Saving the world from cybercrime.
Renee Dudley: I just hope that people will see that there's this group who's dedicated to stopping this horrible crime that they may never have heard of before.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, Daniel Golden and Renee Dudley from ProPublica - they're talking about their book, "The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime."
Dave Bittner: All right, Joe, before we jump into our stories this week, we have a bit of follow-up here.
Joe Carrigan: Yes, Dave. Ignacio writes in to give me a bit of a hard time.
Dave Bittner: (Laughter) OK.
Joe Carrigan: You want to read this? This is directed to you, not to Dave and Joe as our letters often are.
Dave Bittner: With pleasure, Joe (laughter). It says, hello, Dave. As usual, the podcast is my go-to for work or exercise. And again, I tend to walk faster or hit the keyboard harder when Joe gets his Apple information wrong.
Joe Carrigan: (Laughter).
Dave Bittner: Last time it was Apple based on Linux.
Joe Carrigan: Wait, did I say that?
Dave Bittner: I don't know. It's probably a slip of the tongue, I would imagine...
Joe Carrigan: Yeah, Apple isn't...
Dave Bittner: ...Because you know that Apple is not based on Linux.
Joe Carrigan: It is not. It's based on FreeBSD...
Dave Bittner: Yeah.
Joe Carrigan: ...As many things are. And there are a multitude of reasonings behind that. And I'm a big fan of FreeBSD. I've...
Dave Bittner: Yeah.
Joe Carrigan: ...Had it as an operating system. It's a great operating system.
Dave Bittner: All right. Well, step away from the rat hole...
Joe Carrigan: Yep.
Dave Bittner: ...Because we're going to continue Ignacio's letter here.
Joe Carrigan: Yes, thank you.
Dave Bittner: He says, this time Joe stated that he prefers open source options for password managers since he's cheap. Well, I'm cheaper, so I prefer the free Apple keychain via the free Mac OS, iOS, iPad OS - and he says, Joe's Microsoft Windows ain't free - for my password manager. It keeps the passcodes encrypted. It can be used on any or all of your Apple devices. It incorporates not only two-factor but multifactor options plus YubiKey now too. You don't have to remember any passwords or create any passwords and it does it for free - cheap - on the only security-first OS.
Dave Bittner: In addition, it helps you identify accounts that were part of a breach - no need to look up on Have I Been Pwned - and tell you which accounts have reused passwords. Joe's Linux or Windows can't claim it's a security-first for those OSes. I just want to point out here that Ignacio is pedantically spelling Windows with a Z, as they do.
Joe Carrigan: Windows - D-O-Z-E.
Dave Bittner: Windows, yes.
Joe Carrigan: This is spoken like somebody from the - Apple's community back in the late '80s, early '90s.
Dave Bittner: That's right. That's right.
Joe Carrigan: Or early '90s, when Windows first came out.
Dave Bittner: So he goes on and says, if the term open source is his preferred option, why not use Unix/BSD, which is what the Mac OS and iOS is built on? You can have lots of fun quizzing Joe on every episode about Apple security options which are all free and have yet to show up on any breach. Again, Joe and you do a great job - informative and entertaining. You have both mastered the art of communicate-to-educate. You guys keep up the great work. So a little spoonful of sugar there to make the medicine go down, right?
(LAUGHTER)
Joe Carrigan: Got a couple of things. Number one, Apple's OS is not the only nor the first security-focused operating system. If you really want a security-focused operating system, you can look at OpenBSD, which has been around since 1997 and has had only two remote security holes since then - two in - what? - almost 30 years.
Dave Bittner: Yeah.
Joe Carrigan: That's a lot.
Dave Bittner: OK.
Joe Carrigan: So if - let me get a little more pedantic than Ignacio does here.
Dave Bittner: It's not a contest, Joe.
Joe Carrigan: Are you sure? (Laughter) No. I will agree...
Dave Bittner: OK.
Joe Carrigan: ...That if you have that Apple - the only thing I don't like about Apple Keychain is the name.
Dave Bittner: Yeah.
Joe Carrigan: Everything else is great about it.
Dave Bittner: OK.
Joe Carrigan: I just don't like the name because that's now an overloaded term for something else, right?
Dave Bittner: Yeah.
Joe Carrigan: Maybe keychain is fine because I'm thinking certificate chains. But that's what I think of when I think of cryptography. But Apple, they are - one of the things they're very good at is marketing, and that's actually what makes their system pretty good. I mean, they are focused on the user. And I've said this about Apple. They do security well. They do user focus well. And, Dave, I want to point out to you, look through the window and tell me what logo is on the back of the laptop I'm using.
Dave Bittner: That is an Apple logo.
Joe Carrigan: That's an Apple logo.
Dave Bittner: Yes.
Joe Carrigan: I have - there was a spare Apple computer at the office. And somebody said, hey, I've got this Apple computer laying around. Nobody said they would take it. So I said, I'll try it. So here I am, trying it.
Dave Bittner: (Laughter) Oh, good for you. Welcome to a new world. You've expanded your horizons.
Joe Carrigan: So far, I don't know what to do with it other than surf the web. This thing is very little more than a Chromebook to me.
Dave Bittner: Yeah. Well, I will say that - actually, just earlier this week, I was chatting with somebody over on Mastodon, and they were asking for recommendation of a - what's the - the time-based password apps.
Joe Carrigan: Right.
Dave Bittner: You know, where you - you know what I'm talking about. What's the proper term?
Joe Carrigan: Yeah. So, like, Google Authenticator.
Dave Bittner: Yeah. That's right, the authenticator apps.
Joe Carrigan: Right.
Dave Bittner: And they are asking for recommendations for what to do on iOS when it comes to one of those. And I pointed out that that functionality is actually built into iOS.
Joe Carrigan: Right.
Dave Bittner: There is one.
Joe Carrigan: It's in Keychain, right?
Dave Bittner: Yeah. So you don't need a third-party one. It's built into the OS, which is one of the things I think Ignacio is pointing out here, so - all right. Well, Ignacio, thank you for writing in. Thank you for writing in, Ignacio, and giving Joe a hard time 'cause he doesn't get enough of a hard time from me every week.
Joe Carrigan: Right.
Dave Bittner: But we would love to hear from you. Our email address is hackinghumans@thecyberwire.com.
Joe Carrigan: I think it's all in good fun.
Dave Bittner: Absolutely. All right. Well, let's do our stories here, Joe. Why don't you start things off for us?
Joe Carrigan: Dave, my story actually comes from Coinbase.
Dave Bittner: OK.
Joe Carrigan: They have released an article or a posting.
Dave Bittner: Yeah.
Joe Carrigan: One of my favorite things about this article is, at the very top, it has something called the tldr...
Dave Bittner: Yeah.
Joe Carrigan: ...Which is too long, didn't read.
Dave Bittner: Right.
Joe Carrigan: It just summarizes the article for you in one paragraph. But apparently - and actually, this is news, actually - Coinbase had a security breach back in early February, but it was very minor. And they published a report on what happened. And they've walked you through the attack...
Dave Bittner: OK.
Joe Carrigan: ...Which is amazing.
Dave Bittner: Yeah.
Joe Carrigan: Nobody ever does this.
Dave Bittner: Good for them.
Joe Carrigan: Yeah. So on Sunday, February 5 of this year, several employees started receiving alerts with SMS messages on their cellphones, indicating that they needed to urgently log in via the link provided to receive an important message. So a social engineering scam.
Dave Bittner: So this was purporting to come from the company, from Coinbase?
Joe Carrigan: Yes. Purporting to.
Dave Bittner: OK.
Joe Carrigan: So it says it's coming from IT or somebody. They need to come in and get the - there's a message you need to get - you need to read.
Dave Bittner: OK.
Joe Carrigan: So the majority of people ignore the unprompted message, but one employee, believing that it was an important and legitimate message, clicked the link and entered their username and password, right? After entering this information and, quote-unquote, "logging in," which they weren't doing, they were just at a credential harvesting site...
Dave Bittner: Right.
Joe Carrigan: ...Their username and password was stolen. The employee was prompted to disregard the message and was thanked for complying.
Dave Bittner: OK.
Joe Carrigan: Right? So, oh, hey, look, there's nothing going on here. Everything's fine.
Dave Bittner: Right.
Joe Carrigan: So the attacker then tries to log in with the employee's username and password and quickly finds out that they are required to use MFA. Now, the article doesn't state what kind of MFA they're using, but I would like to think that it's some kind of hardware-based thing because of what happens next.
Dave Bittner: OK.
Joe Carrigan: The guy then calls this employee and says, hey, I'm from corporate IT over here at Coinbase.
Dave Bittner: So the bad guy calls the employee.
Joe Carrigan: The bad guy calls the employee. And he says, one of the most powerful things you can say, the most powerful phrases in the social engineering attacker's tool kit...
Dave Bittner: Yeah.
Joe Carrigan: ...I need your help.
Dave Bittner: Right. Because everybody wants to be helpful.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: And the employee logs into their workstation and starts following the instructions that the guy is giving them over the phone. And the employee notices that these instructions are going a little bit - becoming more and more suspicious as time goes on. And it's good information to know that they actually didn't make it into any customer wallets or any - actually, there are no customer wallets at Coinbase. There are Coinbase wallets.
Dave Bittner: OK.
Joe Carrigan: You have an account at Coinbase. So, again, I'm going to say this again because I think it can't be said enough. When you have your money, your cryptocurrency at an exchange, that is technically the cryptocurrency's - or the exchange's cryptocurrency. You are relying on them to give it back to you when you ask for it. There's a lot of trust. Coinbase - I'm not impugning Coinbase here. Coinbase is not going to steal your crypto.
Dave Bittner: Right.
Joe Carrigan: But there is - technically, in the technical aspect, there is nothing to stop them from doing it. The only - it's like a bank. There's technically nothing to stop a bank from taking your money and keeping it.
Dave Bittner: Right.
Joe Carrigan: But there are other reasons to have that happen.
Dave Bittner: Yeah.
Joe Carrigan: The problem here is that if someone does get into your crypto - into their crypto wallet and takes their cryptocurrency, there's nothing anybody's going to do to get that money back, except find the people that did it and get them to cough up their private keys.
Dave Bittner: Ask nicely.
Joe Carrigan: Ask nicely, right, with a rubber hose.
Dave Bittner: (Laughter) Right.
Joe Carrigan: That's called rubber hose cryptanalysis. That's actually a term of art. It's one of my favorite terms of art. So they did get some employee information, which, by the way, is not insignificant. This is - you know, if somebody got a load of - you know, not a load but a small bit of employee information from Coinbase, that's information that's very critical. And they need to know exactly who that was that has been leaked. And they need to talk to everybody who had their information breached because they're going to be the next targets. But I think Coinbase is on top of that because their Computer Security Incident Response Team was aware of the incident within 10 minutes because their SIEM let them know. That's security incident and event reporting system.
Dave Bittner: Yeah.
Joe Carrigan: And they reached out to the employee via a messaging app, an internal messaging app, and said, someone's trying to get access to your account, at which point - I don't know what they said exactly, but they let them know that the scam - or them I don't know if it's a man or woman. They don't tell you.
Dave Bittner: Yeah.
Joe Carrigan: And rightfully so. They shouldn't. The employee then terminated the phone call and stopped all communication with this scammer. So the CSIRT - or the incident response team - I'm just going to say that - immediately suspended all access for the victimized employee and launched this full investigation. But they say - here, this is a little bit of corporate speak - because of our layered control environment, there were no funds, and no customer information was compromised. The cleanup was relatively quick. But still, there are a lot of lessons to be learned here. The article goes on to say that anybody can be targeted and victimized by social engineering attacks, which is 100% true. I'd like to point out that this person - while we like to sit here and think this person is the victim of this attack, this employee.
Dave Bittner: Yeah.
Joe Carrigan: You know, they were convinced, and they believed that what they were doing was right, although their suspicions were aroused. But I don't know how I feel about this with the fact that there is literally millions of dollars at stake here of other people's money. You know, maybe somebody should be more security-minded. I don't know. I'm not going to...
Dave Bittner: Well, I mean, they didn't get to the money. So the MFA...
Joe Carrigan: They didn't get to the money. It worked.
Dave Bittner: It worked. Yeah.
Joe Carrigan: Yeah. Everything they did worked.
Dave Bittner: Everything - yeah. So good on them.
Joe Carrigan: Good on them. Yeah.
Dave Bittner: One thing that caught my eye here is that the employees were hit with these SMS messages that made - that prompted them to log in.
Joe Carrigan: Right.
Dave Bittner: So when they click through on the SMS message, they go to a fake login page.
Joe Carrigan: Right.
Dave Bittner: This is where I think a password manager could've caught this...
Joe Carrigan: Right.
Dave Bittner: ...Because the password manager would've said, hold on here, cowboy. This is not where we usually log in...
Joe Carrigan: Right.
Dave Bittner: ...For this site.
Joe Carrigan: That's correct.
Dave Bittner: You sure you want to do this?
Joe Carrigan: Yep.
Dave Bittner: And so it could've been nipped in the bud there before it got any farther.
Joe Carrigan: Right. That's a good point.
Dave Bittner: Yeah.
Joe Carrigan: What's interesting is that somebody has phone numbers for people who work at Coinbase. So there's already some kind of data breach out there about that.
Dave Bittner: Right, right.
Joe Carrigan: I don't know how these people got that information. I mean, they could have just gotten it from LinkedIn and then gone to these people's websites...
Dave Bittner: Oh, yeah. That's...
Joe Carrigan: ...Built the dossier or built...
Dave Bittner: (Laughter).
Joe Carrigan: ...You know, done open-source intelligence gathering to get this information.
Dave Bittner: Let me tell you, Joe, the conversations that I have had with the folks on the CyberWire sales team about the tools that are out there for information on sales prospects.
Joe Carrigan: Really?
Dave Bittner: They - yeah. Well, they raised my eyebrows. I mean, they - basically, there are companies out there who - not surprisingly, they just go out there, and they scrape everything, and then they aggregate it, and they cross-reference it. And so if - let's say, for example, if somebody wants to sell something to me...
Joe Carrigan: Right.
Dave Bittner: ...They can put my name in there, and it'll bring up everything they know about me. Here's where he is on Twitter. Here's where he is on Facebook. Here's his phone number. Here's his work phone number. Here's what he's posted about this.
Joe Carrigan: Yeah.
Dave Bittner: You know, just so it's not - it's - there's no real barrier to collecting. If I went out there and said, hey, I want the phone numbers of everybody you have at CyberWire, that's a click away.
Joe Carrigan: Right.
Dave Bittner: You know, probably a few bucks, and...
Joe Carrigan: Right.
Dave Bittner: ...You have access to that.
Joe Carrigan: Right. I wonder how much that service costs a month.
Dave Bittner: I don't know. I don't know. But hey, if you can get access to millions of dollars of crypto, it's worth it.
Joe Carrigan: Yeah. Right.
Dave Bittner: Yeah.
Joe Carrigan: And I'm sure that this is not the only spot that they're - or the only people they're targeting. One of the things that is in this article that is one of your dog whistle - I don't know what to say, but one of the things that kind of gets your goat...
Dave Bittner: Yeah.
Joe Carrigan: ...Grinds your gears...
Dave Bittner: Yeah (laughter).
Joe Carrigan: ...Frosts you.
Dave Bittner: Yeah.
Joe Carrigan: This wasn't - here's - I'm going to quote this from the article.
Dave Bittner: OK.
Joe Carrigan: "This wasn't just any attacker. We believe this individual was associated with a highly persistent and sophisticated attack campaign..."
Dave Bittner: Well...
Joe Carrigan: "...That's been targeting scores of companies since last year."
Dave Bittner: Of course.
Joe Carrigan: Right.
Dave Bittner: There's nothing we could've done, Joe. (Laughter).
Joe Carrigan: Well, but they did it.
Dave Bittner: That's true.
Joe Carrigan: This is, like, the flip side, right?
Dave Bittner: Yeah, you're right.
Joe Carrigan: Hey, look. We got these sophisticated guys, and we stopped them.
Dave Bittner: Yeah, that's true.
Joe Carrigan: Good - Coinbase did a good job here.
Dave Bittner: That's true.
Joe Carrigan: And you know what? My favorite thing about this article is that they published this. This is brilliant. So...
Dave Bittner: So here's a question for you.
Joe Carrigan: Yeah.
Dave Bittner: Would this article have been published had they been unsuccessful?
Joe Carrigan: Oh, excellent question, Dave.
Dave Bittner: Right? (Laughter).
Joe Carrigan: I don't know.
Dave Bittner: I mean, it's easy to toot your own horn when everything went well.
Joe Carrigan: Right. That's a good question.
Dave Bittner: Yeah.
Joe Carrigan: I don't know.
Dave Bittner: Not to make - I mean, I don't want to, you know, yuck someone's yum, as they say.
Joe Carrigan: Right.
Dave Bittner: But it's, you know...
Joe Carrigan: I'll tell you what we'll do, Dave. You and I will successfully hack Coinbase...
Dave Bittner: (Laughter).
Joe Carrigan: ...Get millions of dollars and then see if...
(LAUGHTER)
Dave Bittner: Yeah. If we successfully hack Coinbase and we get millions of dollars, this will be our last show, Joe.
Joe Carrigan: (Laughter) Right. We'll be done.
Dave Bittner: (Laughter). We'll be on a yacht somewhere...
Joe Carrigan: Yep.
Dave Bittner: ...You and I.
Joe Carrigan: International waters.
Dave Bittner: That's right. That's right. (Laughter) With our brand-new Apple laptops.
Joe Carrigan: That's right.
Dave Bittner: (Laughter). All right. Interesting story. And we will have a link to that in the show notes if you want to check it out. My story this week comes from Forbes. Actually, this is written by Cyrus Farivar, who's been a guest on our show before.
Joe Carrigan: All right.
Dave Bittner: Good author. He is a senior writer over at Forbes. And the article is titled "These Companies Say They Can Recover Stolen Crypto. That Rarely Happens." So this is interesting here, Joe. I mean, imagine that you are someone who has fallen victim to one of the many scams that we talk about here...
Joe Carrigan: Right.
Dave Bittner: ...And you're trying to figure out what to do. Perhaps you've reached out to law enforcement 'cause, again, as we've talked about here many times, it seems as though, certainly, local law enforcement either doesn't know what to do, doesn't...
Joe Carrigan: Right.
Dave Bittner: ...Have the resources...
Joe Carrigan: Yep.
Dave Bittner: ...To try to track these things down.
Joe Carrigan: And even if - I mean, well, I think the - it's a big mystery to a lot of people in general, and generally, people in law enforcement tend not to be too technical.
Dave Bittner: Yeah, that's true. I mean, I think more and more, we're seeing that law enforcement agencies and even down to the local level, they have people who are assigned to be specializing in this sort of fraud, elder fraud and that...
Joe Carrigan: Right. Right.
Dave Bittner: ...Sort of thing. So they're there to try to help to the degree that they can. But there's a limited amount of funding, expertise, all that kind of stuff.
Joe Carrigan: Yeah.
Dave Bittner: So imagine - this article talks about a gentleman who only goes by the name M for his privacy. He lost over half a million bucks to a scammer - cryptocurrency. And so one of the things he did was he went out and he searched for organizations who could perhaps help him get some of the money back. And according to this article, he went to an organization called CipherBlade. And that's a company that claims to have recovered millions of dollars in stolen cryptocurrency.
Joe Carrigan: Really?
Dave Bittner: He signed a contract with them, agreed to pay up to $6,500 - or to pay $6,500 for up to 10 hours of work. And also, if CipherBlade got any of the money back, they would get 12.5% of whatever they got back.
Joe Carrigan: That would be the only way I'd pay anybody like this. I would not pay them a retainer. I'd be like, if you think you can get the money back, heck, I'll give you not 12.5%, 25%.
Dave Bittner: (Laughter) OK. Well, according to this person, more than a year has passed, and he hasn't seen a dollar...
Joe Carrigan: Wow.
Dave Bittner: ...Back.
Joe Carrigan: Shocker.
Dave Bittner: Well, and that's really what this article is about. It goes into that there are several companies who have opened up - opened for business, claiming to be able to do this sort of thing, to help you get your cryptocurrency back. And it seems as though what Cyrus Farivar has found out is that their success rate isn't - not very high.
Joe Carrigan: I'm surprised their success rate is greater than zero.
Dave Bittner: Yeah.
Joe Carrigan: How do they do any of that?
Dave Bittner: Well, the article points out that there are ways to track crypto transactions...
Joe Carrigan: Right.
Dave Bittner: ...As you know.
Joe Carrigan: Do they get law enforcement involved at some point in time?
Dave Bittner: They can.
Joe Carrigan: OK.
Dave Bittner: This article points out that some of these companies simply use another company called Chainalysis. And...
Joe Carrigan: Right.
Dave Bittner: ...I believe we've talked about Chainalysis.
Joe Carrigan: We have talked about Chainalysis. They monitor blockchains, and they can tell you where the flow of cryptocurrency goes.
Dave Bittner: Right.
Joe Carrigan: And I - if memory serves me right, they have started monitoring cross-blockchain transactions. So...
Dave Bittner: OK.
Joe Carrigan: ...If I exchange Bitcoin for Ethereum, that's really difficult to track.
Dave Bittner: Yeah.
Joe Carrigan: But these guys have come up with a way to do it. Like, OK, this guy put $100,000 worth of Bitcoin into this wallet, and then somebody else got $100,000 worth of Ethereum on - into this wallet.
Dave Bittner: Yeah.
Joe Carrigan: That's probably the same money.
Dave Bittner: Right. So this article points out that Chainalysis - you can get certified by Chainalysis for around 800 bucks. You can earn a certification on tracking down these sorts of things.
Joe Carrigan: Really?
Dave Bittner: But these companies who are trying to go after these folks who stole your crypto, they can do a certain amount of tracing, but then they don't have law enforcement...
Joe Carrigan: Right.
Dave Bittner: ...Powers.
Joe Carrigan: There's nothing they're ever going to do to get somebody to cough up the private keys, aside from maybe hacking into them or maybe working with a crypto exchange if they have - if these guys are - if these criminals are dumb enough to put that money into a crypto exchange. But they're probably not.
Dave Bittner: Yeah.
Joe Carrigan: They're probably using their own wallets.
Dave Bittner: Yeah. They say that they do work with law enforcement, and then they - the reports that they make, they provide to law enforcement to try to partner with them to get money back. And they do point out, like this company CipherBlade, they provided the reporter with several satisfied customers, people who say that CipherBlade helped them recover their pilfered crypto.
Joe Carrigan: OK.
Dave Bittner: So there is some success here.
Joe Carrigan: I'd like to know how that went down, how the - how they got the money back.
Dave Bittner: Yeah. I guess the whole point of this article and why I think it's good to share with our audience is that - my take on this - and I'm curious what you think, Joe - is that your odds of getting anything back are pretty low.
Joe Carrigan: They are, very low.
Dave Bittner: And so I can't help wondering if engaging with these sorts of companies is throwing good money after bad.
Joe Carrigan: I would say it is. And the only way I'd go - I would engage with them is if they worked entirely based on the percentage of the crypto they got back from me.
Dave Bittner: Yeah.
Joe Carrigan: That would be it. I wouldn't engage with them otherwise. I wouldn't send them 6,500 bucks to - what's the word? - retain them...
Dave Bittner: Right.
Joe Carrigan: ...For so many hours. I would say - I would offer them twice what their commission is. I'd say, you know, this 12.5% and 6,500 bucks, we're talking about half a million dollars in crypto? Is that what it was? Half a million?
Dave Bittner: Yeah. Yeah.
Joe Carrigan: So I'm going to give you a quarter of that, which is much more than - the difference is much more than $6,500. In fact, it's many times more. You should just take that...
Dave Bittner: Yeah.
Joe Carrigan: ...And see what they say. If they say no, they say no because they know their success rate is not that high, and they've done the multiplication of their success rate times the delta. And they know, no, we're not going to do that.
Dave Bittner: Yeah. In this article, they spoke with a gentleman named Tony Moore, who's a detective with the LA County Sheriff's Department, and he specializes in cryptocurrency crimes. And he says that he encountered at least a dozen scam victims who reported such crimes to his agency after they had already hired one of these companies. He says he recommends that victims don't engage one. They quote him. He says, I always tell them, no, you're going to pay them for what I'm already doing. They can't seize. You're going to waste your money for them to trace your money when that's what we do here.
Joe Carrigan: Right.
Dave Bittner: Interesting.
Joe Carrigan: Yeah, that's interesting. LAPD has - is this LAPD?
Dave Bittner: LA Sheriff's Department.
Joe Carrigan: LA Sheriff's Department...
Dave Bittner: Yeah.
Joe Carrigan: ...Has their own cryptocurrency guy. And that's correct. Law enforcement does have the power to seize.
Dave Bittner: Yeah.
Joe Carrigan: But even if they seize, there's no guarantee they're getting it back either...
Dave Bittner: Right.
Joe Carrigan: ...Because those keys may be well-hidden anywhere in the world. And, you know, there's no guarantee you're going to get it back. You know, the only thing you can do is threaten the person with a long sentence...
Dave Bittner: Yeah.
Joe Carrigan: ...And then incentivize them to give up their ill-gotten gains.
Dave Bittner: Right. Right. Yeah. And also, just to reiterate what we've heard from folks at the FBI, the FBI wants to hear from you.
Joe Carrigan: Right.
Dave Bittner: Contact your local field office. Certainly, when we're up in the neighborhood of half a million dollars, I think that's going to warrant the FBI's...
Joe Carrigan: Yeah.
Dave Bittner: ...Attention.
Joe Carrigan: I think so. Maybe.
Dave Bittner: So that's - they should be on your list of folks to contact if you find yourself scammed 'cause they've said time and again that they want to know.
Joe Carrigan: They do want to know.
Dave Bittner: And they have the ability...
Joe Carrigan: Yeah.
Dave Bittner: More than a lot of other agencies, they have the ability to help. They have the power.
Joe Carrigan: Right.
Dave Bittner: Right.
Joe Carrigan: Whether or not they do for your particular case is up in the air, though.
Dave Bittner: Yeah.
Joe Carrigan: It's - you know, they might not be able to do anything about it. It might not be a priority. I don't know.
Dave Bittner: Yeah.
Joe Carrigan: But, yes, you should definitely let them know about it. If they - if you get their attention, then you can bring the resources they have to offer. And asking is free.
Dave Bittner: That's right. That's right. That's right.
Joe Carrigan: You have absolutely no reason to not ask them.
Dave Bittner: Right. So it seems as though, you know, some people have gotten satisfaction from these companies. But it seems - I think overall, just buyer beware.
Joe Carrigan: Yeah.
Dave Bittner: There's a good chance that - for a lot of reasons, there's a good chance that you could spend money on this sort of thing and end up not really getting anything back.
Joe Carrigan: Not getting anything back - exactly.
Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes. Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from Josh. It's an email. You want to read the subject and then the rest of the email?
Dave Bittner: Sure. The subject says, your wallet is about to be suspended. Your wallet is about to be suspended. Apply for KYC verification. We're writing to inform you that in order to continue using our wallet service, it's important to obtain KYC, Know Your Customer, verification. KYC verification helps us to ensure that we're providing our services to legitimate customers. By completing KYC verification, you'll be able to securely store, withdraw and transfer funds without any interruptions. It also helps us to protect you against financial fraud and other security threats. We urge you to complete KYC verification as soon as possible to avoid suspension of your wallet. Thank you for understanding. Sincerely.
Joe Carrigan: And it just ends there - sincerely.
Dave Bittner: Yeah.
Joe Carrigan: This is actually looking like it's coming from this company called - a company called Metamask. I didn't know what Metamask was until this morning, but it is a crypto wallet.
Dave Bittner: OK.
Joe Carrigan: It has browser integration, so you can interact with the Ethereum blockchain...
Dave Bittner: Oh.
Joe Carrigan: ...And use smart contracts.
Dave Bittner: So Metamask is a legit company.
Joe Carrigan: Yes.
Dave Bittner: Yeah.
Joe Carrigan: Yes, it is. And the link that's in there looks like it takes you to Metamask, but the address that it goes to is not Metamask.
Dave Bittner: Ah.
Joe Carrigan: It's a fake website. Josh goes on to say, here's a pretty good attempt at getting people's crypto wallets. It fooled me until I remembered that I don't have a Metamask wallet.
Dave Bittner: There you go.
Joe Carrigan: And I took a look where the link actually goes, and it doesn't go where it says it goes.
Dave Bittner: Yeah.
Joe Carrigan: The spelling and grammar is pretty good as well as the following - the formatting and design, which is almost indistinguishable from the real website. It is. He opened up the link in a virtual machine that took him to a place that says - a page that says, enter your recovery phrase. So I actually tried this as well...
Dave Bittner: Oh.
Joe Carrigan: ...And went to this website. The first thing that happens is you get a CAPTCHA, right? That looks like, you know, they're trying to validate that you're a human.
Dave Bittner: Yeah.
Joe Carrigan: And then it goes - it does. It says it looks like a Metamask website. It's not. It says, enter your passphrase. And if you do this - two things. If you do this, they get your private keys. The passphrase is a mapping of words, English words to your private key.
Dave Bittner: OK.
Joe Carrigan: The other thing is that there is no Know Your Client requirement for wallets.
Dave Bittner: OK.
Joe Carrigan: There - they can't do it. It's not enforceable.
Dave Bittner: OK.
Joe Carrigan: You can go out and get a crypto wallet and just put all the crypto you want in it. As long as you're keeping and managing the keys...
Dave Bittner: Yeah.
Joe Carrigan: ...There is no responsibility on anybody's part for a Know Your Customer requirement.
Dave Bittner: That's a fintech thing. That's a banking system...
Joe Carrigan: It's a...
Dave Bittner: ...Thing, right? Yeah.
Joe Carrigan: If you keep your money on a cryptocurrency exchange, there are Know Your Customer requirements...
Dave Bittner: Oh, I see. OK.
Joe Carrigan: ...Right? - because that's where money gets laundered a lot.
Dave Bittner: I see.
Joe Carrigan: Now, that's not saying that money can't be laundered through crypto wallets. It absolutely can.
Dave Bittner: Right.
Joe Carrigan: It's just there's no enforceable action there.
Dave Bittner: I see.
Joe Carrigan: So...
Dave Bittner: OK.
Joe Carrigan: It's an interesting scam preying on people who don't understand how cryptocurrency works.
Dave Bittner: There's plenty of those.
Joe Carrigan: Right. Yeah. There are plenty of those. And plenty of people have cryptocurrency...
Dave Bittner: Right.
Joe Carrigan: ...And don't know how it works.
Dave Bittner: Right. Yeah. No shame there - just...
Joe Carrigan: Right.
Dave Bittner: You know, it's complicated and easy to get confused.
Joe Carrigan: It is. Absolutely. And that's what this is hoping to do, is confuse you.
Dave Bittner: Right. All right. Well, our thanks to Josh for sending this in. Again, we would love to hear from you. If you have something you'd like us to consider for our Catch of the Day, you can email us. It's hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with Daniel Golden and Renee Dudley. They are from ProPublica. And we are talking about their new book, "The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime." Here's my conversation with Daniel Golden and Renee Dudley.
Renee Dudley: So I joined ProPublica in 2018 as a tech reporter, and Dan was my editor. And we were brainstorming ideas that I should work on for the year. And one of the things that I was hearing about from sources in corporate America was this crime called ransomware was taking hold. And I was hearing that companies were getting hit by ransomware. The amounts were growing, and they were worried about it, and they were trying to keep it secret. And I was intrigued about this crime. You know, I'd heard about it. It didn't make news every day back then like it does now. And I brought it up with Dan, and he was intrigued, too. And we both agreed that there had to be some U.S. connection to ransomware beyond the fact that there are so many victims here. And so I dug in.
Renee Dudley: And before long, I started hearing about this man, Demonslay335, who ultimately became the hero of our book. His real name is Michael Gillespie. And everybody said that Demonslay335 was the most knowledgeable person essentially on the planet when it came to ransomware. And I found out that he was a part of this global team that looked for vulnerabilities in the hundreds of strains of ransomware that exist. And they create free tools that help victims recover their files without paying hackers. And I'm sure your listeners will be familiar, but for those who are uninitiated, ransomware, it encrypts your files and makes them inaccessible. And you have to pay a hacker to get them back. And so this team was making these tools that allowed people to get their files back without having to pay hackers and feed into this entire ransomware economy.
Renee Dudley: And so I hooked up with Demonslay335. I called him at his office, which was a Nerds on Call IT repair shop in the town of Normal, Ill. And we started talking, and he was incredibly helpful for a variety of stories that I wrote and Dan edited for ProPublica that became a part of a yearlong series. And he was so knowledgeable that, you know, I wanted to get him - to know him more, and I wanted to learn more about this team. And I went to go visit him, you know, months after the stories started rolling out. And when I got to his home in Illinois, I was pretty blown away by what I saw. At this point, I realized - you know, I knew from talking to him and some of his teammates that the ransomware hunting team that he was a part of was this pro bono, you know, global team that was helping people for free.
Renee Dudley: But what I didn't know is that Michael was doing it while facing a multitude of personal crises. I met him, you know, outside his rundown - you know, pretty rundown home in this working-class neighborhood - needed a lot of repairs. He's this humble guy. You know, he's more - wearing, you know, jeans and a ratty T-shirt. And, you know, I got talking to him, and he shared with me his struggles with - you know, just struggling to make ends meet. He can't - you know, he was unable to pay his bills, and one month he'd have to turn off the electric, the next month the water, just to make ends meet. He almost lost his home. And he'd just beaten cancer. And meanwhile, he's working day and night to create these tools to save victims who will never know his name. And what struck me was that here's somebody who's the best in the world at what he does. And he's living in these extremely humble circumstances without seeking fame or money or any of the normal motivations, and just with zero fanfare. And I thought that was really remarkable. And I called Dan from the airport on my way back to Boston. And I said I thought this guy was really interesting. And we've got to at least do a profile on him. And we did. And, you know, ultimately, he became the hero of our book, "The Ransomware Hunting Team."
Dave Bittner: So Dan, the book really comes at it from the point of view of highlighting the folks who are out there trying to help the victims. And that's not an angle that I think we see a lot of when it comes to the coverage of ransomware. What decided - what was the decision between the two of you to take that approach?
Dan Golden: Well, we wanted to write a book that would be accessible to everybody, that everybody could enjoy whether they were technology experts or not. So you know, we boned up on the cryptography enough so that we could explain some of the technical aspects. But we wanted to tell a human story and a narrative. And these people were extremely interesting, you know, not just Michael, but his mentor, Fabian, was fascinating guy who had grown up in Germany under difficult circumstances and then felt that it was possible, because of his exploits against ransomware, that organized crime might be after him, Russian organized crime. And he moved to England. And he was living kind of as a hermit there.
Dan Golden: And just many other people - the team in general, they are not your standard sort of Ivy League success stories. Some of them didn't go to college at all. Some of them, you know, one - Fabian didn't even finish high school. They've had backgrounds of poverty or abuse. One fellow in Hungary is extremely superstitious and a bit odd. Some of them are on the autism spectrum. And so we just thought that these were fascinating personal stories. And what we tried to do was set their stories against a broader framework where we tell, essentially, the history of ransomware from its invention to the present day. And while we were working on the book, you know, the world had the bad luck. But we as journalists had the good luck that ransomware kept getting worse and worse, so that when we started, you know, the attacks were, perhaps, for thousands or tens of thousands of dollars.
Dan Golden: As we went on, the demands rose to hundreds of thousands or millions of dollars. The targets shifted from being individuals to being corporations, universities, hospitals, even police departments and governments. And the hackers became sophisticated so that before they would actually make the ransomware attack, they would get inside the computer and steal data so that even if you could somehow preserve your files, you would still have to pay a ransom, because otherwise they would make your private information available. So it became a bigger and bigger threat, a more and more worrisome crime. It made the top of the news with the Colonial Pipeline attack and with Biden trying to negotiate with Putin about cracking down on ransomware gangs. So we found ourselves dealing with both the compelling personal story and what was becoming one of the top threats to world - to people's security and wellbeing.
Dave Bittner: You know, Renee, one of the things that strikes me as I read the book was how it really is a bit of a David versus Goliath story here. I mean, you have these ransomware operators who are demanding millions of dollars. And as you point out, the folks that you highlight here are not well-to-do, wealthy people who are being underwritten by big organizations. That was really a bit of a revelation for me because I think of the folks who work in cybersecurity are generally - I think the perception, anyway, is that they're very well-paid. They're very in demand. But in this case, this is really - this is a ragtag team here.
Renee Dudley: It is. And you make a few interesting points there. It certainly is a ragtag team. They call themselves this band of misfits. Many of them come from backgrounds of poverty and abuse. They were bullied in school. They tend to keep to themselves and not fit into typical, you know, social structures and in-person friendships. And they've really found their niche and found their calling online. A lot of them have this sense that the internet is their intellectual home. And they don't want bad guys there. So they see this as both an intellectual challenge and a way to fight back against the boys who came for them when they were younger.
Renee Dudley: And I'll also mention, a lot of them do have jobs in the security field. Fabian Wosar, for example, is one of the masterminds of Emsisoft antivirus software. But others, like Michael, you know, he's fixing broken hard drives, you know? He spent 10 years at the Nerds On Call IT repair shop, fixing broken hard drives. So - but you're right, none of them were getting rich from any of this. On your other point of the David versus Goliath, you know, in terms of here is the - these people hunting ransomware, fighting against these hackers. The strange thing is that both the hunters and the hackers have a lot in common. They have, essentially, the same skill set. They're experts in cryptography. From what we can tell, a lot of them are self-taught, you know, learning through tutorials online and on YouTube and checking books out of the library. And they have a lot of the same interests, video games. They like some of the same movies. A couple of - you know, a couple of the people on the team are really into Disney, and Michael Gillespie's favorite movie is "The Lion King," and there's a ransomware called HakunaMatata. You know, the similarities - you know, we don't know a ton about the hackers, but there's certainly evidence that they share a lot of the same interests and tend to be misfits.
Renee Dudley: On the other hand, you're absolutely right that, you know, while some of them are teenagers who are trying to make money or gang leaders who want a Lamborghini, there's increasing evidence that some of the hackers are working under the protection or possibly at the behest of enemy governments. So it's - you know, it's certainly wild that there's this group of people working against these increasingly organized, potentially state-sponsored hackers.
Dave Bittner: You know, one of the fascinating parts in the book for me is you have a chapter here titled "The FBI's Dilemma." And I'm curious, Dan, if you can give us some insights from that. I mean, this ransomware scourge really hit at a time when the FBI was facing some of their own challenges.
Dan Golden: Yeah. The FBI, for a long time, dismissed ransomware as kind of an ankle-biter crime with low amounts of money involved, not worth their attention. And that was symptomatic of the FBI generally giving a lower priority to cybercrime than it would've to, say, terrorism. And in general, the FBI has this kind of macho culture and this belief that any agent can do any kind of case, which might be true in some situations but not in a highly technical cyber case. And just in terms of manpower, it doesn't have the kind of numbers of cyber expertise agents that it probably needs. You know, other examples we talk about, the Dutch National Police in the book have - you know, they'll pair up each agent with somebody who's cyber savvy. And the FBI doesn't have anywhere near like those numbers, partly due to its culture, partly due to its resources, partly due to its taking a look at ransomware and then deciding, well, this really isn't worth their time.
Dan Golden: They were taken very much by surprise by the increasing threat of ransomware, as the dollar amounts ratcheted up and the attacks shifted from people to major organizations and businesses. And they were, you know, well behind the curve, and they also were not particularly receptive to the hunting team and its members who could offer abilities to crack codes or provide keys. And the FBI really - that was - it seemed to feel that wasn't really what it did, you know? And its focus is predominantly on arresting people, and that's difficult in these cases because the criminals are often in countries where we don't have extradition agreements with, like Russia or Iran. You know, sometimes you have to go after the infrastructure, the servers or other aspects, rather than just straight out try to arrest somebody who you're never going to get until they decide - unless they decide to, you know, vacation on the Riviera. The whole system was not really geared up for this kind of international threat, and as a result, American organizations and individuals suffered a great deal of needless harm.
Dave Bittner: So, Renee, I'm curious - what are the take-homes for you? What do you hope that people take away from the book?
Renee Dudley: You know, I hope people will come away with a sense of hope because we end with some of the changes that are afoot. First of all, one of the things that I'm - that I've taken away from writing it is that there are these ordinary people who are just doing their day jobs but doing these absolutely extraordinary things in their spare time. They have filled a void in American society through their contributions. You mentioned the FBI, you know, federal law enforcement, the federal government in general, up until the Colonial Pipeline attack essentially ignored the problem of ransomware, while this ragtag team was, you know, spending all of their spare time fighting it. It's pretty incredible what they've been able to accomplish. First of all, they've saved millions of victims from paying billions of dollars to hackers since they've started in 2016. And all of these resources are available on Michael's own website, which is called ID Ransomware. It's a site that he set up so that victims of ransomware could upload sample encrypted files, figure out what they were afflicted with and then find out if free help was available and how to get it.
Renee Dudley: So from a very practical sense, you know, I hope people will know that there are resources out there. This team is out there to help them. From a more - from a national standpoint, the FBI is increasingly receptive to what the ransomware hunting team and private researchers in general have to offer, which is a lot. And we've seen examples of the hunting team providing huge, you know, large, you know, household name company victims with their free tools through the FBI. In other words, victims will come to the FBI to report a crime, and they'll end up getting this help that they otherwise might not have known about. So there's promising things happening. And I just hope that people will see that there's this group who's dedicated to stopping this horrible crime that they may never have heard of before.
Dave Bittner: Dan, how about you? Any final thoughts?
Dan Golden: Yeah, I think I'd like to see the book increase transparency about ransomware and make victims more willing to come forward and companies to be more public about it. I mean, one of the problems that has allowed ransomware to become so prevalent and dangerous is the limited knowledge about it. Very few people report the attacks to the FBI. A lot of public companies don't announce that they've been hit by ransomware. If they say anything at all to their investors, they say, oh, we had a malware incident.
Dan Golden: I'd like to see this book as being a way to say, look, ransomware is all over the place. It's not necessarily shameful to have been hit by it. And the more that people come forward, they talk about it, the more pressure they will bring on the government and society to find solutions. So I think I'd like to see this book as the beginning of a national conversation that ends up in greater awareness, greater, stronger defenses and more discussion about the ransomware problem.
Dave Bittner: Joe, what do you think?
Joe Carrigan: It's nice to know that there are people out there working to hack the bad guys.
Dave Bittner: Right.
Joe Carrigan: That's nice - nice to know. Ransomware is software that's developed by people. People are - people write vulnerable software.
Dave Bittner: Right.
Joe Carrigan: And these guys go around and find these vulnerabilities and exploit them. And the result is free description - free decryption.
Dave Bittner: Yeah.
Joe Carrigan: Free description - I can give you a free description of anything, Dave - free decryption of your encrypted data, which is wonderful. These guys have been doing this for a long time.
Dave Bittner: Yeah.
Joe Carrigan: It's good stuff. One of the things that sticks out in this article is they were talking about Fabian (ph), who lived in Germany and had to move to the U.K. because he thought the Russian mob was after him.
Dave Bittner: Yeah.
Joe Carrigan: That's terrifying. I don't know what I would do in that situation.
Dave Bittner: Yeah. I mean, you know, find yourself with an unfriendly relationship with gravity.
Joe Carrigan: Right. Yeah.
Dave Bittner: Tossed out of a window.
Joe Carrigan: Renee said that both sides of this equation are crypto experts. I wouldn't say that about the ransomware gangs, although now more so I would say that. But when this first started, the authors of ransomware were essentially crypto users, and if they had done it properly, then the security researchers would not have been able to break it. It would have been, you just have to pay the ransom or reformat your hard drive and start all over.
Dave Bittner: Yeah.
Joe Carrigan: But these guys are out for the quick buck. It's a business to them. It's a business. And that's what they're doing. They're looking to minimize costs, including the cost of time. So they're going to write crypto that works well and or that works good enough to get the money.
Dave Bittner: Right.
Joe Carrigan: Barely sufficient software, Dave. It's an agile principle.
Dave Bittner: (Laughter) Right.
Joe Carrigan: So here's my main question about this whole thing is why isn't Michael Gillespie working for some security company?
Dave Bittner: I don't know.
Joe Carrigan: It's interesting. Renee makes the observation that a lot of these guys don't have college degrees...
Dave Bittner: Yeah.
Joe Carrigan: ...Which, again, speaks to, you know, the hiring problem - I say problem in quotation marks, the cybersecurity skills gap. Here's a guy that's actually gone out, reverse engineered ransomware, broken it and posted it up on his website and he works repairing hard drives at, like, a Geek Squad place.
Dave Bittner: Yeah.
Joe Carrigan: You know, this - why is that the case?
Dave Bittner: Yeah, who knows? I mean, there might be circumstances that keep him from...
Joe Carrigan: Right.
Dave Bittner: ...Being able to do that sort of thing.
Joe Carrigan: Sure, there's that.
Dave Bittner: Yeah, maybe he - or maybe he just enjoys keeping it an avocation and not a vocation.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Maybe.
Dave Bittner: All right. Well, again, our thanks to Daniel Golden and Renee Dudley for joining us. Once again, the name of the book is "The Ransomware Hunting Team: A Band of Misfits' Improbable Crusade to Save the World from Cybercrime." Do check that out.
Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.