Hacking Humans 2.15.24
Ep 277 | 2.15.24

Looking forward in 2024.

Transcript

Aaron Walton: There's one third actor that we've seen continually, that's known as GootLoader. The lures that they use and the social engineering that they use is for documents that contain legal agreements or something of that sort.

Dave Bittner: Hello everyone and a warm welcome to the "Hacking Humans" podcast. Every week we delve into the world of social engineering, scams, phishing plots and criminal activities that are grabbing headlines and causing significant harm to organizations all over the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week and later in the show my conversation with Aaron Walton. He's a threat intel analyst with a company called Expel. We're going over some of the details of their annual threat report. [ Music ] All right Joe, before we jump in here, a little bit of follow up. What do we got?

Joe Carrigan: Yeah Dave. Mateusz writes in, and Mateusz is a Polish guy living in Ludwigshafen, Germany.

Dave Bittner: Okay.

Joe Carrigan: And I'm sure my high school German teacher is reaching through the podcast to smack me in the back of the neck for messing up the pronunciation. Ludwigshafen.

Dave Bittner: Ludwigshafen.

Joe Carrigan: Ludwigshafen.

Dave Bittner: Ludwigshafen. Easy for you to say.

Joe Carrigan: Yes. All right. Mateusz just said, I wanted to quickly share something positive. How often do we get good news on this show?

Dave Bittner: That's right.

Joe Carrigan: Looking for a remote desktop solution to deploy in my home lab, I've landed on the website for RustDesk. This is an open source alternative to TeamViewer. As we know, those kinds of applications serve as a double-edged sword. They make the lives of both system admins and scammers easier. On the top of the webpage, there is a very visible warning message. It says, and I've actually pasted it from the webpage, because I wanted to see this for myself. Not that I don't trust Mateusz, I'm sure he's correct, but it says, warning, you may be being scammed. If you are on the phone with someone you don't know and don't trust, who has asked you to install RustDesk, do not install and hang up immediately. They are likely a scammer trying to steal your money or other private information. Mateusz goes on to say, this is a very responsible reaction from the RustDesk team. They are aware of the use case for their application, the malicious use case, and they took an effort to warn potential scam victims. So kudos to RustDesk and to you guys. I love the show. You make the social engineering side of cybersecurity very entertaining. Sometimes it's just sad to listen to. We do try to make it entertaining.

Dave Bittner: We laugh through the tears.

Joe Carrigan: Yes, we do laugh through the tears. I really enjoy driving to work and listening to your voices.

Dave Bittner: That's nice.

Joe Carrigan: I wish you all the best. Thank you, Mateusz. Thank you for sending us in. And yes, kudos to RustDesk.

Dave Bittner: Very good. Yeah.

Joe Carrigan: RustDesk, not the best name to roll off the tongue, kind of a tongue-twister.

Dave Bittner: No, RustDesk. No, that is a hard word to say.

Joe Carrigan: Yes.

Dave Bittner: All right. Well, thank you so much for writing in, and of course, we would love to hear from you. If there's some feedback you have for us, you can email us. It's hackinghumans@n2k.com. All right. I'm going to kick things off with our stories here this week, and my story comes from the CBC. This is written by Erica Johnson.

Joe Carrigan: That is the Canadian Broadcasting Company?

Dave Bittner: That is the Canadian Broadcasting Company. This is from CBC News, and Erica found herself being wooed by a scammer, by a romance scammer.

Joe Carrigan: Yes. I'm hopeful that Erica did not fall for this.

Dave Bittner: She did not.

Joe Carrigan: Okay, good.

Dave Bittner: But it's interesting. In fact, well, let's go through it bit by bit.

Joe Carrigan: Okay.

Dave Bittner: So she was contacted by this scammer who claimed to be named Bobby Brown. That's my prerogative, Joe.

Joe Carrigan: Right. That's right. Bobby Brown.

Dave Bittner: Not that Bobby Brown.

Joe Carrigan: Okay.

Dave Bittner: A different Bobby Brown. No. This was an oil drilling engineer living in Scotland who expressed romantic interest after finding Erica's social media profile online.

Joe Carrigan: You know, one of the things that oil drillers are known for is they make money. They have a lot of it.

Dave Bittner: Oh, that's true.

Joe Carrigan: Yeah.

Dave Bittner: It's also an extraordinarily dangerous job, right?

Joe Carrigan: And distant. Which is why they make a lot of money.

Dave Bittner: Yes. Yeah. Right.

Joe Carrigan: Remote, I should say.

Dave Bittner: So Erica is hip to these kinds of scams, and she said that she normally ignores them. But she decided that she was going to play along with this one.

Joe Carrigan: Okay.

Dave Bittner: So right away, Bobby quickly attempted to deepen their connection by asking for Erica's mobile phone number. And using terms of endearment in the communications, Erica says he came on pretty heavy, and his English didn't always make sense. He said, well, you are really an interesting woman. I would love to be a part of you. I want you to be mine, and I want to love you till the end of the world. He also said his favorite meal was macaroni and spaghetti with garlic.

Joe Carrigan: That sounds disgusting.

Dave Bittner: Right. What? Macaroni and spaghetti with garlic. With garlic. Yeah. Macaroni and spaghetti. I mean, it's good to mix up your pastas.

Joe Carrigan: No. No, it isn't, Dave. I can't think of anything -- you know, at home, we make our own pasta, Dave.

Dave Bittner: Oh, wow. Okay.

Joe Carrigan: Most particularly, my son, who has recently taken to doing this, loves making his own pasta. Are you the Italian Carrigans? Yeah, that's right. We're the Italian Carrigans. Okay.

Dave Bittner: Yeah.

Joe Carrigan: And, no, actually, we've learned to do this, actually, from some people with some Italian heritage.

Dave Bittner: Okay.

Joe Carrigan: But there is nothing that compares to fresh pasta. And I can think of nothing worse than having two different kinds of pasta in one meal.

Dave Bittner: Okay.

Joe Carrigan: It really makes me want to spin up Things Joe Hates, doesn't it?

Dave Bittner: Yes, it does.

Joe Carrigan: Makes you want to bring back that gem.

Dave Bittner: Yeah. All right. Well, moving on, Bobby sent her a photo of a street in Edinburgh, where he claimed to live.

Joe Carrigan: Isn't that Edinburgh? Or is that Edinburgh?

Dave Bittner: Edinburgh? Edinborough? I don't know how you pronounce it. Yeah, probably. Let's count on the fact that I'm mispronouncing it and go from there. Please don't write in.

Joe Carrigan: Okay.

Dave Bittner: He sent her a picture of a street in Scotland where the cars were parked on the wrong side of the street. And so Erica was suspicious of this.

Joe Carrigan: Right.

Dave Bittner: So after six weeks of back and forth, Bobby proposed, asked Erica to marry him. And so she confronted him and said, look, I know you're a scammer. Can we just be honest with each other? And Bobby said, yeah, okay, I'll tell you my story.

Joe Carrigan: Huh. Now, first off, this is interesting.

Dave Bittner: Yeah.

Joe Carrigan: I'm interested that Bobby did this. Bobby, not his real name.

Dave Bittner: Correct.

Joe Carrigan: But the fact that he just said, okay, I know the jig's up. Let's continue talking.

Dave Bittner: Yeah.

Joe Carrigan: Why? Why would he do that? Why don't we just move on to the next scam victim?

Dave Bittner: I don't know. I mean, you know, aren't we all just looking for a little human connection from time to time?

Joe Carrigan: Yeah. Now that the veil is down, I can be honest and have a frank conversation with somebody. Maybe he wants somebody on the other side of the world. These guys are people too, right?

Dave Bittner: Yeah. So Bobby revealed that he was actually from Nigeria and that he'd been driven to fraud by poverty and that he worked for a boss who took half of the money that he scammed.

Joe Carrigan: Okay.

Dave Bittner: And he is one of the Yahoo boys that we've talked about.

Joe Carrigan: Yes.

Dave Bittner: For the particular label that these scammers out of Nigeria get.

Joe Carrigan: Oh, they've given it to themselves, given it to themselves.

Dave Bittner: Yeah. Yeah. But when you join up, yeah, you become a Yahoo boy.

Joe Carrigan: Right.

Dave Bittner: So he described to her how they go about things using stolen images, which is what he used in this case. The photo of the alleged Bobby was actually stolen from a German Facebook page. Quite handsome gentleman, might I add.

Joe Carrigan: Did he wear a kilt?

Dave Bittner: No. Well, you couldn't see him from the waist down. Who knows? So maybe.

Joe Carrigan: Right.

Dave Bittner: And they were targeting emotional vulnerabilities to try to get money from people. He mentioned two scams in particular. One is called the method. And the method is one where they ask women for photos of Apple or iTunes gift cards, and then they trade the cards or they trade the codes on the cards on the black market in exchange for cash.

Joe Carrigan: Right.

Dave Bittner: Now, he says what he would sometimes do is that he would tell his victims that he needed gift cards to buy data for his phone and that he was having trouble accessing his bank account from another country, but desperately wanted to stay in touch. So using the pressure of, if you don't send me this gift card, I won't be able to communicate with you.

Joe Carrigan: That is a good line, actually.

Dave Bittner: Yeah. It's very established.

Joe Carrigan: Yeah. And it will impact the relationship if you don't do it, because I won't be able to talk to you, not by any choice of my own, says the scammer.

Dave Bittner: Here I am stuck on this oil rig in the middle of the North Atlantic.

Joe Carrigan: Yep.

Dave Bittner: And then the other scam was called billing. And in this scam, he would send a frantic text to the woman that he was courting, telling her that his young son living in the U.S. had to be rushed to an emergency room and that he needs to send the hospital a $3,000 deposit, but he can't access his bank account. And because it's such a big ask, he will text the woman a photo of his son in a hospital bed with doctors at his bedside, which, of course, is a fake.

Joe Carrigan: Which is also fake. Yeah.

Dave Bittner: Yeah. But he sends that proof and whatever he asks of her, she gives to me. That's what he said.

Joe Carrigan: Really?

Dave Bittner: Yeah. So he says that he's remorseful, but he justifies his actions by the need to support his family amid challenging economic conditions in Nigeria. And the story really, you know, highlights the psychological manipulation in these romance scams and sort of outlines some of their motivations.

Joe Carrigan: Yeah.

Dave Bittner: So interesting story.

Joe Carrigan: This guy is doing quite well for a Nigerian in terms of the amount of money he's raking in from these scams.

Dave Bittner: Yeah.

Joe Carrigan: Even if he's only keeping half of it, he's doing pretty well.

Dave Bittner: I would imagine so. Yeah.

Joe Carrigan: If he's making $3,000 a pop, I think the average annual income -- this data might be old and I might be misremembering -- but it's less than $3,000. So if he gets two of these a year, he's doing okay.

Dave Bittner: Yeah.

Joe Carrigan: And I'll bet he gets way more than two a year.

Dave Bittner: Yeah. Could be. Yeah. It's just a shame.

Joe Carrigan: Yeah. It is a shame.

Dave Bittner: All right. Well, that is my story. What do you got for us, Joe?

Joe Carrigan: Dave, my story comes from Brian Fung at CNN.

Dave Bittner: Okay.

Joe Carrigan: And the story is that the Federal Communications Commission, the FCC, today, as we're recording this -- it'll be a week after the recording drops. But it says it is immediately outlawing scam robocalls featuring fake or artificial intelligence generated voices. So the FCC -- this is a unanimous FCC panel vote. The FCC has three or five people on it. I can't remember.

Dave Bittner: Yeah, I think there are three members. It's either three or five. But I think it's three. But I'll say it's unusual for the FCC to be unanimous on things these days, as divided as things are.

Joe Carrigan: It tends to be pretty partisan.

Dave Bittner: Yeah.

Joe Carrigan: But this extends the robocall rules to cover unsolicited AI deepfake calls. Who solicits AI deepfake calls? Wouldn't you say that all AI deepfake calls would be unsolicited?

Dave Bittner: Yes, I would. Right. I would. Yes. Yes. I would say that is descriptive rather than differentiating, the word unsolicited.

Joe Carrigan: Correct. This new ruling extends the existing law by recognizing those voices as artificial under federal law.

Dave Bittner: Okay.

Joe Carrigan: And so there's a quote in here from Jessica Rosenworcel. And she says, quote, Bad actors are using AI generated voices and unsolicited robocalls to extort vulnerable family members, imitate celebrities and misinform voters. And we're putting these fraudsters behind these robocalls on notice. Now, the scam robocalls most recently that they're referencing here is these voices or these calls that came in New Hampshire.

Dave Bittner: Right.

Joe Carrigan: That were impersonating Joe Biden, encouraging people not to go to the polls for the state's primary.

Dave Bittner: Right. He said, save your vote.

Joe Carrigan: Right.

Dave Bittner: The robocall said, save your vote.

Joe Carrigan: Yeah. Robo Joe Biden said save your vote.

Dave Bittner: Save your vote for what, Joe?

Joe Carrigan: I don't know how effective this is to the average voter, and I don't know what impact this has in a primary election. Right? Here in the United States, we have our primary election to decide which candidates are going to be advanced by the parties that we have in this country. And there are numerous different ways that happens. It happens by voting. And if you have a large enough party like the two big ones, the Democratic and the Republican Party, then you get put on state sponsored ballots. Then there's the Green Party where you can go in and vote for it. You can't vote for the Libertarian Party. They actually decide who their nominee is going to be based on the amount of money they raise for the campaign. But any party that's large enough, that has enough constituents to actually say, we want to be on the primary ballot, they can do that.

Dave Bittner: Yeah.

Joe Carrigan: So by saying to voters, stay home and don't vote, you're only going to impact the people that were going to vote in that party's primary anyway. Right. Unless it's like an open primary. Is New Hampshire an open primary?

Dave Bittner: I don't know, Joe.

Joe Carrigan: I don't either. I'm wondering what the usefulness of this is. But in a general election, this could be very disruptive. Something like this could be very disruptive. Joe Biden or somebody impersonating Joe Biden calling your home and saying, don't bother coming to the polls, we've already won the election. Thanks for your support.

Dave Bittner: Right.

Joe Carrigan: That would be bad. I don't see how effective this is for a primary. But anyway.

Dave Bittner: Well, I mean, suppose you had a really tight primary between, you know, you have two candidates who are in a tight primary.

Joe Carrigan: That's true.

Dave Bittner: You get a bunch of robocalls that alleges to be from one of them saying, hey, don't bother voting today.

Joe Carrigan: Like Republican primaries right now, there is no incumbent candidate. So there's a bunch of candidates running for the Republican nomination.

Dave Bittner: Yeah. I mean, my sense is that this is the FCC just trying to nip this in the bud.

Joe Carrigan: Yeah. Trying to get out in front of this.

Dave Bittner: Yeah.

Joe Carrigan: So here's something that's interesting is authorities said this week that they had linked those calls, those ones impersonating Biden to a Texas man and two of his companies. And there is an ongoing investigation that could lead to civil and criminal penalties.

Dave Bittner: Yep.

Joe Carrigan: So this is already illegal.

Dave Bittner: Right.

Joe Carrigan: So here's my question about this ruling. Does this help? Does this do anything? Is this effective at all? Do you anticipate this having any impact on the frequency or the effectiveness of these robocalls?

Dave Bittner: Well, I think if you take this ruling, which the publicizing of this ruling combined with the potential prosecution of the parties that did this specific case, I think they're hoping that that'll keep more people from doing it.

Joe Carrigan: Yeah. I mean, I think the prosecution of people -- and maybe the publication will. But I think those two things will impact people who are clowning about these kinds of things. You know, can we do it? Do you think we can do it? The people that really have the malicious intent and particularly foreign actors are not going to be dissuaded by this. I don't think this is going to have any impact on any actor doing something like this.

Dave Bittner: Yeah. I mean, I don't know. I mean, I think part of what they're saying here is that if you do this, we will be able to find you.

Joe Carrigan: Yes.

Dave Bittner: So there's that.

Joe Carrigan: Well, I'm on board with this, obviously. I don't want fake robocalls going out to anybody. The fewer robocalls I get, the happier I am.

Dave Bittner: Right.

Joe Carrigan: Right. I mean, I certainly don't need AI generated robocalls. I had one the other day that was something and I asked a question and I got a response that was very similar to the first statement. And I'm like, I don't think you're a human and I hung up. So if this will stop that kind of call, I'm okay with that.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: The FCC does get to make these regulations on a regular basis. They do have that authority.

Dave Bittner: Right.

Joe Carrigan: Like we've said already, this was a unanimous vote, which is something rare in FCC voting history.

Dave Bittner: Yeah. The thing is, I mean, I don't think there's much ambiguity that this is a peril to the integrity of our elections.

Joe Carrigan: Right. Yeah.

Dave Bittner: So they're trying to get in front of this as quickly as possible. The other element of the -- and particularly as we are officially, you know, in the election year, we are underway. Please hold onto the bar.

Joe Carrigan: Of course. What is it you called it, silly season?

Dave Bittner: Yeah. But the other thing that I think this reflects is how these agencies like the FCC, and also we've seen the FTC going after some of the data aggregation companies in the past few weeks. So we've got the agencies who, given the inaction of Congress and the inability of Congress to take action on some of these things, the agencies are saying, okay, something needs to be done. We're going to do it. We're going to take the authority that we believe has been granted to us and we're going to take action here.

Joe Carrigan: Right.

Dave Bittner: And so I think that's what we're seeing here. And yeah, I think it's a good thing.

Joe Carrigan: I would agree in this case and probably in the case -- I haven't looked into the FTC taking apart these data broker companies or going after these data broker companies, but these data broker companies are not good for anybody.

Dave Bittner: Yeah. The FTC is coming at them saying that their casual approach to sharing certain types of data could lead to real harm to people.

Joe Carrigan: Yeah.

Dave Bittner: And so because of that, they have the authority to go in and take action.

Joe Carrigan: Yeah.

Dave Bittner: I think that's realistic.

Joe Carrigan: Good.

Dave Bittner: All right. Well, we will have a link to that story in the show notes. Joe, it is time to move on to our Catch of the Day. [ Music ]

Joe Carrigan: Dave, our catch of the day comes from Chuck who writes, Dave and Joe, this was a particularly poignant example of a phish that will probably become much more prevalent with the upcoming tax season. It's that time of year, Dave, it's tax season. So we're going to start seeing tax fraud emails, and Chuck has sent this one along.

Dave Bittner: Okay.

Joe Carrigan: It looks really official.

Dave Bittner: It does. It's got the IRS logo at the top. It says it's from Internal Revenue Services.

Joe Carrigan: Red flag number one. It goes like this, as our record, we need to confirm your billing addresses informations to complete your 5,029 -- no, 5,029,000 -- I guess these are European numbers, Joe.

Dave Bittner: Right.

Joe Carrigan: $5,029 tax. It's either using a comma instead of a period in between the zeros, which is decidedly European and not American. But they're not doing it consistently.

Dave Bittner: Red flag number two.

Joe Carrigan: Right. Yeah. It's like the comma between the thousand periods and then where there should be a decimal point for cents, there's a comma.

Dave Bittner: All right.

Joe Carrigan: So very confusing. $5,029 tax refund for 2024 fiscal. Please sign to your account online to check your tax refund status. More details about the change we made to your tax return. We changed the amount claimed as recovery rebate credit on your tax return. The error was in one or more of the following. The Social Security number of one or more individuals claimed as a qualifying dependent was missing or incomplete. The last name of one or more individuals claimed as the qualifying dependent does not match our records. One or more individuals claimed as a qualifying dependent exceeds the age limit. That's it.

Dave Bittner: That's it.

Joe Carrigan: That's the end of it. Down at the bottom of the email, there's some very official looking verbiage that looks like it may have been taken directly from an IRS piece of stationery.

Dave Bittner: Okay.

Joe Carrigan: I don't know, but there is a big blue link right here in the middle that says sign into your account.

Dave Bittner: Ah, there it is.

Joe Carrigan: Yeah. That's what the goal is here to get access to your IRS account, maybe. I don't know.

Dave Bittner: Yeah. Steal your refund.

Joe Carrigan: Steal your refund or file a refund on your behalf or file a tax return on your behalf.

Dave Bittner: Right. With a big fat refund.

Joe Carrigan: With a big fat refund. Right. And then they get it.

Dave Bittner: Right. Right. Yeah. Interesting.

Joe Carrigan: A couple of things stand out aside from the obvious bad grammar. The IRS does not refer to a year as a fiscal year. They refer to them as tax years. Yeah. I mean, this just screams not from the IRS.

Dave Bittner: Right. Right. But the IRS is one of those organizations that catches people's attention, demands people's attention.

Joe Carrigan: Whenever I hear the terms IRS from somebody else, they get my full and undivided attention.

Dave Bittner: That's right.

Joe Carrigan: Hey, the IRS what? Doesn't matter what the next sentence is, I'm listening to it.

Dave Bittner: Yeah.

Joe Carrigan: These guys -- you know, like I said, I grew up in an accounting household and I have a healthy respect for the force these guys wield.

Dave Bittner: That's right. That's right. All right. Well, thank you, Chuck, for sending that in. We do appreciate it. And again, we would love to hear from you. Our email address is hackinghumans@n2k.com. [ Music ] Joe, I recently had the pleasure of speaking with Aaron Walton. He is a threat intel analyst with an organization called Expel and they recently put out an annual threat report. Here's my conversation with Aaron Walton.

Aaron Walton: We started doing this report within the last three years. We have a pretty wide customer base, and in doing so we get to see a lot of what's going on within a large number of industries. So we chose to start collecting this data and start getting a broad look at things. One of the things we also want to do continually at Expel is talk about ways customers can improve their environment. That's been one of our goals as well. So we'll talk about what we're seeing and also what resilience can be put in place to improve these situations.

Dave Bittner: Well, let's dig into the report here. What are some of the highlights or the things that stood out to you?

Aaron Walton: We talk about a number of different areas because we end up supporting endpoint cloud infrastructure. We do a lot in the identity space and we also have a phishing service. So some of the things that stood out to me, I think one of my favorite stories comes in when we talk about identity. This is because we had a few incidents involving a very prolific actor known as the Comm. This is a group of individuals. It also includes some other named threat actors such as Scattered Spider. And they have been in the news quite a bit recently. But within some of the customer environments that we watch over, some of these attacks were mitigated. And part of that was because these environments had these stronger authentication controls in their environment. And one of the reasons I like this is because we don't talk enough about the successes with when attacks like these end up getting thwarted. I think we can often talk about some of these controls such as just requiring managed devices or 2FA or MFA, but we don't talk enough about the successes that those can bring.

Dave Bittner: Well, let's talk about that then. When you look at what would be I guess a typical deployment of this sort of identity technology versus what you would describe as being a best practice, what's the contrast between those two?

Aaron Walton: One of the enhanced situations is ensuring that you're using multi-factor wherever you're able to. It's fairly easy to implement technology, but then you have to always go an extra step to ensure that you have multi-factor involved. These technically will work within the environment if you don't have it, but there's always that needed extra step. Similarly with one of these other stronger controls where you're requiring authentication from known network areas or you're requiring authentication from managed devices, again people logging in remotely, it works if you don't have the configuration set up. So it takes that extra step, but they can really make a large difference.

Dave Bittner: Can we talk about social engineering? I know that's something that you and your colleagues took a look at in this report. What are some of the trends you're tracking with that?

Aaron Walton: One of the trends that we talked about within the report was a campaign that's been targeting the hospitality industry quite heavily. And this is a campaign where the threat actor is sending emails that are imitating a customer and they're asking a question or they're asking for help. Within the email, they've provided a link that is attached to that. It will download an information-stealing malware. This is something that we've been seeing going on for about the past year and it seems to be pretty steady and keeps going on.

Dave Bittner: And what are mitigations for something like this? What do you recommend for folks to protect themselves?

Aaron Walton: It's tough in some ways, because when we're talking about social engineering and we're talking about this situation, the targeted individuals are usually those customer service representatives that are on the front end whose job is to really help individuals. So some of my recommendations are to make sure you have strong software controls. They shouldn't be able to download that, and that needs to be blocked. Sometimes you can do that through whitelisting what applications a user should run. This also makes sense in situations where this user might not have a lot of uses for the computer. In those situations, you can also consider, hey, do they need a full Windows computer? Are there other opportunities such as a Chromebook where Windows malware won't run? Unfortunately, I think it's an area where we have to be a bit creative, where we're thinking about what ways can we limit the attack surface for this particularly targeted set of users.

Dave Bittner: One of the things that caught my eye in the report was this notion that credentials are currency. Can you explain that to us? What do you mean by that?

Aaron Walton: In regards to cloud infrastructure incidents, the main thing that we saw was a secret compromise or credential compromise in that regard. Secret compromise being the tokens that you're using when you're communicating with cloud instances in order to make changes, often used with API so that the API is able to take actions on behalf of the organization or behalf of a web application.

Dave Bittner: One of the other things that I noticed was you all pointed out that we're seeing some of the same malware families year after year, that these folks keep coming back for more.

Aaron Walton: Yeah, that's something that's very unfortunate. That's something I had wanted to call out particularly because there's a number of threat actors that we've seen for years and haven't really been able to do anything about. Part of this is because they are typically on the early end of an infection, where typically whoever's delivering ransomware is getting a lot more attention and is getting the attention rather of the government and for those that are able to carry out law enforcement.

Dave Bittner: And what industries are you seeing that are being particularly targeted here? Do any particular verticals stand out as having a target on their back?

Aaron Walton: These threat actors that we're talking about that we see continually particularly don't seem to have a particular industry in mind. A lot of these threat actors that we see all the time are ones that are selling initial access to other threat actors so that if they want to steal data or if they want to use ransomware, they're able to do that. There's one threat actor that we've seen continually that's known as GootLoader. The lures that they use and the social engineering that they use is for documents that contain legal agreements or something of that sort. They use a technique called search engine optimization poisoning or SEO poisoning. This is when you take a lot of keywords and you stuff it into something. As a result, with Google searches, when you're looking for something like a legal agreement, you might find a web page that is infected that is being used by this threat actor, GootLoader. The attacker has actually been using the same landing page for five or six years now. When you click the link, what it ends up showing you is a forum post where it shows a newbie that's asking, hey, I want to find this legal agreement. And the name of it happens to be the same thing that you searched for. And the administrator of the forum says, oh, hey, here is the legal agreement you're looking for. And if you click that, what you end up downloading is a zipped JavaScript file that when executed sets up persistence and provides initial access to that host.

Dave Bittner: What are the take-homes here? In terms of the information that you all have gathered here, what are your recommendations for folks to better protect themselves in this day and age?

Aaron Walton: I think one of our top recommendations is defense in depth. Because within each of these attack techniques, there's always multiple points where you're able to detect something. And you want to make sure that you have those detections and the security tools in place so that you can detect that activity. It also becomes important to test and make sure that those are working accurately, making sure that the logging is available, making sure that you understand what the activity might look like when it does alert. [ Music ]

Dave Bittner: Joe, what do you think?

Joe Carrigan: Dave, all too often, we in this business talk about security failures, but we don't really get to talk about the successes. And this is kind of a problem in the industry.

Dave Bittner: Yeah.

Joe Carrigan: I was reading something the other day, I think it was on LinkedIn. I don't know what drove me -- I was going in to do my weekly LinkedIn check and I actually looked around and somebody was saying, how do we justify our budget to management or to the senior leadership if we're doing a good job? It's really hard to do that.

Dave Bittner: Oh yeah, absolutely.

Joe Carrigan: Because you're saying nothing happened. That's great.

Dave Bittner: Look, congratulations board, we spent all this money and nothing happened.

Joe Carrigan: Right.

Dave Bittner: But there's always money to clean out the mess.

Joe Carrigan: Right, yeah, exactly. There's always money to clean up the mess.

Dave Bittner: Right.

Joe Carrigan: And I don't know, I think that money spent on prevention is well worth the effort.

Dave Bittner: Yeah. It's harder to quantify that.

Joe Carrigan: Well, it's almost impossible to quantify no impact. Right?

Dave Bittner: Right.

Joe Carrigan: I mean, that's the situation. It's impossible to quantify it.

Dave Bittner: Yeah.

Joe Carrigan: Or maybe it's just that it's too easy to quantify it and the quantity is zero. It could be one of the -- I don't know. I get wrapped around the axle on this one a lot on how to voice it. But the problem still is plain to everybody that has to be part of this.

Dave Bittner: Yeah.

Joe Carrigan: Also, if your risk model allows restricting logins, like Aaron is talking about, from known areas or from managed devices, you should do that.

Dave Bittner: Yeah.

Joe Carrigan: Right?

Dave Bittner: Yeah.

Joe Carrigan: Or if your risk model requires it, I would say do it. It's interesting that there is a current campaign, he talked about an email campaign, targeting people in the hospitality industry that is just a link to malware.

Dave Bittner: Yeah.

Joe Carrigan: I thought that was -- I'm like, that stuff still -- I mean, I'm not surprised that it still goes on. That doesn't catch me off guard. But we still have to cover the basics in this industry, especially with the people. We always get new people coming into all these different organizations. They all have to be trained. They all have to be able to recognize these things. I think that surface area is an interesting -- Aaron has an interesting way of looking at attack surface. Right? First thing he says is, if you can do application whitelisting, do that. That's very helpful. That would prevent any of these malware attacks from emails from running because, hey, this software isn't whitelisted, no, you're not running it.

Dave Bittner: Right.

Joe Carrigan: But he also brings up an excellent point. Can a Chromebook work for someone like a customer service agent? If their entire software suite is web hosted, then absolutely a Chromebook will work for that.

Dave Bittner: Yeah.

Joe Carrigan: You can get them nice Chromebooks, right? You don't give them the little crappy $200 ones, because they'll be miserable.

Dave Bittner: Right.

Joe Carrigan: But the security ramifications of that are real.

Dave Bittner: Yeah.

Joe Carrigan: Speaking of cloud services, I mean, that's software as a service. The other services you have are cloud services. But if you lose your tokens to an information stealer that you use to access the cloud via their APIs, that's the ballgame. That's really bad.

Dave Bittner: Yeah.

Joe Carrigan: So yeah, those need to be protected. I don't do a lot of cloud work, but I understand those things are -- sometimes people just put them in hard-coded files and that's where they stay.

Dave Bittner: Right.

Joe Carrigan: And I've seen that before even the cloud infrastructure was going on. Doing code reviews, you'd see passwords for accessing services just in the code.

Dave Bittner: Right. Right.

Joe Carrigan: Yeah. So if somebody ever decompiled that, they'd know exactly how to log in or just ran strings on it, really. You don't even need to decompile it. The threat actors that Expel is monitoring are targeting just about everyone. They're going across the industry. And some of them are using this search engine optimization poisoning that is -- first off, it irritates me that SEO is a thing, but it is. They're reverse engineering the algorithms that these search engines use, and they're pretty good at it. And then there's a follow-on or the specialized attack, not follow-on, specialized attack that goes after people looking for legal documents and just leads them to malware.

Dave Bittner: Right.

Joe Carrigan: That's an interesting niche. I wonder why they're doing that. Maybe because people that are looking for these kinds of legal documents are people that are known to have a certain amount of money.

Dave Bittner: Yeah.

Joe Carrigan: So maybe that's what the goal is. Defending yourself from any of these attacks, always defense in depth is a great, great tactic. Have multiple points of failure along the way. We talk about the cyber kill chain frequently.

Dave Bittner: Yeah.

Joe Carrigan: It's a long chain, so there are lots of opportunities along it to stop these things. So defense in depth can help you with that. Again, we hear multi-factor authentication. And a great suggestion from Aaron, test the system and make sure everything works. Do some penetration tests and see if it raises red flags. See if those kinds of things happen.

Dave Bittner: All right, well, our thanks to Aaron Walton for joining us. Again, he is from Expel, and we do appreciate him taking the time. [ Music ] That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliott Pelzman. Our executive producers are Jennifer Eiben and Brandon Karp. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening. [ Music ]