Hacking Humans 12.21.23
Ep 269 | 12.21.23

Reeling in some phishing trends.

Transcript

Adam Bateman: Now we're starting to see attackers move into other areas. So not just SMS but, actually, very much more recently we started to see the rise in IM phishing.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show my conversation with Adam Bateman. He is cofounder and CEO at Push Security. We're talking about phishing. All right, Joe. Before we get to our stories, we have some follow-up here.

Joe Carrigan: Yeah. Michael has written in with some comments about my whining about the terminology.

Dave Bittner: I think we were -- I think we shared the whining duties last time. You want me to read this?

Joe Carrigan: Yes.

Dave Bittner: All right. He says, Hi, Dave, and Joe. Following the latest episode of Hacking Humans, I was having a think about alternate names for social engineering and came up with eDeception.

Joe Carrigan: Good name.

Dave Bittner: Social engineering is all about deceiving a victim into performing an action, including taking zero action. Deception is fundamental to biological survival, from the most basic of organisms to the most complex. Humans have just taken it to the extreme.

Joe Carrigan: This is an excellent point, Michael. And when I talked about social engineering or the eDeception, I frequently talk about the reason that we're victimized by these things. And it's from -- I talk about it from an evolutionary standpoint. These bad guys will appeal to things that have made us successful as a species, like our desire to help one another, our greed, or our fear.

Dave Bittner: Right.

Joe Carrigan: And this is just another -- the adversarial part of that, that I never thought about mentioning, and Michael is 100% right. I'm putting this in my presentation.

Dave Bittner: Oh, all right. Very good.

Joe Carrigan: I think it's really, really -- a really salient observation.

Dave Bittner: Okay. Michael goes on and says the survey you discussed highlights that most people have no idea what social engineering is. Cybersecurity professionals have a greater understanding of what social engineering refers to, how it works, and mitigation strategies than the layperson. But nobody can identify and avoid every attempt. Michael says, I believe social engineering is a meaningful description of what deception is and has a place in our professional vernacular. However, I can't describe what electrical, chemical, civil, mechanical, nuclear, or aerospace engineers do. So why should we expect the layperson to understand what social engineering is without a concerted effort to teach them? Referring to nonphysical social engineering techniques as eDeception could be appropriate.

Joe Carrigan: Yeah. I agree with this. And I get Michael's point here about, you know, jargon is -- is helpful in a community --

Dave Bittner: Yeah.

Joe Carrigan: -- to quickly communicate complex ideas. So you and I say social engineering to ourselves, to our -- to each other, to other cybersecurity professionals, and they get it. But if we're going to go talk to people that are not steeped in this field every single day --

Dave Bittner: Yeah.

Joe Carrigan: -- and we say social engineering, we've just stopped them from listening, I think. I think eDeception, using eDeception as a term when you're talking to the general public is much better. It's more descriptive of what's going on. And this is a front runner candidate for me, this term.

Dave Bittner: I would say that I think it's better than social engineering. I think there's still some work to be done because I -- just doesn't -- it doesn't flow trippingly off the tongue the way I would like something that would -- that could catch on with the general public.

Joe Carrigan: Yeah.

Dave Bittner: I think, if I'm presenting in front of a group of people on this, I don't start by saying social engineering. I say online scams --

Joe Carrigan: Right.

Dave Bittner: -- is how I describe it. And everybody gets that.

Joe Carrigan: Yep. So I wonder if following on, building on what Michael has suggested here, I wonder if eScams would be good, or I don't know. This is good. But I still -- I'm still curious to hear what other people have to say. I feel as though the perfect term is still out there -- Yeah.

Dave Bittner: -- and we haven't found it yet.

Joe Carrigan: Yeah. I get it. I would agree. But I like this term. I like eDeception.

Dave Bittner: Yeah. No, it's good. Absolutely. All right. Well, Michael, thank you so much for taking the time to write in. We do appreciate it. Joe, why don't we go to our stories here. You want to kick things off for us.

Joe Carrigan: Yes, Dave. Next week is Christmas, right. And if any of you are looking for any last minute gift ideas, I have one.

Dave Bittner: Okay.

Joe Carrigan: I'd like my boss, Frank Shirley -- I'm sorry. I started quoting a movie. Christmas Vacation, Dave. Come on. Have you not seen --

Dave Bittner: Not -- I haven't seen it enough to quote it.

Joe Carrigan: Oh.

Dave Bittner: I could probably quote regular Vacation.

Joe Carrigan: Yes.

Dave Bittner: That one I know. Real tomato ketchup, Eddie? Like that I know. But not Christmas Vacation.

Joe Carrigan: Of course referring to the scene where Clark Griswold goes on the rant about Frank Shirley, played by Brian Doyle Murray.

Dave Bittner: Yeah.

Joe Carrigan: And Eddie goes out and kidnaps him.

Dave Bittner: Okay.

Joe Carrigan: Brings him back. Great movie if you haven't seen that movie. I watched that movie and still get a laugh out of it. It's one of those movies where every line is a joke.

Dave Bittner: Okay.

Joe Carrigan: And I think it's held up.

Dave Bittner: All right.

Joe Carrigan: Anyway, last minute gift ideas, a lot of people go for gift cards, Dave.

Dave Bittner: Yeah.

Joe Carrigan: Well, there is a story coming out of WCCO in -- which is in Minneapolis, Minnesota --

Dave Bittner: Okay.

Joe Carrigan: -- from Alan Henry. And this is a story that talks -- we'll put a link to this story in the show notes. But I found a bunch of stories about this. And this kind of harks -- harkens back to a -- an email we got from a listener a long time ago about them buying a gift card. And -- or a family member bought a gift card for somebody else in the family. And by the time the person -- the recipient tried to redeem the gift card, it was empty.

Dave Bittner: Yes. I remember that.

Joe Carrigan: Right. So this is now a very common scam. In fact, I surmised, I guessed at the time that what they were doing was just putting the printed barcode to their own gift card on that gift card that -- they were tampering with the gift card in the package, printing out their own barcode for it, and putting it on the package. And then, when somebody loaded up that -- when somebody bought that gift card, they were actually loading up the scammer's gift card.

Dave Bittner: Okay.

Joe Carrigan: So this is now happening en masse and in an organized fashion. And, in fact, in Seattle or Sacramento, rather, they -- the police arrested one guy who was putting 5000 of these things into Target stores.

Dave Bittner: Wow.

Joe Carrigan: Five thousand cards into a Target store. I found another -- another story out of Braintree, Massachusetts. By the way, I like the name Braintree, Massachusetts.

Dave Bittner: That's where you're going to retire to?

Joe Carrigan: Probably not. A little too cold.

Dave Bittner: Okay.

Joe Carrigan: But maybe I'll spend the summer there.

Dave Bittner: Uh-huh.

Joe Carrigan: But two women were arrested for stealing close to 2000 gift cards. Now, I'd like to know legally how this -- how this gets prosecuted. I mean, if they can demonstrate that these people are stealing these gift cards, and that they're going to come back and use them in a scam --

Dave Bittner: Right.

Joe Carrigan: -- great. But if they're taking these things, they have no cash value --

Dave Bittner: Well.

Joe Carrigan: -- until you load them up.

Dave Bittner: Yeah. They still have -- I mean, you're still stealing.

Joe Carrigan: Yeah. I mean, I guess -- I guess you are taking merchandise out of a store without paying for it.

Dave Bittner: Correct.

Joe Carrigan: But if you -- if you do that, Dave, if you and I do that, we walk up, we take one gift card off the rack, and we leave --

Dave Bittner: Well --

Joe Carrigan: -- we don't get anything.

Dave Bittner: Yeah. Right. But what if you -- I mean, what if you go to McDonald's and take all the napkins?

Joe Carrigan: Yeah. Okay.

Dave Bittner: Right.

Joe Carrigan: Yeah.

Dave Bittner: Eventually, they're going to -- like, somebody's going to meet you at the door.

Joe Carrigan: Right.

Dave Bittner: So.

Joe Carrigan: When I was a kid, I used to take straws for some reason.

Dave Bittner: Yeah.

Joe Carrigan: Lots of straw. No idea why.

Dave Bittner: Okay.

Joe Carrigan: Nobody ever stopped me, though. But not all the straws.

Dave Bittner: Right.

Joe Carrigan: I found another story about a place in Pennsylvania. They don't tell you what store it is. But it's just a grocery store where they arrested two people who had come in, and these guys were actually putting the cards on the shelves. And they have security footage of it.

Dave Bittner: Like reverse shoplifting.

Joe Carrigan: Yeah. It's like exactly. I'm going to go in and put my merchandise on the shelf. But what happens is you grab one of these things thinking you're grabbing a gift card. And you -- you take it in, take it up to the cash register. And they may say, Hey, are you being scammed right now? Is somebody on the phone telling you to buy gift cards pretending to be the IRS? You go, No. I'm just trying to buy my nephew a gift card because he likes playing Fortnite or he likes Apple gift cards for iTunes or, I don't know, whatever.

Dave Bittner: Right. Yeah.

Joe Carrigan: Whatever. But then you give the gift card, and it's empty because somebody else -- you've essentially just loaded up somebody else's gift card.

Dave Bittner: Yeah.

Joe Carrigan: I saw another video. I can't find this video now, but I did see this video last week where a law enforcement officer was saying that they were just cutting the gift cards so that the original barcode was still visible through the little hole in the paper around the gift card.

Dave Bittner: Yeah.

Joe Carrigan: And they had the actual code, right? So they had the scratch-off code.

Dave Bittner: Oh.

Joe Carrigan: So they could enter the scratch-off code and then get the money from the gift card. And if you gave it to somebody, they wouldn't even have the access to the scratch-off code because it would be physically missing from the card.

Dave Bittner: Oh. Okay. That's interesting.

Joe Carrigan: So they're doing this one of two ways. They're either printing out their own barcode and putting it on the -- on the cards; or they're going in, they're taking the cards or scratching off the little, like, lottery ticket stuff, the scratch-off stuff on the back.

Dave Bittner: Yeah. That silver, that silver scratch-off stuff.

Joe Carrigan: Yeah. Everybody knows what that is, right.

Dave Bittner: Yeah, yeah. And then they're just entering the codes into their own systems or whatever. And then they're putting the cards back on the shelf repackaged. So be on the lookout for that this year as -- as you -- as the holidays come close and you need immediate gifts. You know, I'm going to give you some old man Joe advice here. I think gift cards are just the modern case of the gift certificate. Yeah. Exactly that. That's exactly what they are. Yeah.

Joe Carrigan: I think it was on the Seinfeld. Jerry Seinfeld and George Costanza are talking, and they're arguing about should they get a gift card for somebody? And Jerry says no. And George says, It shows thought. And Jerry says, It shows defective thought, because now you've essentially spent money, and you're forcing this person to go shop at this other store.

Dave Bittner: Yeah.

Joe Carrigan: So that's kind of how I feel about it. But I want to talk -- actually, there was a quote in here from Target in this --

Dave Bittner: Okay.

Joe Carrigan: -- in the first article that I talked about. We are aware of the prevalence of gift card scams and take them very seriously. We have signs in our stores, and have shared general safety tips with our team members so they can stay alert and help guests as best they can at our registers. Our centralized cyberfraud team helps educate our team members about common scams and encourages them to look for guests purchasing high dollar amounts or large quantities of gift cards or tampering with cards in stores. So, basically, Target is really focusing on the person getting scammed as a gift card purchaser.

Dave Bittner: Yeah.

Joe Carrigan: You know, they're not really focusing on what the problem is here. They're saying, Okay. Be on the lookout for someone tampering with cards. But I think that scams like this make the purchase of these gift cards much more risky, and I think that retailers really don't care about this.

Dave Bittner: I don't know. I mean, I wonder if it might reach a point where the retailers feel as though having that big rack full of gift cards is no longer worth the effort for them because of the -- the negative association that people will have with the store that it came from if something goes bad.

Joe Carrigan: Right. One of the things that the law enforcement people said was go up to the counter and get a gift card from behind the counter if they have them there, which I think is a good idea. I have yet to see gift cards behind the counter. I don't know that I've seen it.

Dave Bittner: Yeah. I mean, the other thing I would say is buy the gift card online, right.

Joe Carrigan: You can do that.

Dave Bittner: And either email it to them or print it out and, you know, put it -- if you're going to give someone a card or something like that because then that takes away the possibility of the scammer that had to lay hands on the gift certificate.

Joe Carrigan: Yeah. On the product. Right?

Dave Bittner: Yeah.

Joe Carrigan: That's a great idea, Dave.

Dave Bittner: Yeah.

Joe Carrigan: I did have a funny, intrusive thought on this one.

Dave Bittner: Okay.

Joe Carrigan: So imagine that you're an IRS scammer, right?

Dave Bittner: Yes.

Joe Carrigan: And you've got somebody on the phone and you say, I need you to go to the store and buy a bunch of iTunes gift cards. So they go to the store. They spend $200 in iTunes gift cards, only to have another scammer get the $200 because they pulled one of these scams where they changed the code.

Dave Bittner: Right. Right. I'm thinking of that -- that Spider-Man meme where they're all pointing at each other.

Joe Carrigan: They're all pointing at each other.

Dave Bittner: Right? That's -- it scans all the way down.

Joe Carrigan: I would be very sad to see the victim lose $200. I would laugh, yeah, at the -- at the agony of the scammer. I mean, this -- I hope that -- I hope nobody loses money. I know people are going to lose money. But I think it's just funny that, if somebody loses money, they lose it to the person that's not scamming them. That would -- there's -- there is a certain, I don't know, cold comfort I get in that.

Dave Bittner: Yeah. You know, I'll also add that a lot of people -- I think, especially lately, and I can see it with gift cards being associated with these scams more and more in people's minds, that people are talking about gift cards as being lazy and less thoughtful than cash and that sort of thing. And I -- I see where people are coming from with that, but I don't know that I agree with it because, for example, let's say you have a niece or nephew who you know is an avid reader.

Joe Carrigan: Right.

Dave Bittner: Right. And so you want to support their reading. So, if you buy them a gift card to their local bookstore or even Amazon, you know -- remember when Amazon was a bookstore?

Joe Carrigan: I do.

Dave Bittner: You know, or --

Joe Carrigan: In Jeff Bezos' garage.

Dave Bittner: Yeah. Whatever, you know. But let's just say your local bookstore. What you're saying to them is that I recognize that you're an avid reader. And so I want to buy you a book, but I don't know what you want to read. So you go choose a book because, for an avid reader, part of the fun is going to choose a new book.

Joe Carrigan: Yeah. I do -- you know, that is one of the things, since I started with my Kindle, right, I have read a lot more fiction than I ever have. And I've enjoyed it.

Dave Bittner: Okay.

Joe Carrigan: Kindle makes reading the fiction very easy, especially with the way I read it because I read it at night in bed while falling asleep. Turn my brain off.

Dave Bittner: You ever bumped yourself on the forehead with a Kindle?

Joe Carrigan: Yeah. Or I've woken myself up as the Kindle falls on the floor.

Dave Bittner: Okay. Yeah.

Joe Carrigan: And I've dropped that thing a lot of times. I'll say it's great.

Dave Bittner: It's held up.

Joe Carrigan: But the -- the one thing I miss is going into a bookstore and going, all right. Which book am I reading next.

Dave Bittner: Yeah.

Joe Carrigan: You know. Now I have to do that through the Kindle interface. And a friend of mine said that, when Netflix started doing that, started -- when Netflix opened and you started -- you mailed DVDs back and forth with that company, he said he missed the experience of going into a -- into a video store and just browse.

Dave Bittner: Sure.

Joe Carrigan: You can't do that.

Dave Bittner: No.

Joe Carrigan: It's a different experience.

Dave Bittner: I think those rituals are important. And I think, for those of us who are -- are of a certain age, that was a big part of going to the record store was the record store ritual of flipping through the stacks and deciding what you're going to save up for and buy next.

Joe Carrigan: Yeah.

Dave Bittner: You know.

Joe Carrigan: Yeah. I would -- every -- every two weeks when I got paid, I would make it a point to go out and buy a new piece of vinyl.

Dave Bittner: And I think that's a big part of the resurgence in vinyl is the coming generation is -- is rediscovering the pleasure of some of those rituals so.

Joe Carrigan: Yeah, yeah. Flipping through the thing. Now my son's getting into vinyl, but he's ordering all his stuff online. I don't get it.

Dave Bittner: Okay.

Joe Carrigan: You've got to go to a record store, Joe.

Dave Bittner: Vinyl is great. It sounds worse and it's less convenient.

Joe Carrigan: Right. Yeah. I don't get the vinyl sounds better argument. I don't buy it. I think that's gar -- a garbage argument.

Dave Bittner: Yeah.

Joe Carrigan: Digital sounds way better, has.

Dave Bittner: Well, please send your letters to Joe.

Joe Carrigan: Yep. I'll argue this point. I'll argue this point and I'll --

Dave Bittner: Because, as we all know, there is no more irrational group in the world than audiophiles.

Joe Carrigan: Right. Yes.

Dave Bittner: So please send your letters to Joe, and we'll -- he will answer them in turn. All right. Interesting stuff. And we will have a link to your stories in the show notes. My story this week is actually -- it's kind of a combo. It's one story that led me to another and actually started with a report from Joanna Stern and Nicole Nguyen, who were reporting for The Wall Street Journal.

Joe Carrigan: I heard this.

Dave Bittner: So they're covering a new feature that's coming in the next version of iOS, which happens to be the catchy 17.3.

Joe Carrigan: I'm fine with version numbers, Dave.

Dave Bittner: Yeah, yeah.

Joe Carrigan: Because it's easy to know what you have in your phone. And the new one is -- is probably better. If nothing else, it's more recent.

Dave Bittner: Right, right.

Joe Carrigan: What I didn't like was the Android where you had like Ice Cream Sandwich and Froyo or whatever it was.

Dave Bittner: Right.

Joe Carrigan: I don't know. How -- how do I know what this is?

Dave Bittner: Yeah, yeah. So this -- this coming version, which is currently in beta, has a function called stolen device protection.

Joe Carrigan: Right.

Dave Bittner: And this is Apple recognizing that there's a problem here and upping their game.

Joe Carrigan: Yep.

Dave Bittner: So what happens is -- and I'm paraphrasing from the coverage from the New York Times -- if you enable the stolen device protection, your phone will restrict certain settings when you're away from a location familiar to the iPhone, such as your home or work. So, in other words, if your phone is not at your house or not at your work, it's going to require more scrutiny to log into than it would if it were at your home or your work.

Joe Carrigan: Interesting.

Dave Bittner: Just kind of --

Joe Carrigan: I think that's a -- an interesting way to go about it.

Dave Bittner: Yeah, yeah. So if you activate stolen device protection, if you want to change your Apple ID password and you're away from one of those familiar locations, the device will require your Face ID or Touch ID. Then it will implement an hour-long delay before you can do the change.

Joe Carrigan: Ah. That's a good plan.

Dave Bittner: After the hour, it will ask you to reconfirm with another Face ID or Touch ID scan. And only then can the password be changed. So this is to cut down on, you know, people who would steal your phone, you know, drive-by snatch-and-grab kind of things.

Joe Carrigan: What they would do is wait for you to unlock it and then snatch it.

Dave Bittner: Right.

Joe Carrigan: And then, once they had it opened, they would go in and, like, lock you out of your account and everything.

Dave Bittner: Exactly.

Joe Carrigan: I mean, it wasn't just the phone they were taking from you.

Dave Bittner: Right.

Joe Carrigan: It was a lot more.

Dave Bittner: Because your -- an unlocked phone has -- is really the keys to everything.

Joe Carrigan: Yes.

Dave Bittner: Think about people have your banking stuff in there, your email, your all sorts of things, your Venmo, you know, all that good stuff.

Joe Carrigan: Yep.

Dave Bittner: So I think, while that's interesting -- and I think that is a good thing, and it's interesting to see that we're heading into -- we're heading in this direction out of necessity --

Joe Carrigan: Right.

Dave Bittner: -- because it is a constant cat-and-mouse game. I originally learned about this from coverage from the Daring Fireball website, which is John Gruber's website, mostly focuses on news about Apple and Macintosh stuff. And he described a scam here that I thought was worth sharing with our listeners. In this scam, someone would chat up a victim in a bar and offer to use the victim's phone to snap a photo of the victim and their friends. So, Joe, you and your lovely bride are at a bar or restaurant, and everybody's having a good time. They're watching the football game or something like that.

Joe Carrigan: Right.

Dave Bittner: And I'm coming up and I'm just, you know, close to you guys and laughing and enjoying and, you know, saying, Hey, isn't that team great? You know, yeah, yeah, yeah. And I say, Hey, you know what, Joe?

Joe Carrigan: Immediately I don't like you, though.

Dave Bittner: Well, all right.

Joe Carrigan: But not everybody's me, Dave.

Dave Bittner: I'm chatting up your wife, which would make you not like me as well.

Joe Carrigan: That's right. Now I don't like you even more.

Dave Bittner: Right. So I say to you, Hey. You know what? Why don't you let me take a picture of you and your lovely bride here. Hand me your phone, and I'll take a -- you guys look -- you look like you're having so much fun. And you say, Sure. What could possibly go wrong.

Joe Carrigan: Right.

Dave Bittner: So you hand me the phone, which is unlocked. While I have the unlocked phone, I disable Face ID, and I hand it back to you. Okay.

Joe Carrigan: Ah. Okay.

Dave Bittner: So now the next time you go to do anything on your phone, you need to enter your passcode.

Joe Carrigan: Right.

Dave Bittner: And either me or someone who's working with me --

Joe Carrigan: An accomplice. Right.

Dave Bittner: -- is watching you while you enter your passcode.

Joe Carrigan: Ah-ha.

Dave Bittner: And so then, once we have your passcode, we steal the phone.

Joe Carrigan: Now -- now the snatch happens.

Dave Bittner: And now we have the passcode. Yeah. So it seems like a bunch of steps to get at what you want. But it's also not that much. I mean, if you think about the things that are of value, it's really -- I put it on par with something like pickpocketing.

Joe Carrigan: Right.

Dave Bittner: You know, or any of these other scams we've heard about that require interaction with a person on the street, the boldness of interaction with someone. This is a scam that people have described, have been caught doing, or have had happen to them. So I thought that was worth sharing for our listeners and to spread around that, if some stranger offers out of the blue to take your picture, just be wary.

Joe Carrigan: Yeah. Just say no. No. In fact, that -- well, I mean, I don't know. Maybe your inner Joe comes out and you -- get away from me.

Dave Bittner: That's right. Strange Joe's stranger danger. You can make -- we need to make T shirts that say, Express Your Inner Joe. Just Say No. Express Your Inner Joe. There you go. All right. Well, I will have a link to that story in our show notes. Of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. Joe, it's time to move on to our Catch of the Day. [ Soundbite of reeling in fishing line ]

Joe Carrigan: Dave, our Catch of the Day comes from Van who sent us an audio catch of the day. We haven't had one of these in a while.

Speaker 1: Hi, there. This is to inform you that Spectrum has applied a 50% discount on your monthly bill. To keep this offer active, please call back at 866-831-0892 from 8am to 5pm Pacific Standard Time. Thank you, and have a great day.

Dave Bittner: Hmm.

Joe Carrigan: Yeah. Interesting. You know what -- one of the things that strikes me about this message is that it's for Spectrum, which is not like a top-tier communications company. You know, they sell -- I know they do a lot of rural stuff.

Dave Bittner: Okay.

Joe Carrigan: Also, I think they're owned by Charter Communications.

Dave Bittner: Okay. So they're no Comcast.

Joe Carrigan: Well --

Dave Bittner: They're no Verizon. They're no AT&T.

Joe Carrigan: Right. Exactly. They're not one of the -- one of the big names you think of first. But, you know, when you go out to like western Maryland --

Dave Bittner: Yeah.

Joe Carrigan: Spectrum's all you have.

Dave Bittner: I see.

Joe Carrigan: So these guys are targeting a smaller group of people. And I don't know if by choosing a carrier that is mainly rural, they're hoping for a less sophisticated group of people. I don't know if that's the case. I wouldn't make that assumption about -- about people, but --

Dave Bittner: Yeah. I was going to come at it from a different direction and say, I wonder how easy is it for a scammer who's buying a phone list like this to know who your provider is, who your ISP is?

Joe Carrigan: That's a good question. Van doesn't tell us who his ISP is.

Dave Bittner: Yeah.

Joe Carrigan: Or if he does any business with -- with Spectrum.

Dave Bittner: Right.

Joe Carrigan: I'd like to know that, actually. I should have sent him an email back about it. But, eh. Too late now. So -- but, yeah. That's a good point. Yeah. They might know who your provider is and just tell you that, you know, whatever it is. You know, they have -- they have different messages for Comcast and for AT&T and for Verizon.

Dave Bittner: Yeah. In fact, I would -- I would hazard to say that, if I were a scammer and I wanted to buy a bunch of phone numbers, I could say I want to buy 1000 phone numbers of Verizon subscribers.

Joe Carrigan: Right.

Dave Bittner: And that would be probably pretty easy to do.

Joe Carrigan: You can probably get that list. Yeah.

Dave Bittner: Yeah.

Joe Carrigan: That's interesting.

Dave Bittner: Absolutely. And so what are they hitting on here, Joe?

Joe Carrigan: It is -- I don't know what the scam is. This is just the lure with the hook is -- you know, the hook is in the call. So you call that number, and the scam begins.

Dave Bittner: And it's greed.

Joe Carrigan: And it's greed. Right. Ooh. I'm getting 50% off my telecommunication service. I don't know. Spectrum offers a lot of telecommunication services. I looked this up today --

Dave Bittner: Oh.

Joe Carrigan: -- and saw what they do. They do a lot.

Dave Bittner: Okay.

Joe Carrigan: So it could be high-speed internet. It could be TV. It could be cell phone service. It could be anything.

Dave Bittner: Ah. Yeah, which is interesting in itself because just saying Spectrum is vague enough that --

Joe Carrigan: Right. Yeah. It's not -- they're not saying Spectrum wireless, Spectrum TV, Spectrum internet service.

Dave Bittner: Right, right. Interesting.

Joe Carrigan: Yeah.

Dave Bittner: All right.

Joe Carrigan: It's a pretty good lure. I'll say that. It does sound exactly like -- like you would expect to get a call from that, but they're -- nobody's ever going to call you and say, Hey, we reduced your bill by 50%, especially out of the blue. Right.

Dave Bittner: Especially not a cable company. Yeah. I -- yeah. It's worth noting, too, that there aren't some of the red flags that we look for, like the -- it is well-written. The English sounds like a native speaker, you know. So some of the things that would make someone wary, they aren't there. Like you said, it sounds like a typical run-of-the-mill kind of soliciting call that you might get.

Joe Carrigan: Have you gotten any of the messages where the person -- it's a recording, and it sounds like the person is going, ah, yeah. And then they keep walking through like they're reading a script? Or they're trying to tell you something, but they're kind of making it up off the top of their head?

Dave Bittner: No.

Joe Carrigan: It's obviously a script. They're -- they're just -- I get those from time to time about something. I can't remember what it was. But it was like, Hi. This is Bob from company name. And I'm calling to invite you to try out our news, Trying to sound like he's leaving you a real message, right.

Dave Bittner: Right.

Joe Carrigan: They're not. It's just a -- it's just a mass -- mass call with a recording on it. That may not even be an actual person. I don't think this is an actual person, either. I think this is generated.

Dave Bittner: Yeah. I've heard, you know, through a combination of tools and so on and so forth, it takes a lot of effort to actually get my phone to ring.

Joe Carrigan: Right.

Dave Bittner: So --

Joe Carrigan: Let alone to get me to answer it.

Dave Bittner: Yeah. So if you -- let's just -- if you are not already in my address book, chances are I will not even -- never know that you even tried.

Joe Carrigan: Yeah. I will tell you this. I'm a big fan of the Google screen, call-screening services. It is pretty awesome.

Dave Bittner: Yeah.

Joe Carrigan: When I get a suspicious call, I screen call. Ninety percent of the time, it just -- they just hang up.

Dave Bittner: Yeah.

Joe Carrigan: It's great. Perfect.

Dave Bittner: All right. Well, again, our thanks to Van for sending us this Catch of the Day. Again, we would love to hear from you if there's something you'd like us to consider for the show. Email us at hackinghumans@n2k.com. Joe, I recently had the pleasure of speaking with Adam Bateman. He is cofounder and CEO at Push Security. And our conversation centers on phishing. Here's my conversation with Adam Bateman.

Adam Bateman: I started in the industry as a penetration tester, what was called an ethical hacker. So I was on the red team side. So, really, when it started out, I was simulating adversaries and attacking companies but with good intentions. Right. So the idea is that you target companies so that they understand an experience like a fire drill and so they know what it's like to go through an incident, and then you can improve the security. So I was on the other side simulating the attacks and doing the social engineering to try to get a foothold into the company in the first place. That was the first leg of my journey. Later on, I then flipped over to the blue team side like many of us do. You realize that actually a lot tips in the attackers' favor from this perspective. And so, naturally, you're kind of outnumbered really on the blue team side. So, like many do, I jumped over onto the blue team side, looking at ways to defend. So I started off doing intrusion detection, incident response. And I got to see lots of phishing happening from the other side. Now I actually focus on cloud security and SaaS security, which is really outside of the traditional network-orientated attacks. But, in that world, phishing is entering a very interesting new era, and it's evolving quite a lot. So now I'm starting to think about how does this look going forward? So there's a lot of very interesting insights there.

Dave Bittner: Well, let's start out with sort of level-setting for ourselves. So, I mean, when it comes to phishing and people coming after folks, where do we stand? What's the state of things?

Adam Bateman: I mean, phishing has been one of the biggest problems in the industry for as long as I can remember. Like people say, humans are the weakest link. Your inbox is something you want to trust. It's a main place that you do work every day. And you can't be in a position where you're terrified to click a link all the time. And, as a result of that, people innately want to trust people. And, therefore, you get through -- you know, that's the reason it gets through your defenses. So I think email phishing has always been the number one thing, and it's always about can you deliver an email that looks legitimate enough to trick someone into clicking a link that then performs some kind of action in some kind of way. Until recently, we've -- it's a cat-and-mouse game; it keeps developing all the time. But email defenses have improved. They've got better and better. It's got harder and harder to do email phishing because of things like, for example, just simple things like domain categorization: if you send an email from a particular location, it needs to come from a domain. And when you ask someone to click on a link, it needs to go to a particular domain. If that domain has a bad reputation, or it's new, hasn't been sitting around the internet with a legitimate website for some time, it looks incredibly suspicious. Just simple controls like that have made it trickier for attackers to go in this way. And, you know, with advances in AI and other things, the defenses have got a lot better as well. And that's really started to make people push into other methods, which is why we saw SMS phishing. And then most recently I'd say quishing, as it's interestingly named, which is effectively where you do the same thing. You're delivering a payload to a victim, getting them to click on a link. But rather than it being an actual link that could get caught by the defenses, it's a QR code. People, you know, see a QR code and feel curious to scan it.
And so they do, and it then redirects them off to a particular location, and it goes that way. And we're seeing this happen much more recently because it's -- you know, it evades a lot of these defenses.

Dave Bittner: Once someone falls for the phish and either clicks the link or scans in the QR code, are we seeing evolution on the other side of that of what happens next?

Adam Bateman: Yeah. I mean, when we think about classic phishing, it's always really about entering sensitive information somewhere, whether it's credit card details or, most commonly, your credentials, your username and password of some kind. We then saw an evolution of that, which was called spearphishing many years ago, which was all these different names around phishing. I don't know who comes up with them, but there they are. But spearphishing is basically, rather than trying to steal some information, you're trying to deliver a payload, so a malicious attachment of some kind, to make that happen. But I'd say the biggest concern, or at least the area that we focus on a lot, is around credential or password phishing. And so what you're really doing is trying to trick somebody to enter those details into a fake website of some kind. The most modern equivalent of that has been trying to phish people's SSO credentials, so SSO being single sign-on, which basically is your single identity provider. So lots of people use Microsoft; other people use Google Workspace. Other people will use a third-party SSO provider, an IdP like Okta, JumpCloud. There's numerous of these. And, obviously, these are high-value targets because, if an attacker tricks you into entering those credentials into a fake phishing site, they, you know, clone that login page so it looks exactly the same, then the attacker can gain access to your single sign-on credentials, which then gives you access to a lot of downstream systems in parallel to that. And so securing the SSO is a very, very important defense against -- against phishing.

Dave Bittner: Where do we stand when it comes to multifactor authentication? Is that -- is that holding strong?

Adam Bateman: Yeah. I mean, again, multifactor authentication has been a control which, as long as I can remember, has been something we've been trying to battle with in the industry. It's very, very important, very, very important to do. That has been a cat-and-mouse game. It started off -- if you think, to begin with, you don't have any multifactor, someone phishes your credentials, they just log in. And that's it. And so having multifactor authentication in play would mean that then, you know, let's say the most basic version, a code is sent to you by SMS, which you enter into the website. That means that the attacker might have the credentials, but they don't have access to that code. What then we started to see -- and, actually, very recently we're seeing this -- is attackers, particularly sophisticated adversaries, getting very, very good at social engineering. And so they actually social engineer actual, you know, cell phone providers and trick them into doing what's called a SIM-swapping attack where, effectively, you phone up and say, Hey. You know, I've lost my phone. I need to transfer my SIM on my number to a different SIM card, and it'll be granted. And there's legitimate reasons for doing this all the time. And so, you know, cell providers don't consider this a problem. And that allows you to then receive the SMS code. So we then started to see an evolution of that where it would then -- they would then send a push notification to your phone. So you might have a mobile app of some kind. And when you log into an application, it would just send a prompt to your mobile where you just say yes or no. And then what we saw from that was the evolution of what we call an MFA fatigue attack where an attacker would keep doing the prompts, you know, keep doing the login multiple times until you get tired of getting the prompts, and you just --

Dave Bittner: Make it stop. Make it stop.

Adam Bateman: -- let go. Yeah. So it's evolved and evolved. A quite interesting attack that I've seen happening more recently has been around actually avoiding or intercepting MFA altogether. So I may have mentioned this to you before, but what you effectively do is send a victim a phishing website. And when they open that web page, it opens effectively like a tunnel or a window back through to a server or computer you control, which has another browser window open, right. So, effectively, it's what they call a browser-in-browser attack. So, for the victim, when they open it, they would see their actual normal login page, their Microsoft, their Google, their SSO login page. But what actually is happening is it's being tunneled through a server that you control. And so, when the person enters their credentials into that, you're able to effectively steal not just the credentials but the MFA as well. It's quite a technical attack. I won't go into massive details on this side. But it's a very novel attack that we've seen. And so really where we've landed now is what we call, you know, hardware-based MFA. And it's a very important thing because, effectively, it's tying it to the device, right. So not -- it's not just about -- a password is something you have. It's to do with your credentials, and it's to do with your MFA code, whereas, when you've got hardware, it's also saying, and you must come from a device which is authorized. So you can log in from your laptop. But even if the attacker steals the MFA and the password, they can't log in because they're not on your laptop.

Dave Bittner: And I suppose this is also where things like YubiKeys, you know, hardware keys come into play that it's a similar level of security with those.

Adam Bateman: That's exactly an example of hardware. Yeah. You can do it using certificates, or using YubiKeys. But this currently is seen as, like, you know, an anti-phishing version of MFA. The latest evolution of that is we've started to see advanced actors now actually social engineer help desks and get help desks to add their device as an authorized device, at which point they are then able to log in again. So this is why it's a cat-and-mouse game.

Dave Bittner: Wow.

Adam Bateman: But that, at that point, you know, it never ends. But the fact is that hardware-based authentication is maybe the best -- the best defense that we have.

Dave Bittner: Yeah. Where do you suppose we're headed here, then? As you look towards the future, what do you see?

Adam Bateman: So what I think is -- is really interesting is, as this cat-and-mouse game continues, and as I said, email defenses against phishing inside email clients are not perfect, but they are improving all the time. Now we're starting to see attackers move into other areas, so not just SMS but actually very -- much more recently, we've started to see the rise in IM phishing. And that's instant message phishing. So things like Microsoft Teams, in particular, and Slack. And this is really interesting because, whatever this cat-and-mouse game looks like, the big universal defense that security teams have is awareness, training employees for when an email looks suspicious. Many people are quite heightened towards thinking and looking and spotting suspicious activity in their inbox, but not so much in somewhere like Teams. And so what's happened in the last few years is that Teams always used to be for internal company communication. And now we've started to see them open up access to external organizations, so you can actually message people in other companies as well. And so what an employee would see is just a connection request from a -- from a third-party company, which they press Accept. And then they are able to actually direct message with those individuals. And, when they do that, you can then deliver payloads in that way. We've actually seen in-the-wild attacks that are happening in Teams. We recently wrote a blog post about how that can happen in Slack, as well, some quite novel techniques to sort of hide your identity. And the problem with these IM platforms is that there's no real enforcement. You sign in, you create an account, you set a profile picture, you set a name. There's nothing to stop you from changing that name. So, in the example in our blog post, we showed how you could just be Mark Zuckerberg. And you just change the profile, and you start messaging people inside the company.
And you can even do what we -- what we called a chameleon attack where you start messaging as one individual and then change your name and start messaging as another individual. So you can actually effectively corner a victim and start talking to them, you know, as if you're, say, the CFO and the CEO together to make the attack much more effective. So I think this is something that, you know, we're just on the precipice of seeing this happen, but this is something that in the industry I think we should be discussing about making employees aware that these phishing attempts can come through places other than just the inbox.

Dave Bittner: And I suppose this is really taking advantage of the preconceived notion people have that things like Slack and things like Teams, because they're so internally facing that they've been prevetted by the security team, that anything coming through there has somehow -- I guess someone having access to it, you automatically think, well, they're part of my organization. So that's safe.

Adam Bateman: Exactly. Yeah. Yeah, at most you see, you know, them being a contractor or something but at least a trusted party or somebody that's involved in a company. And you can put technical controls in for these things. So you can do things like -- they vary a little bit between Teams and Slack. Both have the ability to disable external -- the ability to talk to external organizations. You can also provide some level of allow listing. So you can say, you can do a connection with another organization but only if they are on this particular allow list, for example. But it's that classic trade-off between usability and security. It's really handy to be able to connect with customers and prospects and provide customer services over those channels. So -- so, yeah. It's a balance for each organization. But I think awareness that these attacks are happening is important for every security team and employee to think about.

Dave Bittner: Joe, what do you think?

Joe Carrigan: I like to hear about how people move around in this industry. And Adam starts off by talking about, you know, he came in as a red teamer, and then he went on to a blue teamer. And now he's doing cloud and SaaS security.

Dave Bittner: Yeah.

Joe Carrigan: That's -- that's interesting to me. I like to see how that happens. You know, it's -- I don't know. I, you know, you're not going to be pigeonholed in this -- in this career field.

Dave Bittner: Yeah. There's plenty of opportunity.

Joe Carrigan: Plenty of opportunity to move around. There's so much need and so many openings in cybersecurity that you're probably going to be able to move around very easily with -- because your skill set will line up well with -- with a movement within the field.

Dave Bittner: Yeah.

Joe Carrigan: There you go. There's the end of my pitch for everyone to start getting a cybersecurity career.

Dave Bittner: That's right.

Joe Carrigan: Phishing has -- is still one of the biggest problems. This is -- we have been hearing this a lot lately from our guests, that it doesn't -- you know, you think that phishing would -- would have gone away by now. No. It's still there. It still works.

Dave Bittner: Yeah. It works.

Joe Carrigan: And that's why it's still there, actually, is because it works. I say that every time. So even though this is still a big problem, defenses are kind of getting better.

Dave Bittner: Yeah.

Joe Carrigan: It's nice to see that. I think that AI and a lot of these AI products are going to make it a lot better hopefully. That's my hope anyway. I think that's a reasonable hope. I think that AI is going to have a real impact on phishing. I will agree with something that Adam didn't really say but kind of his tone of voice kind of alluded to that quishing, these terms are, again, terrible, right. Can we please stop saying quishing, right?

Dave Bittner: Smishing.

Joe Carrigan: Right. But quishing is like the worst of them. Right? It's the one that makes the hair on the back of my neck stand up.

Dave Bittner: Is it like the word moist?

Joe Carrigan: I actually would rather hear someone say moist than quishing.

Dave Bittner: Okay.

Joe Carrigan: I just -- it is -- this is an attempt to jargonize -- again, here we are back -- back to my pet peeve, jargonize QR code, malicious QR codes, right? And those QR codes are just they're everywhere now. And you never know if they're any good or not but.

Dave Bittner: Well, Joe, let me just say, irregardless of what you think --

Joe Carrigan: Dave.

Dave Bittner: Ladies and gentlemen, I am just poking the bear now.

Joe Carrigan: Next you're going to say beg the question --

Dave Bittner: Right.

Joe Carrigan: When you mean leads to the question or implies the question, not begging the question. There's another one that makes me angry. And linguists will tell me that I'm being pedantic about it or not even pedantic but antilingual. They say languages are natural. Like, there are some things that should -- just shouldn't happen like irregardless should never be said except to say it shouldn't be said. There.

Dave Bittner: What else, Joe?

Joe Carrigan: Oh, yes. SIM swaps are still a problem, although you can protect your mobile account with a PIN. If you don't have a PIN on your mobile account, do that tomorrow.

Dave Bittner: Yeah.

Joe Carrigan: It's free. It's simple. And it can really stop someone from doing a SIM swap on you.

Dave Bittner: Yeah. It keeps you from being low-hanging fruit.

Joe Carrigan: Right. Exactly.

Dave Bittner: Yeah.

Joe Carrigan: I like what Adam says about the multifactor authentication push notifications and notification exhaustion. If you start getting a bunch of multifactor push notifications from one of your apps, like Microsoft Authenticator will do this for authenticating to your Microsoft 365 account. If you start getting a bunch of those, change your password. And if the system is properly configured, that should stop it because now they don't get to the point where they get to send you a notification anymore. They just -- they just get a message that says incorrect password.

Dave Bittner: Let me ask you this, though, Joe. Shouldn't you wait until the MFA push notifications stop before you change your password?

Joe Carrigan: Yes. Yes, you should.

Dave Bittner: Just in case. Like, wait a day or so?

Joe Carrigan: Yeah, yeah because if -- because at some point in time you're going to be -- you're going to be trying to log in, and you're going to get that notification. And you don't know if that's your notification or one of the bad actors' notifications.

Dave Bittner: Exactly.

Joe Carrigan: Right. If you have an IT department, call them and have them help you with that.

Dave Bittner: Right.

Joe Carrigan: Browser in browser attack is something that really scares me.

Dave Bittner: Yeah.

Joe Carrigan: You know, he talks about the -- you know, you go to -- you open a browser to go to a link, and that just opens up essentially another browser in the attacker's computer. And you can't tell the difference. And you log in, and they can capture everything that you're doing on that. Not only that, but once you're done logging in, they can drop your connection and just remain in that session as you. You've essentially logged in on a remote computer for them. It's -- you know, it's kind of technical, and we don't try to talk about that or go too deep into the weeds here. But just imagine you -- you're just remotely going to whatever country it is and logging in as you at somebody else's computer.

Dave Bittner: Yeah.

Joe Carrigan: Bad idea.

Dave Bittner: Yeah.

Joe Carrigan: The best defense against this is one of those hardware tokens we talk about all the time, the YubiKey. This attack will not work with a YubiKey. And it's because of how YubiKeys generate or all the FIDO2 compliant devices generate their private keys based on the domain requesting the attack or the verification.

Dave Bittner: Yeah, yeah.

Joe Carrigan: So the attacker's domain will not be the same as the legitimate domain. So the FIDO2 key will say, Okay. I'm going to generate this key, but that's the wrong private key. And the challenge response will not work. It'll fail.

Dave Bittner: Right.

Joe Carrigan: So that's the best protection against that. So there you go. That's how you protect yourself against these attacks. When Adam is talking about the new problem with direct message platforms, or instant messaging platforms, these are things like Teams and Slack and Discord and even your personal accounts on Facebook Messenger or Twitter. These things are -- I don't think they're top of mind in terms of awareness like email is. Like, if you ask anybody, can you get a malicious email, I bet a lot of people say, Oh, yeah. You can get malicious emails. But if you ask somebody, can you get a malicious Teams message? I'll bet that you get a lower response rate of Yes. I'll bet people think inherently that Teams is more secure, simply because it's an IM platform. Actually, I don't think that's why they think that. I think they don't. I think they think that because they just haven't thought about how this system works yet.

Dave Bittner: Well, I think they think of it as being, because it's internal facing --

Joe Carrigan: Right.

Dave Bittner: -- and the only people you're interacting with are other people in your organization.

Joe Carrigan: Correct.

Dave Bittner: I know if I was in a Slack channel and all of a sudden somebody from outside of my company popped up, I'd be like, Whoa, whoa, whoa, whoa, whoa, whoa. What just happened, you know, so.

Joe Carrigan: Right. But that happens in Teams. You can allow external companies to come into your -- send messages to your Teams users. This is why I say, if it's possible for you to do this, lock those things down.

Dave Bittner: Yeah.

Joe Carrigan: Don't do that.

Dave Bittner: Yeah. All right. Well, again, our thanks to Adam Bateman for joining us. Once again, he is the cofounder and CEO at Push Security, and we appreciate him taking the time. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. The show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.