Weaponizing your out-of-office replies.
Jack Chapman: So what we've seen really is almost making the average bottom-level phishing attack more sophisticated, more automated, and probably, most importantly, more human.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hi, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got some good stories to share this week. And later in the show, James Dyer and Jack Chapman from Egress join us, we're talking about their research about how hackers exploit the existing email infrastructure. All right, Joe. Before we jump into our stories here, we've got a little bit of follow-up. What have we got here?
Joe Carrigan: Right. Ron wrote in with a suggestion regarding specific email accounts. We were talking about that last week.
Dave Bittner: Yeah.
Joe Carrigan: And he says, If you spend some very small amount of money per year, you can buy a domain and use a service like Fastmail or Proton Mail to host your domain. And then you can configure this domain as a catchall for email. And you can create as many new email accounts and addresses as you want and discard them whenever you see fit.
Dave Bittner: Yeah.
Joe Carrigan: It's a little bit easier to maintain than running your own email server, actually substantially easier.
Dave Bittner: I would say it's a lot easier. If you're not Joe, it's a lot easier.
Joe Carrigan: Right. For me, I've never set up an email server. Well, I haven't set up an email server in years.
Dave Bittner: Okay.
Joe Carrigan: And when I did set up email servers, I hated every second of it.
Dave Bittner: Okay.
Joe Carrigan: Early Exchange. And, oh, my gosh. What a nightmare. Anyway, I can even say decades now, Dave.
Dave Bittner: Nice.
Joe Carrigan: How about that.
Dave Bittner: Yeah.
Joe Carrigan: So, anyway, it's much more manageable, and it's easy. And if your hosting domain goes out of business, you can still move it to a new domain and keep the email address.
Dave Bittner: Right because you own the domain name. Yeah.
Joe Carrigan: Right. You're good to go. Also, he says, Thanks. And your show is outstanding.
Dave Bittner: Oh, that's very nice.
Joe Carrigan: So thank you, Ron.
Dave Bittner: Thank you, Ron. All right. Let's jump into our stories here. Joe, why don't you start things off for us.
Joe Carrigan: Dave, I have a -- I'm going to open up a little bit of good news and then move on to my main story.
Dave Bittner: Okay.
Joe Carrigan: This was coming from newjersey.com or nj.com, actually, nj, and is written by Jeff Goldman. And it is New Jersey man is going to spend two years and three months in prison. This is Mahmoud Bowler, B-O-W-L-E-R. He is 40. He's from Newark, New Jersey. And he helped scam one woman out of $66,000.
Dave Bittner: Oh.
Joe Carrigan: And I'll bet he has scammed many more people out of more money. So the fact that he's spending two years in prison for a $66,000 crime, I think that's pretty good. It's -- I'd like to see a little bit more because if you look at that as an annual representation of income, that's, you know, that's not a lot of money but still.
Dave Bittner: Yeah. And he's here in the States.
Joe Carrigan: He's here in the States.
Dave Bittner: Okay. All right.
Joe Carrigan: He is -- he grew up in Ghana, but he is in the US now. And that's how we got him.
Dave Bittner: All right.
Joe Carrigan: So he'll be the guest of the feds for the next couple of years.
Dave Bittner: So we say a guest at Club Fed.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Good work. Now, speaking of the feds, my story actually comes from Emma Fletcher over at the FTC. And the FTC has put out a report, and this is a consumer protection data spotlight, which is, I guess, one of their products --
Dave Bittner: Okay.
Joe Carrigan: -- that they do. And it is called Social Media: A Golden Goose For Scammers. So here's another opportunity for me to tell you another reason why I hate social media.
Dave Bittner: Okay.
Joe Carrigan: And the FTC runs something called the Consumer Sentinel Network, which is a data aggregation product that gathers information from law enforcement agencies like the I triple C, IC3, as I like to call it --
Dave Bittner: Yeah.
Joe Carrigan: -- is a contributor. There are 25 state law enforcement organizations that are contributors. Actually, there are multiple FBI organizations, not just the I triple C. But there's like their Financial Crimes Unit at the FBI.
Dave Bittner: Okay.
Joe Carrigan: All of these report data to the FTC, and then they can all access aggregates of these data to build -- you know, understand trends and things like that. It's a helpful tool from the federal government.
Dave Bittner: Okay.
Joe Carrigan: But they actually do some reporting on this data, and they found out that one in four people who reported losing money to fraud since 2021 have lost it on social media. This is to the tune of $2.7 billion. This is the most or the biggest, the biggest way to lose money in -- according to this dataset, the next biggest being $2 billion. So it's like 35% bigger than the next -- the next biggest way to lose money, which, by the way, is websites or apps.
Dave Bittner: Okay. So being online is hazardous to your wallet.
Joe Carrigan: Yes.
Dave Bittner: Yeah.
Joe Carrigan: Being online can cost you somewhere around $4 billion, $4.7 billion a year. Oh, wait. Email, that's another.9 billion. And then online pop-ups and texts and/or online popup ads. And then phone calls close, close at -- close to the websites and apps at around almost $2 billion.
Dave Bittner: Wow.
Joe Carrigan: Phone calls $2 billion. That's a lot of money to phone calls. This article goes on to say that because the vast majority of frauds are not reported, that the number is actually huge. It is much bigger than $2.7 billion. There are a lot of people losing money out there on Facebook marketplace. The reason, this article speculates, it is easy to set up an account. I would agree it's easy to set up an account. You can be whoever you want to be. You can be someone who matches perfectly with your target, or just set up a nice match that you think would be a general good match. Or you can even impersonate people that exist, right? We see that all the time. An interesting point is that it's hitting younger people more than older people. And they say that this is because young people tend to use social media more than older people.
Dave Bittner: Yeah.
Joe Carrigan: As that -- as the population ages in this dataset, they use social media less, so they're going to fall victim to it less.
Dave Bittner: Yeah. I saw a different unrelated story to this one earlier in the week that had that same data point that, you know, turns out that younger folks are more susceptible to a lot of these scams than older folks, even though I think in our minds we probably skew it just the opposite way.
Joe Carrigan: Right. There's other data about scams and not just social media scams but, like, general scamming --
Dave Bittner: Yeah.
James Dyer: -- how this is more impact -- or not more impactful but it's more likely to impact a younger person simply because they haven't been kicked around by life long enough, Dave. That's what it is. Older people are --
Dave Bittner: Skeptical.
Joe Carrigan: Yeah. Older people are less likely to believe it. The problem is that, with older people, the losses can be devastating.
Dave Bittner: Yeah.
Joe Carrigan: When an older person loses 200, $300,000, that is significantly -- significantly life-changing.
Dave Bittner: Right.
Joe Carrigan: And that doesn't happen to younger people mainly because they don't have 200 to $300,000 yet.
Dave Bittner: Right. There's -- they don't have that nest egg.
Joe Carrigan: Right. So a younger person will lose like $1,000, and that sucks. Don't get me wrong. I'm not belittling that. If I lost $1,000 right now, I would be like, how am I going to get that back?
Dave Bittner: Yeah.
Joe Carrigan: Thinking about robbing, robbing liquor stores or something. I don't know. I wouldn't be doing that.
Dave Bittner: Joe goes on a crime spree.
Joe Carrigan: I need $1,000 yesterday. Yeah. No. But it's -- it's still impactful, but it's not life ruining for a young person. So we don't tend to hear about these stories very often, but it does happen to them more frequently.
Dave Bittner: Interesting.
Joe Carrigan: Now, there is a great little graphic here, Dave. You know how much I like data and games.
Dave Bittner: Yep.
Joe Carrigan: I'm going to give you three -- you haven't seen the graphic yet, have you.
Dave Bittner: No, I have not.
Joe Carrigan: Okay. Good. I'm going to give you three categories of online scams.
Dave Bittner: Okay.
Joe Carrigan: And I want you to tell me first which one had the highest number of incidences.
Dave Bittner: Okay.
Joe Carrigan: Okay. So the three are online shopping scams, investment-related scams, and romance scams. Which one was the number one in terms of just numbers, not loss but numbers.
Dave Bittner: I'm going to guess investment scams because I think people are embarrassed to report their romance scams.
Joe Carrigan: Okay. You are right about romance scams. Romance scams only make up 6% of the dataset.
Dave Bittner: Okay. Investment scams make up 20% of the dataset. Online shopping scams make up 44% of the dataset. Wow.
Joe Carrigan: Which is shocking to me.
Dave Bittner: What do we mean by online shopping? What does that encompass?
Joe Carrigan: Like Facebook marketplace.
Dave Bittner: Yeah. Okay.
Joe Carrigan: Those kinds of -- or --
Dave Bittner: Like Craigslist.
Joe Carrigan: Craigslist, yeah. Any of those. Any of those.
Dave Bittner: Oh, does that include Amazon?
Joe Carrigan: It does not include that. These are top social media scams.
Dave Bittner: Okay.
Joe Carrigan: So these are social media online shopping scams.
Dave Bittner: Gotcha. Okay.
Joe Carrigan: Instagram things. Hey, you want to buy this product? Anyway, it's all the scams from social media.
Dave Bittner: Okay.
Joe Carrigan: Now, not thinking about the number but thinking about the volume, the size of the loss, okay.
Dave Bittner: Okay.
Joe Carrigan: All the numbers added up, all the losses types adding up --
Dave Bittner: Okay.
Joe Carrigan: -- which one do you think is the biggest loss of online shopping scams, investment-related scams, or romance scams?
Dave Bittner: Again, I'm going to choose between investment and romance. Just going to roll the dice here and say romance scams.
Joe Carrigan: Ah, Dave.
Dave Bittner: Is it investment?
Joe Carrigan: Disappointment. Yes. You should have said investment. Fifty-three percent of the losses are from investment scams.
Dave Bittner: Okay.
Joe Carrigan: Which is shocking. I don't know if it's shocking because, these investment scams, what they do and this article talks about it is they make it look like your investment is being successful.
Dave Bittner: Right.
Joe Carrigan: So you pile more money into it. And then that's when, you know, once you start asking for your money back, that's when they start saying, Oh, well, you need to pay some fees to get your money back.
Dave Bittner: Yeah.
Joe Carrigan: And you start paying fees. You're fully invested in the sunk cost fallacy at this point in time.
Dave Bittner: I should know this, but I'm wondering are women or men more likely to fall for romance scams?
Joe Carrigan: That is a great question.
Dave Bittner: Or is it equal? I don't know.
Joe Carrigan: I don't know. I don't know if there's data on that. There probably is data. I'm sure if our listeners are aware of a survey, they will let us know.
Dave Bittner: Yeah.
Joe Carrigan: So, if you do. But, you know, I haven't ever sought that out. I don't know because we've heard stories about people getting scammed by romance scams, and we've heard both sides of the story. We've heard both genders getting scammed.
Dave Bittner: Right, right.
Joe Carrigan: Right.
Dave Bittner: I guess the funny thing I'm thinking about here is that women typically get scammed online by men, and men typically get scammed online by men pretending to be women.
Joe Carrigan: Right.
Dave Bittner: When it comes to romance scams.
Joe Carrigan: There is the occasional female romance scammer. There was one lady in Florida that was living high on the hog on --
Dave Bittner: Right.
Joe Carrigan: -- somebody's money. But, yeah. That's -- that's the -- that's the rarity.
Dave Bittner: Yeah.
Joe Carrigan: It is generally men just running these things.
Dave Bittner: Yeah. Interesting.
Joe Carrigan: So, yeah. Investment scams account for 53%. Despite only accounting for 20% of the incidents, they account for 53% of the losses. Romance scams account for 6% of the incidences but at 14% of the losses. And while shopping, online shopping scams account for 44% of the incidences, they only account for 8% of the losses. And the other numbers are just lumped here in other.
Dave Bittner: Okay.
Joe Carrigan: Other things. This comes from about -- this is from January this data, by the way, is from January of this year to June of this year 2023.
Dave Bittner: Okay.
Joe Carrigan: And there is 56,000 reports with a total of 658 million lost.
Dave Bittner: Wow.
Joe Carrigan: So the larger number, the 200 -- the 2.7 million is since 2021. So, if there's any confusion there, this -- this article does a really good job of laying it out.
Dave Bittner: So what's the takeaway here, Joe?
Joe Carrigan: Takeaway is social media is terrible, Dave. That's Joe's takeaway.
Dave Bittner: Okay.
Joe Carrigan: It doesn't matter where you are. If you're online, you need to be careful.
Dave Bittner: Yeah.
Joe Carrigan: You need to -- you need to educate yourself about the -- how these scams look, what they look like. Look for the telltale signs like changing platforms and going to end-to-end encrypted messaging application.
Dave Bittner: Right.
Joe Carrigan: You know, all the things we talk about on this show.
Dave Bittner: Yeah.
Joe Carrigan: Look for those. Look for those warning signs. And don't invest in cryptocurrency. Absolutely don't invest in cryptocurrency. If you -- unless -- unless you can afford to take the money you're going to invest in cryptocurrency out into the street and just set it on fire, don't do that. You know, I mean, maybe you want to invest a little bit in cryptocurrency because you think there might be a chance for high return, good. Fine. It's like gambling. I would say the same thing. If you're going to invest with that, invest money that you can totally lose because I have a feeling that something is going to happen.
Dave Bittner: Super high risk.
Joe Carrigan: Yeah. Well, actually, with all these scams, it's not -- something is going to happen.
Dave Bittner: Yeah. But even if you're investing in actual crypto, I don't know. Yeah. Super high risk.
Joe Carrigan: Super high risk
Dave Bittner: Absolutely. Yeah, yeah. All right. Interesting stuff. Well, we will have a link to that story from the FTC in our show notes. My story this week comes from the folks over at Ars Technica. This is written by Dan Gooden, and it's titled Google-hosted malvertising leads to fake KeePass site that looks genuine.
Joe Carrigan: Huh.
Dave Bittner: Joe, are you familiar with KeePass?
Joe Carrigan: KeePass is a password manager.
Dave Bittner: It is.
Joe Carrigan: And are they one of the ones that got breached recently or a couple of years ago?
Dave Bittner: I don't recall specifically. Seems like, you know, they --
Joe Carrigan: All these breaches are merging into one big --
Dave Bittner: Yeah, yeah.
Joe Carrigan: Well, which is essentially what they've become.
Dave Bittner: Right. So KeePass, you're correct. KeePass is a password manager. And what has happened here is some researchers found that there were folks running ads.
Joe Carrigan: Oh, wait. Dave, KeePass is, yeah. That's the one I use.
Dave Bittner: All right.
Joe Carrigan: KeePass XE is the one I use, not KeePass. I use a -- yes. But we've talked about KeePass before.
Dave Bittner: Yeah.
Joe Carrigan: This is the -- this is the one where we had the story about the rules you can write in KeePass.
Dave Bittner: Oh. Okay. All right. So KeePass is a legitimate product. It is a password manager. And there were ads appearing on Google for KeePass.
Joe Carrigan: Right. It's free and open source.
Dave Bittner: Yeah. So what would happen is, if you would click through on one of these ads, it would take you to KeePass.info. And it says -- it says that. You look at the ad, and it says it goes to KeePass.info. And then, if you go to KeePass.info, it takes you -- it loads up a web page that looks exactly like the legitimate KeePass website.
Joe Carrigan: Huh.
Dave Bittner: And, of course, you know where this goes from here.
Joe Carrigan: Right.
Dave Bittner: You install some malware that is pretending to be KeePass. It's actually a malware family called FakeBat. Not exactly sure what that does. But there's some interesting things here. Google's Ad Transparency Center shows that these ads were running by some company called Digital Eagle, which Google claims is a organization that has been verified by Google. Of course, that's not worth anything, I guess, in this case. And -- but what I really want to get at here that I'm curious on your take, their -- the way that they make this KeePass.info look like a legit website is they're using something called Punycode. You familiar with Punycode?
Joe Carrigan: I'm not.
Dave Bittner: Okay.
Joe Carrigan: What is Punycode?
Dave Bittner: So Punycode allows you to -- to have Unicode characters represented in ASCII text.
Joe Carrigan: Okay.
Dave Bittner: So, for example, in this case, the word Keepa -- like, the K in the word KeePass.
Joe Carrigan: Yeah.
Dave Bittner: The way it's encoded, it actually has a little tiny comma like -- like pixel below the K.
Joe Carrigan: Like a diacritic below the K.
Dave Bittner: Yeah.
Joe Carrigan: Okay.
Dave Bittner: Which most people would miss.
Joe Carrigan: I didn't even see that when I was looking at the -- when I was looking at the picture here.
Dave Bittner: Looks like a piece of dust on your monitor.
Joe Carrigan: It does.
Dave Bittner: Except it scrolls.
Joe Carrigan: Yep.
Dave Bittner: So -- so that's part of how they do it. So it appears to you to be KeePass.info, but it's actually going to xn-- eepass-vbb.info. So something different.
Joe Carrigan: Right. And they can use this I don't know what you call it, a mismatch in text encoding, you know, using different type -- there are different types of text encoding online. Right.
Dave Bittner: Right. There's Unicode. There's ASCII for us old timers.
Joe Carrigan: Yes.
Dave Bittner: And by having these because your browser can interpret those, these bad guys are -- are taking advantage of that.
Joe Carrigan: Right.
Dave Bittner: Now, Google says that they have since taken it down.
Joe Carrigan: Oh, great. Thanks, Google.
Dave Bittner: But just, to me, this points to the increasing or decreasing ability for Google to successfully police this stuff.
Joe Carrigan: Yeah.
Dave Bittner: If a -- if a ad provider is verified and is able to do this, it means that Google's verification procedures are flawed in some way.
Joe Carrigan: Broken. I would say they're broken. Yeah.
Dave Bittner: Yeah. Or perhaps an organization was legitimately verified, but then the bad guys got in and took over their account.
Joe Carrigan: I would find out what had happened there if I were Google.
Dave Bittner: Yeah.
Joe Carrigan: I'd be furiously researching this.
Dave Bittner: Yeah. I mean, some people make the point that it is not in Google's interest to track these things down.
Joe Carrigan: I make that point frequently.
Dave Bittner: Track these down with great vigor because, of course, Google makes money off of them.
Joe Carrigan: Yeah. Google -- Google released earnings last week, and their advertising is still their biggest part of their -- their business model.
Dave Bittner: Yeah. I suppose the opposite of that would be that it's not in their long-term interest to -- to allow this sort of thing because just like we're talking about here, the people's trust of Google will go down. And they won't want to use Google.
Joe Carrigan: Yeah.
Dave Bittner: They'll switch to one of their competitors.
Joe Carrigan: Yes. I -- maybe they'll switch to Apple, who doesn't have an advertising business model.
Dave Bittner: Unfortunately, Apple also doesn't have a search engine.
Joe Carrigan: Right. That's true. It's not like they couldn't build that, you know.
Dave Bittner: That's true. It's true since Apple has all the money, right? Could just buy DuckDuckGo and be done with it, although I guess DuckDuckGo gets their stuff from Bing, which is Microsoft. It's all one big pile of giant companies, Joe?
Joe Carrigan: Yeah, yeah. That's the last thing I want is more -- more conglomeration in these things.
Dave Bittner: Yeah, yeah.
Joe Carrigan: You know, I'm right now looking, watching with -- with bated breath as the -- as the -- I don't know if it's the FTC or the SEC, somebody is looking at the antitrust problems with Amazon, Facebook, and Google. Right. So every time I see that, I get a little smile on my face.
Dave Bittner: Yeah. They are -- they are a bit big, too big for their britches, I would say.
Joe Carrigan: I would agree. And, you know, Google, this problem. This problem with this ad -- you know, this is not the first time we've talked about it. I've talked about how this even impacted me directly one time. And it's so pervasive. If it's out there all the time. I don't know anybody that hasn't had this happen to them. So if it's got saturation in the marketplace, why isn't Google concerned about it? Or why aren't they acting as if they're concerned about it? Why aren't they doing something? What -- I mean --
Dave Bittner: But they would say they are.
Joe Carrigan: Yeah. They are. Sure. But here we are with another great story about somebody actually installing malware on your system as a result of these ads.
Dave Bittner: Yeah. I mean -- I mean, Joe, if you can't trust an ad, who can you trust?
Joe Carrigan: Right. Well --
Dave Bittner: Well, but you know what? This also reminds me -- I mean, this gets to that point of you go to a news site right now. And you have an ad blocker, and they say, we see that you have an ad blocker installed. Well, yeah. I have to have an ad blocker installed because of all the crap like this. Makes me mad, Joe.
Joe Carrigan: Right. Absolutely. Yeah. It makes you angry.
Dave Bittner: Yeah.
Joe Carrigan: So my biggest problem with this and is the human factors design of these ads are designed to look like the search results. When Google first started doing ads, they put the ads over to the right side of the page.
Dave Bittner: Yeah.
Joe Carrigan: Now, your eye doesn't go to the right side of the page, your eye goes to the first result in the search. But -- so Google has realized that's the more valuable place to put the ad because that way they get more click-throughs.
Dave Bittner: Right.
Joe Carrigan: And that's what they're doing.
Dave Bittner: Yep. So they don't have their users' best interest in mind. They --
Joe Carrigan: Oh, their users are their product, Dave. They don't care about the product.
Dave Bittner: Yes.
Joe Carrigan: They care about their profits and the customer. That -- and you, the user of this system, are -- are -- I don't know how to say it, Dave. You just --
Dave Bittner: But I wonder, how do you protect yourself against something like this? Obviously, you can have an ad blocker.
Joe Carrigan: Right. The ad blocker works.
Dave Bittner: I don't know how much that works within a Google results search page. I'm not sure the degree to which an ad blocker blocks ad results that are within Google's own search results.
Joe Carrigan: Yeah. I don't know. Have you tried it with your ad blocker?
Dave Bittner: Let's give it a shot. Let's go to google.com. And you know what? I'm just going to search for KeePass.
Joe Carrigan: Right.
Dave Bittner: See what we get here. No. I don't see any ads. So it looks like my ad blocker's working. All right. Good news.
Joe Carrigan: I get it because I don't have an ad blocker.
Dave Bittner: Well, let me put it this way.
Joe Carrigan: I also don't see any.
Dave Bittner: Nothing's being labeled as being an ad in here. But, you know. What does that mean?
Joe Carrigan: Let me try diamonds.
Dave Bittner: Okay. You know they're a girl's best friend.
Joe Carrigan: Yes. Okay. So go ahead and search diamonds.
Dave Bittner: Okay.
Joe Carrigan: See what happens.
Dave Bittner: Diamonds. Okay. Nope. Don't see any ads.
Joe Carrigan: I get two ads before I get anything.
Dave Bittner: Okay.
Joe Carrigan: I get sponsored, sponsored.
Dave Bittner: Yeah. All right. Well, there we go. There's our -- there's our brief little experiment that you may or may not get ads, depending on your -- the degree to which you have ad blockers installed.
Joe Carrigan: Right.
Dave Bittner: But still shouldn't be an issue. This -- a company with the resources of Google should be doing a better job than they are with this.
Joe Carrigan: Yeah.
Dave Bittner: And that's frustrating.
Joe Carrigan: What should we tell them, Dave? If they can't do this at scale --
Dave Bittner: They shouldn't do it at all. There you go. All right. Well, we will have a link to this story in the show notes. Of course, we would love to hear from you. You can email us. It's hackinghumans@n2k.com. Joe, it's time to move on to our catch of the day. [ Soundbite of reeling in fishing line ] Dave, our catch of the day comes from the CyberWire editorial staff. And there's a real problem here, Dave. It's a nice picture. So it doesn't have any text in it so -- Okay.
Joe Carrigan: I mean, it does have text in the picture. You have to read the picture.
Dave Bittner: Yeah.
Joe Carrigan: But it's not --
Dave Bittner: Yeah.
Joe Carrigan: There's nothing clickable here.
Dave Bittner: All right. So this says, the subject is Apple FaceTime information disclosure. There's a logo here from the National Security Department.
Joe Carrigan: Right. The NSD.
Dave Bittner: NSD. Yeah. The highly secretive -- they're even more secretive than the NSA, Joe. So secretive I've never heard of them.
Joe Carrigan: Yes.
Dave Bittner: It says, A vulnerability has been identified in the Apple FaceTime mobile applications that allow an attacker to record calls and videos from your mobile device without your knowledge. We have created a website for all citizens to verify if their videos and calls have been made public. To perform the verification, please use the following link. There's a big yellow button that says FaceTime verification.
Joe Carrigan: FaceTime verification.
Dave Bittner: It says, This website will be available for 72 hours. National Security Department.
Joe Carrigan: Yeah. Seventy-two hours is probably -- it probably won't be available that long, hopefully. I don't know what happens when you click on this link. But if there's anything for you to enter any information, yes, your video has been leaked.
Dave Bittner: Right, right. I'm guessing this will take you to a page where something will pop up and will say, Oh, we need your Apple ID. We need your apple login information here --
Joe Carrigan: Yeah.
Dave Bittner: -- in order to verify your FaceTime. In order for the National Security Department to verify your FaceTime, we need your -- so.
Joe Carrigan: They got so angry when I said National Security Administration instead of agency. You remember that?
Dave Bittner: Yeah.
Joe Carrigan: They wrote letters. And I was wrong to say administration. It is agency.
Dave Bittner: Yeah.
Joe Carrigan: But I wonder how they feel about National Security Department?
Dave Bittner: Well, I'll give you another one. Don't call someone from the CIA an agent. They're not agents. They're officers.
Joe Carrigan: Officers.
Dave Bittner: And they're very -- they're very prickly about that.
Joe Carrigan: Yes. FBI, FBI people are agents, right?
Dave Bittner: FBI is agents, CIA officers.
Joe Carrigan: Officers.
Dave Bittner: Yes. That's correct, that's correct. All right. Again, we would love to hear from you. You can email us. It's hackinghumans@n2k.com. Joe, I recently had the pleasure of speaking with James Dyer and Jack Chapman. They are from a company called Egress. And they did some research about how hackers are exploiting existing email infrastructure. Here's my conversation with James Dyer and Jack Chapman. It came to my attention whilst analyzing hundreds more scouting emails than we would usually get on a daily basis. And understanding these scouting emails were not only just analyzing if that inbox is legitimate and is alive but also embedding tracking pixel technology with links within that email, which would collect additional information. Off the back of that, understanding what they're looking for, I analyzed that a lot of these scouting emails were actually coming from a server that was located in Japan. And was doing a connection from that server what mail flow is coming from there, I was able to identify a few follow-up attacks as well. Now, you mentioned scouting emails. Can you explain to us what -- what exactly is under that umbrella?
James Dyer: Yeah. So a scouting email is usually when an attacker will get a list of victims email addresses, but it can be quite out of date. So they usually send an email with little context or no subject, no email address to see if Microsoft give them an NDR, which is a nondeliverable receipt. That's where Microsoft will tell them this email address no longer exists. You can't send to them. But they can also use links to gather more information like metadata, what IP address is accessing this link, what web browser or software are they running. And they're able to then use that information to follow-up attack, find different vulnerabilities and exploits the attacker can leverage when they do repeat that attack.
Jack Chapman: Just to add to that, I think, really, it's an interesting trend we've seen where it really is that first step in the kill chain of how do attackers find targets. And, historically, you've had sort of those data breaches. But as these data breaches have increased over time, some of that older data isn't as useful anymore. So these scouting attacks are how criminals are essentially renewing the validity of that data while also performing additional services like putting it into nice buckets for them to sell on to other criminals like vertical specific like these users are in finance, these users are in technology, and so on. And it's really one of the sort of driving forces behind some of the increasing sophistication we see with criminals attacking in their email space.
Dave Bittner: Yeah. It's a really interesting insight. I mean, I was recently chatting with some folks on social media over on Mastodon, and they were kind of scratching their heads about all of these emails that they were getting that said nothing other than Hello or Hi, you know. It's just like one word types of things. And we were trying to puzzle through what could they possibly be for, and it sounds like these -- these scouting endeavors could fit the bill, could explain what they're up to.
James Dyer: We see hundreds of those where it's like, Hi, there. Hello. And they're honestly just scouting for either a response from the user so they can potentially do a follow-up attack and gather more information. But we've seen recently with ChatGPT entering the industry how attackers can just gather so much more information and understand who they're going after. They're able to launch these attacks at much more scale than before.
Dave Bittner: And how has ChatGPT kind of supercharged their efforts?
Jack Chapman: I think it's quite interesting. To take that question one step further, it's really how is AI changing the landscape. And ChatGPT is definitely a jump forward in these large language models. It's really removing the barrier of entry to not only creating the phishing template but creating the malicious link that will scrape credentials, being able to use it to gather background information on organizations. And, really, it's almost like a personal assistant for criminals, especially with some of the weaknesses in these AI systems. So what we're seeing really is almost making the average bottom-level phishing attack more sophisticated, more automated, and probably, most importantly, more human.
James Dyer: I would echo that. You often see those standard 419 scams where it's a national stuck on space request in time bitcoin, whereas attackers can now use ChatGPT to make a more convincing story with no grammar or spelling mistakes. There's just an old pal inviting you to a wedding that they want your email address or something so they can attach onto, that they can use to launch a follow-up attack as well.
Dave Bittner: Well, let's dig into this specific issue here with -- with the out of office notices. I mean, I think this is pretty common thing for most people to do. I know if I'm out on vacation or holiday, I'll put up an out-of-office reply to let people know to not expect a response very quickly. What's the peril here? How are the bad guys taking advantage of this?
James Dyer: So these were attacks were extremely common pre-COVID when people were taking holiday and using the out-of-office feature within Microsoft but kind of died down where they were doing staycations or maybe not using out of office. But we've seen quite a lot recently where attackers will do those skeleton attacks to understand if the email address is still active. But if they get a bounce back, that that individual is out of office, they can then use that information to aid their attack. They can go on social media platforms like LinkedIn, like Instagram and gather more information about this individual. And they can perhaps impersonate them or go after people within their team and use them being out of office as a leverage, as a bit of credibility in their conversation.
Dave Bittner: Jack, are there any specific examples here of the types of things that you all are tracking?
Jack Chapman: Yes. I think we can almost view out of offices as almost a layered approach, a bit like a lot of security concerns where just saying that you're not at work. So when we say level one where it's like, okay. There's an opportunity to impersonate this person. And this is something we often face, that balance between efficiency and in some ways politeness in a business to give people a heads up, you won't be answering emails for a little while. But on the other scale, and especially what's happened in some of these cases is where you give specifics to that. It might be the case of I'm going to be out of office because I'm in the US. I'm out of office because I'm going on a bike tour. I'm out of office because I'm climbing a mountain, all of these additional bits of information almost help seed that next attack like all sort of good oscent based methodologies in SEC ops, it's important we're aware that something that is very human to share can be turned around and weaponized. And with tracking, a lot of these types of attacks where it's almost becoming opportunistic, where the main mission for the criminal is to gather and sell these datasets. However, if they're offered almost information about a potential victim or organization where they can impersonate that victim, it's almost like a silver platter for them. It's done half their research for them.
Dave Bittner: And I suppose folks need to be careful, too, about what they share on social media. I mean, I'm thinking that, if I'm out of office and I have a fairly straightforward out of office notice at work, but then I post on Facebook, you know, hey, having a great time, you know, climbing this mountain with my family and that's publicly accessible, it's not hard for the bad guys to connect those two dots.
Jack Chapman: Absolutely. And I think it's safe to say -- I know we've discussed this a lot in industry over the years of that gap between personal presence and work presence, but I think it is safe to say that that divide has never been thinner in a lot of people's cases. And for the sake of a thirty-second Google search, you suddenly have all of the information you need to double, triple, quadruple the effect of your next attack.
Dave Bittner: What are your recommendations, then? I mean, do we not do out-of-office responses? Or what's the best practice here to help tamp down on this?
James Dyer: My first kind of response to that would be being aware of how operation security can be an impact, being aware that what you post on LinkedIn or Facebook can actually be used against you. And understanding if that should be information that we put out there in the open because I often hear that people think they don't have anything to offer these attackers, that they're not worried if they go after them. But, at the end of the day, if you have a Microsoft 365 credentials that they can steal and/or login, that is enough. That has the authentication to back it up and the long shelf life that domain has, we see multiple attacks, actually, where people just log into their Microsoft 365 account, upload a malicious file onto SharePoint, and use SharePoint's built-in notification system to send an email to all different types of people. And that becomes quite hard to detect from a technical aspect because that email is from SharePoint. There's nothing malicious in it until you actually end up on SharePoint where there's a malicious attachment waiting for them.
Jack Chapman: I think just add two things to that. It's very much from a human side of be aware that there's this risk out there. Therefore, let's mitigate it in some common sense steps. Let's not put specifics in out-of-office emails, for example, because really the outcome's the same. Similarly, let's hold off on posting all of our sort of personal holiday photos until perhaps we're back. And just these couple of sort of safe sanity steps which don't reduce the enjoyment or some of these activities or the efficiency for business process can drastically change the outside perception as an individual and as an organization. Then I think on the other side thinking as a security team who has to try and manage some of these risks, I think first thing is having visibility of these risks. And that's where, basically, looking at what is your threat landscape? Are you going to have persistent threat actors against your business on a daily basis, weekly basis because that's really going to be the first step of how worried do we need to be about these attacks versus the opportunistic versus actually this type of threat landscape doesn't actually apply to us. Like all things cyber, not one size fits all here.
Dave Bittner: I suppose -- is it fair to say that there's some awareness training that comes into play here, too, of letting your employees know or -- or perhaps putting, I don't know, standards in place? If someone is away on vacation and you suddenly get a call from them saying, hey, you know, I need you to transfer this money, and I need it done today, that that sort of thing should be setting off all kinds of red flags.
James Dyer: Absolutely. And when I always look at this, it's always going back to the core three pillars of how can technology help; how can people and training help; and how can policy help, which is often overlooked. And a lot of the answers are there already. If you just have the one policy step of a financial transfer can't happen without voice confirmation, that suddenly removes 99% of attacks. I know there's deep fakes coming along to help target that vector. That's one for another day, perhaps. But simply having technology in place that can detect these type of attacks, but having training, just making people aware because in some ways it's not just an organization problem. There's quite personal risk here as well. I know a lot of opportunistic robbers, for example, physical security, will take the opportunity of when they see people posting holiday photos to target homes, for example. And this all collates together. So I think there's quite a lot we can do and advise people here.
Dave Bittner: Yeah, I mean, it's an interesting balance, isn't it? I mean, you have to balance the risk of all this against I think people's sincere desire to be social online and, you know, share their adventures and be connected with people through these social media platforms. But I guess, unfortunately, these are some of the things you have to keep in mind.
Jack Chapman: Yeah. It's one of those hard things, especially being in cybersecurity where you want people to have the freedom to enjoy this technology. But when attackers find a route into almost corrupt the benefits of this technology, that's where we do need to put a couple more controls in place so that we keep people safe at the end of the day.
Dave Bittner: Are there any technology solutions that folks can aim at this, any sorts of things that can help it at the source?
James Dyer: I think a great piece of software that you can help mitigate some of these attacks is obviously multifactor authentication, where you can prevent people attempting to try and log into your account. Obviously, there are phishing frameworks like Evilginx that can store your session cookies and can help bypass MFA. But it's a great layer to stop a large amount of attacks as well.
Jack Chapman: And just add to that, I think the other side is that's basically evaluate the kill chain of all the different steps that attackers take to go down this route and create this threat and just ensure that we validate it. So I know a lot of new ICSs integrated cloud email security solutions are layering on top of Microsoft, which can really help with some of these more advanced attacks, going down the chain having process in place to essentially validate, for example, demark, to make it harder for your organization to be targeted. I think this combined with the training and the policy puts organizations in a lot better place. And one thing that always gives me a headache, especially James mentioned MFA is just because it doesn't stop every attack doesn't mean it's worth -- not worth doing because, at the end of the day, we need to frustrate the criminals as much as possible here to keep ourselves safe.
Dave Bittner: Joe, what do you think?
Joe Carrigan: I'll say it again, Dave. Email is terrible.
Dave Bittner: Yeah.
Joe Carrigan: It's just the worst.
Dave Bittner: Yeah.
Joe Carrigan: It's -- it's the only service that we as network and internet users put out there, open up where anybody can put anything into it.
Dave Bittner: Right.
Joe Carrigan: And that makes it terrible.
Dave Bittner: Yeah.
Joe Carrigan: Do you remember the good old days? Let's get nostalgic. Do you remember when email was just text?
Dave Bittner: I remember when email was on dial-up bulletin board systems. That was great.
Joe Carrigan: Yeah. That was a different mail system. That wasn't actually like -- I guess it was email, but it was like a completely different protocol.
Dave Bittner: Yeah. And it would -- yeah. Depending on which BBS they were running, you know, it was one person at a time kind of thing.
Joe Carrigan: Right.
Dave Bittner: Yeah. They were all different, which meant you had to learn a different set of controls for each one. Anyway, rat hole.
Joe Carrigan: Thank you. Why do we have to add HTML to email? This is -- first off, I don't want to see people's formatting. I don't want to see your little kitten background.
Dave Bittner: Yeah.
Joe Carrigan: Right? I don't want to have to download that image. But going to HTML enables a lot of things like image downloads, right --
Dave Bittner: Right.
Joe Carrigan: -- which is the -- what those tracking pixels are they were talking about.
Dave Bittner: Yeah.
Joe Carrigan: If you have a setting in your client, turn off the image downloading. It should be turned off by default, but it probably isn't.
Dave Bittner: Yeah.
Joe Carrigan: I like the term scouting email. I think that's an excellent term because the purpose of these emails is reconnaissance with their -- with their -- the emails that James and Jack are talking about are -- are for that purpose. And let's take a look at what -- what you get. If you send an email into a -- into an organization, a bunch of emails into an organization, you're going to find out almost immediately which ones are bad because they're going to bounce back. And you can immediately just remove those from your list. If you add a tracking pixel and their client downloads it like Microsoft Outlook does when you preview a message, it might go out and download that image, you have confirmed, number one, the email is legit, right. You got that there's a user on the end of that email.
Dave Bittner: Right.
Joe Carrigan: The person opens their email or previews it. And, three, you might get the email address they're coming out of -- I'm sorry, IP address.
Dave Bittner: Yeah.
Joe Carrigan: The IP address they're coming out of. And if you have enough information, you may be able to determine whether or not they're at work or at their home office, right, which means you have more intelligence you can gather that way.
Dave Bittner: Right.
Joe Carrigan: If you include a link and they click on it, you get even more information. Like they're the kind of user that will click on links, you send them an email, right? That's very important information.
Dave Bittner: Yeah. But once you get that, you'll actually get the string of their default. You'll get the browser string, which will tell you what their default browser is. Maybe it has a vulnerability. Maybe you can actually exploit that. And you can also get confirmation of their email address. All that can happen from one email sent in. That's a lot of information to collect from one email. Jack notes that this is usually the first step in the kill chain, and that is 100% correct. In the vast majority of cyberattacks, the very first kinetic activity, the first thing they do after they've gathered other information is they send emails in. Right.
Joe Carrigan: So it is the first step in the kill chain. Out-of-office replies, in Microsoft Outlook, you can set that out-of-office reply just to go to people in your own organization. If -- if you can do that, do that. If you are going to be slow responding to emails, maybe you delegate your email to somebody else instead. So that there's a human on the other end so you're not just telling people that you're out on vacation. If -- if you tell people you're out on vacation outside of your organization, it really opens you up. You know, you -- they can use LinkedIn to find out who your coworkers are and attack them by impersonating you. In sales and sales organizations, it may not be possible to turn off your email Auto Replies from outside, right.
Dave Bittner: Right.
Joe Carrigan: You may want to say, Okay. If you have something really important, please contact this person. And that may be good information to have. So I understand that there's a use case where that's happening. But putting these things together, you know, the kind of information to -- that you need to attack somebody this way is trivial. So be careful with what you're doing.
Dave Bittner: Right.
Joe Carrigan: And don't forget about your own personal operational security as well. Don't say you're out on vacation, you're on vacation for the next two weeks hiking, hiking the Appalachian Trail from Maine to New Hampshire this weekend when you live in Maryland. Somebody can just drive up to your house and go, yay. He's sure not there.
Dave Bittner: Right, right.
Joe Carrigan: Come home to an empty house.
Dave Bittner: Right. Sure am glad I hired, you know, Bubba to babysit my Rottweiler while I'm gone.
Joe Carrigan: Maybe put that in, right?
Dave Bittner: Right.
Joe Carrigan: Babysit my Rottweiler and clean all my guns.
Dave Bittner: That's right, that's right.
Joe Carrigan: I'm not worried they're not interested in me. I have to take a deep breath whenever I hear this anymore. I've been screaming this from the mountaintops for as long, almost as long as I've been telling people about using password managers and multifactor authentication. You do have something of interest, and James makes a great point talking about the Microsoft 365 account being used to host malicious software. That's a nightmare scenario. And it's enabled by the attitude, I don't have anything that's of interest.
Dave Bittner: Right.
Joe Carrigan: You do have things that are of interest. To protect yourself, policy, policy, policy with your business. Always -- and I agree. I can't remember who was -- James or Jack that said it, but policy is overlooked. Make sure your policy is good and not subjected to vulnerabilities. Multifactor authentication and focus on the kill chain. The earlier is the better.
Dave Bittner: Yeah.
Joe Carrigan: Right. That, you know, we keep saying hackers only have to get it right once. They don't. They have to get it right a series of times in a row to get -- get entry. If you can stop them anywhere along that line, you stop them.
Dave Bittner: Yeah. Maybe they'll move on to someone else who's easier.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Yeah.
Dave Bittner: All right. Well, our thanks to James Dyer and Jack Chapman from Egress for joining us. We do appreciate them taking the time. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. This show is edited by Elliott Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.
