...And move it down the cyber assembly line. 

Dave Bittner: Yeah. 

Joe Carrigan: Access prices are interesting, too. I - Keith provides examples from $200 to $15,000. You know, I don't want to take the time to learn how to hack. I just want to get access, and I'm pretty good at that. So here's - it's all still just basically commerce. It's a black market, but it's a market. 

Dave Bittner: Right. 

Joe Carrigan: One of the things that Keith says that's really important is you can't just wipe the machine and move on - that a lot of things have already happened. You've already suffered a data breach when there's an information stealer on a computer. You can't - when you have a malware incident that can't just be - well, we'll just wipe the computer and that's it. We're done. And I like what Keith says, you got to tell the user - do you have any personal information on here? Is any of your banking information on here? You better change all of that because you've been compromised, too. And usually, the user is the one who initiated the activity that got the malicious software on there in the first place. Principle of least privilege is a pretty good way to go about that and limiting that risk. Make sure that the user - if the user doesn't need to have administrative access to the machine or install software, then that user shouldn't have those permissions on your hardware. 

Dave Bittner: Right. 

Joe Carrigan: Again, we hear multifactor authentication. 

Dave Bittner: Yeah. 

Joe Carrigan: And still, password managers are good. Protect them with multifactor authentication, too. But we've already talked about that in your story a lot today. 

Dave Bittner: (Laughter) That's right. That's right. All right. Well, interesting stuff. And, again, our thanks to Keith Jarvis from Secureworks for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.