Hacking Humans 12.7.23
Ep 267 | 12.7.23

Small, medium, and large phishing trends of 2023.

Transcript

Michael Price: Phishing is old, but it continues to be heavily used. And we continue to see folks adapting to get around some of the newer protections that continue to be put in place.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hi, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Michael Price. He is CTO at ZeroFOX. We're talking about trends in phishing. All right, Joe. Before we jump into our stories here, we have a couple of bits of follow-up. I will read the first one here. This is from a listener named Michelle who writes in and says, Hi, guys. I've been warning my family about a situation with my aunt and her internet love, and love is in quotes, for over six months. She met him playing Words with Friends, and they began chatting daily. I told my family about all of the hallmark red flags and warning signs that she was, at very least, being catfished. But because my aunt is lonely, they do not want to burst her bubble or create conflict. Recently, I was informed that this man Zelled her $500 and asked her to purchase an iTunes gift card for his son. I told her that is a scam, and she may be unknowingly participating in illegal financial activity or money laundering. I don't know what her culpability would be, but I want to protect her and stop her from funding organized crime and likely human trafficking. The problem I am encountering is that my family sees my concerns as paranoia, and their ignorance of the realities of fraud and security makes them think I'm crazy. No one will take me seriously, and I'm very worried that my aunt may lose a lot of money because I know how much her feelings are controlling her behavior. How can I approach them in a way where they will take me seriously and handle my aunt in a delicate manner to avoid her feeling shame and embarrassment? I'm worried that, instead of seeing reality, she will double down on her belief that he is real and continue to be victimized. Thank you, and keep up the outstanding work you all do.

Joe Carrigan: This is something Mallory Sofastaii was talking about, a very similar Words with Friends scam.

Dave Bittner: Yeah, yeah. So, first of all, my heart goes out to Michelle --

Joe Carrigan: Right.

Dave Bittner: -- having to deal with this. You know, hesitant to give out specific personal advice here on the show. But I think in general there are a few things that come to mind here. First of all, there's a quote from Carl Sagan, you know, the great scientist and skeptical thinker. He said, One of the saddest lessons of history is this. If we've been bamboozled long enough, we tend to reject any evidence of the bamboozle. We're no longer interested in finding out the truth. The bamboozle has captured us. It's simply too painful to acknowledge, even to ourselves, that we've been taken. Once you give a charlatan power over you, you almost never give it back. I think there's something to that.

Joe Carrigan: Yeah.

Dave Bittner: And I think that's probably what's going on here. I mean, at the base level of this, Joe, what do you suppose is going on here?

Joe Carrigan: You mean, what's going on with the -- tactically?

Dave Bittner: Yeah.

Joe Carrigan: So what's -- yeah. This is a scammer. He is using this woman right now for money laundering.

Dave Bittner: Right.

Joe Carrigan: That's exactly what's happening. So if you want to have your family member listen to this -- family members listen to this podcast, I don't think that you're paranoid or overreacting at all.

Dave Bittner: No.

Joe Carrigan: There are some serious things that are going to happen here. What's -- what's likely to be next is that this guy is going to ask your aunt for money if he hasn't done that already.

Dave Bittner: Right.

Joe Carrigan: And your aunt's going to send him that money. Now, we already know she has his Zelle account, right.

Dave Bittner: Uh-huh.

Joe Carrigan: So we've had story after story where people have tried to claw back money via Zelle, and Zelle is like, No. You transferred it. That's -- that's you giving someone else money.

Dave Bittner: Right.

Joe Carrigan: I -- you know, the first thing that occurred to me was how culpable would she be if this is money laundering? And, you know, I -- I immediately thought about the fact that Zelle now and all these payment transaction organizations like Venmo and everything have to provide 1099s to people if they've received more than $600 from commercial transactions. I don't know if these are classified as commercial transactions or not.

Dave Bittner: Yeah.

Joe Carrigan: The IRS has said we're not talking about you paying back your friends for splitting a tab.

Dave Bittner: Right.

Joe Carrigan: That's not what we're -- what we're after. We're after people who are dodging taxes on -- on business transactions.

Dave Bittner: Yeah.

Joe Carrigan: So this probably won't result in a 1099 being issued.

Dave Bittner: Right.

Joe Carrigan: Probably. But, you know, depends on how much money she's helping these guys launder.

Dave Bittner: Yeah. And I suspect also that she wouldn't -- that they wouldn't come after her for the crime because I think it's clear here that she is a -- an ignorant victim --

Joe Carrigan: Yes.

Dave Bittner: -- to use an indelicate term.

Joe Carrigan: Right. Ignorance is only not knowing. Right.

Dave Bittner: Right. And she is -- she is a victim herself.

Joe Carrigan: She is indeed.

Dave Bittner: This person is taking advantage of her kindness, is taking advantage of her loneliness. I'm sure that your aunt is a wonderful woman who has a lot of love to give.

Joe Carrigan: Yeah.

Dave Bittner: And this person is making her feel like someone is interested in her and wants a relationship, even if it's just companionship. And that's a powerful, powerful force.

Joe Carrigan: It is.

Dave Bittner: So, I mean, I agree with you, Joe, that this is certainly money laundering as it is right now. I suspect it's also grooming --

Joe Carrigan: Yep.

Dave Bittner: -- in that this person is starting the relation -- starting the financial relationship in one direction, which is sending her money.

Joe Carrigan: Right.

Dave Bittner: Asking her to do something with it with the iTunes gift card. So sending her money, getting it all back in the gift card so not costing the scammer anything --

Joe Carrigan: Right.

Dave Bittner: -- but establishing --

Joe Carrigan: A pattern.

Dave Bittner: -- normalizing a pattern of exchanging funds.

Joe Carrigan: Right.

Dave Bittner: And I think you're right on. I think if it hasn't already happened, that ask is going to come --

Joe Carrigan: Soon.

Dave Bittner: Yeah. Of -- and it'll be disguised as, oh, I need money to pay a medical bill or, oh, I need money to travel.

Joe Carrigan: Sums it up. Been in a terrible accident.

Dave Bittner: Right, right. Oh, I want to come see you. I need to buy plane tickets or something.

Joe Carrigan: Right.

Dave Bittner: All of these things that over the years we've been doing this --

Joe Carrigan: Yeah.

Dave Bittner: -- we've described. There's -- there's no question in my mind that your aunt --

Joe Carrigan: Is being victimized.

Dave Bittner: -- is being victimized.

Joe Carrigan: Yep. Absolutely. I agree 100%.

Dave Bittner: And -- and she -- there is no shame in that.

Joe Carrigan: Nope.

Dave Bittner: She is not stupid.

Joe Carrigan: No, she is not.

Dave Bittner: She did not do anything wrong.

Joe Carrigan: No.

Dave Bittner: So --

Joe Carrigan: The person she's talking to is an evil person.

Dave Bittner: Yeah. Yeah. So that -- I mean, I don't know much more to tell you than that, Michelle. Your aunt is lucky to have you to be looking out for her. And I hope that this all ends in a good place and you can, you know, cut it off before it goes any farther.

Joe Carrigan: And if you do let your family listen to this podcast, Michelle's right. And she's not paranoid.

Dave Bittner: No. No, she's not paranoid. And -- and hopefully she prevents, you know, any more or serious suffering from happening because, as we've talked about over and over again, there are people who have lost their life savings --

Joe Carrigan: Yes, they have.

Dave Bittner: -- to these sorts of things. And this is exactly how it starts.

Joe Carrigan: Yep.

Dave Bittner: Exactly how it starts. All right. What else do we have, Joe? What -- we got another bit of follow-up here?

Joe Carrigan: We do. We have a question from Marc who says, Dave and Joe, I received this email from Walmart wanting me to review some products I recently purchased, right. And he sends along an email that's like, how do you like this product? So write a review about the product.

Dave Bittner: Okay.

Joe Carrigan: Seems normal, right? Well, I used the self checkout, paid with my Visa card. Self checkout doesn't ask for a password or username. How did they know what my email address is? Facial recognition? Did Visa give it up? Or whatever. He says it's disturbing. And I agree.

Dave Bittner: Yeah.

Joe Carrigan: It is disturbing. The first question I have is did you enter a phone number, or is there some kind of -- I'm not -- I don't shop at Walmart enough to know if there's an affinity program --

Dave Bittner: Right.

Joe Carrigan: -- that you can enter where you provide an email.

Dave Bittner: Right. But I would guess -- I'm sorry. Don't mean to interrupt.

Joe Carrigan: Go ahead.

Dave Bittner: But I would guess that, if Marc is using that same Visa card at the grocery store where he does put in his phone number --

Joe Carrigan: Right.

Dave Bittner: -- for the affinity program, that it's being cross-referenced.

Joe Carrigan: Sure.

Dave Bittner: It's that simple.

Joe Carrigan: Yeah. That -- that is -- yeah. That's probably -- and they're probably not cross-referencing the entire credit card.

Dave Bittner: No.

Joe Carrigan: They're looking at, you know, maybe just little bits of it, little tokens of it.

Dave Bittner: And it is Visa who's giving it up, by the way. Visa totally sells --

Joe Carrigan: Yeah.

Dave Bittner: Yeah. The credit card companies give out your information. They sell it.

Joe Carrigan: They monetize all this data.

Dave Bittner: Yeah.

Joe Carrigan: Twenty percent interest isn't enough. We need to sell their information too.

Dave Bittner: Right. So that -- that is the answer. It is the Visa card that is the thing that is ratting you out when it comes to your email address.

Joe Carrigan: Yeah. I agree, though. It is creepy.

Dave Bittner: Yeah.

Joe Carrigan: It is creepy. You know, if I -- if I got this, I'd be like, well, I guess I'm not shopping at Walmart anymore. At least not with my credit card.

Dave Bittner: That's right. That's right. Yeah. Cash, Joe. You've got to pay cash.

Joe Carrigan: Now, here's the next step, Dave. What if you do pay cash, and then you get an email. Now I'm worried.

Dave Bittner: Yeah. That's right.

Joe Carrigan: This, this is using a credit card and maybe an affinity program. This doesn't concern me as much because I know that these data brokers have all kinds of profiles out there for us, right.

Dave Bittner: Yeah. Time to put an extra layer of tin foil inside of your baseball cap, Joe, right.

Joe Carrigan: To go with the one on the outside, Dave.

Dave Bittner: That's right. That's right. Go walking through Walmart looking like the Michelin man wrapped in --

Joe Carrigan: Wrapped in tin foil.

Dave Bittner: -- wrapped in tin foil. Yeah. Good. That won't draw any attention. All right. Well, thanks, everyone, for writing in. We do appreciate you sending us these messages. Of course, you can email us. It's hackinghumans@thecyberwire.com. All right. Joe. Let's jump into some stories here. Why don't you kick things off for us.

Joe Carrigan: Dave, before we begin, I want to warn our listeners that my story goes to a gross and dark place.

Dave Bittner: Okay.

Joe Carrigan: So it's -- it's not one of the happy feel good stories.

Dave Bittner: Yeah.

Joe Carrigan: It's -- remember when we started this show, and I always had the really terrible ones that started up.

Dave Bittner: Right.

Joe Carrigan: This is one of those.

Dave Bittner: Okay.

Joe Carrigan: So I'm going back to this. But this is coming out of the Wall Street Journal. There are two reporters named Jeff Horwitz and Katherine Blunt. And they've been writing a number of articles about social media, and, in particular, Meta.

Dave Bittner: Okay.

Joe Carrigan: And late last month, they had two of these articles that came out. One of them is just by Jeff Horwitz. And it talks about all the state attorneys general that are suing Meta.

Dave Bittner: Yeah. Including our own.

Joe Carrigan: And they had -- right. Including our own.

Dave Bittner: Yeah.

Joe Carrigan: And they had an internal 2020 Meta presentation that showed that companies sought to engineer products to capitalize on this market of youth and exploit the psychology of youth and particularly teens that are, quote, predisposed to peer pressure, impulse. And -- well, I'm not quoting anymore, but they're predisposed to impulse and peer pressure and potentially harmful risky behavior. That's what the findings show. Meta also condoned the uses of -- uses of Facebook by people who were under the age of 13.

Dave Bittner: Right.

Joe Carrigan: Now, do you remember when your kids were under 13 and they had Facebook accounts?

Dave Bittner: Yes.

Joe Carrigan: Yeah. And Mark Zuckerberg and all these people didn't care about that. They were -- they were fine with it --

Dave Bittner: Yeah.

Joe Carrigan: -- apparently. And that's what these court -- these court filings are saying --

Dave Bittner: Right.

Joe Carrigan: -- allegedly. According to the report, in December of 2017, Instagram -- an Instagram employee indicated that Meta had a method to ascertain whether or not these users were younger than 13 but advised you probably don't want to do that. This is a Pandora's box, a Pandora's box that only lets good things out.

Dave Bittner: Right, right. Yeah.

Joe Carrigan: So I hope that this suit is successful. So -- and this is talking about the -- just the absolute damage that is happening to teenage psyche, the teenage psyche out there from this company. Now, the next one is not nearly as benign. This one is the gross one.

Dave Bittner: Okay.

Joe Carrigan: This is by both Jeff Horwitz and Katherine Blunt. And this story focuses on Instagram Reels. Are you familiar with Instagram? Are you on the Gram, Dave?

Dave Bittner: No.

Joe Carrigan: No. I have an Instagram account only because I have a Facebook account.

Dave Bittner: Okay.

Joe Carrigan: I think I posted some pictures of pickled peppers once.

Dave Bittner: Okay. May have been a peck of pickled peppers. But, other than that, I haven't -- I mean, every now and then, somebody says, Hey. Here's an Instagram reel. Check it out. And I go look at it, and I'm like, Ha ha. That's funny. It's great. I have to log in every single time. Okay.

Joe Carrigan: But there's this feature called Reels, which they built to compete with TikTok.

Dave Bittner: Okay, which is short little videos.

Joe Carrigan: Right. I don't have an account with TikTok.

Dave Bittner: Okay. This feature, if you're a regular Instagram user -- Reels is designed to show you videos that you'd be interested in. Okay.

Joe Carrigan: Right.

Dave Bittner: Right.

Joe Carrigan: Which sounds great. I might be interested in this.

Dave Bittner: Sure. YouTube does the same thing.

Joe Carrigan: It works just fine if your interests are prurient interests, prurient -- I can never say this word -- prurient interest in kids --

Dave Bittner: Right.

Joe Carrigan: -- which is the gross part.

Dave Bittner: Okay.

Joe Carrigan: So the Wall Street Journal set up a bunch of accounts. They went into Instagram and open up accounts. And then they just started following young gymnasts, cheerleaders, and other young influencers on the platform. And they got, quote, jarring doses of salacious content to those accounts.

Dave Bittner: Okay. Go on. Explain to me what that means.

Joe Carrigan: They have -- I don't want --

Dave Bittner: So, in other words --

Joe Carrigan: Yeah.

Dave Bittner: -- I follow a young gymnast or a young cheerleader.

Joe Carrigan: Well, they follow almost exclusively young gymnasts, young cheerleaders, young --

Dave Bittner: So we're talking teenage --

Joe Carrigan: Teenage -- teenage people.

Dave Bittner: Someone between the age of like 13 and 18.

Joe Carrigan: Right.

Dave Bittner: So they're still kids.

Joe Carrigan: Yep.

Dave Bittner: And they're doing kid things like gymnastics and cheerleading.

Joe Carrigan: Yep.

Dave Bittner: Okay. And I follow those, and the algorithm gives me what?

Joe Carrigan: Dave, if listeners want to -- want to look at the article, we'll put a link to the article in the show notes. But suffice it to say it's bad stuff.

Dave Bittner: Okay.

Joe Carrigan: Right. I don't know that it rises to the level of criminality.

Dave Bittner: Right.

Joe Carrigan: But it's not what you would want to be looking at.

Dave Bittner: So it's saying, basically, we've noticed that you are an adult who has an unhealthy interest in young children. Well, here's more young children you can have an unhealthy interest in. Is it that sort of thing?

Joe Carrigan: I don't think the algorithm is saying that. The algorithm says we know what you're interested in. Here's more of it.

Dave Bittner: Okay.

Joe Carrigan: And if that interest happens to be an unhealthy interest in -- in young children --

Dave Bittner: Yeah.

Joe Carrigan: -- you get more young children.

Dave Bittner: Right.

Joe Carrigan: And adult content mixed in with it.

Dave Bittner: Oh. Okay.

Joe Carrigan: Right.

Dave Bittner: And, alongside of it, there are ads as well. So this is all being funded by the advertising. Right. Okay. All right.

Joe Carrigan: Which is -- which is very interesting. Now -- now, there's a Canadian organization called the Canadian Centre for Child Protection. This is obviously a child protection group out of Canada.

Dave Bittner: Yeah.

Joe Carrigan: And they ran a similar experiment and found the exact same results. So this has been repeated, right? Meta, when they talked to The Journal, said, The Journal test produced a manufactured experience that doesn't represent what billions of users see. Of course not, right? That's not what they were testing at all.

Dave Bittner: Right.

Joe Carrigan: That's not at all what they're testing. What they were testing was, if I go on here and I start following a bunch of kids, what kind of stuff do I get? You get more kids and kids doing things that kids shouldn't be doing on social media.

Dave Bittner: Okay.

Joe Carrigan: Right. The company declined to comment on why the algorithms compiled streams like these of sexual -- of separate videos showing children, then sex advertisements. But the spokesman said that, in October, it introduced a brand -- a new brand safety tool to give advertisers more control over the content that their ads appear next to. However, there are a couple of companies that have said, now, we're done. Match has said we're not doing this.

Dave Bittner: Okay.

Joe Carrigan: They've pulled all of their advertising from Reels, I think even from all of Meta.

Dave Bittner: Oh.

Joe Carrigan: So, yeah. We -- we have -- this is a quote from Justine Sacco --

Dave Bittner: Yeah.

Joe Carrigan: -- from Match. She says, We have no desire to pay Meta to market our brands to predators that place our ads or place our ads anywhere near this kind of content. Robin McCay, who is a spokesman for Bumble, said, We would never intentionally advertise adjacent to inappropriate content. And he also said that the company has suspended its advertising across all of Meta's platforms.

Dave Bittner: Okay.

Joe Carrigan: So good. Thank you, Match and Bumble, for doing this. Here's the thing. The Journal informed Meta of this. This is like a vulnerability disclosure.

Dave Bittner: Right.

Joe Carrigan: They did -- they informed Meta of this in August. And, in the months since then, tests by both The Journal and this other Canadian -- this Canadian Child Protection Centre show the platform is still doing this. And the Canadian organization said it was doing this as late as the middle of November of this year. So it's still going on. So if somebody signs up for a fake account, then, you know -- or not a fake account, a new Instagram account and starts following these things, they'll still start getting served this thing.

Dave Bittner: Right.

Joe Carrigan: This content. It's really, really disturbing. I actually have a question for the Wall Street Journal and for the Canadian organization, and that is, what are you doing about the people who are investigating this?

Dave Bittner: What do you mean?

Joe Carrigan: Don't forget about that. That's tough. Investigating this is tough.

Dave Bittner: Oh, sure.

Joe Carrigan: I mean, I've -- I've known a couple of people in my life who have had one -- a guy I used to work with who was doing forensic analysis. This was years and years ago.

Dave Bittner: Yeah.

Joe Carrigan: We were both -- had a night job. And you could tell when he had a bad day. His mood was completely different. Not good for you. So I've also talked to other people about the law enforcement investigations, investigators that do this. They have to go to therapy I think every -- every year or six months or something like that. Man -- it's mandated by the organization. They have to do that.

Dave Bittner: But let me -- let me ask you just a point of clarification here because one thing you mentioned and you sort of did it in passing is you said this is kids doing things they shouldn't be doing on social media.

Joe Carrigan: Yeah.

Dave Bittner: If these platforms are open to teenage kids, so if at 13 you're in the clear to be on this platform.

Joe Carrigan: Right.

Dave Bittner: If you are -- let's just make up a number. You're a 15-year-old kid and you're into cheerleading, why not be posting pictures of your cheerleading practice?

Joe Carrigan: Yeah. That's not the kind of videos they're talking about. They're talking about --

Dave Bittner: So I guess what I'm -- so what I'm --

Joe Carrigan: These kids, I can tell you what some of the videos they're talking about are.

Dave Bittner: So are the kids trying to be titillating?

Joe Carrigan: Yes.

Dave Bittner: Okay.

Joe Carrigan: Right.

Dave Bittner: And they're allowing that.

Joe Carrigan: Yep.

Dave Bittner: They're not taking that down.

Joe Carrigan: Well, Facebook says or Meta says they take down like something like 4 million or 4 billion -- it's in the article -- a large number of these videos every month they take down.

Dave Bittner: I see. But they're not taking down all of them. Right.

Joe Carrigan: And my point to counter what -- what the Meta spokesperson said is, you know, this is not the experience of the vast majority of people who use -- use Instagram. Of course it's not. Of course it's not. When I use Instagram, I see a funny meme or a funny Reel, I laugh at it, and I log out.

Dave Bittner: Right.

Joe Carrigan: Right.

Dave Bittner: Right, right. It's usually an ad for the local Golden Corral, right. Off you go. Ooh. Buffet!

Joe Carrigan: But it was all you could eat.

Dave Bittner: Right.

Joe Carrigan: Yeah. So people who use the Gram for things like -- at the Gram, I said it like that's --

Dave Bittner: You're so hip, Joe.

Joe Carrigan: Right. People will use Instagram for things like this. Like, if they are in interior decorating, they're just going to see interior decorating stuff, right?

Dave Bittner: Right.

Joe Carrigan: If they're into hairstyles, you're just going to see hairstyle stuff. If they're into snowboarding, they're going to see snowboarding stuff. Problem is if you're into seeing kids --

Dave Bittner: Kids. Yeah.

Joe Carrigan: Yeah. You should -- then you're going to see more of that, too. The algorithm doesn't distinguish because the algorithm doesn't care. It's just showing people what they want to see.

Dave Bittner: Yeah, yeah. Yeah, you're right, Joe. That's disturbing.

Joe Carrigan: I'm sorry. I'm sorry, Dave.

Dave Bittner: So what's the answer here? I mean, obviously, given that Meta is at -- if we're being generous, we're saying they're dragging their feet on this or that it's just taking a long time to do --

Joe Carrigan: Yeah.

Dave Bittner: -- which, personally, I doubt. But if we're not being generous and we're saying that they're turning a blind eye to it, and we don't know, is this a matter of parents monitoring what their kids are doing online?

Joe Carrigan: Yeah. You're not going to be able to -- I'll tell you.

Dave Bittner: It doesn't seem realistic to me.

Joe Carrigan: I'll tell you, were I the only person in charge of Meta --

Dave Bittner: Yeah.

Joe Carrigan: -- tomorrow I would institute a new policy, that no one under the age of 18 can have an account on this platform. And I would find the engineer who said we can tell how old these people are and say, How do you do that? And implement it. The problem with that, though, Dave, is that that is the largest market that these social media companies are going after.

Dave Bittner: I see.

Joe Carrigan: Because these people have money that is disposable, that all their money is disposable, right?

Dave Bittner: Right, right, right.

Joe Carrigan: The money of a 15-year-old can be spent on whatever that 15-year-old wants without consequence.

Dave Bittner: Well, and if you're a brand, that's when you want to hit somebody to try to get lifelong affinity for your brand.

Joe Carrigan: That's right.

Dave Bittner: If I can get you to be a Pepsi drinker when you're 15 and when your mind is malleable, right --

Joe Carrigan: Right.

Dave Bittner: -- chances are you're going to be a Pepsi drinker for life.

Joe Carrigan: My wife will not drink Coca-Cola.

Dave Bittner: Vodka. Vodka's what she drinks.

Joe Carrigan: She likes Pepsi. I grew up in a Coke house, so I don't like Pepsi.

Dave Bittner: I'll tell you, my brother, my younger brother went off to college, went off to a big, you know, big state university. And that university was -- all they poured on campus was Pepsi.

Joe Carrigan: Really.

Dave Bittner: And he went to college as a Coke drinker and came out a Pepsi drinker.

Joe Carrigan: Brainwashed him.

Dave Bittner: Yeah.

Joe Carrigan: Typical big college.

Dave Bittner: It works. It works. Yeah, it works. All right. Well, we will have a link to those stories in the show notes. My story this week is not so dark.

Joe Carrigan: Good. Thank you, Dave.

Dave Bittner: It's a little more, I don't know, a little more data-driven, I guess. This is some research from folks at Arkose Labs, which is a security company. They recently put out a report that was tracking the abuse of online bots. Right. So, you know, automated machines out there that do things online. But one of the things that they touched on, there was a whole section in this report that was about generative AI, which is the ChatGPTs of the world.

Joe Carrigan: Right.

Dave Bittner: And it reinforces some of the things we've been saying here. They said there's been a big uptick in the past six months or so of generative AI being used for content generation. I'll quote from the research here. It says, The immediate use has been to create pristine phishing emails, meaning the emails are perfectly worded without the telltale grammar mistakes that prior to generative AI were a major phishing telltale.

Joe Carrigan: Right.

Dave Bittner: As 2023 closes, we fully expect to see a major increase in romance scams because bad actors are using generative AI to craft perfectly worded responses on dating apps and sites. That was kind of new to me.

Joe Carrigan: That is just the next step in this process.

Dave Bittner: Right, right.

Joe Carrigan: You're going to -- if you can use generative AI to do anything, you can -- you can -- well, geez. I just said you can -- that's what I should say. You can use generative AI to do anything. You don't need it to just write an email for you. You can have it respond to chats, right.

Dave Bittner: Right.

Joe Carrigan: You can just copy and paste and --

Dave Bittner: Yeah. So if you're -- if you're a bad guy sitting on the other end of some dating app and someone -- you get a response from someone, you can load that response into the generative AI and say, Make me a response to this as if I'm such and such and so and so and such and such.

Joe Carrigan: Right.

Dave Bittner: And it'll spit out something that is, as this art -- to use the word from this article, pristine.

Joe Carrigan: Right. Yeah.

Dave Bittner: Yeah.

Joe Carrigan: And all these guardrails that are being put on these AIs like ChatGPT and whatever the Bing one is, the Microsoft --

Dave Bittner: Yeah.

Joe Carrigan: -- and then Google has their own as well.

Dave Bittner: Yeah.

Joe Carrigan: Although isn't now after the fiasco of the last couple of weeks now ChatGPT essentially is Microsoft now?

Dave Bittner: No, no.

Joe Carrigan: It's still --

Dave Bittner: No. My understanding is Microsoft has a non-voting seat on the board is where they stand right now.

Joe Carrigan: Yes. They own 49% of the company, right?

Dave Bittner: Something like that. It's complicated and messy and all that good stuff. Yeah.

Joe Carrigan: I'll tell you -- well, I won't tell you how I think about this.

Dave Bittner: So a couple other interesting things from this report. There's been a huge increase that they've been tracking. So 202% increase in bots attempting to take over consumer financial accounts.

Joe Carrigan: Really.

Dave Bittner: And 164% increase in bots attempting to establish fake new bank accounts. So, on the takeover thing, multifactor authentication, multifactor authentication, multifactor authentication.

Joe Carrigan: Use multifactor authentication on all your bank accounts and your email accounts.

Dave Bittner: Right.

Joe Carrigan: Don't forget your email is also the keys of the kingdom.

Dave Bittner: Yeah. They say that online fake accounts are most likely the preferred methods to launder illicit proceeds gained from real-world crimes like human trafficking, drug dealing, or weapons sales.

Joe Carrigan: Right.

Dave Bittner: And, then again, they said a large number of bots targeted dating sites in 2023 in order to conduct romance scams. They said, In the first half of 2023, 21% of traffic going to dating sites was bad bot traffic. Think about that. One in five, if you -- if you -- I don't know how that corresponds to any, you know, the actual experience on a dating site.

Joe Carrigan: Right.

Dave Bittner: But 21% of traffic comes from bots.

Joe Carrigan: Comes from bots. Wow. Right.

Dave Bittner: So roll the dice, right?

Joe Carrigan: One out of five times you're talking to a bot.

Dave Bittner: Yeah. Geez. Right. Remember that thing, The Simpsons, where they had the -- the 1-900 number for men to call in to talk to a real woman. And it was like every male character on the Simpsons was calling in. It was Apu. And, you know, it just --

Joe Carrigan: Moe was there.

Dave Bittner: Yeah. They're all wondering where -- I think of that when I think of that, you know, eventually it's just going to be bots talking to bots, you know.

Joe Carrigan: Right. Yeah. It's awful. Anyway, I was going, actually, with this. These guardrails are on these -- these ones you pay for, the ones that large companies run. But there's a software product out there called LM Studio, which is just a large language model studio. Now, you need a lot of RAM to run a good language model.

Dave Bittner: Yeah.

Joe Carrigan: But there are uncensored, unguardrailed models out there for you to download and experiment with. And I've done this on my computer. I don't have enough RAM to run any of the more complex ones.

Dave Bittner: Right.

Joe Carrigan: But they're fun to play with. They're not as good as ChatGPT is.

Dave Bittner: Yeah.

Joe Carrigan: You know, they're older models or they're, I don't know. They're just not as interactive.

Dave Bittner: Sure. I wouldn't expect them to be.

Joe Carrigan: Right. But they -- they'll probably still do a good job with this.

Dave Bittner: Yeah. And it's only going in one direction, right?

Joe Carrigan: Right. Better.

Dave Bittner: I mean, yeah. They're going to be optimized and -- yeah. I mean, so the take-home here is, again, like we said, multifactor authentication, particularly for your email address and your financial accounts. But we -- you can no longer tell from phishing emails. Bad grammar is no longer --

Joe Carrigan: No longer --

Dave Bittner: Or I guess I should flip that around and say good grammar is no longer a sign that a an email is legit --

Joe Carrigan: Right.

Dave Bittner: -- because it's so easy to do.

Joe Carrigan: Yep. Very easy.

Dave Bittner: Yeah. There's a lot more in this report, so we will have a link to that. There's some really interesting stuff there. That is what I have for us this week. Joe, it's time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]

Joe Carrigan: Dave, our Catch of the Day comes from Konstantin who sent us along a message that has both a message and an attachment.

Dave Bittner: Okay.

Joe Carrigan: So the message is pretty good itself.

Dave Bittner: Okay.

Joe Carrigan: Why don't you read the message first.

Dave Bittner: It says, How's everything going? We're happy to say that the addition went off without a hitch. The PDF contains all of the information you need. Given this, consider the situation carefully and determine if any other difficulties develop. We know your account number is MCBBJPOTNCHHY since we can see it. Do not hesitate to ask for help. Key to activate is, and there's a long number I'm not going to read.

Joe Carrigan: Right. Yeah.

Dave Bittner: And it's probably what? Twenty characters, something like that?

Joe Carrigan: Yeah.

Dave Bittner: All right. The attachment reads, Oh, it's from McAfee, the antivirus people.

Joe Carrigan: No, it isn't.

Dave Bittner: Purchase invoice says, We're pleased to inform you that your 15-day free trial has expired. Why would they be pleased to tell you that?

Joe Carrigan: Right.

Dave Bittner: I guess it's good news for them.

Joe Carrigan: Read on, Dave. You'll see why they're pleased.

Dave Bittner: Your subscription has been auto renewed. Okay. To continue to subscribe, a charge of $599.99 toward McAfee Security Protection has been auto debited from your bank account.

Joe Carrigan: And there's the reason they're pleased to tell you.

Dave Bittner: There you go. Yeah, yeah, yeah. So we've seen this one. We've seen this exact one before. And what's going on here, Joe?

Joe Carrigan: Oh, this is a -- this -- this -- we haven't seen is the one with the email -- with the content of the email before.

Dave Bittner: Right.

Joe Carrigan: So that's kind of new.

Dave Bittner: Yeah.

Joe Carrigan: So that's why I picked this one today.

Dave Bittner: Okay.

Joe Carrigan: But this is just a -- a payment scam. This has all the social engineering hallmarks, right.

Dave Bittner: Right.

Joe Carrigan: You have the pretext, you know, which is, Hey, we're from McAfee, and we're going to charge your account this much money.

Dave Bittner: Yep.

Joe Carrigan: You're trying --

Dave Bittner: We already charged you.

Joe Carrigan: We've already charged you.

Dave Bittner: You're in the hole, buddy.

Joe Carrigan: Right. So if you have any questions, give us a call at this phone number, right.

Dave Bittner: Right, right.

Joe Carrigan: And, by the way, your activation key here that's listed, it says confidential next to it --

Dave Bittner: Yeah.

Joe Carrigan: -- is not the same as the activation key that was up above. So --

Dave Bittner: So do you suppose that they've put this number -- like, the number that they put in here, do you think that could be something that they got from one of the publicly available data breaches, for example? Like, would this align to something that actually exists in my life if I received this, I wonder.

Joe Carrigan: I don't know. Probably not.

Dave Bittner: Yeah.

Joe Carrigan: I mean, you don't remember any of your license keys or anything, right?

Dave Bittner: No.

Joe Carrigan: You keep those in the -- next to the CDs or in a file somewhere.

Dave Bittner: Right? Next to the CDs. Yeah.

Joe Carrigan: Or in your email. You don't remember. Look how old Joe is.

Dave Bittner: Joe, I keep them next to my eight-inch floppy disk, Joe.

Joe Carrigan: Wa, wa, wa. Those were fun to put in a drive.

Dave Bittner: My drawer full of punch cards. That's where they are, Joe. Absolutely. Yeah.

Joe Carrigan: My paper tape. So what happens here is there's a thing at the bottom that says call for questions. They've got an artificial time horizon in here that's supposed to prompt you for immediate action.

Dave Bittner: Yeah.

Joe Carrigan: You're supposed to be scared that you're about to lose $600 out of your bank account.

Dave Bittner: Right.

Joe Carrigan: And you call the number. And when you call the number, that's when the scam begins.

Dave Bittner: Yeah.

Joe Carrigan: They're going to ask you for access to your computer. They're going to -- they're going to ask -- ask you to -- to go to your bank account, and then they're going to steal all your money on your bank account.

Dave Bittner: Right, right.

Joe Carrigan: Or they're going to perform some kind of other scam. There's a ton of different scams the way this works. It could go 100 different ways. But once you call that number, that's when it starts going sideways.

Dave Bittner: Yeah. It's over.

Joe Carrigan: Yep.

Dave Bittner: Might as well just, you know, yeah. Give up.

Joe Carrigan: Well, once you start installing software, then it's over.

Dave Bittner: Right.

Joe Carrigan: The other way it's over is you just delete the email and forget about it.

Dave Bittner: There you go. I recommend that path.

Joe Carrigan: Yes. Me too. That is the official Joe Carrigan recommendation.

Dave Bittner: Right. All right. Well, our thanks to Konstantin for sending that in. We do appreciate it. And, once again, we would love to hear from you. If there's something you would like us to consider for our Catch of the Day, you can email us. It's hackinghumans@n2k.com. All right, Joe. I recently had the pleasure of speaking with Michael Price. He is the chief technology officer at ZeroFOX. And we are talking about some of the trends that he and his colleagues there are tracking when it comes to phishing. Here's my conversation with Michael Price.

Michael Price: So, you know, to be honest with you, the phishing challenge has been around for many, many years at this point, you know, perhaps more than 10 to 15 years. Despite all of the great work that has been done on the part of different organizations and, you know, security product vendors and security teams around the world, it continues to be an issue. Our team has great insight into this problem because we help our customers to defend against this. And so we see a lot. We have a lot of data that, you know, unique view on what's going on there. Trends in 2023 continue to demonstrate that phishing is one of the key ways in which the bad guys, so to speak, are targeting their victims. We continue to see an increase in this regard. And so we're seeing, you know, some of the old tactics being used. Some modification of harvest packets are being used. We continue to see email being used as a primary vector but a little bit of a shift in how email is being used and maturation in terms of how folks have been using phishing are trying to work around some of the newer security measures that are available such as multifactor. So phishing is old, but it continues to be heavily used. And we continue to see folks adapting to get around some of the newer protections that continue to be put in place.

Dave Bittner: Can we dig into some of the specifics here? I mean, what are some of the innovations or evolutions that you all are tracking?

Michael Price: Sort of, in the beginning, the way that a phishing attack would very often take place is that the adversary would send an email out, maybe to a broad kind of random group of people. They might send emails out to specific folks. And they would include something like a link in there. The victim would click the link. It would take them maybe to a website where they would have a form, and they would put some information in. It might steal login credentials, for example, or bank account information, for example, through that process. And then they might pivot right around, go log into the account, and do whatever it is that they're trying to do. As a result of that, obviously, over the last several years, multifactor authentication has become very widely used and required by the majority of platforms. And so this might mean that, in order to log into an account, you would need to receive a code on your cell phone; or you might need to have an authenticator app on your phone. And so this has made it more difficult for the adversaries to take over these accounts to gain access to these accounts. And so folks have begun to develop tactics to work around that second factor of authentication. And so some of this can include trying to capture logs from infected hosts where they have information such as browser, you know, sort of cookie your session state that they can then use once they've got the username and password to sort of reproduce that second factor of authentication. And there are some other tactics that are being used as well.

Dave Bittner: And what about on the defensive side here? Are folks -- do folks have more sophisticated ways of tracking and blocking these phishing attempts?

Michael Price: I would say that that's true, depending upon, you know, the platforms that are being discussed. So, for example, online banking has come a long ways in terms of implementing protective mechanisms to help users avoid having their accounts at -- you know, accessed without authorization. A lot of popular online platforms have come a long ways in terms of requiring their customers to use that second factor or by implementing creative types of second factor authentication. And so I do think that there are improvements in the defensive mechanisms that the average person has access to now. Certainly, on the commercial side or the enterprise side, there are a number of identity and access management providers that now provide more enterprise-grade single sign-on solutions that you can use to sort of control all of the access to your different systems within your business. And then you can take several steps to lock down access at that -- at that point. But there are some nice advancements.

Dave Bittner: I know one of the things that you and your colleagues have been tracking at ZeroFOX is domain takeovers. And in some of your reporting, you've stated you've seen a big increase in that. Can you explain to us exactly what's going on there.

Michael Price: Sure. There are a few different ways in which domains can be abused. And so, you know, you might have any given entity, a popular brand that's well-known. And, typically, they're going to have a robust online presence. And this might be on social media. It might be via regular websites. They might have mobile apps and things like this. So, specifically, when it comes to domains, there are a variety of ways in which adversaries will abuse essentially this web-based presence. You might have yourbrand.com as an example. Then the attacker might register a domain that's a slight variation on that domain. So it could be yourbrand2.com, or it could be some other domain with the URL that contains the brand name or things like this. Ultimately, they're trying to craft a domain or a URL that looks kind of like the official domain or URL. And then they'll send this out to folks. And for folks that aren't sort of suspicious by default, they'll think that this is close enough to click this link, and they'll log into the website. So this is some of the standard things that you see. We do a lot of work detecting what we call impersonating domains. And so this has to do with where folks are trying to create a domain that looks like another domain for malicious purposes. We'll detect the existence of these similar domains, and then we'll help our customers to respond by, you know, reaching out to the platform and maybe having that domain taken down. From a domain takeover standpoint, this is also something that's been going on for a long time. And so the domain registrars and hosting platforms have had to do a lot of work to improve security here. But there are ways in which, for example, a domain might become briefly unregistered due to a lapse in registration. So somebody might register the domain at that point. Otherwise, somebody could gain access to the account where a domain is registered, and then they might log into that account and make some changes in order to take that domain over, for example. There are some other possibilities, as well, but those are some of the basics.

Dave Bittner: And what are your recommendations here? I mean, what -- what would you consider to be best practices for an organization to try to defend themselves against phishing attacks?

Michael Price: One of the fundamental challenges with cybersecurity as a whole is that it tends to be a complex and challenging problem to solve. So, you know, there's a big difference, I think, between being an individual sort of consumer, just a regular person defending their home network and being an enterprise. I think it's maybe a little bit more possible as an individual because you just have less footprint to deal with. And so, you know, for example, in my personal life, I am very rigorous about having, you know, devices that I believe are fundamentally fairly secure. So just to give an example, like, Apple MacBook, the Apple operating system has a great track record of security. It's not perfect, but it's great if you have that system and you have a habit of keeping it up to date regularly. So automatic updates, always keeping your operating system up to date. That laptop or that phone, if you're doing the same thing with your -- with your phone, is going to tend to be pretty resistant to security issues. And then, on your home network, hopefully you have a small consumer firewall. And, you know, you may be paying attention to the configuration of some of your home devices. And, at that point, you stand a decent chance of keeping your home network secure. There's always more that you can do. From a commercial enterprise standpoint, really, you have this situation of complexity where you might have tens or hundreds or thousands of people that may be spread around the world. There's all kinds of technology being employed. And so you need to, you know, have dozens of people and millions of dollars to kind of keep it all secure. So what usually happens is that people don't -- don't make that full investment, and they kind of assume that risk on purpose or accidentally. So, for the enterprise, when you're trying to deal with phishing, you know, one of the weakest links is the individual team member, you know, the employee at the company. And, you know, the way that a lot of people try to help shore this up, at least, is through repetitive training. So there's a lot of phish training solutions out there that will send people phishing links. And if they click through them, then they'll tell them like, Hey. You fell for a test. You need to get trained. You need to get better about this. But then also you have the technical controls. So you're keeping your systems patched, having your endpoint security on those devices. You will also have network security controls and all the traditional stuff. And then you would have an external cybersecurity solution, kind of like ours, that's keeping tabs on the creation of these domains, the circulation of these URLs, the creation of these fake accounts and trying to help you stay ahead of the curve by finding those and taking them down before they make it to your environment. So these are some of the things.

Dave Bittner: Joe, what do you think?

Joe Carrigan: Well, phishing is still a thing, Dave.

Dave Bittner: Yes, it is.

Joe Carrigan: Email is still a primary vector. I think this year's Data Breach Investigations Report from Verizon said it's still the first kinetic action in close to 90% of attacks.

Dave Bittner: Right.

Joe Carrigan: So you're still going to see phishing emails out there. They're still going to be bad. And they're still going to be --

Dave Bittner: Effective.

Joe Carrigan: -- effective. Right. And that's actually my next point is that it's old, but it's still being used because it works.

Dave Bittner: Right.

Joe Carrigan: So that's why you're still seeing these things. Hey, open this attachment for me is a great way to get something to run -- someone to run something on their computer that they shouldn't be doing. Multifactor authentication has made it much more difficult for these guys to get into your account, and they're now looking for ways around that, whether it's through some kind of information stealer or maybe social engineering your codes out of you. They're just -- you know, they're still trying to get around it.

Dave Bittner: Yeah.

Joe Carrigan: If I can get into your -- into your computer and steal the token for your actual -- for your actual session, I can bypass any -- any multifactor authentication. The difference there is that a tool like that takes a lot of effort to write and implement. And so your risk factor has decreased a lot just by using a multifactor authentication tool.

Dave Bittner: Right. Sure.

Joe Carrigan: Platforms are coming along with multifactor authentication, which is great like banks are. I think I got an email today from PayPal that said, Hey. Why don't you step your MFA game up, Joe?

Dave Bittner: Yeah.

Joe Carrigan: I'm like, Okay. How do I do that? I think I'm already using the YubiKey with you guys.

Dave Bittner: Right, right.

Joe Carrigan: So --

Dave Bittner: They're going to ask for a blood sample, right?

Joe Carrigan: Yeah. Blood sample. Then every time I want to transfer money to somebody, I have to give a -- they have to get my fingerprint.

Dave Bittner: There you go.

Joe Carrigan: Yeah. I don't think this is happening fast enough. I think it needs to happen a lot faster. You'll notice that on a lot of enterprise applications they're starting to do this. Like, for example, a couple years ago, Twitter, before they became X, they just rolled out multifactor authentication with YubiKeys to everybody.

Dave Bittner: Yeah.

Joe Carrigan: They said to everybody, Here's two YubiKeys. You're using these now. You have that luxury when you are an enterprise and you're saying this is a condition of your employment.

Dave Bittner: Right.

Joe Carrigan: You don't necessarily have that luxury when you're a business and you're trying to say this is a condition of being our customer.

Dave Bittner: Right.

Joe Carrigan: Those are two completely different, different discussions.

Dave Bittner: Sure.

Joe Carrigan: Right. Mike touches on something here, and he kind of passes by it.

Dave Bittner: Yeah.

Joe Carrigan: And I wanted to spend a little time on it.

Dave Bittner: Okay.

Joe Carrigan: But most people look at a domain and think, eh, close enough. We're talking about those domain spoofing or what type -- not typosquatting. What's the domain -- what's it called when you're impersonating -- domain impersonation.

Dave Bittner: Yeah.

Joe Carrigan: Right. Most people look at a domain and think, close enough, or that seems legit. And I think we're missing a key assumption here in this industry that is part of the problem. And I think this is an interesting research proposal.

Dave Bittner: Okay.

Joe Carrigan: But how many people would think that Microsoft2.com was a legitimate Microsoft domain?

Dave Bittner: Yeah.

Joe Carrigan: I'd like to know that. I don't think any research has been done in this area. Maybe I'm wrong. And if our listeners are listening and they -- they've heard about this, please send me a paper on it.

Dave Bittner: Yeah.

Joe Carrigan: But I think we as an industry have just been thinking, of course that's a bogus domain. Right? You should know that's a bogus domain. But people don't know how DNS works. They just don't. They don't know because it just does work, right?

Dave Bittner: Right. And you could totally understand why someone would think that was the domain. I mean, Microsoft2.com, well, Microsoft, they must have used up everything that goes to microsoft.com --

Joe Carrigan: Right.

Dave Bittner: -- so they need a second one.

Joe Carrigan: I had -- there was an experience I have when before I knew -- before I was doing anything technical. I went to a website, and I noticed that the website was www2. whatever the domain name was.com.

Dave Bittner: Okay.

Joe Carrigan: Right. And I was like, are they out of www addresses, right? Do they already have to go to www2? But that's not how -- DNS works the opposite way.

Dave Bittner: Yeah.

Joe Carrigan: But, in my head, I thought that the www was a -- it's not -- it doesn't -- It's not how it works, Joe.

Dave Bittner: Yeah.

Joe Carrigan: But the thing is -- the point is I didn't know how it works.

Dave Bittner: Right.

Joe Carrigan: It was a point in my life where I had no idea how DNS works.

Dave Bittner: Right.

Joe Carrigan: And I didn't understand what I was looking at.

Dave Bittner: Yeah.

Joe Carrigan: So this is what the average person experiences when they're looking at a domain. If they see Microsoft-support.salesforce.com or whatever -- not salesforce.com, some other place.com --

Dave Bittner: Yeah.

Joe Carrigan: -- right, that will look like a legit address.

Dave Bittner: Right.

Joe Carrigan: And I think there's -- I think that there is a research proposal here for finding out what percentage of the population is duped by just -- just domains that look like they should be but aren't correct. And then there's another part of that, that goes along with it about an education campaign, about how do we educate people who probably don't really care about the subject. That's really the challenge.

Dave Bittner: Well, Joe, I think you need to find one of your PhD candidates there at Hopkins and put them on the case.

Joe Carrigan: Yes. Yeah. We do a lot of technical stuff at Hopkins. But I think this is a good research question.

Dave Bittner: Yeah.

Joe Carrigan: I might float this to Tony and see what he says.

Dave Bittner: All right.

Joe Carrigan: To protect yourself, have a policy that takes into account what's on the internet. Remember that Mike is from ZeroFOX.

Dave Bittner: Yeah.

Joe Carrigan: So ZeroFOX protects companies' images online.

Dave Bittner: Yeah.

Joe Carrigan: So, yeah. Look out for imposters and things like that. By and large, you are pretty much powerless with the open-source intelligence gathering part of any attack.

Dave Bittner: Right.

Joe Carrigan: The information is out there, and you should at least be mindful of what's out there. Make that part of your planning. Assume that that's out there. Mike says also look into zero trust. That's a great idea. That zero trust mindset needs to begin with the idea that somebody already has all the information about your company. They know what your -- who your network administrators are because they've looked on LinkedIn, right? Those kinds of things need to be part of your calculus here.

Dave Bittner: Yeah.

Joe Carrigan: And handle the basics: policy, training, awareness, and culture. You know, make sure that all those fundamentals, the boring stuff, the boring stuff is what -- is what really takes good care of you.

Dave Bittner: Yeah. All right. Well, once again, our thanks to Michael Price, who is CTO at ZeroFOX, for taking the time to speak with us. We do appreciate it. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. And you can learn more at isi.jhu.edu. A quick reminder that N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. The show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.