Replier attacks: the latest tool in a hacker's arsenal.
Jeremy Fuchs: Software engineers are expecting us to not slow down, because we don't. We haven't given them evidence that we do.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans Podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We got some good stories to share this week, and later in the show, my conversation with Jeremy Fuchs. He's the cybersecurity researcher at Avanan. We're going to be talking about the Replier Attack.
All right, Joe, before we jump into our stories this week, we got a bit of follow up here. You want to lead us into this segment?
Joe Carrigan: Sure. First comment comes from a listener named Wayne, who writes in with some comments about Episode 245 where we talked about Matt's wife buying a gift card at Dick's Sporting Goods.
Dave Bittner: Right.
Joe Carrigan: And then having her other card, not the one she used to buy the gift card, but a MasterCard being used at dicks.com.
Dave Bittner: Yeah.
Joe Carrigan: Where the one she used was an American Express, I believe.
Dave Bittner: Okay.
Joe Carrigan: And Wayne says it is possible that the author's wife made a purchase at Dick's Sporting Goods in person.
Dave Bittner: Yeah.
Joe Carrigan: And Wayne guesses that she doesn't have an RFID-protected wallet and that somebody scanned her wallet with an RFID reader and got probably the MasterCard and the American Express card in the return values, and when they went to use it online at dicks.com, they said, "We'll use the MasterCard," because that's probably what she used at Dick's, which is a safe assumption, I guess. It's piggybacking off the scheme to grab credit card numbers and then use it at the dot-com site.
Dave Bittner: Yeah.
Joe Carrigan: Which makes sense, I guess. One question is, how would they have gotten the CVC, which is the card verification code on the back, and the zip code.
Dave Bittner: Right.
Joe Carrigan: I don't know. I don't know that information. The zip code is not on the credit card, but I think the CVC is.
Dave Bittner: Yeah.
Joe Carrigan: But I don't -- I'm not sure how this works. I, you know what, I really have to look into the RFID process in a chip.
Dave Bittner: Oh, I did. I did.
Joe Carrigan: You did?
Dave Bittner: Yeah, I did. I looked -- actually, I found a video about it, since we talked about it, so I'll include a link to that in the show notes for our listeners, and you can check it out as well, and we can chat about it next time.
Joe Carrigan: Okay, yeah.
Dave Bittner: I'll handle this next one. Michael writes in and says, "Hi, Dave and Joe. I hadn't used ChatGPT until a few minutes ago, but I thought I'd share my first three responses for you to enjoy or cringe at." Okay, so the first prompt was "write a haiku about Chuck Norris going fishing," and it's fishing with an "F." Chuck Norris fishes, silent patience, steady hand, river trembles, yields. Oh, that's good. I like that.
Joe Carrigan: Pretty good haiku.
Dave Bittner: It's pretty good. The second one is "write a haiku about Chuck Norris phishing," and this is phishing with a "ph."
Joe Carrigan: Right.
Dave Bittner: Chuck Norris phishing, online hackers beware now, justice is served well. You got to love a good Chuck Norris joke.
Joe Carrigan: Not as good of a haiku, but still pretty funny.
Dave Bittner: Yeah, yeah. Well, and, you know, ChatGPT knows the difference between "fishing" and "phishing."
Joe Carrigan: Yes.
Dave Bittner: And then the third prompt was "write a review of the Hacking Humans podcast by Chuck Norris," and ChatGPT said, "I apologize, but Chuck Norris does not host or produce the Hacking Humans podcast. It is hosted by cybersecurity experts Dave Bittner and Joe Carrigan."
Joe Carrigan: All right.
Dave Bittner: Hey, that's us.
Joe Carrigan: ChatGPT knows who we are, Dave.
Dave Bittner: Yeah, and somehow it thinks we're experts.
Joe Carrigan: Right.
Dave Bittner: I'm a little less comfortable than I was two seconds ago.
Joe Carrigan: Right.
Dave Bittner: However, as an AI language model, I can still provide a review of the podcast. Uh-oh. It says, "The Hacking Humans podcast is an excellent resource for anyone looking to improve their awareness of cybersecurity threats and how to stay safe online. Dave and Joe are engaging hosts who take a deep dive into various types of cybercrime such as phishing scams, malware attacks, and social engineering techniques. They explain these concepts in everyday language, making them accessible to even the non-technical listener." Oh, I'll take that.
Joe Carrigan: Yeah, that's a pretty good review.
Dave Bittner: Yeah, yeah. I'll take it. Interesting.
Joe Carrigan: I'm guessing that ChatGPT has been trained on language that includes podcast reviews.
Dave Bittner: Yeah.
Joe Carrigan: So I'm going to guess, by this review, that most of our reviews are positive.
Dave Bittner: Yeah, and I would guess also that it probably vacuums up every transcript that we have, because every one of our shows is transcribed and on the CyberWire website, so I would guess that those have been acquired by the learned -- by the language model as well and used in -- one thing that fascinates about -- fascinates me about this is that they use the phrase "deep dive." Okay, so they say, "Dave and Joe are engaging hosts who take a deep dive into various types of cybercrime."
Joe Carrigan: Right.
Dave Bittner: That is a writing --
Joe Carrigan: Crutch?
Dave Bittner: Crutch, crutch, yeah.
Joe Carrigan: Trope?
Dave Bittner: A habit, I don't know. One of the writers on the CyberWire staff really likes to make use of that turn of phrase.
Joe Carrigan: Deep dive.
Dave Bittner: Deep dive. And so what's fascinating to me is that there's probably a lot of writing on the CyberWire website, and even could be writing describing this show --
Joe Carrigan: Yes.
Dave Bittner: That uses that turn of phrase. So for it to come back in ChatGPT using that specific turn of phrase, that's fascinating to me.
Joe Carrigan: Yeah, I would agree. That's very interesting.
Dave Bittner: Yeah, yeah. All right, well, our thanks to everyone for writing in. Of course, we love hearing from you. You can email us. It's hackinghumans@n2k.com. All right. Joe, let's jump into our stories this week. I'm going to start things off for us. My story comes from the folks over at Bleeping Computer.
Joe Carrigan: I love the name. It's always been one of my favorites.
Dave Bittner: Yeah, yeah. And this is written by Bill Toulas and it's titled "Sextortionists are Making AI Nudes from your Social Media Images."
Joe Carrigan: Now, this is interesting.
Dave Bittner: Yeah, so actually it's a warning from the FBI, who, through their IC3 portal published an alert that they're tracking an uptick in this kind of scam, extortion activity. So just real quick, I mean, sextortion is a type of online blackmail where the bad guys will threaten you with publicly leaking explicit images or videos that in the past they had stolen.
Joe Carrigan: Right.
Dave Bittner: Or acquired, and usually they would demand money.
Joe Carrigan: Yeah.
Dave Bittner: In order to not make those videos or images public.
Joe Carrigan: And you would feel compelled to deliver the money because you had absolutely had a lapse in judgment where you allowed these guys to take these -- get ahold of these images.
Dave Bittner: Correct.
Joe Carrigan: So that brings up my point here. Does the fact that these guys are now doing this make it easier to turn down actual sextortion attacks?
Dave Bittner: So that's a really interesting question, and there's -- here's an interesting little tidbit about this. The FBI says, "Based on recent victim reporting, the malicious actors typically demanded either payment in the form of money or gift cards with threats to share the images or videos with family members or social media friends if the funds were not received, or they demand that the victim send real sexually themed images or videos."
Joe Carrigan: Never do that.
Dave Bittner: Yeah.
Joe Carrigan: Yeah, never do either one of these things.
Dave Bittner: But you could imagine how someone could be in a state of fear and, you know, emotional dismay --
Joe Carrigan: Yeah.
Dave Bittner: That they would --
Joe Carrigan: Absolutely.
Dave Bittner: They would do that. If you don't do this, then we're going to share this -- this image that's worse than anything you've ever been a part of.
Joe Carrigan: Right.
Dave Bittner: With all your friends and family. Yeah.
Joe Carrigan: Yeah, the -- right now my mind is going into a really dark place and I want to get out of that.
Dave Bittner: Okay.
Joe Carrigan: But -- because of what you just said, but -- and I would -- that would be horrifying.
Dave Bittner: Yeah.
Joe Carrigan: Does the FBI make notice -- make note of who's being targeted, whether or not it's men or women?
Dave Bittner: They don't say anything specifically about sex or gender here. They do say that some of these folks are going after people who are under age.
Joe Carrigan: Right. Well, they don't care who they go after. They're criminals.
Dave Bittner: Right, right. They do say that --
Joe Carrigan: Although if they're asking those people to send nudes, they have a bigger problem than just extortion.
Dave Bittner: Yeah, yeah. But, you know, whoever's doing this is most likely outside of the long arm of U.S. law.
Joe Carrigan: Yeah, but nothing unites foreign law enforcement like CSAM.
Dave Bittner: Yeah, that's true.
Joe Carrigan: It really is the universal disgusting thing on the internet that everybody wants to get rid of.
Dave Bittner: Right. That's a good point.
Joe Carrigan: And nobody wants that out there, and there are vast quantities of organizations that are willing to get together on this. So this --
Dave Bittner: Right.
Joe Carrigan: I don't know, it's -- I would tell these guys, "You should stop doing this." But when we started talking about these AI image generation models --
Dave Bittner: Yeah.
Joe Carrigan: That would take the clothes off of a person in a picture --
Dave Bittner: Right.
Joe Carrigan: It didn't matter who the picture was, when the person was naked, they were a woman.
Dave Bittner: Oh, right, yeah, yeah.
Joe Carrigan: Because they were -- these things were designed by guys that wanted to see what these people would look like without their clothes.
Dave Bittner: Right. So if you fed it a picture of me --
Joe Carrigan: Right.
Dave Bittner: It would take my clothes off, but underneath, there would be a female body.
Joe Carrigan: Yes.
Dave Bittner: Yeah.
Joe Carrigan: Yes, and it would be very disturbing with your beard and long hair and --
Dave Bittner: [laughs] Maybe for you.
Joe Carrigan: Yes. I saw some pictures of some world leaders who had that happen to them.
Dave Bittner: Right.
Joe Carrigan: They were hilarious, and I love seeing any politician in power being made fun of, so --
Dave Bittner: Right.
Joe Carrigan: That's my own thing, but yeah, so I'm wondering if these guys are targeting -- have they finally gone ahead and generated an AI model that will take the clothes off a man and make them look realistic?
Dave Bittner: Yeah.
Joe Carrigan: Or what -- I mean, my -- and my point I asked you about earlier is, now that this is becoming a public concern, the FBI is even warning about it. If you're actually in a sextortion scam where somebody says, "I'm going to drop these pictures of you to your social media account," you can say, "Well, I'm just going to say they're AI-generated. Go ahead and drop them."
Dave Bittner: Right, right.
Joe Carrigan: And I'll tell everybody -- I'll lie myself silly telling everybody these are AI-generated, don't pay attention to them.
Dave Bittner: Yes. I do think that that is probably an easier tack to take for middle-aged, slightly pudgy white guys, like you and me.
Joe Carrigan: Yeah, absolutely.
Dave Bittner: Good to say, "Yeah, have at it. I don't care."
Joe Carrigan: Right.
Dave Bittner: You know, but --
Joe Carrigan: Now, you do this to a kid --
Dave Bittner: Right.
Joe Carrigan: You do this to someone who's 17 or 18 years old --
Dave Bittner: Right.
Joe Carrigan: And you can create a real fear tornado in their head.
Dave Bittner: Yeah.
Joe Carrigan: It's, you know, and we've heard horrible stories about these -- about outcomes here.
Dave Bittner: Right.
Joe Carrigan: And like you said, you've said before, have the conversation with your kids. I don't care what the bad guys are telling you. Nothing's going to make me embarrassed of you or stop caring about you or be angry with you if this happens.
Dave Bittner: Right.
Joe Carrigan: Okay?
Dave Bittner: Right.
Joe Carrigan: Just come to me and talk about it and we'll be done with it. It'll be over and we'll just get through it. It'll be a short-lived thing.
Dave Bittner: Right.
Joe Carrigan: As opposed to taking something that, you know, losing money or whatever, or, God forbid, worse.
Dave Bittner: Yeah, yeah. This article also points out that the tools to do this are available in some of the underground forums, the dark web markets. The ones that are on legit resources, like GitHub, are -- they generally have functionality that prevents them from generating these kinds of things.
Joe Carrigan: Right, yeah.
Dave Bittner: But yeah, you know, I mean, this sort of thing has been around, well, probably as long as there's been photography, people have been manipulating it.
Joe Carrigan: Yes.
Dave Bittner: You could do this with a couple of photos and a pair of scissors and some glue.
Joe Carrigan: Yeah.
Dave Bittner: You could do a primitive job of it, and certainly as soon as Photoshop became a thing, you know, fakes, fake nudes became a thing.
Joe Carrigan: Yes, they did.
Dave Bittner: But what's changed here is just how easy it is to do, how quickly you can do it, and how you can do it at scale, and how you can automate it. It takes very little time and effort to have something come out that would be extremely high quality.
Joe Carrigan: Right, and these are only going to get better.
Dave Bittner: They are. You know, they have some tips here. The FBI says that parents should monitor their children's online activity, of course.
Joe Carrigan: Yes.
Dave Bittner: Parents should conduct online searches to determine the amount of exposure their children have online.
Joe Carrigan: Yeah, Google your kids.
Dave Bittner: It says that adults who post images or videos should restrict the viewing access to a small private circle of friends, and children's faces should always be blurred or masked. I get that. I don't know how realistic that is --
Joe Carrigan: Yeah.
Dave Bittner: In the world of social media. I think -- I think that's probably -- I would agree that's the best practice, but --
Joe Carrigan: Yeah.
Dave Bittner: I don't know how practical --
Joe Carrigan: Are you going to do that with every single picture you uploaded?
Dave Bittner: Right.
Joe Carrigan: You know.
Dave Bittner: And I do see people who are extraordinarily vigilant about it, and hats off to them, but I know I haven't been.
Joe Carrigan: Yeah.
Dave Bittner: You know.
Joe Carrigan: Me, too.
Dave Bittner: There's tons of pictures of me and my kids and my family and, you know, that's part of what social media is.
Joe Carrigan: I do restrict access to my social media pages, particularly my Facebook page.
Dave Bittner: Yeah.
Joe Carrigan: The only people that can see anything I put on Facebook aside from my profile pic are friends.
Dave Bittner: Right.
Joe Carrigan: Not even friends of friends can see it.
Dave Bittner: Yeah. I think that's wise.
Joe Carrigan: Yeah, otherwise, you see my profile pics, which are composed of people who have passed away, and I make a temporary profile pic, like I think you might see Grant Imahara -- Grant Imahara and R. Lee Ermey and -- for when those guys passed away, but generally it's just a stapler.
Dave Bittner: Yeah [laughs], okay.
Joe Carrigan: Actually, right now --
Dave Bittner: Desktop stapler.
Joe Carrigan: It's me drawn in the style of Rick and Morty.
Dave Bittner: Okay.
Joe Carrigan: Because one of my daughter's friends is now actually a Rick and Morty comic book artist.
Dave Bittner: Oh, wow.
Joe Carrigan: So she was signing my comic book and drew a picture of me as a Rick and Morty character.
Dave Bittner: Oh, that's neat.
Joe Carrigan: Because I'm making that my profile.
Dave Bittner: There you go. A couple other things they say here, they say if you do discover any of this content, be sure to report it to the authorities, and certainly the FBI wants to know about this sort of thing. And then they also note that in the U.K. they have a law where they have amended their online safety bill and they're classifying the non-consensual sharing of deep fakes as a crime, which is great.
Joe Carrigan: I think that's a great idea.
Dave Bittner: Yeah.
Joe Carrigan: I think we should be -- we should be doing that here in the U.S. as well.
Dave Bittner: Yeah.
Joe Carrigan: As soon as possible, actually.
Dave Bittner: Yeah.
Joe Carrigan: Non-consensual sharing of fake media, it should be a crime.
Dave Bittner: Right. Yeah. If only we had some sort of federal privacy legislation, but as Ben and I were talking about on "Caveat" recently, don't hold your breath.
Joe Carrigan: Right.
Dave Bittner: Sadly, with the way that Congress is functioning these days. It's like molasses trying to get anything through there.
Joe Carrigan: Although cybersecurity seems to be the one place where they agree on things.
Dave Bittner: It does, it does, but it still seems like at the state level is where all the action is --
Joe Carrigan: Yeah.
Dave Bittner: These days, so we'll see. All right, well, we will have a link to that story in the show notes. Joe, what do you have for us?
Joe Carrigan: Dave, my story comes from Tripwire and they have a blog post written by David Balaban in the -- I love the title of this, the "Offbeat Social Engineering Tricks in a Scammer's Handbook." So this article, it does a little bit of frontmatter where it talks about what social engineering is and all that.
Dave Bittner: Yeah.
Joe Carrigan: Of course, everybody who listens to this show on a regular basis already knows.
Dave Bittner: Right.
Joe Carrigan: But one of the first things that David talks about in this article is the sketchy "at" sign, and we were talking about this over on the CyberWire recently.
Dave Bittner: Okay, yeah, I remember that, sure.
Joe Carrigan: This is where somebody sends you a URL, and in the URL, there's an "at" sign, and what happens when you're using a web-based URL, your web browser will ignore everything in front of the "at" sign because the "at" sign, everything before the "at" sign is designed for a URL that might not be connecting to a web service. It might be connecting to like an old telnet service.
Dave Bittner: Okay.
Joe Carrigan: And it was supposed to be used for username and password pairs.
Dave Bittner: Okay.
Joe Carrigan: But the HTTP protocol specifically says, just ignore everything before an "at" sign.
Dave Bittner: Yeah.
Joe Carrigan: So I can say -- send you a link that says www.google.com @joesmaliciouswebpage.com, right, and your web browser will ignore "google.com" and go to Joe's malicious web -- malicious web page.
Dave Bittner: Right.
Joe Carrigan: So that's how that works.
Dave Bittner: Yeah.
Joe Carrigan: And of course, you can obfuscate the web address even more, and there's tons of things you can do. We talk about it in depth -- I won't go into it here because it's way too technical for this podcast, but we do talk about it over there, so listeners can go check it out.
Dave Bittner: Yeah.
Joe Carrigan: And that's the next thing that David talks about here, is the malicious encoding, which we actually talked about there as well.
Dave Bittner: Yeah.
Joe Carrigan: The next thing he talks about is link preview exploitation, where David talks about the -- compares, actually, link previews and Windows hiding file extensions, which, by the way, is the first thing I turn off on a new -- a new Windows install. I always want to see the file extensions, and I don't know why anybody would not want to see the file extensions. It just doesn't make sense to me. Of course, I started using a computer back in the days when you had DOS and you could only see the file extensions, right. Never turn that off.
Dave Bittner: 8.3.
Joe Carrigan: Right, the old 8.3 file naming.
Dave Bittner: Right, right.
Joe Carrigan: Which I think was actually a holdover from CP/M, if I'm not mistaken.
Dave Bittner: Okay.
Joe Carrigan: David says a similar hoax can be accomplished with URLs using the exact same technique that I just described for you where you take the good name, or the good company name, "at" sign, bad company name, and then when you mouse over it, you are actually going ahead and looking at the webpage, right? I think that happens a lot on phones, where you do it. The next one, he talks about -- this is a very interesting social engineering attack, phone reconnaissance. So imagine an attacker calling into the phone number space of your company.
Dave Bittner: Okay.
Joe Carrigan: So they get your phone number space and maybe they get a directory online, maybe they get enough phone numbers where they can say, "Okay, I see how this works," and they start dialing random numbers at your phone company.
Dave Bittner: Right.
Joe Carrigan: And then someone is on vacation and their outbound voicemail message says, "I'm on vacation right now." Ah, that's a good piece of information, isn't it? Because then the next thing I could do is figure out who that person talks to and works with and send them an email from some Gmail address going, "Hey, I'm on vacation right now and I really need to get this thing done." Right? And that could be the beginning or it can be the reconnaissance that leads to an impersonation attack. Then he talks about the good old paper mail lure, and we've seen a few of these in our time on this show.
Dave Bittner: Yeah.
Joe Carrigan: And these are the scams that actually take a good deal of expense to carry out. Sometimes we've seen people send in thumb drives with malicious software on them, or they're not actually thumb drives. They're just rubber ducks that are actually keyboard devices that enter a -- that run a script when you plug them in.
Dave Bittner: Yeah.
Joe Carrigan: They could also be -- go to this website and enter this information. There's really no limit to what you can do with this kind of attack.
Dave Bittner: Okay.
Joe Carrigan: Your information is -- the information gain is limitless, I think. But the drawback to it is that it is an expensive attack, so you don't see it very often.
Dave Bittner: To actually send someone a physical device.
Joe Carrigan: Yeah.
Dave Bittner: Yeah.
Joe Carrigan: Or even just a physical mail message.
Dave Bittner: Right.
Joe Carrigan: I almost got duped by one of these recently with a -- by a financial institution. This was a legitimate financial institution that knows some other financial activity has taken place in my life recently.
Dave Bittner: Yeah.
Joe Carrigan: And they sent me an email -- a physical mail about it and I looked at it and I was like, "What is this?" And my wife was like, "I don't know," and it took us like two minutes of looking at it and scrutinizing, not two minutes, but 30 seconds of looking at it and scrutinizing it to go, "Oh, this is an ad. They want us to call so they can try to sell us more financial products."
Dave Bittner: Right.
Joe Carrigan: Well, I don't need any more financial products. I just got this one.
Dave Bittner: Right.
Joe Carrigan: Another great -- this was one of my favorites, "OSINT," they call it. Actually, that's what it's called, "OSINT," but it actually stands for "Open Source Intelligence," and this is really, really important for every social engineer out there. In fact, there's even a toolkit called the "Social Engineering Toolkit" that lets you use and -- or helps you document all of your open source intelligence gathering before you even make a first call, right? The problem with OSINT is that there is absolutely nothing you can do to prevent it. Nothing. If you've already got the information out there, it's going to be found by somebody. I mean, I guess there is one thing you can do and that's not put a lot of stuff out there, like we were talking about in your story with the Facebook, lock down your social media and everything, but when you're a business, a lot of your stuff has to be out there and discoverable by people.
Dave Bittner: Right.
Joe Carrigan: And when you're a business, the biggest source of open source intelligence gathering is going to be places like LinkedIn, and it just -- you can almost build an entire org chart from LinkedIn.
Dave Bittner: Yeah.
Joe Carrigan: It's amazing how much you can get. And finally, the last one that David talks about here is the rabbit hole manipulation. Now, we've all heard of watering hole attacks, right?
Dave Bittner: Right.
Joe Carrigan: But this is kind of similar in that it's kind of a -- he calls it an "intricate method of social engineering." You try to lead people down a rabbit hole that you know will interest them. So you don't poison the waterhole like a watering hole attack, but you create a whole new place for someone to go and it turns out this is just a new -- a newly launched malicious website, but it's going to lure you in with some information that you may be interested in.
Dave Bittner: Right, presumably information that got through OSINT.
Joe Carrigan: Right, correct. It can build this rabbit hole with OSINT information.
Dave Bittner: Right.
Joe Carrigan: It's a pretty good article. You know, it comes up with a couple of things that are novel that I hadn't seen before.
Dave Bittner: Yeah.
Joe Carrigan: So I liked it. I thought it was pretty good, and there's a link in the show notes, so everybody should check it out, I think.
Dave Bittner: All right, very good. Again, we will have links to all of those stories in our show notes, and we would love to hear from you. Our email address is hackinghumans@n2k.com. All right, Joe, it's time to move on to our Catch of the Day.
[ Soundbite of reeling in fishing line ]
Joe Carrigan: Dave, our Catch of the Day comes from Tim who writes, "I got this Telegram message from a dear friend," in quotes, "deleted account this morning. Keep up the good work."
Dave Bittner: All right.
Joe Carrigan: So by the time Tim saw the message, the account had been deleted.
Dave Bittner: All right, it goes like this, "Hello, dear friend. I'm an analyst in the field of digital currencies. I have many years of experience in this field. Team analysts will share information about the coin here. If you're interested in currency, you're welcome to join us and we will formulate an efficient plan for you. Join us at the link below. We'll make a detailed plan for you to help get you high returns, help you earn an average daily income of $1,000 to $2,000."
Joe Carrigan: Wow. Dave, we're going to be rich.
Dave Bittner: Of course we are.
Joe Carrigan: The interesting thing is that the very first thing they send along is a link that takes them to WhatsApp, to a WhatsApp -- a group in WhatsApp. It's a group invite in WhatsApp. So the first thing they do is entice you. The very next thing they do is change platforms on you.
Dave Bittner: Right, right, right. Never go to a second location.
Joe Carrigan: Right, exactly. Never go to the second location, and that's what this is. This is just a crypto scam. If you join into this, they're going to tell you there's going to be a bunch of people in this group who are like, "Oh, yeah, this is great."
Dave Bittner: Yeah.
Joe Carrigan: They might not even be people.
Dave Bittner: Yeah, "I've made millions." Yeah, "You're nuts if you don't sign up for this."
Joe Carrigan: Right.
Dave Bittner: Right.
Joe Carrigan: And they're going to tell you to go out and buy some cryptocurrency on a legitimate exchange and send it to them.
Dave Bittner: Right.
Joe Carrigan: Like we had the CTO of -- or CSO of Kraken --
Dave Bittner: Right.
Joe Carrigan: On a couple of weeks ago and he was talking about these kinds of scams.
Dave Bittner: Yeah.
Joe Carrigan: That's what's going to start here.
Dave Bittner: Yeah, yeah. All right. Well, thank you, Tim, for sending that in. We do appreciate it.
Joe, I recently had the pleasure of speaking with Jeremy Fuchs. He is a cybersecurity researcher at Avanan, and we're talking about something called the "Replier Attack." Here's my conversation with Jeremy Fuchs.
Jeremy Fuchs: So, you know, we're constantly monitoring all attacks that are being aimed at our customer environments, and we're sort of flagging ones that we think are interesting or unique or different and sending them to myself and a few others for analysis and say, hey, is this something that the broader security community and even just the general audience might be interested in, because we're seeing it in many customer environments. Certainly other customers or companies are seeing it around the globe. So that serves as our general process. Obviously, we see some attacks that are very basic or very non-interesting and we block them and go about our merry way. But when we see attacks like this one and many others that we publish, we're looking for something unique, you know, maybe we've never seen it before or have only seen it a few times, or just try something that's different, and we're sort of impressed by the techniques and tactics and how the hackers are employing new strategies and what it says about what we need to do as security professionals to understand, you know, these different attacks, these different motivations, you know, and apply, if necessary, new strategies or how we defend it. So all the attacks that we've published, including this one, are attacks that we blocked from the get-go, but when we see them, we're like, no, this is really kind of interesting and think it's worthy of further discussion.
Dave Bittner: Well, let's dig in here together. Can you describe to us what exactly is going on here?
Jeremy Fuchs: Yeah. So I think what's important first to start out with is, the reply address in an email -- or I'm sorry, the "from" field in an email is kind of a vague thing. I mean, it sounds kind of silly, but, you know, you can put -- just like when you write snail mail, if anyone ever does that anymore, you can put any address on the front line. I mean, you can put Santa Claus, right? There's no real legal requirement that you have to put your own address in the "from" section on your envelope, and some people don't even do that, right? So just like how we do that in snail mail, the same thing applies for email. We can kind of fudge where the email is coming from, and even more importantly, in this attack, we can change the reply-to address. So when we click -- when an end user clicks "reply" in an email, we think it's going to the sender, and in many cases it is. In this case and in another attacks we've seen, it's going somewhere else. So what the hackers are trying to do here is say, "Hey, I want you to think I'm sending -- you're sending an email to the address that you see that looks like it comes from a company. However, what you're really doing is sending it to my personal hacking account." And, you know, they'll change it and it'll be a very similar domain or a very similar username, whatever it might be, but the idea is to catch people in something that they're not expecting to look at. I mean, if you think about it, one thing I like to do when I think about these attacks is, how would somebody fall for it, right? How many times a day do we reply to an email? Hundreds, right? Thousands, you know, so we see it comes from John Doe, we reply, and we have confidence that it's going back to John Doe, right? That's how email works.
Dave Bittner: Right.
Jeremy Fuchs: But when there's a reply-to address involved and it's different, if you're not checking that, you will have no idea that it's going to a place other than where you think, and so that's what this attack takes advantage of, and it's hoping that you're not noticing, and it's what a lot of social engineering is hoping you're not noticing.
Dave Bittner: And what are the social engineering elements here? Who are they pretending to be?
Jeremy Fuchs: Yeah, so they're pretending to be a French energy company called "Total Energy." It's obviously not Total Energy, and they are basically asking for a request for proposals to purchase a centrifuge. That was another thing that sort of ticked us off. We're like, hey, that's -- emails don't, you know, people don't ask for centrifuges.
Dave Bittner: Right, not generally on your average person's shopping list.
Jeremy Fuchs: Right, exactly. So we're like, okay, in addition to the technique of the reply-to, we were like, well, what are they trying to do here, right? And so, you know, and they don't fully know, but when we see the term "high-performance centrifuge," you know, your mind starts spinning, hey, this may be not only -- maybe they're not trying to get money here. Maybe they're trying to get something really -- you know, so this is -- so that's what they think, the attack itself is really hoping that someone think, A, thinks it's legitimate and has a need for a centrifuge or want to sell. It's a specific attack, and obviously, you know, the chances of success are probably quite low, but they will have harvested your email, maybe other information, if you fill out a request -- the request for proposal, and they can do future attacks. That's another thing we see common, is that attack one, hey, great, we get money or whatever, it's awesome, but we also want to set up attack two, three, and four, and this is another way to do that, because if you fill out the document, even if nothing comes to pass, they have more of your information and they can target something else out a lot.
Dave Bittner: So really, perhaps establishing a line of communication with someone and using keywords that they would understand specific to their industry.
Jeremy Fuchs: Yeah, exactly. I mean, look, we've all gotten those very basic credential-harvesting emails where we click a link and it's a fake Microsoft lock, and that's sort of a one and done attack, right? I've got your login. All right, I'm going to move on. Maybe I'll sell it. Maybe I'll do something else. You know, a lot of these social engineering attacks are about a long game, right? Hey, maybe I get all the information I needed in the first email and that's great, but I probably won't. I have to engage with you and email with you, right? And I have to continue a conversation and build trust and rapport so that you, the end user, thinks that the hacker is legitimate, the company legitimate, all that stuff, and sending them money or information is just second nature. What we've noticed is that some are really good at it. Some are not so good at it. The ones that are really good at it and really technically savvy are usually the ones that can, you know, make some money off of it.
Dave Bittner: Well, I mean, in a perfect world, folks would be looking at these reply addresses and really scrutinizing them, but, of course, as you pointed out, you know, we're all busy, and we're replying to lots of emails every day, so that might not be practical. What other types of things can organizations put in place to protect themselves against this sort of thing?
Jeremy Fuchs: Yeah, absolutely. I think there's two things. One, we need to educate people about the reply-to fields, and that probably has to become a broader part of our security awareness training. I mean, I think if you were to ask many of your own employees about the reply-to field, my guess is that many wouldn't even know it existed. So that's step number one. We just got to say, "Hey, there's more to email than just the to and fro," right? It's a somewhat complex system of sending, you know, electronic messages. So that's number one. Number two I think is really important that applies to this attack, but also really any sort of business email compromise attack, anything where you are potentially sending out money. Anytime you're sending out money or banking information, there needs to be some processes in place. It's not sufficient, really, for the average employee to be able to send out an invoice and banking information, right? There should be controls and processes and plans in place, you know, so that somebody can't just fall for something, right? And it's not to say that the end user is doing something wrong. It's to protect the organization and to protect everybody from themselves, establishing the process so that we know for sure, 1,000%, that when we are paying an invoice, it is correct, to the right person, to the right bank account so that we don't get swindled, and that, you know, requires a bit of a step back. It requires -- different processes are going to look different in every company, right, depending on company size and industry and are you a public company or not. There's going to be different processes and it's going to be -- and you got to figure out what makes sense and what works. But I think it's really important to build in these processes and systems so that even if an end user falls for anyone that isn't legitimate, it won't be the end of the world because we've established that second layer or third layer of checks. 
You know, we talk so much in security about defense in depth, right? It's not enough to have one system. You need two or three. Well, the same thing should go for finance and sending out invoices, and especially when we're doing it all digitally, right? No one's really writing a physical check anymore. So that's all really important, and it's a little bit past the security realm, but I think it helps protect against the attacks that are aiming to expose those organizations that don't have those processes in place.
Dave Bittner: Yeah. Is there any ability to use some sort of automation for this thing? And I'm thinking of, very often you'll see organizations have warnings that pop up that say, "Hey, be extra careful. This comes from outside of our organization." Could you apply that to this, or is the reply field just too variable?
Jeremy Fuchs: Well, I mean, you can, you know, be pretty flexible on this, right? You can set a policy within your email security provider to say every email that comes from outside my organization, whether it's google.com or a fake French energy website, has that external label "use caution" type thing, right?
Dave Bittner: Right.
Jeremy Fuchs: You know, we can set things up so that reply-to addresses are more highlighted, right? So say, "Hey, we notice a discrepancy," and you see a lot of these AI-based email security systems doing things like this where it says, "Hey, the replier and the reply-to address don't match. Maybe something's up here." Another thing we can do is sort of add systems that say sort of these like "break-the-glass workflows," was kind of what we refer to them as when it comes to sending data or money, that if we, you know, if you send an email that has sensitive data or sensitive information, personal information, whether it's a Social Security number or just say, "Hey, here's my credit card info," and you just spell out the number, having this sort of external data loss prevention that says, "Did you mean to send this," right? Just giving you that stop, because, you know, as we said, we talk -- you guys were talking about, right, we're all so busy, right? I mean, hey, maybe it's 30 days late. You got to pay it, right?
Dave Bittner: Right.
Jeremy Fuchs: But we all -- so it's about creating sort of systems and workflows, automated or otherwise, that basically tell you to take a moment. One of the things that I, you know, I review these phishing attacks all day, and one of the things that I consistently think, that if we all just took five minutes to read it, I think most of the -- most of us wouldn't respond and would think it's trash because you can always find something. Now, I'm not saying you have to inspect it like it's a court document, but you just do some basic checks. Look at the sender address, look at the reply-to address, hover over the links, check out the email, like, does this email make sense. Like, why am I getting an email about a centrifuge, right? Like, take a second to ask yourself those questions and usually, again, not always, right? Nothing's foolproof, but usually, that would say, "Hey, I might need to ask somebody about this email. Let me ask, you know, Dave in IT what's up here. Maybe he can help."
Dave Bittner: Yeah.
Jeremy Fuchs: I think that's a, you know, getting us all to slow down, right? Wouldn't that be great if we all could do that? But I do think that social engineers are expecting us to not slow down because we don't. We haven't given them evidence that we do.
Dave Bittner: Right.
Jeremy Fuchs: And I think that's something that's really key and really helpful and it goes to processes, and I'm talking to bring everything to a whole, but take 30 extra seconds, you know.
Dave Bittner: Yeah.
Jeremy Fuchs: The world isn't going to change in 30 seconds if you don't respond to that email. Yeah, maybe if you're reading on your phone, take a second till you get back to your computer to read it, right? Sometimes a little bit easier to see on a computer than a phone. So take the extra moment, re-read the email, always ask somebody else if you're unsure, develop some processes in place, and I think you'll see things maybe a little bit easier for your organization.
Dave Bittner: I think it's a really great point and it makes me think that, you know, it's something that leadership in any organization really needs to emphasize to say, "We're going to support you taking the time you need to really scrutinize this because, you know, that five minutes you take for an email is a lot less than the clean-up if we do make a big mistake," right?
Jeremy Fuchs: Absolutely, and I think, you know, in our go, go, go mentality, work and life, right, we're not thinking about what happens if this is successful, this attack, right?
Dave Bittner: Right.
Jeremy Fuchs: First, we got to figure out, all right, maybe we paid $100,000 to some place we shouldn't, or more. Now we got to deal with your, we got to try to get that back and got to deal with insurance. You know, the work that's created by not doing some of the other things beforehand and not having preventative measures in place is, you know, it's tenfold, if not more. It's really about establishing that sort of security culture within an organization and within everybody, you know, doesn't have to just be the top of the top. It's got to be every single person, and it's hard, right? It's not easy to establish that stuff. We all take the security awareness trainings and I'm sure 90% of us gloss over them. I mean, I'm guilty of doing the same thing, right? But it's important, and it can lead to, you know, worse things down the road, and creating that sort of preventative, take-a-step-back culture within our organization has a lot of long-term benefits that are a lot cheaper and a lot easier than the alternative.
[ Music ]
Dave Bittner: Joe, what do you think?
Joe Carrigan: I have said this before and I'm going to say this again. Email is terrible. It's the worst. It's one of the oldest services on the internet.
Dave Bittner: Yeah.
Joe Carrigan: And all the email protocols that we still use today, like SNMP -- no, that's SMTP, Simple Mail Transfer Protocol.
Dave Bittner: Yeah.
Joe Carrigan: IMAP and POP.
Dave Bittner: Yup.
Joe Carrigan: Those were all developed in the '80s.
Dave Bittner: Right.
Joe Carrigan: Right? And security was not really at the forefront of consideration of what was then ARPANET and transforming into the internet in the '80s.
Dave Bittner: Right.
Joe Carrigan: It's the only system that everyone has that allows anyone in the world to put something into something you control, like your inbox in this case, specifically your inbox. There is no other service like that on the internet where, when you get internet connections, that automatically just let people do that.
Dave Bittner: Right.
Joe Carrigan: Unauthenticated, whatever, just send me an email and I'll get it.
Dave Bittner: Right.
Joe Carrigan: And I don't know what the fix is here, but I do like griping about this.
Dave Bittner: Right.
Joe Carrigan: That thing that goes into your inbox, of course, it could be anything since -- especially since they started doing HTML and rendering in these email clients and they could send along an attachment that could be malicious. To top it all off, there is little enforcement of the validation of the reply-to address, which is by design, I think.
Dave Bittner: Yeah.
Joe Carrigan: The "from" address and the reply-to address do not have to be the same because somebody, when they were designing this, could see the use case where they don't have to be the same.
Dave Bittner: Right.
Joe Carrigan: Right? And there's probably a valid use case for it. I can't think of it off the top of my head, but I'm sure it's there. So I'm not going to sit here and go, "This was the stupidest thing ever."
Dave Bittner: And it made perfectly good sense at the time.
Joe Carrigan: It made perfectly good sense for somebody to do that.
Dave Bittner: Right.
Joe Carrigan: But the attack that Jeremy is talking about here, they send a message from some bogus "from" address, and this is actually -- back in the '90s, this was really easy to do. I had a friend of mine that sent an email to a -- from a corporate email address to my corporate email address. We worked at the same company, and he put the "from" address as -- I think it was billclinton@whitehouse.gov.
Dave Bittner: Okay.
Joe Carrigan: This was back during the Clinton administration.
Dave Bittner: Right, right.
Joe Carrigan: So, I mean, I would have been a little bit more creative. I would have said quesogrande@thewhitehouse.gov. But, so that's just an illustration of how you can change the "from" address in these protocols.
Dave Bittner: Yeah.
Joe Carrigan: And there's also another place for a reply-to address. So if you get an email that looks like it's coming from joe@thecyberwire, that can be just entered in there and sent by anybody.
Dave Bittner: Right.
Joe Carrigan: And then when you click "reply," it doesn't go to joe@thecyberwire. It goes to somebody else.
Dave Bittner: Right.
Joe Carrigan: And that could be anybody in the world.
Dave Bittner: Yeah, yeah. And it's just one of the -- I mean, like you say, it's one of these old protocols and there have been attempts to graft things on it over the years.
Joe Carrigan: Yeah, we got DMARC --
Dave Bittner: Things like DMARC, yeah.
Joe Carrigan: Other technologies that help.
Dave Bittner: Which help, but you've got to maintain backwards compatibility.
Joe Carrigan: Right.
Dave Bittner: Which means you can't make those things mandatory.
Joe Carrigan: Right, which I think it might be time for new, a new messaging service on the internet, and, you know, you leave email in place. You know, in fact, the term "email" was actually coined by CompuServe, and did you ever have a CompuServe account?
Dave Bittner: I'm sure I did.
Joe Carrigan: Yeah.
Dave Bittner: I don't think I probably ever paid for it, but I had one back in the day.
Joe Carrigan: Yeah.
Dave Bittner: The days of dial-up and phone-phreaking.
Joe Carrigan: Oh, my gosh, what a slow, slow connection it was.
Dave Bittner: Yeah, but it seemed miraculous at the time.
Joe Carrigan: Right. I remember getting the weather maps and being so enamored with getting the weather maps.
Dave Bittner: Yeah, yeah.
Joe Carrigan: It took 10 minutes to download the map. I showed my wife, she was my girlfriend at the time, I said, "Look at this, I just got a weather map. We can see the satellite image of the Earth." And she goes, "That took 10 minutes."
Dave Bittner: Right. The storm has come and gone in the time it took you to -- it's no longer raining.
Joe Carrigan: But these attacks, these reply attacks are, like a lot of attacks, the beginning of a chain of attacks.
Dave Bittner: Yeah.
Joe Carrigan: And Jeremy mentions that. You're going to have follow-on attacks. If you start replying to these guys, they're going to have information. First off, the first thing they get is that the email address they sent an email to is valid and somebody responded, it's valid, and there's somebody at the other end. That is good information for an attacker to have, to begin with, and then everything else you send to them is more intelligence for them to have.
Dave Bittner: Yeah.
Joe Carrigan: Again, we hear that companies need to have a process in place for sending out money, and this is a good point, disclosure of financial information. There should be processes in place for that as well. Sending a check of more than -- more than $200, or some limit that your company decides, is good for them, for the risk model, is one piece of one process. Sending financial information to a recipient that asked for it is another process that has to be followed, and these processes are defense in depth. So not only do you have the first line of defense where you are hoping the person goes, "Hey, this is kind of a weird request. I'm not going to respond to this," but should that fail and the person go, "Okay, let me go see if I can get that," you begin the other process of disclosing financial information to somebody and you have to go through these different checks and balances to make sure that everything is valid before that information gets sent out.
Dave Bittner: Right, right. Belt and suspenders.
Joe Carrigan: Right, exactly.
Dave Bittner: Joe, why did the golfer wear two pairs of underwear?
Joe Carrigan: Because he got a hole in one.
Dave Bittner: There you go.
Joe Carrigan: Ah, I think I figured that one out.
Dave Bittner: Oh, nice, nice.
Joe Carrigan: Jeremy says this great line, "if we all just took five minutes," and I think this so frequently, right, if we all just slowed down and took the time to do things, but then I see that these kinds of attacks still work.
Dave Bittner: Yeah.
Joe Carrigan: And I'm still -- I don't want to say disappointed, but saddened by it. I understand that everybody's busy. It takes a lot of time to do the work that you have to do and an email is an interruption in your day. Slow down, take a little bit of extra time, and think about what you're doing and be cognizant of what you're doing.
Dave Bittner: Yeah.
Joe Carrigan: That helps a lot.
Dave Bittner: Absolutely. All right. Well, our thanks to Jeremy Fuchs from Avanan for joining us. We do appreciate him taking the time.
That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. We're privileged that N2K and podcasts like Hacking Humans are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.