Hacking Humans 5.11.23
Ep 242 | 5.11.23

Remedies for infectious computers.


CW Walker: Getting visibility into what the criminal underground has stolen from an organization is really kind of the first step to post-infection remediation.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with CW Walker. He's the Director of Security Product Strategy at SpyCloud. We're going to be talking about post-ransomware recovery. All right, Joe, before we get to our stories here, we have a couple of items of follow-up here.

Joe Carrigan: Yes, we do.

Dave Bittner: Why don't you do the first one and I'll do the second one here, and we'll make our way?

Joe Carrigan: Dave, I want to put out a way to go, a kudos if you will to one of the big tech companies.

Dave Bittner: Okay.

Joe Carrigan: And it's my least favorite big tech company, Facebook.

Dave Bittner: Really?

Joe Carrigan: Yes.

Dave Bittner: All right.

Joe Carrigan: But I had a relative who was a connection on Facebook and somebody cloned her account and immediately sent me a friend request though knowing what was going on, I sent a message to the actual account of the person, and she to this day has still not responded, but I don't know that she knows how to respond, this person is an older person.

Dave Bittner: Okay.

Joe Carrigan: But I started getting messages from the fake account within two days of accepting their friend request. And as soon as I received the message, I tried to reply and Facebook said, "Oh, no, you can't reply to this." They had already figured out this was a fake account, and shortly after, without any action on my part, they have shut the account down.

Dave Bittner: Oh, good.

Joe Carrigan: So, I'm impressed with how fast that happened that the scammer was able to send me messages and presumably start some scam, but I was not able to reply to the scammer and now the account is gone.

Dave Bittner: Good.

Joe Carrigan: So, well done Facebook.

Dave Bittner: Happy ending. Sure.

Joe Carrigan: It looks like they are getting better over there resolving that problem of fake accounts.

Dave Bittner: Right, right. All right. Well, we've got a couple of notes from listeners about some recent episodes. The first one here is a note from Clayton. And Clayton says, "Dave and Joe, I think Joe made an unintentional insight in his commentary during this episode. At one point you mentioned your daughter's professor referred to computers as fast idiots."

Joe Carrigan: I remember that.

Dave Bittner: "As you are both well aware, humans reacting emotionally could just as well be classified as fast idiots. Insulting language aside, humans in this state are just as likely to follow the instructions given to them as input, malicious or otherwise."

Joe Carrigan: That's 100% correct.

Dave Bittner: "Quite figuratively, the human is now hackable, as you both mentioned later in this episode and most every other episode the best defense is to slow down and return to a more human state." What do you make of this? I think Clayton is right on the ball here.

Joe Carrigan: I agree with you 100%. And I agree, the language is insulting. It's not that you're stupid because these things happen, it's because you're literally doing the thinking with the different part of your brain that is more equipped for faster decision-making.

Dave Bittner: Right.

Joe Carrigan: And it's not equipped for higher-level cognitive functioning.

Dave Bittner: Right. It's the "run away from a tiger" part of your brain.

Joe Carrigan: Exactly. It's called the amygdala, it's very small and very efficient, and very fast. So, it's -- yeah, this is absolutely spot on, Clayton.

Dave Bittner: Yeah, yeah. Well, thank you for writing in, Clayton. I think it's a good emphasis of a good point. We had another letter from a listener named Robert who wrote in. And wrote, says, "I have some feedback on a discussion you guys had whether wallets are safer than smartphones. In the end of your discussion based on what you said, you guys still called that your phone was more secure than your wallet as long as it's properly secure." Robert writes, "On a technical level, I agree with that but I also think your phone is quite a bit more risky than your wallet, and here's why. Your phone is not just the device you use for monetary transactions and accounts on it, but it doubles as your memory device for phone numbers which is what its primary use is for anyway." I would say it's what its primary use used to be.

Joe Carrigan: That's a good point, Dave.

Dave Bittner: Yeah. I think these days, they're portable computers that have the functionality to make phone calls. But I'm nitpicking. Robert goes on and says, "Very few people memorize important phone numbers or keep a black book or something nearby in order to communicate with those you might need like banks or financial institutions."

Joe Carrigan: Hundred percent correct.

Dave Bittner: Yeah. He says, "Remember that the thieves are not just stealing your phone to access your financial and personal information but they're also taking away your means of being able to communicate with important businesses and institutions in order to protect your financial assets in time."

Joe Carrigan: That's right.

Dave Bittner: I think that's a good point.

Joe Carrigan: That is a good point. I will counter that point by saying if you -- well, I won't counter the point, I'll agree with that. That's -- Robert is 100% correct.

Dave Bittner: Yeah.

Joe Carrigan: I will say though if you are lucky enough to just have your phone stolen and you still have access to your wallet, all the numbers you need are in your wallet printed on the back of the credit cards. If you have access to the physical credit card, you still have access to the information you need. All you need now is a phone. But no, Robert makes a great point. Here is another question, I'll ask you, Dave. Do you know your wife's cell phone number?

Dave Bittner: I know my wife's cell phone number but I do not know my children's cell phone numbers.

Joe Carrigan: Right. I don't know my children's cell phone numbers either. I made a point of memorizing my wife's cell phone number for exactly this reason.

Dave Bittner: Yes.

Joe Carrigan: Fortunately, I guess I do know my daughter's cell phone number because hers is just my wife's plus one.

Dave Bittner: That's very convenient.

Joe Carrigan: It's Lisa plus plus is Kayla.

Dave Bittner: I used to know my parents' but then they got new numbers and so I don't know those either.

Joe Carrigan: Yeah. Actually, I used to know my son's as well but he got a new phone number, and that wound up -- yeah. I just never even made a point of remembering it.

Dave Bittner: Right. Well, I mean, that's to Robert's point here, right? I think he's right on.

Joe Carrigan: Yeah. And I certainly don't remember my bank's phone number.

Dave Bittner: No.

Joe Carrigan: I just don't know it.

Dave Bittner: No, no. I -- yeah, I think he's right. We've offloaded memorizing phone numbers. We don't do that anymore because we don't need to. And so, yeah.

Joe Carrigan: What are we doing with that part of our brain though?

Dave Bittner: Look at cat videos.

Joe Carrigan: Very constructive.

Dave Bittner: Yeah, not a lateral move.

Joe Carrigan: No. I still remember the phone number of the kid that used to live across the street from me. I can tell you what it is right now.

Dave Bittner: I remember my first phone number.

Joe Carrigan: Oh, I still remember that too. But that was -- I can't say it but there were easy mathematical ways to remember it.

Dave Bittner: Okay. Well, back then it was a lot easier too because we didn't have to remember area codes.

Joe Carrigan: That's correct. And we could always put a mnemonic in front of it like Pennsylvania, right? Pennsylvania 65000.

Dave Bittner: All right. Well, thanks to everybody for writing in with your questions and comments. We do appreciate it. We're not always able to read all of them on the air but please know that we do read all of them and we do consider all of them. If there's something that you would like us to read on the show, you can email us, it's hackinghumans@thecyberwire.com. All right. Well, let's jump into our stories here. Joe, why don't you start things off for us?

Joe Carrigan: Speaking of ATM cards and things of that nature, Dave, my story actually is a conglomeration of stories but I'm going to start with this one. This morning as we're recording this, my son found out that he had $400 withdrawn on his ATM card, a withdrawal he didn't make. Isn't that interesting?

Dave Bittner: Yes.

Joe Carrigan: Now, here is what's also interesting. It was on an ATM close to our house that we know about, that we use frequently.

Dave Bittner: Okay.

Joe Carrigan: Because it's got an affiliation with our bank and our bank is a little further away. So, we just go to this ATM and that's where we withdraw our money. Now, he made a withdrawal there last week, and then the money disappeared from his account yesterday or this morning, or something. This morning is when we noticed it, yesterday is when it happened. I asked him, "Does your card have a chip in it?"

Dave Bittner: Yeah, that's what I was going to ask.

Joe Carrigan: And he said it does. So, he called the bank, the bank said, okay, well, we're going to start an investigation here. And we're going to find out what happened, I guess. But I looked this up for the -- and according to the FTC website that there are limits to your liability for these kind of things, for lost or stolen ATM cards. And if you report the crime within two business days of noticing it, your liability is capped at $50.

Dave Bittner: Oh, okay.

Joe Carrigan: If you report the loss or theft of a card before anything is stolen, your liability is zero.

Dave Bittner: Nice.

Joe Carrigan: After two days, your liability jumps up to 500 bucks.

Dave Bittner: Oh, okay.

Joe Carrigan: Which is substantial.

Dave Bittner: Yeah.

Joe Carrigan: So, one of the key takeaways here is to make sure that you are watching your bank account for these kind of withdrawals.

Dave Bittner: Right, right.

Joe Carrigan: I don't know how this cloning worked though because we walked over to the location that this place is -- actually we drove over, we could have walked, but, I mean, it's really close. We drove over and I walked in and I pulled on the little cover of the -- where the card goes in. And then I asked my son was there anybody standing around you when this happened. He goes, "No." I said, "Has everything looked the same?" And he goes, "I don't remember. Maybe the cover was green." You know, the card slot cover was green.

Dave Bittner: Why would you make note of any of that?

Joe Carrigan: Why would you make note of it? He doesn't know. I said, "Was anybody around --" I did ask if anybody was around him. I think I've already said that, right? But he said, "No, there was nobody around except the security guard who was not close enough to see him enter his PIN." So, there is some other means of them garnering his PIN from this. So, I did a search on similar stories and I came across an interesting consumer banking scam, this is from ABC News 7 out in San Francisco, it's by Michael Finney and Rene Corey. And this is a similar scam. Well, I don't know if this is similar or not but what these guys are doing is -- and I noticed this feature on the ATM where my son was -- we think he had his card skimmed there and we know that's where the transaction was conducted, the fraudulent transaction.

Dave Bittner: So, the money that was taken was at the same location that he had last used the card.

Joe Carrigan: Yes.

Dave Bittner: Interesting.

Joe Carrigan: That is interesting, isn't it? I didn't make that clear, did I?

Dave Bittner: Did you notify the store?

Joe Carrigan: We did. We actually told the manager. We walked in there and discussed it with him. And he said, "Well, I'm going to turn this thing off right now and have the company come out and take a look at it, do an inspection of it."

Dave Bittner: Oh, okay. I wonder if there's security footage that they could look at.

Joe Carrigan: There might be. There is a camera on the device.

Dave Bittner: Sure.

Joe Carrigan: But one of the other features on the device, on this machine, is it has the tap, you know, the near-field communication tap. And this story depends on that feature being on the ATM.

Dave Bittner: Now, is that what your son did?

Joe Carrigan: No, he did not.

Dave Bittner: Okay.

Joe Carrigan: He inserted his card because -- and I asked him about this. He goes -- I said, "Did you use the tap feature?" He goes, "No, I don't trust the tap feature."

Dave Bittner: Oh, boy.

Joe Carrigan: I'm like, "I don't trust it either."

Dave Bittner: You don't! Why not? Why don't you trust the tap feature?

Joe Carrigan: Because what information --

Dave Bittner: It's tokenized.

Joe Carrigan: No, is it a tokenized feature --?

Dave Bittner: Sure.

Joe Carrigan: Is it tokenized in the card tap?

Dave Bittner: It's my understanding.

Joe Carrigan: Okay. Well, then, okay, maybe that's better.

Dave Bittner: I'm sure our listeners will let us know.

Joe Carrigan: They will let us know. I'm sure PCI guys out there right now are screaming at their radios. Radios?

Dave Bittner: Who is right but more importantly who is wrong?

Joe Carrigan: Right. So, in this story out of San Francisco, what these guys are doing is they're walking up to an ATM that's equipped with one of these tap interfaces and they are filling the slot where you put your card with glue.

Dave Bittner: Of course, okay.

Joe Carrigan: So, then you walk up as a customer of the bank and you put your card in there and you can't get your card in there because it's filled with glue. So, somebody very helpful goes, "Oh, you have to use the tap interface." Right. And they say, "Let me help you out with this." Now, as most of our listeners probably already figured out, this is the bad guy, right? So, when you use the tap interface, it begins the process of doing whatever you do with an ATM, and they're watching you enter your PIN. And then you walk away but if you don't walk away from the -- if you don't close out the transaction, if you leave it open like it'll ask you at these ATMs, "Do you want to conduct another transaction?"

Dave Bittner: Right.

Joe Carrigan: Right. These are Chase ATMs. I'm going to name the company Chase because they are named in this article here.

Dave Bittner: Okay.

Joe Carrigan: So, the customer then gets the money, the banking customer gets the money. The screen still says, "Do you want to conduct another transaction?" The customer walks away from the ATM and then the guy says, "Yes, I want to conduct another transaction." And because he saw you enter the PIN, he enters the PIN.

Dave Bittner: I see.

Joe Carrigan: And then withdraws money from your account. Probably checks your account balance as well.

Dave Bittner: Right.

Joe Carrigan: To see how much money he can withdraw.

Dave Bittner: Yeah.

Joe Carrigan: Now, there are a couple of bad things that Chase did in this case. Number one, I'm going to ding them on their user interface.

Dave Bittner: Okay. Fair enough.

Joe Carrigan: You shouldn't have something that says, "Do you want to conduct another transaction?" Or, I don't know, maybe you should or maybe your time out should be a lot shorter. I don't know how that works.

Dave Bittner: I suppose they think that it's safe because it requires the entry of the PIN a second time.

Joe Carrigan: Right. It does require the entry of a PIN. And that's a good point. It might be safe. I don't know. But it would be nice if it required access of the card again to make sure that the person who is holding the card is still there. But then, now you're entering into a field where all I have to do now is render the -- just get the card from the person, which might cause physical harm, right? And that's not an objective any of us want to have. So, these people had these fraudulent transactions on their card. They called Chase, Chase denied all their claims saying you have to prove that this was fraudulent. And when these people said, "Well, do you have access to the footage, the security footage?" Chase said, "You have to get -- we can only look at that security footage with a police -- subpoena from the police."

Dave Bittner: What?

Joe Carrigan: Right. Exactly. Which is wrong.

Dave Bittner: I'm calling BS on that.

Joe Carrigan: That is BS. That is completely incorrect. When you call your bank and you say, "A fraudulent transaction has occurred," you are entitled and your bank is obligated to conduct what is termed a reasonable investigation, which includes looking at their own surveillance footage. They don't need authorization from law enforcement to look at that.

Dave Bittner: Yeah, there's no restrictions on a bank camera.

Joe Carrigan: That's your property. That is the stupidest argument I've ever heard from a large corporation coming out about a fraud claim. Frankly, I'm going to stick by that term. That's a stupid argument. They really shouldn't have made that. Well, of course, when the media found out about this and started reporting on this, well, then Chase said, "Okay. Well, we're going to look into how we're going to change our policies to make our customers more safe and we are going to refund everybody's money."

Dave Bittner: Good news.

Joe Carrigan: Good news. Right. It is a shame that this is a standard operating procedure for businesses that when something like this happens that they don't address it like, "Okay. We have a security problem, our customers are losing money. We have to make them whole. Let's solve the problem." They put all the onus initially on the customer and that's what they want to do. But, you know, it's what these companies do. So, this is why I say when people ask me who do I talk to about this. Media. Just go to the media. If you're not getting satisfaction, see if you can get somebody to bring broader attention to it.

Dave Bittner: Well, I think it's a good reminder of why we need robust and healthy media, and particularly local media which has really been hit hard lately. But you think about, for example, your local TV affiliates, most of them have some sort of consumer advocate who's the person whose job it is to try to --

Joe Carrigan: He's on your side, Dave.

Dave Bittner: Yeah, exactly. They cut through the red tape when it comes to these sorts of things.

Joe Carrigan: Right. To get right through and make things happen.

Dave Bittner: Right. Right. Wow. How do you think things are going to shake out for your son?

Joe Carrigan: That's an excellent question. I hope that they shake out well and he only is at a loss for 50 bucks.

Dave Bittner: Okay.

Joe Carrigan: But, you know, it's 400 bucks, it's not a big amount to lose but it's still significant. It's a significant amount for -- you know, a young person to lose. I would be upset losing -- I'd be very angry losing 400 bucks.

Dave Bittner: Anybody would, yeah.

Joe Carrigan: I'd be like, "Let me see the picture."

Dave Bittner: Right.

Joe Carrigan: I probably know this guy. I probably see this guy around town.

Dave Bittner: Right.

Joe Carrigan: Where is my 400 bucks, buddy?

Dave Bittner: You just stake out. You'd be hiding behind the ATM waiting for the next person to come by.

Joe Carrigan: I'll be hiding behind the makeup counter waiting for him.

Dave Bittner: That's not at all suspicious.

Joe Carrigan: Right.

Dave Bittner: Who is that man crouching behind the makeup counter?

Joe Carrigan: Why does he have a crowbar?

Dave Bittner: Yeah. And that, ladies and gentlemen, is why Joe was no longer the host of the "Hacking Humans" podcast. All right. Well, that is an interesting story there. You'll have to keep us up to date on what happens with your son if he gets any justice here or not.

Joe Carrigan: Yeah. Also, we're going to put a link in the show notes to the FTC site that outlines your obligations or your rights, rather.

Dave Bittner: Good, good. Yeah. So, Joe, for my story this week, I want to start off by taking a little trip back in time. You will recall that we talked about stories where they were alleging in business transactions that people were using deepfake voices to trick people in corporations, officers in corporations to get them to transfer large sums of money.

Joe Carrigan: You and I had this discussion probably years ago and you were dubious of it.

Dave Bittner: I was dubious of it. And I believe I was justified. And I hadn't -- and I did some digging and was unable to find any actual evidence that this is what had happened. It was one of those things where I think it was something that some experts had speculated on being a possibility, and then somebody -- that speculation turned into in someone's story this is what probably happened, and then it became a game of telephone. And the next thing you know, that's what happened.

Joe Carrigan: Churnalism they call it.

Dave Bittner: Oh, I never heard that. I like that.

Joe Carrigan: Oh, you never heard that term?

Dave Bittner: No. That's good.

Joe Carrigan: That's when news agencies just start reporting the news of other news agencies.

Dave Bittner: Yeah, yeah. So, we were skeptical of that and I called foul on it and I said, you know, I don't believe this has ever happened. But we both agreed that it was only a matter of time before it actually happens.

Joe Carrigan: Right. And I think we talked much more recently like within the past two months that I think I even asked you, "Do you still think this is not going to happen?"

Dave Bittner: Right. Well, Joe, it's happened. So --

Joe Carrigan: I should have made that the Joestradamus prediction.

Dave Bittner: That's right. This is a story from Action News 5 which is out of Memphis, Tennessee, and it's titled "The Family Targeted by AI Scam Using Loved One's Voice." So, we talked about the increasing capabilities of these AI voice generators and we've talked about I referred to it as robot Dave which is a version of my own voice that I've loaded into one of these and it spits out a remarkably convincing version of my own voice.

Joe Carrigan: I thought it was you the first time I heard it.

Dave Bittner: My own inflection, all that kind of stuff. So, it would seem that the scammers are on board with this and are making use of it. In this particular case, there's a woman who received a phone call from her daughter, who she thought was her daughter, and it was her daughter's voice screaming hysterically, "Help me, help me, Will's dead." Will is her husband. "Help me, help me."

Joe Carrigan: Yikes.

Dave Bittner: And she was, of course, terrified.

Joe Carrigan: So, they knew her husband's name. They knew this woman's son-in-law's name.

Dave Bittner: Correct.

Joe Carrigan: Wow!

Dave Bittner: Correct. So, the phone call came in with her daughter's name on the caller ID. Okay.

Joe Carrigan: Oh, that's way more.

Dave Bittner: Yeah, right. So, the call comes in with her daughter's name on the caller ID. She answers the call. She's greeted with the screaming voice of her daughter, convinces her it's her daughter. "Help me, help me. My husband's dead. Help me." Now, the woman, the mom, was able to keep her wits about her enough that she hung up the phone and she called her daughter back.

Joe Carrigan: Right.

Dave Bittner: And quickly established everything was fine.

Joe Carrigan: Okay. Good. I'm very glad to hear that that's how it went. Did these guys call back again?

Dave Bittner: They did not.

Joe Carrigan: Okay.

Dave Bittner: They did not. But the woman emphasized, the mom emphasized, she says I probably would have done anything they asked for at that moment. And this speaks to what our listener wrote in about saying, you know, the whole thing about being -- just having that part of your brain short-circuited. Yeah, especially when it comes to your kids and your loved ones. They spoke to someone -- a cybersecurity expert Marcus Sachs. I'm not sure where that person is from.

Joe Carrigan: We've heard that name before. I think we've talked about him before. I think he's been quoted before as an expert on the articles we talked about.

Dave Bittner: They said that these AI scams are rapidly spreading across the country. He says the criminals choose a victim and gather information like the audio of a loved one's voice and public information about a tragic event, then they craft an AI persona, and they strike.

Joe Carrigan: Public information about a tragic event.

Dave Bittner: So, in this case, if you actually watch the TV news story version of this story, the husband Will had been in a terrible car accident within the past year and had serious injuries.

Joe Carrigan: Oh, yikes.

Dave Bittner: So, this was actually additionally pressing those buttons. In other words, the mom was already kind of emotionally primed that this is a possibility.

Joe Carrigan: These are horrible people.

Dave Bittner: Yeah. So, she had those pathways already wired up in her brain and ready to go that a tragedy could happen to this loved one. So, fortunately, all is well that ends well with this gang, you know, they -- the family -- the mom did the right thing. And kudos to her for having peace of mind --

Joe Carrigan: That is amazing that she hung up the phone and called her daughter back.

Dave Bittner: It is. It is. There's another little bit that I like here. They say that the family plans to develop a safe word to be sure it is actually their loved one on the other end of the line. I think that's a great idea.

Joe Carrigan: Yeah, yeah. Although, I'd use a term code word because safe word means something else.

Dave Bittner: It might. The same sort of thing. But, yeah.

Joe Carrigan: Yeah. This is amazing that -- well, actually, I guess I'm not amazed. I shouldn't be amazed but I'm -- I guess what I'm kind of surprised by that, not really surprised but unhappy with is the speed at which this has moved. You know, here we are, we're less than six months away from these voice things coming out and ChatGPT going live, you know, anybody can access and anybody has access to these kind of tools. And here we are and these are now becoming remarkably powerful scamming tools. I don't know. I've already said, we talked earlier about similar stories that were not this advanced. This is really advanced. These guys did their homework. These guys are using open-source intelligence gathering, artificial intelligence, phone number spoofing, and they're creating something that would probably get at least half the people out there to react immediately and not think clearly through it. I mean, these are going to be really effective. And I'm surprised at how fast that came to fruition. I probably shouldn't be surprised though. I mean, these guys are motivated by money.

Dave Bittner: Sure, yeah.

Joe Carrigan: You know, this also brings to the question should we have large swaths of our voice out there everywhere we go?

Dave Bittner: Some of us have -- that horse has left the barn.

Joe Carrigan: That horse has left the barn. And I would tell you this, Dave, when we were talking earlier about the more simplistic versions of these scams, I said I'm going to go and reach out to my family and tell them I'm never going to ask them for money and I did that. I made -- I sent the text out to every member of my family referencing these capabilities and saying, "If you ever get a call from me that sounds like it's from me and I'm asking you to help me with something, hang up and call me back."

Dave Bittner: Right. I think that's the right thing to do. Yeah, I think that's the right message to put out there.

Joe Carrigan: Right.

Dave Bittner: Let me ask you this though, let's say -- let's just try to imagine you're an average person out there minding their own business, right, someone who has not had their own podcast or whatever. How easy do you think it would be to find audio of anyone?

Joe Carrigan: That's a good question. If they have a social media presence, I bet it's pretty easy.

Dave Bittner: I think it might be.

Joe Carrigan: You know, if they have a TikTok account, if they have an Instagram account where they post videos of themselves, it's trivial. I actually wanted to build a robo Joe and found out that using ElevenLabs, you have to actually pay five bucks a month to build your own voice there. But that's a small price for scammers. But I don't want to pay yet.

Dave Bittner: That's interesting. I was able to do mine for free. But maybe that was -- yeah, maybe it was -- maybe they changed their policies.

Joe Carrigan: This is -- people are building these.

Dave Bittner: Yeah, yeah, interesting. Huh. All right. Well, I think there's more of this to come. This is certainly going to get worse before it gets better if it gets better. So, I think it's one of those things that we all need to do our part and warn our loved ones about this.

Joe Carrigan: Right. Especially if you have a podcast.

Dave Bittner: Especially if you have a podcast. Well, it's a thing though. I mean, these -- part of what the deal is with these simulation tools, these synthesis tools is that they require very little sampling data to do what they do. It's scary good. It's scary good. Yeah. All right. Well, that is my story this week. Again, we would love to hear from you. You can email us, it's hackinghumans@thecyberwire.com. All right, Joe, it's time to move on to our Catch of the Day.

[ Soundbite of Reeling in Fishing Line ]

Joe Carrigan: Dave, our catch of the day comes from Michael who writes. "I went looking in my spam folder for a legitimate email today and I spotted this. And, man, this is a doozy."

Dave Bittner: It really is. So, this is an email. I am going to try to do my best to read through this. It starts out, the title says, "Final notice. Emergency guvernament decision announces all your debt had been canceled." And it's from IRS Cash whose email address is not having anything to do with the IRS. And the reply to is a different reply to than the source email, it also has nothing to do with the IRS. And the text of the message says, "We've been trying to reach you many times. Please confirm receipt. Emergency guverninament decision announces all your debt had been canceled. Confirmed by IRS." Now, one of the things I like about this is after the word canceled, there's a little graphic of a police siren.

Joe Carrigan: Right, yes.

Dave Bittner: Like the light part of a police car. Like an old-timey police car, single little -- right, the one that spins around, right. Yeah. Okay. It says --

Joe Carrigan: And you know, you're thinking, ta-na-ta-na-na ta-na-na ta-na-na.

Dave Bittner: Right. It says, "Programs, before they expire today, confirm the claim you cash money from US federation." And it has a name, eligibility status. "Pending confirmation." And it says, "Confirm now." And then there is an address and it says, "This email was sent to you by IRS $ Cash."

Joe Carrigan: IRS $ Cash is the -- that's the people that work at the IRS, Dave.

Dave Bittner: I guess so. I was thinking maybe it was a relative of Gene Simmons from Kiss, you know, he uses a dollar sign instead of Ss in his name. So, maybe it's a buddy of his. Yeah, I mean, this is just one that's so bad that it's just a filter.

Joe Carrigan: Yeah, Michael goes on to point out he says, "I know that these emails aren't designed to fool experts. In fact, they're designed so that somebody with enough savvy won't respond and just end up being a dead end." So, yeah, he's right. This is -- that's exactly what this is for is somebody that is -- would believe this. This is the kind of person they want.

Dave Bittner: Right. Right. That's about as bad as they get.

Joe Carrigan: Yeah.

Dave Bittner: Yeah. All right. Well, again, we would love to hear from you. If you have something you would like us to consider for "Catch of the Day," you can email us hackinghumans@thecyberwire.com.

Joe, I recently had the pleasure of speaking with CW Walker, he is Director of Security Product Strategy for SpyCloud. And we're talking about ransomware and some of his experience when it comes to that sort of thing. Here's my conversation with CW Walker.

CW Walker: I think ransomware is on everyone's mind, right? It's gotten to the point where it's even on the mind of the administration and some of the policies that the administration is enacting. But largely that's because it's become so effective for criminals to line their pockets, monetization through ransomware is really, really, really big right now. So, the reason that we are focusing on this as an industry is not just because of the monetary impact, which is significant, and there are lots and lots of reports from big and small folks in the industry about the impact there. But also, the impact to lives, right? It's maybe something like you and I experience with our municipality being attacked by ransomware and not being able to pay, in my case, my water bills. But ransomware also has a tremendous impact on lives when things like hospitals are attacked. And so, beyond just the financial impact, the human impact of these digital attacks bleeding into the physical space really kind of drives the imperative and the urgency of solving ransomware.

Dave Bittner: Well, when we talk about this notion of post-infection remediation, I mean, I think since the outset folks have talked about protecting yourself from ransomware. And a big part of that has been to have a robust backup strategy. But I'm guessing that this notion of remediation, it's more than that.

CW Walker: Yeah, absolutely. And the way that I conceptualize this for myself is I have a physician who tells me that he can certainly treat my ailments associated with a poor lifestyle. But the preventive measure is a more effective treatment, right? And as we look at post-infection remediation, we're looking really at precursors to ransomware in the case of initial infection vectors like info stealers, for example, which may also come sideloaded with things like CS beacons for persistence. But looking at the entire scope of infection beyond just the device and starting to include in a malware response plan the connected cloud services attached to that individual. So, moving beyond a device-centric view to really a critical workforce or workload or application view beyond just what's sitting on our individual devices.

Dave Bittner: Help me understand how something like that works from a practical point of view. I mean, is this -- I think many organizations today are using multiple cloud installations to do the various things they need to do. Are we talking about a conduit between those various clouds to keep an eye on things? Or how exactly does it work?

CW Walker: Yeah, excellent question. And you're right. Cloud-hosted applications really drive the vast majority of our critical workloads, right? From everything like code repositories which can be extremely sensitive, largely cloud hosted to our AWS or Microsoft or Google cloud infrastructure or it could be something as simple as the way that you and I are interacting in this conversation, right, and how we connect and save information that we can use in other places. Everything sort of has a cloud-hosted application. Stealer malware is looking at any way that it can get access to interesting information that it can use to monetize. Now, the same folks that are trying to monetize credit card numbers from stealer malware are also those folks that are being referred to as initial access brokers and interacting directly with ransomware operators as well. And they differentiate that largely by the cloud applications that they're stealing with the malware. But also, the type of device that they believe that they have infected where an individual device for a personal user with no business applications, that they can certainly monetize those Netflix accounts and those bank accounts. But if they get access to a safe login to a VPN credential or to a single sign-on credential or cookies related to those individual applications, those become way more interesting from an enterprise compromise and they will look then to try and monetize those by sharing or selling those to ransomware operators.

Dave Bittner: What are your recommendations for folks who are looking to dial this in? Everybody has a limited budget, limited resources whether that's time or money, how do you prioritize where you're going to spend that time and money? What are the best areas for your particular organization to build those walls, to install those locks, you know, to build that moat and fill it full of alligators?

CW Walker: Yeah, absolutely. And I would say the absolute cheapest way of doing this from an individual standpoint is free because one thing we don't think about is as we save credentials in our browsers, browsers have this wonderfully convenient function of password and session synchronization, right? And they synchronize our applications for us. So, if I log in on my phone or my laptop, or my desktop computer, my passwords will be wherever I need them. However, stealer malware can take advantage of that as well where if I log into a work computer with a personal profile because maybe I need to check my email every once in a while at work or I believe that I do, that stealer malware is going to be able to take every saved password from both my personal and my work computers and sync them to wherever that infection has happened, thereby exfiltrating potentially some really sensitive stuff. So, disabling browser synchronization from an individual level is one of the first things that you can do. And enterprises should also consider policies inside of browsers that either allow them if they can to prevent that type of synchronization. Or training to tell employees they shouldn't synchronize passwords. From an enterprise standpoint, taking a look at sessions and cookies is extremely important. So, being able to have visibility even if a user's home machine is compromised whether or not an enterprise credential was on that home machine and synched. And so, being able to collect and see the types of information that a bad guy has stolen even if it's outside of the purview of a normal security team.

Dave Bittner: I feel as though sometimes organizations kind of want to have their cake and eat it too where they don't want to spend the money and provide their users with, you know, a company iPhone or Android device or whatever because they're expensive. So, they say, oh, this is great, you know, bring your own device and use that. But then the flipside of that is the user says, well, I'm only giving you so much access to my personal device because it's my personal device, you know. So, how do you thread that needle of respecting a user's privacy but also taking advantage of the many advantages there are of BYOD policies?

CW Walker: Absolutely. Yeah, and this is a big thing, right? And in fact, I would venture to say, and I don't have statistics on this, but I would guess that most organizations have employees that are using their personal cell phones, right, for both business and personal functions. And although most organizations are generally pretty good about providing a laptop, depending on the industry, maybe it is you get to choose your own laptop. And then it feels a little bit more like yours even if it's not necessarily, right? And so, really the challenge for organizations is that visibility. Whether something is inside of my castle walls or not, do I understand what kind of exposures have happened from a stealer-type malware infection? Or do I understand the mechanisms, right, that the malware is employing to get around the things that I do have really secure? Now, I will say that anecdotally, as I've looked at some of our own research and worked with clients in this space, organizations have gotten pretty good at catching and preventing stealer malware infections. It's not perfect certainly but we've all gotten better at it. Where we see the largest impact to organizations are unmanaged devices or undermanaged devices like you're talking about with a "bring your own device" functionality because security teams are sort of like is this something that we should worry about or maybe we do worry about it but is this something that really falls into our purview because it's a personal device. And one example that we saw was an organization that actually was relatively sophisticated on protecting their own devices. But an employee was on vacation and had to fight the fire that popped up at work and logged in, not even to his own device but a family member's device and had passwords sync to this family member's device which was subsequently infected with malware. That is I think by everyone's definition way outside of the purview of the security team, not even in the employee's laptop but an employee's family member's laptop. But understanding the types of information that are stolen by these malwares, credentials certainly, cookies, files, a screenshot, information on the system itself so that they can try and virtualize it with a relatively accurate fingerprint, or use residential proxies to make it look exactly like the victim's machine. Getting visibility into what the criminal underground has stolen from an organization is really kind of the first step to post-infection remediation.

Dave Bittner: Yeah, I mean, that example that you described there, I mean it really does emphasize the need for defense in depth, I suppose, that I mean, there are so many things that you could try to look for along the way, you know, behavioral stuff. Where is this person? They're logging in from somewhere they've never been before on a device we've never seen before. You know, there's all these little red flags that could go off along the way. But again, I guess I wonder how you -- how do organizations not get caught up in a vortex of complexity when there are so many things that could go wrong in so many ways. You can't -- there's that old saying nothing is foolproof to a talented fool, you know. And so, like your example, how do you -- who could predict that? And yet, there it is.

CW Walker: Yeah, absolutely. And I think this really comes down to, you know, like the security in-depth model that you're talking about. But really going beyond a framework of just the device, you know. As we go through a malware response process or an incident response process, it has to be more than just, okay, we have a laptop that was infected that is a laptop -- that is a company laptop and that we own and we do our forensic analysis, we go through our communications channels, we re-image that device or if you're one organization that I talked to you literally light the device on fire, I'd love to be on that team. But it gives us a false sense of security, right, when so much is beyond the edge of the device. So, understanding the potential risks when there is an infection that we know about, going beyond just re-imaging the device but also applying a post-infection remediation framework that is an augmentation to that malware or incident response framework that says, "Beyond the device, we also need to look at all of the applications that user had access to." If it's sort of a sales-focused thing, Salesforce, and a marketing platform, or if it's a developer, maybe it's a ticketing system, access to our code repository, resetting the passwords and invalidating any live sessions to those users, and then also going through the process of validating the data in the applications, the cloud applications to which that user had access to validate that when they were infected, nothing was stolen or compromised, and so to go through that full remediation process, even in those applications that are beyond the edge of the device.

Dave Bittner: Joe, what do you think?

Joe Carrigan: Very interesting. Monetization via ransomware is still a big part of the criminal enterprise business model. We've had a couple of stories that said ransomware is on the decline but last year's data breach investigation report from Verizon showed a 13% increase in incidents. So, I think ransomware is still a big problem. It's not the biggest problem out there. Business email compromise is going to have much bigger losses per event in terms of monetary losses. But ransomware usually almost always is also a data breach event as well. So, there are significant losses or significant events rather that can actually have significant financial losses. It's not going away any time soon because it is a great way to monetize your unethical behavior, I guess. That's a great way to get money out of people. The human impact is something that really concerns me. Getting ransomware into some critical utility's operational technology could be devastating. You know, what's the three-three-three, you can go three minutes without air, three days without water, and three weeks without food. You know, if you shut the water down in an area, you're going to cause a lot of havoc. Right. That's going to be a very large problem to deal with. An even bigger problem to deal with, we've already kind of seen is the medical incidents. You know, we've seen ransomware events that have impacted medical facilities where people have had to be -- had to have been re-routed. And there was a case in Germany where somebody died on the way to being re-routed.

Dave Bittner: That's right.

Joe Carrigan: So, these have real-world impacts and these are the things that concern me the most. Speaking of health care, I kind of like CW's analogy about personal health with the prevention of ransomware being worth a pound of cure. The more you can do to stop that from happening, the better off you'll be because you won't have to experience it. Right. It's just a better way to go about your business I think. Code repositories coming under attack from ransomware, do you remember the Codespaces attack back in 2014?

Dave Bittner: I don't think so.

Joe Carrigan: I remember this because it wasn't actually ransomware, it was a ransom attack but these guys got into Codespaces, the AWS frontpage, the portal, you know, they got into the console, that's the word I'm looking for. They got into the console and they said if you don't start giving us money, we're going to just start deleting things. And then the guys from Codespaces decided they were going to try to back things up and the bad guys saw that happening and just started deleting everything they could. And they wound up putting that company out of business.

Dave Bittner: Wow.

Joe Carrigan: I had a small business at the time with some friends of mine where we had some code in there, and we got an email that said, yeah, Codespaces is gone, we're just shutting down. Now, fortunately, we still had the code on our local machines. But our code repository was destroyed. So, it was just gone. I also thought that the BYOD discussion was really interesting, this bring your own device, and the particular hack that gets discussed in this where somebody is logging in, not from their machine, not even from their personal machine but from a family member's personal machine that later then gets compromised after they've put their credentials on the machine and some info stealer comes in and takes that stuff away. It's -- I don't know how you protect against that aside from using multifactor authentication. I mean, that's really the only solution there, a hardware-based multifactor authentication token or maybe certificate-based authentication would work as well. But actually, that might not work because the certificates may -- or, you know, the private keys may have been on that computer as well. I think the hardware token might be the only way to do it. And your point in this discussion is really good that humans are fantastic at doing unexpected things.

Dave Bittner: Anybody who's had kids.

Joe Carrigan: Right. You can do all the planning in the world for all the cases you think are going to happen, and a new case is going to come up, a new use case, a new security case, something is going to happen. It's just the way humans are. We're -- I don't know. I want to say we're terrible this way but it's actually probably one of our strengths.

Dave Bittner: Nothing is foolproof to a talented fool.

Joe Carrigan: Right. Well, humans are resourceful creatures. We're going to find a way to get around something. And we're going to find a way to get done what we need to get done. And that's what you're looking at here. So, CW has a couple of good tips here. Disable browser synching, particularly for passwords. I don't use the password manager that comes in any of the browsers. I just don't trust them and exactly for the reason that gets talked about a lot in this interview. If there is an information stealer on your computer and it gets access to those managers, if it can get around the encryption that's in place, or if it can wait until you unlock it and decrypt it, then it's going to take the information. That doesn't mean that other password managers are more secure, that's also a risk factor with other password managers. But it's you don't automatically sync it across all the locations, right?

Dave Bittner: Right.

Joe Carrigan: So, it's a different problem. Manager tokens in your cookies, that is for an enterprise, that's really important. And this is where we're going to start seeing more and more of these attacks getting manifested is in this space where people are losing their tokens or their cookies to malicious actors because those are the pieces of the session that are awarded or provided to the user after they've been through the authentication process. They are demonstrations of existing authentication. So, if I can circumvent the authentication process by demonstrating that I'm already authenticated with these tokens or these cookies, that's what I'm going to do. Now, that is a lot harder to do than just a simple social engineering attack where I try to harvest credentials from somebody. This does actually involve real skill to do it, but eventually, there are going to be tools out there, commodity tools that help bad actors do these things.

Dave Bittner: Right. All right. Well, again, we'd like to thank CW Walker for joining us. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. We'd love to know what you think about this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like "Hacking Humans" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben, the show is edited by Elliott Peltzman, our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.