Podcasts
Hacking Humans
Ep 257
Hacking Humans 8.31.23
Ep 257 | 8.31.23

Exercise caution: online shopping edition.

Show Notes
Transcript

Oren Koren: There is no way Amazon or any other service provider will send you a file as an attachment that you're not waiting for. If you bought something, that's fine. You will get an attachment for the invoice or for anything else. But the simple PDF-based attack is based on the fact that you will open the mail, you will not be infected yet, and then you will open the file itself.

Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, Oren Koren, the CTO and co-founder of Veriti Security, we're talking about avoiding phishing. All right, Joe, before we jump into our stories, we've got quite a bit of follow-up this week. You want to start things off for us?

Joe Carrigan: Yes. I'm not going to name names here, Dave, but there is a company out there I've seen put this in their marketing literature. Cybersecurity Awareness Month is October.

Dave Bittner: Yeah.

Joe Carrigan: Coming up soon.

Dave Bittner: Right.

Joe Carrigan: Because here we are already in September. Cannot believe it, so fast. But can I please say, please do not abbreviate Cybersecurity Awareness Month as CSAM. I have seen people do this. That means something else entirely.

Dave Bittner: Right.

Joe Carrigan: Please don't do that.

Dave Bittner: Yeah.

Joe Carrigan: Just say Cybersecurity Awareness Month.

Dave Bittner: Yeah.

Joe Carrigan: Isn't it funny, especially, because every industry has their abbreviations for things.

Dave Bittner: Right.

Joe Carrigan: What I've found, when you switch from one industry to the other, you bring all those old abbreviations with you.

Dave Bittner: Yeah.

Joe Carrigan: And so you have to translate them in your mind and go, no, that's not what that means. It means the new thing.

Dave Bittner: Yeah, my son is studying for an accounting test that's called a BEC test.

Joe Carrigan: Oh, nice.

Dave Bittner: I think that's a business email compromise test, but no, it's like business and something else. I don't know what it means. I can't remember what it means. He told me two nights ago what it meant.

Joe Carrigan: Yeah.

Dave Bittner: Or maybe it was last night.

Joe Carrigan: Yeah.

Dave Bittner: I don't know. Recently, very recently, and I can't remember what it is because all I think is business email compromise.

Joe Carrigan: Right.

Dave Bittner: Overloaded acronyms, not a good thing, especially within one industry, and CSAM means something else entirely.

Joe Carrigan: Yeah.

Dave Bittner: And I think it deserves its own special place.

Joe Carrigan: Let me take this next one here. Someone who goes by the capital letter G writes in and says, in the AI Versus AI episode, you mentioned that Google gave their source code so they can do business in China.

Dave Bittner: That was me. I said that.

Joe Carrigan: I would appreciate if you can clarify this point with some references as my probably outdated experience is the opposite. My experience from five years ago is that Google is not even accessible from China. When five years ago, my company expanded with an office in China, the only way we could get the China office to use our Google workspace was to route those connections through private lines to our Hong Kong or Tokyo office. If anything, Google are the only of the big ones who does not do business in China.

Dave Bittner: This is correct, and this is my fault. I was wrong. I misremembered who had done it. It was IBM, and we have a link to a Wall Street Journal article that talks about this.

Joe Carrigan: Okay.

Dave Bittner: And Microsoft. We have a link to a Microsoft News article that talks about this as well.

Joe Carrigan: Okay.

Dave Bittner: So it was not Google, and G is correct.

Joe Carrigan: Yeah. All right. Thank you for the correction.

Dave Bittner: I don't know who G is, but I will note that G is the first letter of Google.

Joe Carrigan: That's right. Hmm. Well, thank you, G, for setting us straight. We do appreciate that.

Dave Bittner: Yes.

Joe Carrigan: We had a listener named Miguel write in who said, good afternoon, Joe and Dave. Love listening to your podcast. Well, thank you, Miguel. He said, in regards to the story of Tim, I was prior law enforcement for about nine years before transitioning to cyber. I've had a few calls for service that dealt with online scams and can honestly say that I was not trained properly to handle them. I did my best, as best I can, but as a deputy low on the totem pole, I could not do much.

Dave Bittner: Right.

Joe Carrigan: It sucked because my job was to help the community no matter how small or big a situation was.

Dave Bittner: Frustrating.

Joe Carrigan: Yeah. We did, however, have an awesome financial crimes unit. The sergeant in charge had lived and breathed financial crimes. If she was sleeping, I'm pretty sure she was dreaming about finances. She had taken upon it herself to ensure that the unit was capable of dealing with online scams and worked closely with our local FBI field office to ensure that the investigation was done properly and in a timely manner.

Dave Bittner: Good.

Joe Carrigan: So this is interesting from Miguel. What it makes me wonder is if you approach your local law enforcement organization, should you lead with it being a financial crime rather than an online crime?

Dave Bittner: Yeah. I need to talk to your financial crimes unit.

Joe Carrigan: Right. Right.

Dave Bittner: Yeah. Maybe.

Joe Carrigan: Could be.

Dave Bittner: I don't know. We should try that next time we're aware of anybody being a victim of these kind of crimes.

Joe Carrigan: Yeah. It's interesting. All right. Well, interesting insights. Thank you, Miguel, for writing in. One more bit of feedback. This is from Will, who wanted to draw our attention to a link expander. And we'll suggest urlexpander.org. Will says this expands things for you. And actually, Will sent along a link with a reference to my alma mater, the University of Maryland, that just opened the "Hacking Humans" webpage. So thank you, Will. I did check it out. I used that link to check it out. So Will basically says that they've checked out many of these link expanders, and this one seems to be the best.

Dave Bittner: Ah.

Joe Carrigan: And I checked it out, and I agree. It's pretty full featured. What I like particularly about it is that when you put a link in there to be expanded, it goes, expands it on its own, takes a screenshot, and posts the screenshot of it.

Dave Bittner: Nice.

Joe Carrigan: So basically, you're pre-detonating the site and able to look at it before you go to it. On their servers.

Dave Bittner: On their servers.

Joe Carrigan: Right.

Dave Bittner: Yeah. So very useful thing there. So again, that's urlexpander.org. And thank you, Will, for sending that in. That's a handy tip. That's a good tip.

Joe Carrigan: Yeah.

Dave Bittner: All right. Well, thanks to all of you for writing in. And of course, we would love to hear from you. Our email address is hackinghumans@n2k.com. All right, Joe. Let's jump into some stories here. Mine is kind of short and sweet, because we had a lot of follow-ups.

Joe Carrigan: Okay.

Dave Bittner: So I want to just be respectful of our time here. But this is a story from the folks over at Bleeping Computer, and it's titled, Sneaky Amazon Google Ad Leads to Microsoft Support Scam. Part of why this caught my eye, Joe, is that, was it last week or the week before? I can't recall.

Joe Carrigan: It was two weeks ago, I think.

Dave Bittner: I mentioned my father falling victim to one of these, that he called me, he summoned me to his home.

Joe Carrigan: Right.

Dave Bittner: And I went, and his Chromebook had been basically taken over and made inoperable by this pop-up message on his browser.

Joe Carrigan: Yes.

Dave Bittner: And this article describes that. It is the same thing that I came across. There's a picture of it here in the article from Bleeping Computer. And it is the exact thing that I came across when I went to my father's house to unwind what had happened to him.

Joe Carrigan: Funny. The first line in this article, a legitimate-looking ad for Amazon in Google search results redirects visitors. So again, last week -- we've been talking about this a lot lately. Last week, I got taken in by the exact same problem with a hotel reservation site.

Dave Bittner: Right. Right. Yeah. So in this case, what happens is, this user does logs on to Google.

Joe Carrigan: Right.

Dave Bittner: Does a search for Amazon. A sponsored link comes up that, for all the world, appears to be Amazon. It says, Amazon official site, online shopping, best deals. Has the Amazon logo. But when you click through, on the ad, it pops up this Windows Defender security notification that basically says -- well, I can read you what it says. It says, access to this PC has been blocked for security reasons. Call Microsoft Windows Support, and then it has an 800 number. It pretty much takes over the whole screen.

Joe Carrigan: Right.

Dave Bittner: And I think, as I mentioned on our previous show, there's a crawl on the bottom of the screen that, you know, it's just doing everything to make you feel like this is important. The other thing about this that this points out rightfully is that, really, the only way around this is to force quit out of Chrome.

Joe Carrigan: Right.

Dave Bittner: Well, if you're on a Chromebook, Chrome is the operating system. Right? Like, I mean, it's the front end.

Joe Carrigan: It is the front end of, yeah, Chrome OS.

Dave Bittner: Yeah. So you gotta restart. But when you restart, the first thing Chrome asks you is, do you wanna reload all the tabs.

Joe Carrigan: Yes. And you have to say no.

Dave Bittner: No, I don't wanna do that. Otherwise, you're gonna be stuck in a loop here.

Joe Carrigan: Yeah.

Dave Bittner: So good advice there. This article also points out that the folks at Bleeping Computer reached out to both Google and Amazon. Guess what they heard back, Joe?

Joe Carrigan: Crickets.

Dave Bittner: Nothing. Right? They heard back nothing.

Joe Carrigan: Right.

Dave Bittner: I gotta say, it's pretty frustrating that Google, in particular, doesn't seem to be either able or interested in doing a better job at tamping this down.

Joe Carrigan: Well, Dave, don't forget that there is money to be had here. Every time someone clicks on that link, Google makes a -- first off, they make money when you see the link, and if you click on it, they make more money.

Dave Bittner: Right. Yeah. I mean, perhaps this is adorable of me, but I would like to think that Google is not perverse enough to go with that incentive.

Joe Carrigan: Yeah. I would like to think that, too. This is damaging to their reputation.

Dave Bittner: Right, right.

Joe Carrigan: And Google, like a lot of major companies, cares about their reputation.

Dave Bittner: Yeah. At the same time, we're seeing more and more stories, even in the mainstream press, that Google is becoming harder to use and less reliable, and this is exactly why.

Joe Carrigan: Yeah. I've noticed that the search results are not nearly as good as Bing.

Dave Bittner: Is that right?

Joe Carrigan: Yeah. I don't know why that is. I think people are maybe gaming the search engine optimization more on Google than they are on Bing.

Dave Bittner: That would make sense. Right. I think that's one of the main reasons why Windows machines get more viruses than Macs, because there's just so many more of them.

Joe Carrigan: There's just more of them.

Dave Bittner: They have a bigger footprint. It's a more sensible part target.

Joe Carrigan: Right.

Dave Bittner: Same thing. If you're going to go after somebody, Google's the place to be.

Joe Carrigan: Right.

Dave Bittner: And DuckDuckGo, they get their search results from Bing.

Joe Carrigan: Yes.

Dave Bittner: They license it from Microsoft.

Joe Carrigan: I think that's right.

Dave Bittner: Yeah.

Joe Carrigan: I would like to see them build their own index, but back in the '90s, Dave, when Yahoo and AltaVista and Lycos were the search engines, it was easy to do that.

Dave Bittner: Right.

Joe Carrigan: There weren't billions upon billions upon billions of pages.

Dave Bittner: Yeah.

Joe Carrigan: Now there are. You can't just build a web crawler and go out and crawl the web and hope to be done in a couple of days. That's not going to happen.

Dave Bittner: Right. Right. All right. Well, we will have a link to this story from Bleeping Computer. If you're curious, again, from a couple of episodes ago, the scam that my father fell victim to, this has an actual image screen capture of what I came across when I opened up his Chromebook. It's a good one to pass along to friends and family, because it seems like it's making the rounds.

Joe Carrigan: Yes.

Dave Bittner: Joe, what do you got for us this week?

Joe Carrigan: Dave, my story comes from WBZ, and Mike Sullivan is the author on this story.

Dave Bittner: Okay.

Joe Carrigan: The title of the article is, Cambridge Shed Builder Thought He Was Getting an Award, But It Was a Vanity Scam.

Dave Bittner: Oh.

Joe Carrigan: Now, Dave.

Dave Bittner: Yeah.

Joe Carrigan: I want to talk a little bit after we talk about this business owner here, but about how this might be something that might get me.

Dave Bittner: Okay.

Joe Carrigan: Because of my vanity.

Dave Bittner: All right.

Joe Carrigan: So this is out of Cambridge, Massachusetts, and there's a local business owner. He was getting awarded a best of honor for his shed building.

Dave Bittner: Okay.

Joe Carrigan: His name is Kevin Richard, and he says, it's plausible, I could win an award for shed building, and there are pictures of his sheds in here, Dave.

Dave Bittner: He's like, I build a pretty good shed.

Joe Carrigan: Look at the shed, Dave. It is a work of art. These things are beautiful.

Dave Bittner: Right.

Joe Carrigan: If there was an award for shed building, he would win it. Pretty good shed. Reminds me of the old Monty Python sketch about, I forget the exact name, but it was like Joe "Two Sheds" Jackson or something like that because he had two sheds. The guy had two sheds. Yeah. No, these are fine-looking sheds, I have to say. This is a high-end looking shed. No doubt about it. This gentleman has skills.

Dave Bittner: He does.

Joe Carrigan: Yeah. So he gets a phone call, and it's a woman with a very generic name like Jenny Smith.

Dave Bittner: Okay.

Joe Carrigan: And he says they didn't have a website, and she says that he could pay $150 for a display plaque for his business, or $1,500 for a media package where he says he's the best shed builder in Cambridge, maybe?

Dave Bittner: Yeah.

Joe Carrigan: I don't know. It seems like there'd be a lot of shed builders in Cambridge. I don't know why. It just seems like a crafty part of the world to me.

Dave Bittner: Yeah, shed building town?

Joe Carrigan: Yeah, exactly.

Dave Bittner: Sheds are the cars up there?

Joe Carrigan: Well, it just seems like up in Boston, there are lots of crafty people. I guess I'm being influenced by how much I used to enjoy watching This Old House.

Dave Bittner: Ah. They did a lot of work in New England.

Joe Carrigan: Yeah, exactly. Kevin says he's sure that they automate it, and it scales up to get hits, and they prey on fragile people with egos like me.

Dave Bittner: Right.

Joe Carrigan: He realized it was a scam right away and reported it to the Better Business Bureau of Boston for this. We all seek recognition, and unfortunately -- this is a quote from Paula Fleming, who's a spokesperson for BBB. We all seek recognition, and unfortunately, people have been scammed by this for many years. Last year, it was brought up, and unfortunately, a lot of Boston women were targeted. They were nominated and asked to pay an upfront fee to make it to a runner-up status, and there were people paying the fee.

Dave Bittner: Yeah.

Joe Carrigan: So this is kind of a short article, but I want to talk about this, because lately, in one of my email accounts, I've been getting tons of messages that are not getting caught by my spam filter, for me to be listed in the who's who.

Dave Bittner: I was going to ask, you know, that's funny you mention that, because I was going to ask you about that. Because my first recollection of this sort of thing, a vanity product, was the, you know, you could be who's who in small business owners, or high school graduates.

Joe Carrigan: Right.

Dave Bittner: And then way back in the day, they were books, and someone made a book, and you'd pay $200 to be in the book, and you'd get a copy of the book, and there were probably 1,000 other people in the book. It was like a high school yearbook, basically, the format of it.

Joe Carrigan: My grandfather actually paid to be listed in a book called Who's Who in the East.

Dave Bittner: Okay.

Joe Carrigan: And my mom, I think, still has the book, but he's in there.

Dave Bittner: Yeah.

Joe Carrigan: He's in there, listed.

Dave Bittner: Well, so let me ask you this. Your grandfather gets solicited to be in the book.

Joe Carrigan: Right.

Dave Bittner: He pays the fee.

Joe Carrigan: Yep.

Dave Bittner: He gets in the book, they send him the book, the book is valuable enough that your grandmother still has the book.

Joe Carrigan: And my mother still has it, yeah.

Dave Bittner: Your mother still has the book, I'm sorry.

Joe Carrigan: Yeah.

Dave Bittner: Was that a scam?

Joe Carrigan: I don't know.

Dave Bittner: The family has found value in that investment.

Joe Carrigan: That's a good question.

Dave Bittner: Right?

Joe Carrigan: Good question.

Dave Bittner: I mean, there are all kinds of pay-to-play awards program.

Joe Carrigan: Yes, there are.

Dave Bittner: There's no shortage of those.

Joe Carrigan: Right.

Dave Bittner: You know, pay $250 and get a trophy to put on your shelf.

Joe Carrigan: Yes.

Dave Bittner: Those are far and wide.

Joe Carrigan: Right.

Dave Bittner: But I guess what this article is saying, if he had paid for the media package, he probably wouldn't have gotten anything. Is that the implication here?

Joe Carrigan: I don't know. He may have gotten something. He may have gotten a plaque.

Dave Bittner: Yeah.

Joe Carrigan: But that's an interesting question, isn't it? What's the markup on that plaque?

Dave Bittner: Well, yeah. That's true.

Joe Carrigan: Yeah. Here's another thing that I get. I did an interview with a small newspaper in, I think, Annapolis.

Dave Bittner: Okay.

Joe Carrigan: And since I did that interview, at my work email address, I have been getting offers for press kits, like laminated plaques of me in this paper.

Dave Bittner: Oh, right. Sure. Yeah.

Joe Carrigan: I can't even remember the name of the paper, so I don't want a laminated plaque of me in the paper.

Dave Bittner: Right.

Joe Carrigan: There is one where if they would have called me, I would have been interested, and that's when I was fortunate enough to be interviewed by the Wall Street Journal.

Dave Bittner: Right.

Joe Carrigan: Because, you know, when I was in college, I had a subscription to the Wall Street Journal, and I was like, I wonder if I'm ever going to have my picture in there. And one day, I actually did.

Dave Bittner: Wow.

Joe Carrigan: It's like a career highlight.

Dave Bittner: Was that the thing where they do like the little woodcutting?

Joe Carrigan: No, they didn't do the woodcutting on me.

Dave Bittner: Oh, okay.

Joe Carrigan: I wish they did.

Dave Bittner: You weren't that important.

Joe Carrigan: No. It's just the same picture that if you go to JHU's website, that you see me there. It's the same picture taken by JHU photographer, Will.

Dave Bittner: Yeah. I don't think I've ever been in the Wall Street Journal, so very nice.

Joe Carrigan: Yeah. Well, I have a couple copies of the paper laying around, because I am vain.

Dave Bittner: I'm good.

Joe Carrigan: Like I said, that would work on me. This is one of those things that if somebody called me and said, hey, you want -- but that Wall Street Journal thing was years ago, so nobody ever reached out to me about it.

Dave Bittner: Yeah. But that's also interesting to me because back in my previous life, when I was, you know, sort of early days, right out of college, and me and some friends were riding the wave of desktop digital video, and we started a small company, we had a little office. And we were looking for all the PR and press we could get.

Joe Carrigan: Right.

Dave Bittner: And so when our local newspaper published an article about us, you know, New Startup Comes To Town, you know, that sort of thing.

Joe Carrigan: Yeah.

Dave Bittner: We absolutely printed that out and matted and framed it and hung it on the office wall.

Joe Carrigan: Oh, absolutely.

Dave Bittner: You know? So my point is that I think for the folks who are offering that to you, again, like the Who's Who book, as long as you get something, to me, there is some value in there, especially if you're not someone capable of printing, matting, and framing on your own.

Joe Carrigan: Right. Which I am not.

Dave Bittner: Right.

Joe Carrigan: Trust me. When I was getting my first degree, I had to do some graphic design, had to take a graphic design class, including matting and framing.

Dave Bittner: Right.

Joe Carrigan: And the teacher was like, look, you suck at this. Just go up to the art store and have them mat and frame it. She was very frank with me.

Dave Bittner: I'm not even going to try to teach this to you, Joe. You're just too far.

Joe Carrigan: Yeah. I liked this woman. She was very honest and direct with me, which I have a real appreciation for. But I got a C in that class. Apparently, she did not like my style.

Dave Bittner: All right.

Joe Carrigan: That's okay. I'm not much of an artist when it comes to drawing things.

Dave Bittner: Fair enough. Fair enough.

Joe Carrigan: Writing is more my forte.

Dave Bittner: So what's the lesson here?

Joe Carrigan: Check your vanity, really.

Dave Bittner: Yeah.

Joe Carrigan: You know, that's really what it is. These guys are going to come after you with some kind of emotional trigger. We talk about it all the time with fear and greed. But your vanity is also a target. They're going to try to pump you up. Hey, look how smart you are. Look how cool you are. Look how good your sheds are.

Dave Bittner: Right. Exactly. Exactly.

Joe Carrigan: Yeah.

Dave Bittner: It's good that they -- well, is it good or not? I don't know. Wouldn't it have been funny if we opened this story and they were lousy sheds?

Joe Carrigan: Right.

Dave Bittner: Just ramshackle.

Joe Carrigan: Like a shed that I would build.

Dave Bittner: Right. Like a Homer Simpson shed. Instead of these fabulous sheds that this gentleman builds, if they're just barely held together with spit and bailing wire, and the guy's like, wow, finally, the recognition I deserve.

Joe Carrigan: Right. No, but I'm looking at these sheds, man. They are beautiful.

Dave Bittner: They are.

Joe Carrigan: Yeah. I'd be proud to have one of these sheds in my backyard.

Dave Bittner: Yeah. All right. Well, we will have a link to this story in the show notes. And again, we would love to hear from you. You can email us. It's hackinghumans@n2k.com. All right, Joe, it's time to move on to our Catch of the Day.

Joe Carrigan: Dave, our Catch of the Day comes from the EU Agency for Cybersecurity. It's an eBay phishing scam.

Dave Bittner: Yeah. So we'll have a link to this in the show notes. They have a number of good examples here from the EU Agency for Cybersecurity of phishing scams. Now, I'm going to read this, but then also there's something I want to unpack with you, Joe.

Joe Carrigan: Okay.

Dave Bittner: So it goes like this. It says, Dear eBay member, we regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problem, please visit link below and re-enter your account information. If your problems could not be resolved, your account will be suspended for a period of 24 hours. After this period, your account will be terminated. For the user agreement, section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend, or terminate your membership and refuse to provide our services to you if we believe your actions may cause financial loss or legal liability for you, our users, or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us. Due to the suspicion of this account, please be advised that you are prohibited from using eBay in any way. This includes the registration of a new account. Please note that this suspension does not relieve you of your agreed upon obligation to pay any fees you may owe to eBay. Regards, Safe Harbor Department, eBay Incorporated. This is an automated message. Do not reply. Okay, so this is a phishing message.

Joe Carrigan: Right.

Dave Bittner: It is not real.

Joe Carrigan: Correct.

Dave Bittner: But one thing that caught my eye here was the link, the URL for the link is signin.ebay.com, and then with a whole bunch of stuff afterwards for tracking and all that good stuff.

Joe Carrigan: Correct.

Dave Bittner: What do you think about that?

Joe Carrigan: That is probably HTML, where this is the display link, and then underneath there's an href that points to some phishing site that collects username and password for eBay accounts.

Dave Bittner: Right. That's exactly what I thought. But at first glance, you look at it and you go, oh, well, that's eBay.

Joe Carrigan: That is eBay. That's correct.

Dave Bittner: So if you hover over the URL, and there are also ways to do it on the mobile devices, I don't remember exactly off the top of my head what they are, but they do exist even though they are not as convenient as on your desktop device.

Joe Carrigan: Correct.

Dave Bittner: You can see that true link that's underneath of there.

Joe Carrigan: Correct.

Dave Bittner: The other thing that struck me about this was this paragraph where they go into basically boilerplate legal stuff.

Joe Carrigan: Right.

Dave Bittner: My guess is they copy and pasted this from the eBay EULA.

Joe Carrigan: They may have actually tried to conduct an eBay scam and gotten their account suspended, and this might actually be copied from that email.

Dave Bittner: Oh, that's an interesting idea.

Joe Carrigan: Yeah. Because it does look like, hey, look at our user agreement, section nine.

Dave Bittner: Right.

Joe Carrigan: I mean, you can right now go and look at section nine of the eBay EULA, but Dave, who wants to do that?

Dave Bittner: Yeah. So probably what this is doing is trying to get your eBay credentials.

Joe Carrigan: Yeah.

Dave Bittner: You would go and log into a site that looked like it was eBay, but of course it was not. They would get your credentials, take over your account, and then do the bad things they do.

Joe Carrigan: That's right. Yeah.

Dave Bittner: All right. Well, again, we'll have a link to this website in our show notes. The folks at enisaeuropa.eu, that's the European Union Agent for Cybersecurity, have a nice little webpage. It has a bunch of different phishing examples. We may borrow some of them from them in the future as well. All right, Joe. I recently had the pleasure of speaking with Oren Koren. He is the CTO and co-founder of a company called Veriti Security, and we're talking about phishing avoidance. Here's my conversation with Oren Koren.

Oren Koren: So I relocated to the US two months ago, and it was my first time being in the US for Amazon Prime. So my wife really wanted that. So I gave her, of course, an account, she opened everything, I've trained her how to use it. I've told her what not to do. But then I said, okay, if she wants that, and okay, it's coming up in the upcoming Friday, let's try to find some stuff that can be useful for us to protect ourselves from one side of it. But maybe there is something bad going on behind the scenes. I've sent it to my guest host team in Israel, and we started to look for stuff. And when we are looking at those kind of potential attacks, we try to put our opposite hat of the attacker side. And I think one of the interesting things were, okay, how do I start? How do I find something that is related to Amazon Prime that is bad for a user? And there are multiple ways to go. In this past, we've taken four ways, more than that, but we found four different things that were super interesting in this research. Eventually, she bought a lot of stuff, I bought a lot of stuff, it was a good one, the kids were super excited, all of us.

Dave Bittner: Me too.

Oren Koren: But yeah, we found super interesting stuff related to the campaigns that we found there.

Dave Bittner: Well, let's go through it together here. What are some of the things that you all highlight?

Oren Koren: So I think one of the first things that we've seen is the simple attack that means a file that is attached to an email. And think about a scenario where you're getting an email with an attachment saying, we're going to disable your account, or we're renewing it now. You need to open your account if you don't want to renew it. So from one hand, if you want an account and it's going to be disabled, so you need to log in from the other side. If you don't have any account, so I'm going to log in and I'm going to pay for it. So we saw a PDF file as an attachment, sending to thousands of people, really. We saw like thousands of malicious emails with this PDF. When the goal there was simple, to open the file and then just to log in through a phishing domain or a lookalike domain. It was pretty spreaded. But the interesting part, and that's another angle we've looked at, is the targeted countries and the language was very focused on the US. And I will talk about it in a second, how we found some of the groups that are actually running that. But the first one was the simple one, a PDF file that was attached. Unfortunately, some of the anti-phishing solutions did not find that in the file level. But then in the checking process, we're also deploying all the security controls that there are, just bought all of them. And we started anti-phishing in the browser as something that is useful against that, because you try to log into somewhere, but it's a lookalike. It's not real. So that's how we actually started. We found some suspicious or malicious files. And from that, it was like going to the rabbit hole, because now the next question is, okay, it's a suspicious, malicious file. There is a domain that looks exactly like Amazon. Who created it? And did he create more? How many variants are there? And that was the next step of the workflow of the research.

Dave Bittner: Yeah. Well, the next one that you highlighted here were email-based spear phishing campaigns. What was going on there?

Oren Koren: Yeah. What we found in the relation to the first one, it was a mistake of an attacker. He reused the domain for spear phishing and for the attachment. And what we've done there is we found one from one of the files that were attached. But from that, we started to research on all of the domains, all of them, that has been bought in the last month. And we've created an automation for that to see all of the new domains that are being registered. And with our systems, we were able to find all the lookalikes domain to the lookalike one. That means we scanned all of them, all the new ones that have been bought in the globe. And we found hundreds of domains that were divided into different groups of attacks. And that's, I think, the interesting part here. When we've looked at that, we said, okay, they've bought a domain for $2, $5, $10. But who has done that? Who bought 200 domains or 100 domains because you grouped them? And then we found a kit, just an attack kit that you can buy in $300 or like a quarter of 0.003 something of Bitcoin. And you can actually run the entire campaign with just putting the domain inside. So we bought it and we've tried to understand, okay, we have the kit, the attack kit. We have all the domains. Now who is not being attacked? Because we understand the US citizens are being attacked and some of the Europe are being attacked, but who is not? And we found interesting exceptions in the code, in different campaigns saying, if someone from country A, B, or C is getting in or open it, don't run it. So it was a targeted, it was interesting. And I will say that the next step with the malware itself, it was a pretty simple variant of a malware. But the interesting part was that it's not just to steal your user and password for Amazon like that first campaign. It's actually infect your host because you want to log into your Amazon. And that's, again, it could be used with a PDF file that is attached. But in this case, it was a link that sends you to a malicious or infecting website and through a browser vulnerability, it will download the malware eventually. So it was a combination of the two things, but one group specifically taken the two approaches and that's how we've moved forward for this approach of saying, okay, so now someone is infecting hosts and not just stealing users and passwords.

Dave Bittner: So the next one that you highlighted here, kind of moving away from websites and email, this is actually applications that were impersonating the Amazon apps themselves.

Oren Koren: Yeah, it was interesting. One of the researchers said, what if I will look years back and I will find suspicious or malicious apps and then I will look for new ones and if there is any close correlation between them. So the interesting part there is some of them -- we've posted only one of them, but we found some. Some of them were super, super sophisticated and very good ones. Like you really can think that you're using Amazon, but you're not. And eventually you give all of your information inside and then the app doesn't work, so you delete it. But the simpler ones are so simple. They're going back to the roots of stealing your username and password. But also when in fact the mobile device itself, what they've done is, let's send free SMSs. Let's take all the data from the phone itself. So it was a parallel campaign and definitely a different attacking group. Someone thought about this idea, wrote the apps, of course different language. And we saw in this case again, it's I think tens of thousands of downloads from exfiltration data there. There was one more interesting part. How do you take the data from the phone? How do you take the data from the user and send it up? They've used file sharing to send the data out. So it's like you've infected yourself and then you're sending to a file share. There are so many ways to do that. All your personal data all the time, including they took all of your photos and they can take a photo or record the audio even if you didn't allow it. So it was a parallel campaign with the goal of stealing everything you have eventually, but using Amazon as Amazon Prime.

Dave Bittner: And then another thing that you all listed here, you have a list of 170 domains that are suspicious here that you suspect could be used in future phishing attacks related to Prime Day. I mean, a lot of these, some of them are obvious sort of scam things, but many of them, they look like they could be a legit domain that Amazon may have use for.

Oren Koren: Yeah, in some cases you can think about that. You have amazonrn.com. So that's maybe something that you will look at the browser, but maybe you have amazon-refund. Okay, that's a refund, but that's.top, that's not.com. And there are so many variants of the lookalike domains that you've seen here. That technique is first of all, to be aware that someone is trying to do it against you. And second, it's even not enough in some cases because you'll go to the website. If it looks the same, you will conduct the login, you will be redirected to the main page, but they will steal from you in the meanwhile. So this is only a small portion of what we have found. We didn't publish everything, all the domains, but we've checked all of them. And the important part is that now if you have an anti-bot, an anti-malware, an anti-virus, even the common ones, what we've done with this data is we've shared it with the community. First of all, let's give it to all of the community, all of the vendors through the regular systems and workflows so everyone will be protected and then publish it. So if you look on some, if not all of the domains, now you cannot go there, first of all. But second, the attackers already understood that they've been caught. One last thing that is interesting, if you look at the list in the publication, there are so many that looks almost the same, just one thing that has been changed in the middle. And even if you're not a security expert, you can just create groups of them. And that's interesting to think as an attacker. How do they think? If you look at amazonreturnmoney or amazonturnmoney or amazonturnretailmoney, okay, so someone thought about an idea, think about it by yourself. It's okay, let's buy three of them. The only unfortunate part for the attackers is that we worked super fast and they paid for all of those domains, but unfortunately they got blocked. So they've lost a few thousands of bucks on the way.

Dave Bittner: And that's fine.

Oren Koren: Yeah, I'm willing to do that again.

Dave Bittner: Right, right. So what's your advice for people out there who want to, you know, they want to use Amazon, but they want to make sure that they're doing it in a safe way? What are your tips?

Oren Koren: So first of all, I will use the mobile part as the first important notion because all of us are using mobile devices and buying from using our apps. The thing is that in most of the stores, the formal one, you cannot really download the malware. It's hard to upload the malware. We found some, but most of the models that you will find are from not the official sources. Google are doing a great job. Apple are doing a great job. All of those vendors with their app stores are doing an amazing job to protect us. But you need to verify an important thing. First of all, you download the app. It should be from a formal and official source. And unfortunately, people in the past, we had jailbreak, right, for iPhone that some of us used. So don't use that anymore. Don't do that to yourself because you'll actually infect yourself. And it's not the infection. It's the fact that now someone can hear everything you're saying. Someone can see everything you're doing. Just download from the official sources. This is the first thing. Second, there is no way Amazon or any other service provider will send you a file as an attachment that you're not waiting for. If you bought something, that's fine. You will get an attachment for the invoice or for anything else. But the simple PDF-based attack is based on the fact that you will open the mail. You will not be infected yet. And then you will open the file itself. Now, to overcome that, it's pretty simple. Update your software. It's like that. I can focus on the security controls that can protect from it in a second. But if you update all the time your software as a consumer or as an enterprise and the simple softwares, those are Adobe or the PDF or the Microsoft-related one for desktops and laptops, those will reduce the attack surface on you related to files because the attacker will use a vulnerability in your Adobe version or your Word version. So just keep it updated. So that's the second part. The third and I think the most common thing that we see again is that your attackers are stealing your username and password and trying to do that using those phishing websites. You need to be aware, first of all, that so many attackers are trying to achieve that. That's the first and simple advice I have, just to be aware of it. But second, one of the best tools that all of us have and can use as consumers or as enterprises are anti-phishing in the browser. There are super simple deployments of those technologies that will just say, okay, this is a lookalike domain. This is the phishing domain because it uses the same icon on the top, but it was registered two weeks ago. So definitely not Amazon. Or it looks like Amazon, but it's not because it was implemented in the wrong way from a JavaScript perspective. So you have a browser. You can use the native ones. You can download the good and new ones that are focusing on zero and anti-phishing. But those features, you have them already. In your enterprise, definitely everybody have them. You just need to use them. I think that's one of the root causes that we see. People are buying security controls and products, consumers and enterprises, and they're not using it. So just use what you have and it will block most of it. I can tell that, by the way, because we've bought all of the security controls you can think of. Because again, that's one of our things that we do. We analyze and we automate processes there, but they can really block it. They can really do their job, even for a zero-day domain, an unknown one. But unfortunately, you're not using your security controls in the best way. So just use them. Last thing is awareness. Awareness training is something that is mandatory if you have a compliance, of course, as an enterprise. But if you're a small shop, you have 50 or 100 employees, it's their responsibility to understand that there is a challenge. It's your responsibility. You want to give more to your employees, on one hand, or on the other hand, you have the compliance regulations that you need to have. You must train. You must train your employees. Start with yourself, by the way. Start with training on your own domains, because this is an example on Amazon. You have those on your organization every day. Some of them are getting in. Your employees need to be trained. So it's training, training, training.

Dave Bittner: Joe, what do you think?

Joe Carrigan: Dave, did you buy a lot of stuff on Prime Day?

Dave Bittner: You know, I actually did.

Joe Carrigan: Really?

Dave Bittner: Well, yes. A lot of stuff. I spent a good amount of money on Prime Day. So there were several expensive items that I purchased on Prime Day that were really good deals. I bought a pair of AirPod Pros that have been on my list, and there was a particularly good deal. I pulled the trigger, and I bought them.

Joe Carrigan: So far, I've not found anything on Prime Day that I wanted to buy.

Dave Bittner: Okay.

Joe Carrigan: I've looked for the past four or five years. Nothing has come to me and gone, oh, I've got to have that for that price. That's a good price. I've just never had it. Maybe it's because --

Dave Bittner: Lucky you.

Joe Carrigan: Yeah, I don't know.

Dave Bittner: Or the algorithms haven't got their hooks in you or something.

Joe Carrigan: Right.

Dave Bittner: You don't use Amazon enough.

Joe Carrigan: Oren is using adversarial thinking. Early on in the interview, he talks about what would we do if we wanted to trick somebody with the Amazon Prime Day. This is a vital skill. I say this often, that just because you have the ability to think adversarially does not make you a bad person. Right?

Dave Bittner: Just because you're paranoid doesn't mean they're not out to get you.

Joe Carrigan: Right, exactly. That too.

Dave Bittner: Right.

Joe Carrigan: Adversarial thinking is very important. That way, it helps you recognize when somebody might be actually out to get you, as you say.

Dave Bittner: Yeah.

Joe Carrigan: Thousands of malicious PDFs to collect credentials. It's very focused in the U.S., and anti-phishing missed it. That's significant, I think.

Dave Bittner: Yeah.

Joe Carrigan: I also think it's significant that he found the kit that was available for $300 that was completely automated.

Dave Bittner: Right.

Joe Carrigan: That's, I was going to say fantastic, but it's not fantastic. It's horrible, but it's amazing.

Dave Bittner: Yeah.

Joe Carrigan: You don't need skills to run these scams. You just need money.

Dave Bittner: Right.

Joe Carrigan: You just need a little bit of money. $300 is not a lot of money.

Dave Bittner: Right, and a certain amount of moral flexibility.

Joe Carrigan: Right, yeah. Well, moral flexibility. That's a nice way to say it, Dave.

Dave Bittner: Yeah.

Joe Carrigan: Then there was another one where they were not just stealing your credentials, but also infecting your host with drive-by downloads or with malicious downloads. That is also very interesting. It's also interesting that some of these kits will not let you operate in some countries. It's pretty safe to guess the country of origin when you see that. Right?

Dave Bittner: Right.

Joe Carrigan: Interesting, the mobile apps run the gamut as well. The mobile apps that imitate or pretend to be Amazon using file share as a way to upload all your information. Remember that file sharing is a useful tool. And like any useful tool, it can be used to do good things or bad things.

Dave Bittner: Right.

Joe Carrigan: So here it is being used maliciously. We see this all the time.

Dave Bittner: Yeah.

Joe Carrigan: These malicious apps that are on your phone will access all the sensors on your mobile device, and that can be absolutely devastating to you. If you think about just being able to turn your microphone and camera on and recording everything you do.

Dave Bittner: Right.

Joe Carrigan: I mean, the privacy implications are huge. You do not want that. I think the discussion of the domains was pretty interesting as well. There's a lot of domains that look like they would be Amazon domains. I think I've actually seen legitimate domains that tech companies have used that aren't like Microsoft.com. It's like Microsoft something else.com. I seem to remember having a memory of that. Maybe this is a Mandela effect thing.

Dave Bittner: Well, in the old days, the early days of the internet, a lot of times you'd see links that would refer to Akamai, especially if you were streaming video or something like that.

Joe Carrigan: Right. Yeah.

Dave Bittner: The days before everybody had big pipes to the internet, only a few companies did.

Joe Carrigan: Right. Companies like Akamai, which are content distribution networks.

Dave Bittner: Right.

Joe Carrigan: That's how they got big.

Dave Bittner: Right.

Joe Carrigan: I like the story that Oren tells here where he and his team got to essentially cost these guys a few thousand dollars in domains by getting them shut down and getting them listed as indicators of compromise.

Dave Bittner: Right.

Joe Carrigan: Which is a term of art in the industry here. Once something is listed as an indicator of compromise or an IOC, that information is pretty quickly disseminated and those domains become useless.

Dave Bittner: Right.

Joe Carrigan: There is actually precedent for those domains being seized by companies like Amazon or Microsoft. You might have a malicious domain and then later on that just becomes the property of Amazon because they go, well, this is obviously someone phishing for credentials. They shouldn't have it. Give it to us.

Dave Bittner: Right.

Joe Carrigan: Then Amazon maintains that domain and nobody ever buys it again.

Dave Bittner: Sometimes the FBI puts a nice little splash page on it.

Joe Carrigan: Yes, they do. I've seen that happen a number of times.

Dave Bittner: Right, right.

Joe Carrigan: So I like the advice that Oren gives. Don't sideload Amazon apps. If you're a regular user, just a person that is not technical, there is no reason for you to ever sideload an app.

Dave Bittner: Yeah.

Joe Carrigan: I don't think that you need to do that. You don't need to jailbreak an iPhone either.

Dave Bittner: No, no.

Joe Carrigan: Have you ever jailbroken your iPhones?

Dave Bittner: No, I have not.

Joe Carrigan: No.

Dave Bittner: No, it just never seemed worth it to me. I was certainly tempted along the way, particularly in the early days when the iPhone had some pretty limited functionality.

Joe Carrigan: Right.

Dave Bittner: It's hard to remember now, but it took several versions of the iPhone before we had copy and paste.

Joe Carrigan: Right.

Dave Bittner: So that's a pretty good motivation for wanting to jailbreak your iPhone.

Joe Carrigan: Yeah.

Dave Bittner: These days, I think the reasons to do it are fewer and farther between, so I've resisted.

Joe Carrigan: Right. I have rooted a couple of Android phones to install CyanogenMod on it, but I haven't rooted my last four phones.

Dave Bittner: Yeah.

Joe Carrigan: I don't know why you would need to do that.

Dave Bittner: Yeah. I mean, you got to have a good reason, and you got to know what you're doing. Otherwise, you're just looking for trouble.

Joe Carrigan: Right. If you're a developer, yeah.

Dave Bittner: Yeah.

Joe Carrigan: Maybe you want to install a different mod because you don't want Google tracking you everywhere. Okay, I get it. Maybe then, but otherwise, no.

Dave Bittner: I think a side issue here is that you should go through the official Play Store and app stores.

Joe Carrigan: Right.

Dave Bittner: Because obviously on Android, you have the option of side loading from alternate app stores, which Apple doesn't let you do.

Joe Carrigan: Correct.

Dave Bittner: So think twice before you do that, because none of the app stores are perfect, but they're pretty good.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Amazon actually has an app store that you have to enable the loading of third-party apps to do it, so I haven't done it on my last two phones. I have done it before, but not recently.

Dave Bittner: Yeah.

Joe Carrigan: The Amazon invoices are on their website. When you log into your account, you have access to all your Amazon invoices on your website. They never need to email you one.

Dave Bittner: Right.

Joe Carrigan: You never need to download a PDF or open a PDF in an email. You just go to your Amazon account and look at all your invoices.

Dave Bittner: Yeah.

Joe Carrigan: Keep your software updated. This is a big one. This is one of the top three things I say to people right after you use multi-factor authentication, use a password manager, keep your software updated. The fact that a lot of these vulnerabilities are exploited on software that could have been patched.

Dave Bittner: The longer you go with unpatched software, the lower-hanging fruit you become.

Joe Carrigan: That's correct. That's a good way to say it. The longer you go with unpatched software, the lower-hanging fruit you are.

Dave Bittner: Yeah.

Joe Carrigan: You know, it takes like seven seconds for a Windows XP box to be owned when it's put on the internet. We were trying to set up a Windows XP box for our students because we do that. We have students that need to conduct malicious activity, and we have a special little network where we do this.

Dave Bittner: Right.

Joe Carrigan: Our systems engineer, Chris Vanghaus, put it on the internet once, and it was done in seven seconds.

Dave Bittner: Wow.

Joe Carrigan: It was so fast. Somebody was inside of it already.

Dave Bittner: Wow.

Joe Carrigan: That's an example of what we're talking about here. XP is a very old operating system with a lot of known vulnerabilities that are not going to get patched, period, because the operating system is not supported anymore.

Dave Bittner: Right.

Joe Carrigan: That's another thing. Use a supported operating system. Be aware that your credentials have value. I said this last week. I'll say this again. Don't think that you have nothing of value to an attacker. The credentials to your account have value to an attacker. Even if they just want to resell it, they can get a couple bucks for it, which is significant to them.

Dave Bittner: Yeah.

Joe Carrigan: The anti-phishing tools in the browser that Oren talks about, I think these are coming along. I don't know. I haven't had the opportunity to interact with these.

Dave Bittner: Yeah.

Joe Carrigan: I know that a lot of password managers that integrate with your browser have a feature that will say, whoa, whoa, whoa, this is not the website you think it is.

Dave Bittner: Right. Which is very helpful.

Joe Carrigan: Yeah, which is remarkably helpful.

Dave Bittner: But before you give anything the ability to look at everything you're doing, just be careful to vet it, because it could be a bad person.

Joe Carrigan: Yeah. It could very well be a bad person. Yeah. Pretty interesting interview.

Dave Bittner: Yeah.

Joe Carrigan: Yeah.

Dave Bittner: All right. Well, again, our thanks to Oren Koren from Veriti Security for joining us. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. We're privileged that N2K and podcasts like "Hacking Humans" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.

Hacking Humans
Podcast Info
HOST(S):
Dave Bittner
Joe Carrigan
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Joe Carrigan, is a Senior Security Engineer with the Johns Hopkins University Information Security Institute. He has been a Software Engineer for over twenty years and has been working in the security field for more than ten years focusing on usable security and security awareness. He has experience in a broad range of fields including authentication systems, embedded systems, data migration, and network communication.
Schedule: Thursdays
Creator: CyberWire, Inc.
ADVERTISEMENT
KnowBe4
KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.