Quiz scam nightmare.
Jaeson Schultz: There's a lot more avenues for them to reach people. And so I think, while email will always remain, you know, one particular channel that will see scams being delivered, scammers have kind of branched out and are using a lot of different methods in order to find potential victims.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We got some good stories to share this week. And later in the show, Jaeson Schultz joins us. He is a technical leader with Cisco Talos. We're talking about their research on scammers using Google Forms. All right, Joe. We've got some good stuff to cover here this week, I'm going to jump right in here.
Joe Carrigan: Okay.
Dave Bittner: I have a story from an organization called Ampere Sec. They're kind of mostly an industrial security company. But they have someone who works there called Kerry Tomlinson. And she runs a little division there called Ampere News. And she does some really interesting work. Kind of runs her own little news division there as part of the company. And she recently published a story about some deep fake romance scams. And let me describe how this works. So of course, we're familiar with romance scams.
Joe Carrigan: Indeed we are.
Dave Bittner: Somebody you know, pretends to have a romantic interest in someone, but they're really just interested in getting their money. And they will tell them anything to make that happen.
Joe Carrigan: Yes.
Dave Bittner: So --
Joe Carrigan: Drain their bank accounts.
Dave Bittner: Drain their bank.
Joe Carrigan: They will stick with it until the person either runs out of money or realizes it's a scam.
Dave Bittner: That's right. That's right. Taking advantage of the fact that everybody just wants to be loved.
Joe Carrigan: Right.
Dave Bittner: So what these criminals have done, and there's a -- there's a YouTube video that's part of the story we'll link to here that -- that really shows it, but I'm going to try to describe it here. They will use two phones. So phone number one is running a real-time deep fake software. So with this software, this is something you can get for your iPhone. You can get for your Android phone. Basically, you can load in a photo of someone, and it will use the camera on the phone to look at you and animate that photo in real time as if it were that person speaking.
Joe Carrigan: This is very similar to, like, the Snap filters that make you look like a little deer or a mouse or something.
Dave Bittner: Yeah. Exactly the same thing except here --
Joe Carrigan: Right. They're going photo.
Dave Bittner: They're going for photorealism. And they're pretty good. So they'll have that running on one phone. And then, with a second phone, they'll be having the call with the victim. But that second phone's camera is looking at the first phone's screen.
Joe Carrigan: I see.
Dave Bittner: So to the person they're having the conversation with, what they're seeing is the real-time animation on that first phone screen, which could be whatever they want it to be.
Joe Carrigan: Right.
Dave Bittner: And they show that they'll have -- and these scammers are pretty much exclusively men --
Joe Carrigan: Right.
Dave Bittner: -- at least in this story. That's all they show. But they'll pretend to be women. They'll pretend to be people of a completely different race or size or shape or anything. And it looks pretty realistic. This story shows that these scammers have been bragging about this on social media and posting videos of them doing their scams. And they show a bunch of these in the video that's part of the story. And they actually show them talking to some of their victims. And the victims just go right along with it. They explain some of the limitations of the software to the victim by saying, oh, I have a bad connection or you must have a bad connection or something like that, you know, and that's why it's not so clear.
Joe Carrigan: More likely that they'll push it off on the victim. But that's just -- I'm just being -- speculating here, but seems like the kind of person that does that kind of thing.
Dave Bittner: Yeah.
Joe Carrigan: That's a horrible, horrible person.
Dave Bittner: No, I think you're right. I think that's exactly what they do. Every opportunity to make that person question themselves and kind of weaken their resolve --
Joe Carrigan: Right.
Dave Bittner: -- they'll do that. And they're really good at it.
Joe Carrigan: So I'm going to ask you a question. Are these guys Nigerian?
Dave Bittner: I believe in this particular case some of them are, yes.
Joe Carrigan: Okay. Because we've heard before about Nigerian scammers bragging about how much they scam people out of.
Dave Bittner: Right.
Joe Carrigan: But we've never heard that about other -- other scamming groups, other locales. Like, there are huge scam centers in India.
Dave Bittner: Right.
Joe Carrigan: And I never heard about Indian guys scamming people. Huge scam centers in Eastern Europe and never heard those guys bragging about it.
Dave Bittner: Yeah.
Joe Carrigan: But I have heard about the Nigerians doing that.
Dave Bittner: Yeah. And I've -- we've reported here I want to say early on, on our show here. We talked about how there was kind of a cultural element of them saying that -- the Nigerians specifically saying, if I can scam someone, that's on them.
Joe Carrigan: Right.
Dave Bittner: They should be -- you know, they -- they don't feel any guilt about it.
Joe Carrigan: I will say this about the Nigerian government. They strongly disagree with that sentiment.
Dave Bittner: That's right. That's right.
Joe Carrigan: They are not happy about this.
Dave Bittner: No. If you're the -- if you're the leaders of Nigeria, this is not the number one thing you want, you know, your tourism board to have to talk about.
Joe Carrigan: When people think of your country, you don't want the first thing they think of to be scammers, right?
Dave Bittner: Right.
Joe Carrigan: And these guys are trying to represent -- they're the largest most -- or the most populous country in Africa. They're -- they're coming -- you know, they're a developing nation. They're coming into the world as an economic power.
Dave Bittner: Yeah.
Joe Carrigan: And they want -- they want not this. Not this.
Dave Bittner: Yeah, yeah. No, it's a fascinating story. And I recommend that everybody, if this is something that you're interested in, click through to the story. We'll have a link in the show notes. And there is a video that really shows how this works. I do want to highlight that there's some interesting advice about how to protect yourself here. First of all, just general skepticism. You know, remember that many of these profiles are fake. And if someone's trying to strike up a romantic relationship with you online, that, sad to say, odds are it's not real.
Joe Carrigan: Right.
Dave Bittner: But here's one I hadn't really thought of or heard of. Ask the caller to raise their hands or stand up because, evidently, the technology can't quite deal with that.
Joe Carrigan: Right.
Dave Bittner: And it breaks up.
Joe Carrigan: It misses the face. And if you -- if they stand up, you're going to see -- you're going to see the thing turn off briefly, and you're going to realize it's fake.
Dave Bittner: Yeah.
Joe Carrigan: Move around them. It's just getting the move around rapidly.
Dave Bittner: Right.
Joe Carrigan: I think I would say -- is on this list here watch for the platform change? In other words, you're on some dating app --
Dave Bittner: Yeah.
Joe Carrigan: Right. And now this person has asked you to move to some chat application where you can video chat.
Dave Bittner: Sure. Yeah.
Joe Carrigan: Right.
Dave Bittner: Yeah. Although, with this, I mean, they wouldn't necessarily have to do that, once we --
Joe Carrigan: No, they wouldn't. If the video chat can happen in the dating app, then this will go right through that.
Dave Bittner: Yeah. Exactly.
Joe Carrigan: But the difference is the dating apps also don't want these guys on there.
Dave Bittner: Right.
Joe Carrigan: So they delete these scam profiles as soon as they find out they're scam profiles.
Dave Bittner: Right, right.
Joe Carrigan: But that's why they want you off the -- off the platform so you can -- they can continue to talk to you about these things.
Dave Bittner: Right. And if you ask them, if you say, hey, Joe. I noticed that you aren't on the dating app anymore. What are you going to say to me?
Joe Carrigan: Oh, it's because of you, Dave. I love you so much I closed down my dating app.
Dave Bittner: That's right. The search is over.
Joe Carrigan: Right. Dave, you are my soul.
Dave Bittner: There you go. Don't let Lisa know. They talk about bringing a friend in to take a look at your new relationship. We've talked about this many times.
Joe Carrigan: Yeah. And the hard part there is really listening to your friend.
Dave Bittner: Yeah.
Joe Carrigan: You know, it's -- one of the biggest problems with a lot of this is that when, by the time you bring -- a friend is involved in this situation, the victim is already so groomed by the scammer that they have been conditioned to think that the friend is jealous of the relationship --
Dave Bittner: Right.
Joe Carrigan: -- NS IA going to try to sabotage it just because it's -- it's something they don't have, the friend doesn't have.
Dave Bittner: Right, right. You don't want me to be happy.
Joe Carrigan: Right. They don't want you to be happy.
Dave Bittner: Yeah.
Joe Carrigan: So be prepared for that. As a potential victim of a romance scam, like, every single one of us actually is, even though we all like to think to ourselves, no, I'd never fall for that.
Dave Bittner: Right.
Joe Carrigan: Yeah. At some point in time, you will. You'll fall for something.
Dave Bittner: Yeah.
Joe Carrigan: If you have a friend who says you need to step back and think about this, they see something that you don't see. And you don't see it because you're too emotionally invested. Take a step back and think about it.
Dave Bittner: Yeah. I wonder, like, for that specific thing, how do you inoculate someone against that ahead of time?
Joe Carrigan: Make them listen to this podcast, Dave.
Dave Bittner: Joe, that's your answer for everything.
Joe Carrigan: It is. Actually, Dave, I actually believe it's one of the answers for I wish we could go out there and force people to listen to other people say, here's what happens during a romance scam.
Dave Bittner: Right.
Joe Carrigan: But you can't force anybody to do it.
Dave Bittner: Yeah.
Joe Carrigan: But it's -- it's -- so, I mean, that's the purpose of this show is to -- so everybody knows what the scam is before they see it because, if you know what the scam is before you see it -- you see it, I think you're less likely to fall for it.
Dave Bittner: Yeah.
Joe Carrigan: And there's research that says this as well.
Dave Bittner: Sure.
Joe Carrigan: So that's the best thing beforehand is, you know, you have somebody who's newly single. Talk to them about it. You know, say, Hey. You've got to watch out for scammers on this thing. Here's what to look out for. You look out for the -- the love bombing. You look out for the change of platform. You look out for the not willing to meet you in person or the faraway person.
Dave Bittner: Right. And then you look for the ask for money. And that's it. That's the -- that's how all this works. That's the process that you're going through. Yeah.
Joe Carrigan: It doesn't -- it doesn't sound like that to the victim, but that's exactly what happens.
Dave Bittner: Yeah. Another point they make that's a good one is to listen to the people at your bank.
Joe Carrigan: Yeah.
Dave Bittner: If they say the situation looks suspicious, believe them.
Joe Carrigan: Right. Yeah. They see it all the time.
Dave Bittner: Right.
Joe Carrigan: And you're probably not different from other people that have been scammed.
Dave Bittner: Yeah.
Joe Carrigan: If your bank says this is a problem, that should be a wake up call for everybody.
Dave Bittner: Yeah. I will say it's been heartening to see how much more deliberate training there's been from the folks in these retail positions, you know, the people at the counter at the bank, the people at the grocery store or the drugstore where you can buy your gift cards.
Joe Carrigan: Right.
Dave Bittner: There's been a good amount of training up of those folks just to -- to try to head these things off at the pass.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: I agree.
Dave Bittner: Yeah.
Joe Carrigan: And that's wonderful.
Dave Bittner: Yeah. Like I said, the video of this stuff is remarkable and really eye opening. So, you know, I think that's a great way to inoculate people as well. If you have folks you might -- you think might be a victim of this, send this video around --
Joe Carrigan: Right.
Dave Bittner: -- because, you know, a picture paints 1000 words, whatever it is.
Joe Carrigan: Yeah.
Dave Bittner: So -- and it's compelling.
Joe Carrigan: And there's 30 pictures in every second video.
Dave Bittner: There you go.
Joe Carrigan: What's that?
Dave Bittner: All right. 2221000 words every second. Okay. I'll take your word for it.
Joe Carrigan: I like doing that.
Dave Bittner: Right, right. All right. We will have a link to that story in the show notes. Joe, what do you have for us this week?
Joe Carrigan: Dave, I'm also going to go with a deep fake story today.
Dave Bittner: Okay.
Joe Carrigan: But it's not -- it's not a -- I'll tell you what happened.
Dave Bittner: Yeah.
Joe Carrigan: Somebody on social media in Baltimore County --
Dave Bittner: Okay,
Joe Carrigan: -- brought a video that was just audio that is purportedly the voice of the high school principal of Pikesville High School. His name is Eric Eiswert.
Dave Bittner: Okay.
Joe Carrigan: And they have said that this is his voice, and he is saying things in the video clips that are racist and anti-Semitic.
Dave Bittner: Oh, okay. Yeah.
Joe Carrigan: Have you heard this story?
Dave Bittner: No, I have not.
Joe Carrigan: Oh. Okay. I've listened to the audio, the unedited -- well, the audio that was initially released on -- on social media.
Dave Bittner: Yeah.
Joe Carrigan: It is edited, obviously so.
Dave Bittner: Okay.
Joe Carrigan: Right. There -- there are breaks where it stops. And it is conceivable to me that, if this clip is genuine, then somebody would just -- took out all the parts that were not relevant to the accusation of racist comments and just strung the racist comments together.
Dave Bittner: Sure.
Joe Carrigan: But --
Dave Bittner: Kind of like a ransom note letter.
Joe Carrigan: Yeah.
Dave Bittner: It sounds like a version of the ringer.
Joe Carrigan: It is definitely -- it is definitely, definitely edited.
Dave Bittner: Okay.
Joe Carrigan: And so I think that's interesting. The second thing is that Mr. Eiswert's defense is that that wasn't me. That's deepfake audio.
Dave Bittner: Okay.
Joe Carrigan: Okay. That's his -- that's his defense. Now, Baltimore County Schools is investigating this. But that didn't stop the news from going all over the place about it, right, some people even showing up at the principal's house knocking on his door to ask him questions.
Dave Bittner: Oh. News people, you mean.
Joe Carrigan: News people. Yeah.
Dave Bittner: Okay.
Joe Carrigan: So WJZ reached out to an expert. His name is Hany Farid. He's a professor at UC Berkeley.
Dave Bittner: Okay.
Joe Carrigan: Now, I don't know why WJZ would reach out to UC Berkeley when they have an institution like Hopkins so close.
Dave Bittner: It's your unbiased opinion, Joe?
Joe Carrigan: That's my unbiased opinion.
Dave Bittner: Okay.
Joe Carrigan: Very close.
Dave Bittner: Fair enough.
Joe Carrigan: We do have a media response department.
Dave Bittner: Duly noted.
Joe Carrigan: I did an interview yesterday.
Dave Bittner: Okay.
Joe Carrigan: And he says, I don't think you can say that this is authentic recording. And he's not -- he's not saying it's fake, but he wants to be very careful with his wording in this. And he says, I don't think you can say it's real. And I think, before we say it's real, you have to think about this. You have to get -- you have to do this investigation that Baltimore City Schools is doing.
Dave Bittner: Right.
Joe Carrigan: Right. Because he's talking to somebody. But I took a look around social media today and, in particular, TikTok. I don't have a TikTok account. But I just Googled it, and it led me to a couple of TikTok videos. There are people just absolutely buying in on this.
Dave Bittner: Yeah.
Joe Carrigan: And I don't know if this is real or not, but the news media has already showed up to his house. If this turns out to not be real -- and I haven't seen any news articles that have followed up on it. This happened about a week ago. Nobody is saying that we've determined that it's fake. There's no news that says we've determined that it's fake.
Dave Bittner: Yeah.
Joe Carrigan: Or that they've confirmed that it's real. So, you know, I wonder about the ethical implications of just showing up on some guy's doorstep to talk to him about something where he has a pretty modern and reasonable defense about -- about this, about something because it's entirely possible that this media is synthetic.
Dave Bittner: Sure.
Joe Carrigan: I think it needs to be analyzed. But even if you analyze it, the fact that the media has got a hiss behind it, I mean, you could have -- there could have been a bunch of different production values that went into this to cover up the artifacts, but maybe the artifacts are still there. I'd like to see it get analyzed.
Dave Bittner: Well, I think -- more interesting or as interesting is just the reality that this is where we are, right?
Joe Carrigan: Right.
Dave Bittner: And I think as we head into this political season, as a friend of mine used to call it, silly season.
Joe Carrigan: Yes. I'll keep calling it that, Dave, silly season.
Dave Bittner: We're just going to see more of this. And so you have the two sides of it.
Joe Carrigan: Right.
Dave Bittner: You can have anybody who says anything horrible, somebody gets caught on a hot mic saying something horrible, they'll be able to attempt the defense saying, yeah. It must have been a deep fake. Right? I never said that.
Joe Carrigan: Yep. There was a deep fake used in one of the recent primaries.
Dave Bittner: Yeah. In New Hampshire.
Joe Carrigan: Yeah, New Hampshire, where --
Dave Bittner: President Biden. Yeah.
Joe Carrigan: -- a tape of Biden calling people up going, Don't bother showing up at the polls.
Dave Bittner: Right.
Joe Carrigan: I've already won or something like that.
Dave Bittner: Right.
Joe Carrigan: I don't know.
Dave Bittner: Yeah.
Joe Carrigan: But, you know, like, I say defense for that is never trust any information on an inbound call. I detest when I get political telephone calls.
Dave Bittner: You, Joe?
Joe Carrigan: And the only thing I detest more than that is when I walk into the voting place and there's people there trying to sway my vote before I vote.
Dave Bittner: Yeah.
Joe Carrigan: I hate that.
Dave Bittner: I know.
Joe Carrigan: It's like, oh. Oh, I haven't made up my mind on who I'm going to vote for. Who should I vote for, random person on the street.
Dave Bittner: Oh, look. There's a sign. My mind is made up. Yeah.
Joe Carrigan: Right.
Dave Bittner: Yeah. I'll say the one -- well, one of the ones that rubs me the wrong way are sign wavers. You know, the people that, when the politician stand on the side of the road and distract traffic by waving signs --
Joe Carrigan: Oh, yeah.
Dave Bittner: -- with their names on them.
Joe Carrigan: Yes.
Dave Bittner: Sadly, I think the only way that's going to change is if somebody gets run over.
Joe Carrigan: Right. And maybe the politician.
Dave Bittner: That's what I mean. Like, that's the only way it's going to be, you know, stopped --
Joe Carrigan: Right.
Dave Bittner: -- because, I don't know, they have evidence that it works, or at least they believe it does.
Joe Carrigan: Yeah.
Dave Bittner: I don't know. But back to this thing about the --
Joe Carrigan: I saw a guy holding up a name -- his name on a sign waving at me one time, and I wound up voting for him because that changed my mind. No. That never happened.
Dave Bittner: Right. But it's just -- I think it's like an awareness kind of thing. I think what happens is, if you are not, if there's a particular position that you haven't really thought much about, you're more likely to hit the button or lots of people are more likely to hit the button for the name they've just seen more times.
Joe Carrigan: Yeah. That's probably true.
Dave Bittner: That's what they're -- that's what they're doing. They're just trying to get that name in front of you. And I can't blame them for that. But I think it's dangerous.
Joe Carrigan: Yeah. One of the good things about living in Maryland is we don't have to worry about the primary process.
Dave Bittner: Yeah.
Joe Carrigan: Because by the time Maryland votes in the primaries, the elections already been decided.
Dave Bittner: Yeah. True.
Joe Carrigan: So, I mean, it's --
Dave Bittner: Yeah. I guess it depends. Yeah. Certainly on certain levels. That's true.
Joe Carrigan: Right.
Dave Bittner: So, I mean, where do we end up with this? Is -- there's been talk about chains of custody for things like --
Joe Carrigan: Right.
Dave Bittner: -- video and audio.
Joe Carrigan: And this video just showed up on social media.
Dave Bittner: Right.
Joe Carrigan: So there is no provenance on this.
Dave Bittner: Correct.
Joe Carrigan: What we're talking about is provenance. How long, you know, who had this. Now, you're talking about the hot mic. Usually, that's like a newscaster sitting in a room.
Dave Bittner: Yeah.
Joe Carrigan: And, you know, they just so happen to be recording.
Dave Bittner: Right.
Joe Carrigan: And then they catch somebody on a hot mic. That's good provenance.
Dave Bittner: Right.
Joe Carrigan: But this, this is not good provenance.
Dave Bittner: No. So do we dismiss it?
Joe Carrigan: I think we do the investigation.
Dave Bittner: Yeah.
Joe Carrigan: We ask -- we ask the -- cause he's talking to somebody in the room. He names somebody.
Dave Bittner: Right.
Joe Carrigan: So we interview that person, see if we can get any information out of that person, see if the stories add up.
Dave Bittner: Right.
Joe Carrigan: And then we run if -- you know, I say -- it's really simple to run a classifier on it and see if it comes up as fake. If it comes up as fake, definitely fake, you dismiss it. We're done, right?
Dave Bittner: Yeah.
Joe Carrigan: But if it doesn't come up as fake, then you're still going to have to do the -- the investigation because I can think of a number of ways that you can take a synthetic video or synthetic audio, modify it so it comes out sounding like an audio -- analog video -- analog audio --
Dave Bittner: Sure.
Joe Carrigan: And then putting it out on social media.
Dave Bittner: Yeah. I guess the bottom line here is you just can't take things at face value.
Joe Carrigan: No. You cannot take things at face value. That's right.
Dave Bittner: Yeah. All right. Well, we will have links to this story in the show notes. And, of course, we would love to hear from you. If there's something you'd like us to cover on the show, you can email us it's hackinghumans@n2k.com. Joe, it is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]
Joe Carrigan: David, it's again from Van who has another voicemail for us.
Dave Bittner: Oh. All right.
Joe Carrigan: And he says, I'm not sure what's going on with the music at the beginning. Maybe something to get your attention. And then you're curious when the music changes, which it does. It's very interesting. Who knows. But I think they have a reason. Keep up the good work on the show. So let's play the audio
Dave Bittner: All right. [ Music ] I want to take a nap.
Joe Carrigan: Yeah.
Dave Bittner: I would have hung up by now.
Joe Carrigan: Right.
Unidentified Person: This call is to authorize the payment of $1,499 for the recent order of Apple MacBook Pro on your Amazon account. If you do not authorize this payment, please press 1 to speak to our customer support representative.
Dave Bittner: Ah. There you -- there it is.
Joe Carrigan: Right.
Dave Bittner: Okay.
Joe Carrigan: So if you press 1, you get put through to a scammer.
Dave Bittner: Right.
Joe Carrigan: I get these calls. I've gotten -- I've gotten these calls one time.
Dave Bittner: Yeah.
Joe Carrigan: And I push 1, and I just start asking questions like, Tell me how this scam works. And, man, that makes those guys angry.
Dave Bittner: I'll bet.
Joe Carrigan: And, you know, I should probably just hang up. Like you said, halfway through I'd have hung up by now.
Dave Bittner: Right.
Joe Carrigan: But I can't help myself, Dave. I just have to do it.
Dave Bittner: All right. I mean, what do you think the music is about? There's -- it starts out with like an old timey cartoon sound.
Joe Carrigan: Yeah. Like a 1930s cartoon. Like, as soon as I do that, as soon as I hear that, I see a cow dancing with his arms, you know, elbows.
Dave Bittner: Right. Rubber hose limbs that they have.
Joe Carrigan: Exactly.
Dave Bittner: Exclamation points coming out of his head.
Joe Carrigan: Yeah. And then it changes to the sleepy time music.
Dave Bittner: Like spa music.
Joe Carrigan: Yeah.
Dave Bittner: Like I'm about to, I don't know, get a -- you know, a cucumber facial or something. That silly cucumber on the eyes. I guess it's to lull you into relaxation or --
Joe Carrigan: Yeah.
Dave Bittner: I don't know. It's weird.
Joe Carrigan: And then to panic you with the, Hey, we've just noticed a big purchase on your Amazon account.
Dave Bittner: Right. Right.
Joe Carrigan: Van also writes in with some follow-up on -- on his last voicemail about the Spectrum offer.
Dave Bittner: Okay.
Joe Carrigan: He says he's not a Spectrum customer, but it's likely that the phone number where he received that voicemail has been on a Spectrum support ticket in the past.
Dave Bittner: Okay.
Joe Carrigan: So maybe. Maybe he's under an area that Spectrum serves.
Dave Bittner: Right, right. Could be part of a data breach. Who knows.
Joe Carrigan: Yeah.
Dave Bittner: Yeah. All right. Well, thank you, Van, for sending that in. And, of course, again, we'd love to hear from you. Our email is hackinghumans@n2k.com. Joe, I recently had the pleasure of speaking with Jaeson Schultz. He is a technical leader with Cisco Talos, a research team there, part of Cisco. And our conversation centers on some of their research on scammers who are making use of Google Forms. Here's my conversation with Jaeson Schultz.
Jaeson Schultz: Well, I do a lot of work on the anti spam side of things. Originally, when I joined Cisco, I was managing the SpamCop product and doing customer support for that as well. I still do a lot of work on the anti spam side. I maintain a lot of our spam traps and things. So I routinely go out and sign up for mailing lists and put email addresses out there just to see kind of what comes in. And this came in, and it looked slightly like a form-type message. And it caught my eye just because it was different than some of the form spam that we normally see.
Dave Bittner: So you're the guy taking one for the team by sign here for everything, right?
Jaeson Schultz: Yeah. I have no spam filters on my incoming emails, so I get a lot of email.
Dave Bittner: Wow. Well, let's talk about this specifically. Can you can you walk us through exactly what the bad guys are up to here.
Jaeson Schultz: Yeah. Certainly. So, you know, one of the ways that anti spam companies, you know, identify bad messages is sometimes by the path that the message takes. So if you have a mail server that's known to be sending a lot of spam, it will end up on a block list fairly quickly, and you won't be talking to it or receiving mail from it. And so spammers are aware of this. And so they're constantly looking for ways that they can either blend in with legitimate traffic or even hijack the reputation of a legitimate sender. In this case, the spammers are using Google Forms to take advantage of Google's own email infrastructure for doing the outbound sending.
Dave Bittner: Well, can we talk about some of the specifics here. I mean, what's the functionality within forms that enables this?
Jaeson Schultz: Right. So, in this case, the spammers are creating a form. And then, when you actually go to the settings for the form, you can make the form a quiz or a questionnaire. And then there's some other settings that are important for this to work. Releasing the grades, you know, if it's a quiz, you're going to release the grades. There's two options. One is to release the grades immediately. So you've got the answers already stored and, when somebody enters their answers, you can give them their scores right away. Or you can release the grades later after a teacher or professor has reviewed the answers and graded them. Probably for more like written responses and things, I would think. So they set it up for later after manual review. And what this does is this turns on the collection of the email address. So when someone fills out the form, they also have a form field that they fill out for their email address as well. And so then what happens is, when the form is generated, you can either send out the form to the various people who are going to be taking the quiz, or you can actually get a link to go to the form yourself. And that's what the spammers' doing in this case. They're going to this form that they've set up, and then they're filling out the form using the email address field of the intended recipient of the spam, of the victim. And then, when they do this, they end up on a screen in Google Forms that shows you all the different responses to your quiz, and you can then release the grades. And when you do that, you have the option to customize the message. And so, by releasing the grades, that forces Google Forms to then send an email to the victim, who, of course, did not fill out the form. This was done on behalf of the spammer. But they ended up getting the email. And, at the beginning of the subject line, you'll see that score released text, which is put there automatically by Google. >> Dave Bittner:, And so the notion here is that because this email is coming from Google, it's likely to make it through standard spam filters. Right. You know, part of the problem with spam is that, you know, spammers are constantly throwing things against the wall to see what sticks or what makes it past the filters. And by using Google's own email infrastructure, they go a long way. You know, you can't necessarily block all Google Forms if you're, you know, doing -- processing a lot of email. So, in a way, they're kind of blending in with all these legitimate forms traffic. And so it becomes very, very difficult to block unless you already know something about the content that they're going to be sending. In this case, you know, these messages came to some of our spam traps. And the content, you know, made it into our automated systems, which would block that very, very quickly. But it's one of those things where they can keep sending stuff until it gets through. And so it's a bit of a game of Whack-a-Mole, if you will.
Dave Bittner: To what degree do you suppose that they're using automation on their side?
Jaeson Schultz: Well, there's certainly a fair bit of automation. If you look at the final scam website, I mean, the attention to detail that they put into there, you first have to, you know, go to the website. And it asks you if you want to you login. And they've prefilled in a username and password so that you can just go ahead and log in. And then you go in and, you know, you -- there's a chat window with different supposed users who are, you know, talking about their -- their winnings or their -- the bitcoin that they've been able to cash in, right. Of course, all -- if you watch for long enough, you'll see the same messages kind of repeating over and over. But -- and you can actually -- they set it up so you can even comment in there if you wanted to. But, of course, you're commenting basically to yourself because that's not going out in any sort of a chat room that's visible to anybody else. Now, then, when you go in, they actually direct you -- if you want to claim your bitcoin, they direct you to a chat room where they actually have a -- what's a -- is supposedly an agent who's chatting with you. Now, this is also automated. You know, they -- you get the three dots as if they're typing, and then a message comes out. So they've gone to a lot of detail just to try to convince you that you're actually chatting with a real support agent. They don't give you much in the way of, you know, customize your response or customize your questions. So they've kind of thought that through. But I was just looking at the site earlier today. And at one point, you know, before you can click through to the final, you know, form where you're chatting through the support agent, you know, they've got, you know, the current balance, and they're -- they're kind of collecting your bitcoins. And one of the thing that's interesting is they're actually paying attention to whether that web page is live in the view or not. And if you navigate to a different tab, it kind of pauses the activity. They're even, you know, trying to hook people who are, you know, going to sit there and watch the automation that they've included in this web page for this scam. And one of the things that surprised me was just kind of getting to the end of the scam. And all they were asking for was about $64. And I was just thinking about, you know, the amount of effort that they went to, to build this web page to try to scam people out of bitcoin. Of course, bitcoin has been kind of going back up lately. So it doesn't surprise me that those scams are circulating a bit more now. But it definitely surprised me just in terms of the effort and the final website that they direct you to, as well as, since then, I've seen them branch out into other types of Google Forms spam. They've also been abusing Atlassian Jira. I'm kind of tracking these guys a bit behind the scenes, these guys who were behind this particular scam. And they branched out to a couple of different services that offer kind of similar things to Google Forms, you know, products where you can send transactional email, but then they're including links in those emails and hoping that people click there and go to the final scam website.
Dave Bittner: You know, it's interesting, from my own personal experience, I honestly don't think that much about spam. But as you and I are talking, I suppose that, in large part, that's because folks like you and your colleagues are out there making sure that most of it doesn't get in front of me.
Jaeson Schultz: Yeah. We definitely work hard to try to make that -- that the case. One of the other things I feel that's driving it is, you know, people spend a lot more time on various social media now. Discord, Facebook, Instagram, Telegram, you know, you name it. So there's a lot more avenues for them to reach people. And so I think, while email will always remain, you know, one particular channel that will see scams being delivered, scammers have kind of branched out and -- and are using a lot of different methods in order to find potential victims.
Dave Bittner: What are your recommendations, then, for folks to best protect themselves here?
Jaeson Schultz: Right. So, you know, there's a couple things. One, if you get a message from Google Forms, you know, you should probably -- you know, and it's talking about bitcoin, I mean, this just seems like what would -- what would Google Forms have to do with an account that you had bitcoin stored? So that's kind of the first red flag to me. But then, when you go there, they're telling you, oh, you haven't logged in for a while. You have a bitcoin that you can cash out that's worth, you know, $45,000. This sounds too good to be true. And when things sound too good to be true, they often are. So, you know, using a bit of common sense in terms of the email that you receive and then, of course, you know, not necessarily clicking on links that are sent to you unsolicited, right, and this is especially important when you're dealing with things like messages that might come from a bank or some other website where you know you have an account, you know. You wouldn't want to navigate to these websites independently of the email you got and login just on your own. And, you know, if there's something you need to do or some message in there, and then that's where you will see it. So, you know, be extremely wary of anything that's sent to you through email or even unsolicited through social media.
Dave Bittner: Joe, what do you think?
Joe Carrigan: I like his method here. Yeah. Go out and sign up for a bunch of accounts and get a bunch of email accounts, and then turn off all the spam filters and see what you get.
Dave Bittner: Right.
Joe Carrigan: Gives you an idea what's going on.
Dave Bittner: Like slathering yourself with honey and going out in a forest full of bears.
Joe Carrigan: Right. Let's count how many bears there are.
Dave Bittner: Right.
Joe Carrigan: Oh, there's one. Yeah. I think you only get to one.
Dave Bittner: He's getting closer. Yeah. Right.
Joe Carrigan: Spammers know the lay of the land here. And, you know, they're not -- they're not dumb. They know what they're doing. And they know that there are spam filters out there that do this analysis. And they're going to try to get around any of that classification that they can.
Dave Bittner: Right.
Joe Carrigan: So that's why they're using Google Forms. It's a great way to do that.
Dave Bittner: Yeah.
Joe Carrigan: And this is a very convoluted use of something that Google developed to make what I think is testing students easier, where they create a quiz, and then you go in and you fill out the quiz. And then you click Submit. And then they can look at the results and say send a -- send an email.
Dave Bittner: Right.
Joe Carrigan: This sounds like it might be labor intensive, but I'll bet this can be automated very quickly. And you and -- you and Jaeson touched on that.
Dave Bittner: Yeah.
Joe Carrigan: I'm thinking this is automated.
Dave Bittner: I would think so. I think Google would have some kind of API or something.
Joe Carrigan: Yeah.
Dave Bittner: I don't know. Interesting.
Joe Carrigan: Yeah. Why they would do an API to let people fill out forms, though, is kind of weird. Or maybe they're just making calls to the form.
Dave Bittner: Yeah. Who knows.
Joe Carrigan: You know, resubmitting it. That could be. What's interesting is that, unless you block -- you can't really block all the forms, right, everything from Google Forms. Or maybe you can if you -- if you have a business policy that says we're never going to use Google Forms and not allow people to use Google Forms, right? Unlikely business policy, right.
Dave Bittner: Right.
Joe Carrigan: But unless you know the text, you probably can't get it. You can't block it.
Dave Bittner: Yeah.
Joe Carrigan: And if your spam filters do somehow manage to stop this, they do realize this is a spam email, these guys can just change how they're doing it so it comes through.
Dave Bittner: Right.
Joe Carrigan: They have all the time in the world. I like -- like the story at the end of the scam you get a message that says, To collect your bitcoin, go here, right? Ooh, I'm going to get some bitcoin. And then you're waiting for them as if you were talking to a real person. You're waiting for a scammer.
Dave Bittner: Yeah.
Joe Carrigan: I don't know. I find that a little insulting, Dave. If you're going to scam me, be on the phone for me. Or be on --
Dave Bittner: You want a scammer with a good sense of punctuality, right?
Joe Carrigan: Right. I want -- I want the personal attention from a scammer.
Dave Bittner: You want a scammer who respects your time.
Joe Carrigan: Right. Exactly.
Dave Bittner: If they're going to take your money, the least they could do is respect your time. I understand.
Joe Carrigan: And be a real person on the other end.
Dave Bittner: Yeah.
Joe Carrigan: You know.
Dave Bittner: Okay.
Joe Carrigan: I mean, don't be like the AT&T customer service or -- or Verizon customer service. We don't have to press 1 to get -- don't do that. You're a scammer. You've got me.
Dave Bittner: Okay.
Joe Carrigan: Never mind. I shouldn't be joking about this. But it does -- it is interesting that they mimic the miserable experience we all have with customer service --
Dave Bittner: Right.
Joe Carrigan: -- because --
Dave Bittner: It makes it seem more authentic.
Joe Carrigan: It does. Exactly my point. It makes it seem more authentic.
Dave Bittner: This is some authentic misery.
Joe Carrigan: Right.
Dave Bittner: Oh, boy. >> Joe Carrigan:. You know, it's like that thing if it's too good to be true, it probably is. Right. And this is terrible.
Joe Carrigan: Right. This is too good to be true.
Dave Bittner: Right. Yeah.
Joe Carrigan: I think it's interesting that when the -- when the window loses focus, and Jaeson is talking about the window losing focus, they stop adding up your bitcoin, right? Like how much bitcoin you received stops counting. And you come back to the window, and it says, Okay. Well, we'll resume the counting. That's like a demand on your attention.
Dave Bittner: Yeah.
Joe Carrigan: Facebook videos do this. Like, if you start a Facebook video and then you click on another tab because you just want to listen to it. The first video stops. I refuse to watch videos on Facebook anymore.
Dave Bittner: Yeah.
Joe Carrigan: I won't do it. I'll just look up the video on YouTube and then keep it running in the background.
Dave Bittner: Yes. I think that's safe. To me, Facebook is like a big poster child for the second location prohibition.
Joe Carrigan: Yes. Yeah.
Dave Bittner: You know, like --
Joe Carrigan: Never go to the second location.
Dave Bittner: Right, right. Don't watch a video on Facebook. Don't browse to a website on Facebook because everything you do, every interaction, if you do it through Facebook, they're tracking everything.
Joe Carrigan: Right.
Dave Bittner: So just be cautious.
Joe Carrigan: They're using Atlassian, as well, the Jira platform to send out emails to people. Anything that sends emails has a potential to be abused this way. Like, we talked frequently about the PayPal email -- emails.
Dave Bittner: Right.
Joe Carrigan: These are legitimate emails from PayPal that scammers are using under the one month free services, and they're sending out invoices, hoping that they get paid.
Dave Bittner: Yeah.
Joe Carrigan: And Atlassian is doing -- is trying to automate the process of Jira, which is a software development management tool, to get emails, to send emails. But that goes right through spam filters or has a higher chance of going through spam filters.
Dave Bittner: Right.
Joe Carrigan: They're also looking to now exploit social media apps. They're just going through WhatsApp, Facebook, Twitter. They're just hitting you -- or X, I guess we say now.
Dave Bittner: I say ex Twitter.
Joe Carrigan: X Twitter.
Dave Bittner: Yeah.
Joe Carrigan: Because you're an ex Twitter user?
Dave Bittner: Yeah. And I think it's more -- X is just a terrible name. So -- and X Twitter because the other thing you can say is the platform formerly known as Twitter. So it's, like, just shorter to say X Twitter.
Joe Carrigan: That's what we used to say about Prince.
Dave Bittner: Exactly. Exactly so --
Joe Carrigan: You know, I was on Twitter or whatever it is today.
Dave Bittner: Yeah.
Joe Carrigan: I was -- something came up when I went -- had to go there to look at something.
Dave Bittner: Yeah.
Joe Carrigan: And I'm signed in with my professional account. And I retweet something. I think I retweeted the tweet about last week's show that our team put out because every week I send a plug out; and our media person, Megan, sent -- puts it up on Twitter.
Dave Bittner: Okay.
Joe Carrigan: So I retweeted that. And it goes, Well, let's validate you're not a bot. I'm like, what? How -- I don't interact with this platform enough for you to think I'm a bot.
Dave Bittner: Right. Right.
Joe Carrigan: You just don't have enough information.
Dave Bittner: Yeah.
Joe Carrigan: But I think this is them trying to get me to pay the eight bucks a month, which I won't do. That's -- that's not going to happen.
Dave Bittner: Right.
Joe Carrigan: So sorry. Sorry, Elan. You're not getting eight bucks out of me. No social media company is ever going to get a dime out of me.
Dave Bittner: Okay.
Joe Carrigan: Period. There you go. Grumpy Old Joe again. Your best defense? Be suspicious. Always go to the website directly of any of these companies, especially if it's a financial company or your email company.
Dave Bittner: Right.
Joe Carrigan: They should not be sending you links to external services like this.
Dave Bittner: Yeah.
Joe Carrigan: Like, if my bank sent me a link, legitimately sent me a link and said, Go fill out this Google Form, I think I'd go close my accounts. I'd be like, now, they don't take security very seriously here. I don't think my bank would do that. But, damn, who knows.
Dave Bittner: All. Right. Well, again, our thanks to Jaeson Schultz from Cisco Talos for joining us, we do appreciate him taking the time. That is our show. We want to thank all of you for listening. A quick reminder that N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Eliot Pelzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.
