Hacking Humans 4.4.24
Ep 284 | 4.4.24

Cyber crime chronicles featuring scams, spies, and cartel schemes.


Dave Bittner: Hello, everyone and welcome to N2K CyberWire's Hacking Humans podcast, where each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.

Joe Carrigan: Hi, Dave. >> We got some good stories to share this week and are joined once again by our N2K colleague and host of the T-minus Daily Space podcast, Maria Varmazis. Maria.

Maria Varmazis: Hi [laughs]. How is everybody doing? >> Good. It is delightful to have you back. Thank you.

Dave Bittner: We will be right back after this message from our show sponsor. [ Music ] All right. We are back. And before we jump into our stories here, we have some quick follow-up from a kind listener who wrote in. This is a listener named Leo who wrote in and said, "Just finished listening to Episode 282." This is where we were talking about recruiters and how do you know if someone is a real recruiter or not. And Leo said, "My thought, ignore everything the recruiter gives you in terms of contact information. Call the company they claim to represent. Ask to talk to the recruiter. No such recruiter? Scam. If the recruiter exists, but has no idea what you're talking about? Scam. If they exist and can confirm they've reached out to you, full speed ahead." And Leo says, "Maybe ask them to confirm their direct number." He says, "I still like the idea of always calling the company directly for any or all contact." So yeah, I think Leo has got some solid advice here. Everybody agree?

Maria Varmazis: Yeah. Good logic tree there. I liked it. Scam, not scam. I mean, it's good [laughs].

Dave Bittner: Right. Right. It's -- I can imagine the flow chart.

Maria Varmazis: Yeah. Yeah, it makes a lot of sense. I think it's a good practice to keep in mind. And it is more work for people who are looking for jobs, but it's worth, you know, protecting yourself, especially if you're in a sort of vulnerable state.

Dave Bittner: Yeah, absolutely. All right. Well, let's move on to our stories here. I'm going to kick things off for us here. So, let me ask the two of you a question. Let's say you are a big-time Mexican drug cartel.

Joe Carrigan: All right. Right. I like this question.

Maria Varmazis: [laughs] I'm in.

Dave Bittner: Just -- mention yourself. Things are going great. You know, like you're intimidating the local towns. You are shipping the things across the border that you're doing. You're --

Joe Carrigan: I'm selling so much cocaine.

Dave Bittner: Yes. You have a -- and you are a cartel that has a history of being involved in drug trafficking.

Joe Carrigan: Right.

Dave Bittner: But, you know, businesses die if they don't grow. Right?

Joe Carrigan: That's right.

Dave Bittner: So you -- it's time to diversify.

Joe Carrigan: Okay.

Dave Bittner: Well, this story is about the criminal cartel from Mexico called the Jalisco New Generation who have decided to diversify to not only have drug trafficking, but they're going to be defrauding seniors through timeshare scams.

Joe Carrigan: Okay.

Maria Varmazis: Oh, it's like they're going legit. It's less bad or something [laughter]. Less bad than murdering people. I don't know.

Joe Carrigan: Can I correct you on pronunciation?

Dave Bittner: Sure.

Joe Carrigan: Jalisco.

Dave Bittner: Jalisco. Thank you. Thank you very much.

Joe Carrigan: It's a state in Mexico.

Dave Bittner: Muy bien.

Joe Carrigan: Yes. [laughs] All right.

Dave Bittner: So that, now that Joe has corrected me, please don't write in. So Jalisco, I should have known that. Thank you. Yeah, no, that you're right. Absolutely. All right. I appreciate the correction.

Joe Carrigan: It's also the name of one of my favorite Mexican restaurants, Tex-Mex restaurants in Texas, Agave Jalisco.

Dave Bittner: Ah, okay.

Joe Carrigan: Good food.

Dave Bittner: Very good. So I know there are probably people who are listening to us who are saying that -- who are thinking that timeshare scam is redundant.

Joe Carrigan: Right. First thought into my head, by the way.

Dave Bittner: Yes. So -- but what these folks are doing are actually going after folks who already have timeshares. And there are a lot of people out there who have timeshares. There are a lot of people out there who have timeshares and enjoy their timeshares. So what happens here is the cartel members, they pose as sales representatives. And they call people who have timeshares and they offer to buy those timeshares for high amounts of money. And now -- and timeshares are notoriously difficult to get rid of.

Joe Carrigan: Yes.

Maria Varmazis: Yes.

Joe Carrigan: In fact, there are legal companies here in the US who have a business model that is helping you get out of a timeshare.

Dave Bittner: Yes. And it seems like that's who these folks are trying to emulate. That's who they're pretending to be. And I think the fact that there's awareness that that sort of company exists probably plays to their favor here.

Joe Carrigan: Yes.

Dave Bittner: So they will call someone up, offer a high sum of money, and then demand upfront fees for services to help get you out of your timeshare. But of course, they're never actually going to buy your timeshare. The whole thing is a scam.

Joe Carrigan: Just an advanced fee scam.

Dave Bittner: It's an advanced fee scam. Yeah.

Maria Varmazis: Yeah.

Dave Bittner: And these folks have set up call centers in Mexico, and they're primarily targeting American and Canadian timeshare owners.

Joe Carrigan: Now are they targeting people who have timeshares in Mexico?

Dave Bittner: It seems like they're targeting Americans and Canadians who have timeshares. And I don't know -- I'm not a hundred percent sure if they're deliberately excluding their countrymen and women in Mexico.

Joe Carrigan: Well, what I'm asking is, is the timeshare physically located in Mexico? Are they --

Dave Bittner: Oh, some of them are, yeah.

Joe Carrigan: Okay. So like if I have a timeshare like in Ocean City, Maryland, are they still going to target me? Is that a risk?

Dave Bittner: I think yes. I think they might. I think they'll go after anybody who they can verify has a timeshare.

Joe Carrigan: I see.

Dave Bittner: And I suspect that that is not a difficult list to buy. Right?

Joe Carrigan: Yeah.

Dave Bittner: So they've set up some call centers here. An interesting note is that, reportedly they are bribing some of the employees at the resorts to get the information about the guests.

Maria Varmazis: Ah, there you go. Yeah. Okay.

Joe Carrigan: That's, yeah. So they don't -- they don't even have -- well, I guess they do buy it just not legally.

Dave Bittner: Yeah. And of course, you know, most of these folks that they're going after are older folks. A lot of retirees have timeshares. And a lot of them are trying to get rid of these timeshares because they want to -- rather than passing on the timeshare, they want to liquidate the timeshare and pass on the assets to their families. And like we said, it could be hard to sell a timeshare. And you often don't get out what you put into it which is, you know, nature of the beast, I guess.

Maria Varmazis: Often --

Dave Bittner: What's that, Maria?

Maria Varmazis: I was going to say often don't get out what you put. I thought the -- I don't know much about them aside from they're supposed to be giant scams. Right? So --

Joe Carrigan: Right.

Dave Bittner: Yeah.

Maria Varmazis: Did anyone ever end up on top except for the people who sell those timeshares [laughs]?

Joe Carrigan: I don't know. Well, I've always been afraid to even consider a timeshare as an option. Just because there are lawyers out there, lawyer companies out there whose job -- who sell the service to get you out of them. I don't want to get into something that I'm going to need a lawyer to get out of.

Maria Varmazis: Yeah.

Dave Bittner: [laughs] I think what it comes down to is that -- this is my hot take on this, is that --

Maria Varmazis: Hot takes [laughs].

Dave Bittner: Yeah. A timeshare is not an investment in terms of you're buying property that you're then going to sell at any point and make a profit on. I think a timeshare is an alternative to money that you would be spending on a vacation or travel or whatever. So the value is that you can have pretty well-known cash flow. You're going to know what the timeshare costs. You're going to know what you're going to pay every year. And if you balance that against -- let's use Disney World as an example. Right. If you go to Disney World every x number of years, you could buy a timeshare down in Orlando. And you can run the numbers and see, well, is this timeshare going to cost me less than what I pay for, you know, our family vacation that we take every year, every other year? So, you know, you can run the numbers and see if it makes sense. I think the problem is that a lot of the timeshare industry is full of folks who are not honest, who are not upfront and end up giving people bad deals. So -- but I don't know -- it could -- I guess it's a high enough percentage of folks are that way that they've earned this bad reputation. But I honestly don't know if that's universal.

Joe Carrigan: Yeah. I have no idea. Yeah.

Maria Varmazis: I was going to say, I also don't know how much money we're talking about, like how much of timeshare usually costs, or I have no clue.

Dave Bittner: Yeah. Well, this story talks about how one retired couple was defrauded of nearly $900,000 --

Maria Varmazis: Oh my gosh.

Dave Bittner: -- by the cartel through a series of escalating fees and non-existent fines and also investment opportunities. So it sounds to me like the cartel found they had a hot one on the line.

Joe Carrigan: Yeah and just drained them.

Dave Bittner: Drained them. Right. And it wasn't just the timeshare that they got them on the hook for other investment opportunities and away they went. And cartels being cartels, this story talks about one cartel-owned call center. There were some folks who were found murdered.

Maria Varmazis: Oh, geez.

Dave Bittner: So there's -- it's just not -- it was certainly not a victimless crime.

Joe Carrigan: No.

Maria Varmazis: No.

Dave Bittner: And these cartels are brutal. And of course, it's hard for law enforcement to go after these folks because they're not in our country. And --

Joe Carrigan: And they essentially have armies around them. You know, they're -- these cartels are well armed.

Dave Bittner: Yeah. So I guess the bottom line is here just to, you know, make sure that you and your loved ones are aware of this and extra cautious if you do have a timeshare or someone calls you looking to help you get out of your timeshare that there's a chance that it may be one of these criminal organizations who are trying to take advantage of you. I'd say this was a new one to me. Like, if you'd asked me list 10 things that a Mexican cartel is going to pivot to business-wise, I wouldn't have said timeshare scams. But it just goes to show you they'll chase the money wherever it is.

Maria Varmazis: Yeah. Yeah. Wow. Geez.

Dave Bittner: All right. That's what I have this week. Joe, you want to tell us your story next?

Joe Carrigan: Yeah. I got -- I have a connection on LinkedIn named Keith, who posted a link to a TechCrunch article. And we'll put a link in the show notes, of course. But in 2013, Facebook acquired a company called Onavo. Onavo. O-N-A-V-O.

Maria Varmazis: Onavo?

Dave Bittner: Yeah. Onavo. Yeah.

Joe Carrigan: Which is designed or described rather as a VPN-like service. Now, I don't know what that means. VPN-like.

Dave Bittner: Is that like kosher style, right? [laughter].

Joe Carrigan: Yeah.

Maria Varmazis: The Diet could be hands.

Joe Carrigan: Kosher style and cheese. Right.

Maria Varmazis: Yeah.

Dave Bittner: It's not actually secure. It just kind of feels that way.

Joe Carrigan: Right. They -- in 2019, Facebook shut this site down when TechCrunch reported that they have been secretly paying teens to use the service.

Dave Bittner: Yeah, I remember that.

Joe Carrigan: So -- in mid-March, a federal court released some new documents that are part of a class action lawsuit between some customers and Meta now. And it seems like Meta was very concerned about the competition they were receiving from Snap, who were the owners of Snapchat. Dave, are you a Snapchat user?

Dave Bittner: Nope.

Joe Carrigan: Nope. Me neither. Actually I have an account. I don't have the app on my phone. Maria, Snapchat?

Maria Varmazis: Used to a very long time ago, but not anymore.

Joe Carrigan: Okay. Good.

Maria Varmazis: Yeah. When it was first -- when it was new, and I was a social media manager, it was my job to figure out how to do this kind of thing. And --

Joe Carrigan: Oh, right.

Maria Varmazis: And I used it. And I just -- not from, it's been a very long time.

Joe Carrigan: As a social media manager, it's -- I'll tell you. I have never felt like such an old man as when I was at Grace Hopper and a young lady from Snap came over and was showing me how to use Snapchat. And I'm like, "But there's no buttons on it." She said, "You don't need buttons. You just swipe to do different things." And I'm like, "I don't like this very much."

Maria Varmazis: Tactile feedback. Yeah.

Joe Carrigan: Right. Yeah. So Facebook very concerned about the competition they were getting from Snap. So they started a project and they gave it a really cool name, Project Ghostbusters. Now the ghost is the logo for Snap, right?

Maria Varmazis: Yes.

Joe Carrigan: For Snapchat. So there was an email that was dated June 9th, 2016 that was part of this document set this court released. And in that the Zuck wrote, and I'm going to quote from the email that's from the article from TechCrunch. "Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted, we have no analytics about them. Given how quickly they're growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels to write custom software. You should figure out how to do this." I'm sorry. "Panels or custom software. You should figure out how to do this." So in another email that came out a month later, July of 2016, the Onavo team -- Onavo. I just can't look at that word and say it for some reason. They proposed a solution. They said kits that can be installed on iOS and Android that will intercept traffic and for specific subdomains. And they said -- and this is another quote, "This will allow us to read what would otherwise be encrypted traffic so we can measure in-app usage. This is a man-in-the-middle approach."

Dave Bittner: Yes, it is.

Joe Carrigan: Okay. A later email said, we now have the capability to measure detailed in-app activity and then from parsing Snapchat analytics collected from incentivized participants in a Onavo's research program. Okay. So this is what's happening. Facebook is paying people mostly they're targeting teens and anybody under the age of 35 to use this Onavo product. Right. Then they are using this Onavo product to intercept their traffic that's going to Snap.

Maria Varmazis: Yeah. Okay. All right.

Joe Carrigan: So they can get the analytics. Later on the project was expanded to include traffic that was going to Amazon and to YouTube, which is Google's product.

Dave Bittner: Right.

Maria Varmazis: Yeah. Yeah.

Joe Carrigan: Now, there's a man here, Pedro -- I'm going to mess up his last name. Canahuati, who is then head of Security Engineering. And he expressed a little bit of concern. He's now actually with 1Password. But there's a quote in an email from him that said, "I can't think of a good argument why any of this is okay. No security person is ever comfortable with this. No matter what consent we get from the general public, the general public just doesn't know how this works."

Maria Varmazis: Yeah. Good for him for saying that. Yeah.

Joe Carrigan: Yeah. And he is not with Meta anymore. I don't know if -- I don't know why he's not with Meta, but he -- this was in 2016. And I looked at his LinkedIn post. He left pretty far after that. I don't know exactly when, but it wasn't like this. It wasn't like, "I'm -- that's it, I'm out." So you know, I've seen some questions on, you know, question. How are they doing this? Like at the bottom of the article, in the comments and in other LinkedIn posts, one person has asserted that they are -- actually, two people have asserted that Meta is installing their own root certificates, which I think is probably the correct answer. Because if they can install their own root certificates, then all the traffic will be trusted by the device. So whenever you see somebody asking you to install a root certificate, there is almost never a good reason to do that. The one exception to this is that some DOD sites require that you install DOD-signed self-signed root certificates. Because the DOD has a concern about that being -- those certificates -- the certificate chain that's outside of their custody being corrupted. So that might be a good use case for this. But other than that, I can't think of another reason to do that.

Dave Bittner: Oh, wasn't this on mobile devices?

Joe Carrigan: It was on mobile devices. So those mobile devices still have certificate stores on them and trusted root certificates. So if -- and I know I'm getting down to the cryptographic weeds here. But these certificates are trusted throughout the internet. And there are certain people who issue these trusted root certificates. And then they use those to sign other certificates. And it's all signed all the way back down to -- or it's all signatures all the way down to the website and then back up. And you can verify the entire chain mathematically. But if I just put a new root certificate in there, I can verify anything mathematically from that root certificate.

Dave Bittner: And the goal is?

Joe Carrigan: And the goal is now when your device starts sending traffic to the VPN software, and I present to you my root certificate, your device goes, okay, I trust this root certificate. Here's all the information that you need to encrypt or that it needs to be -- that -- so in other words, the app Snapchat at app might be thinking that it's talking to Snapchat. But it's actually talking to another trusted root certificate.

Maria Varmazis: Okay.

Dave Bittner: So the bottom line here is that Meta was able to snoop on Snapchat traffic.

Joe Carrigan: Correct.

Dave Bittner: -- that was -- Snapchat was saying is was telling its customers and its users that this stuff is all end-to-end encrypted.

Joe Carrigan: Correct. And well, it's probably encrypted with TLS, right? Which is every webpage is now encrypted with TLS. But you know, those firewalls that inspect packets, encrypted packets, encrypted traffic?

Dave Bittner: Right.

Joe Carrigan: They do the same thing. They have their own certificate that has to be installed on the endpoint. And then, the endpoint trusts that device. And then it looks inside the packet, the unencrypted packet. It's essentially impersonating the main website.

Dave Bittner: Okay.

Joe Carrigan: So that's all it's doing. This app could be impersonating the website. Now there's another option where there's -- it's -- I'm really getting technical. I don't want to do this. But I could -- they could be looking at the traffic before it gets encrypted if they insert themselves into the code with a properly -- with something called a network extension.

Dave Bittner: Yeah. Well, okay. So all --

Joe Carrigan: They're -- the end result is they're looking at traffic that should be encrypted and they're -- yeah. They're essentially intercepting traffic and decrypting traffic that way.

Maria Varmazis: Okay. Yeah. Joe, my question is, for the end user, you had mentioned about the whole thing about root certificates. How would an end user know any of that? I mean, especially you're talking about on a mobile phone. Is this one of those they were supposed to read the finest of fine print and see that buried in their situation?

Joe Carrigan: I would bet. But I would guess that the operating system probably says you have -- this is us asking to install a root certificate. Do you accept it? And I will -- I'm willing to bet I've not seen this, but I'm willing to bet that there's a setup procedure that says yes and accept the root certificate. So yeah.

Dave Bittner: I could also imagine that if they -- especially if they were paying people to use this, that they're going to have a specific walkthrough. Or they're going to say, "So next, the OS will pop up a screen that says, do you accept the root certificate?"

Maria Varmazis: Yeah. This is expected. Just hit yes. Yeah.

Dave Bittner: Click yes to get your $15. You know?

Joe Carrigan: Exactly.

Maria Varmazis: Yeah. Yeah. Yeah.

Joe Carrigan: So yeah, this is, you know, I don't know. Do think that

Dave Bittner: It's despicable Joe.

Joe Carrigan: Yeah. Of course.

Maria Varmazis: Yeah. It's a huge breach of trust. Yeah, of course.

Dave Bittner: Yeah. It's despicable. And, you know, I -- look time after time, Facebook demonstrates that they are a company that does not deserve anyone's trust.

Joe Carrigan: No, absolutely not. I mean, that's my first question on this is why would anybody trust a VPN product from Facebook ever?

Dave Bittner: Well, yeah. First -- yeah. I doubt it was presented to them as being that.

Joe Carrigan: No, they said, "Here's 20 bucks a month, use this product."

Maria Varmazis: Yeah. And who are the people? And this is probably teenagers using this. You probably needed the money. Right. So they don't care. They're like, "Sure. Facebook can snoop on me all it wants. I don't care. I don't use it anyway and give the -- yeah." They're I can just hear that.

Joe Carrigan: And they're collecting -- they're collecting information about Snap's traffic. And my question is, is the next step lawsuits from Amazon, Snap and Google? Because if I was working at Amazon, Snap or Google in their legal department, I'd be like, "They did what? They specifically targeted our traffic to learn how we -- first of all, that sounds anti-competitive." Right?

Dave Bittner: Well, at what point are you violating the Computer Fraud and Abuse Act?

Joe Carrigan: Yeah. Good question.

Dave Bittner: I mean, I guess they're not infiltrating someone else's computer. Like you know

Joe Carrigan: Right. The end point is users --

Dave Bittner: In an unauthorized way. Yeah.

Joe Carrigan: And they could --

Maria Varmazis: And they're going to say they had consent. Right?

Joe Carrigan: They had consent.

Dave Bittner: Right. They had consent to look at the traffic. Yeah. Yeah. It's the EULA. It's the EULA.

Joe Carrigan: But are they violating the EULA for Snap by being essentially a customer on the other end being the man in the middle? Because they have to maintain both ends of that communication channel.

Dave Bittner: That's an interesting point because, it would not surprise me if Snap, for example, had something in their EULA that prohibits users from doing an end around like this. That -- to me, that would seem like pretty, pretty straightforward boiler plate that would be in there.

Joe Carrigan: Yeah. I would bet it is.

Maria Varmazis: It's interesting.

Dave Bittner: I don't know. Yeah. I mean, like, I could imagine someone spinning up a class action suit about this sort of thing.

Joe Carrigan: This is already the result of a class action suit.

Dave Bittner: Oh, I see. Okay.

Joe Carrigan: So that's what this came out from two people who are suing Meta for violating their privacy. I think -- I'm going to predict that this is going to result in another lawsuit from either Snap, Google or Amazon. Because -- or perhaps somebody asking for the FTC to investigate for anti-competitive behavior because they're deliberately trying to get analytics on Snap another social media platform that's a direct competitor with them. And they're break -- I don't know. I'm sure they could argue that they're not breaking user trust by doing it. But they're this all seems really, really underhanded.

Dave Bittner: But that's kind of Meta's thing.

Joe Carrigan: It is. Yeah.

Dave Bittner: Like, I mean, you know, again, let's not forget the origin story of Facebook is a hot or not database of was it Harvard grads? Harvard students.

Maria Varmazis: Harvard grads that went to the Ivies, and then yeah. I remember it well.

Dave Bittner: So I mean, that's the foundational premise of what all this is about, where it started. I remember when I first signed up for Facebook, and it was a much, much more innocent time. And I remember being presented with the thing from Facebook that said, "Hey, if you upload your address book, that will help us connect you with your friends. And we can have pictures on their profiles, and we can do all this kind of stuff. And it'll be -- it'll really be great." And I remember thinking to myself, well, that sounds great. That will be helpful. Not in a million years did I imagine, again, simpler time, that they would do all of the stuff they've done with this information. And that's what they're taking advantage of from day one. That's what they've taken advantage of people's innocence and their ignorance. And it seems like a foundational principle of the company.

Joe Carrigan: Yeah. Makes me sick. Like I said, I would close my Facebook app tomorrow or my Facebook account tomorrow and asked them to delete all my information if it wasn't the only way I could communicate with so much of my family.

Maria Varmazis: Yeah. Same here. That is the exact same problem that I have. Family and school stuff for my kid, where that's the only place this stuff is ever posted is on Facebook. I can't get off the thing. Drives me crazy.

Dave Bittner: I heard someone say last week that Facebook is like chemotherapy. It has its uses, but at its root, it is poison. Kind of like that.

Maria Varmazis: Yeah. That's a good -- that's good way of thinking.

Dave Bittner: All right. Well, we will have links to this story. And before we get to Maria's story, we're going to take a quick break here to hear a message from our sponsor. [ Music ] All right. We are back. Maria, what have you got for us this week?

Maria Varmazis: This one's an interesting one. That comes to us via Brian Krebs at Krebs on Security. Good old Krebs. So this is an elaborate phishing attack that sort of subverted my own expectations. Instead of just plain old tricking a user into taking an action, it first pesters the heck out of them with system-level prompts on Apple devices. So Krebs has this write-up of several users that wrote into him who all experienced the same attack. And one of them, his name is Parth Patel, and he walked Krebs through it. And basically, what he experienced was all of his Apple devices all at once, like his watch, his iPads, his iPhone, all lit up or blew up. As he said, with dozens upon dozens upon dozens of system notifications that all said, reset password, use this iPhone to reset your Apple ID password. And these were not fake system notifications. These are all legitimate. They came from his phone. And they were, you know, the gray notification bubbles with the exclamation points. And I should note that you can't ignore these notifications when they come up. It locks your phone out until you take an action. So Parth and everyone else who received this kind of attack had to go through each and every single one of these system notifications one by one and hit allow or don't allow. And in his case, he got like over a hundred of these. Other people were getting them at like the wee hours of the night. But again, dozens upon dozens of this barrage of system notifications just forcing you to take an action. Otherwise, you can't use any of your Apple devices until you've cleared them all. So I'm just imagining if I got one of these, or if I got hundreds of these all at once, I would get so annoyed. I'd probably eventually just go, ah, heck with it. Allow, why not? Let me just reset my password.

Joe Carrigan: [laughs] Make it stop.

Maria Varmazis: Please make this go away. I'm just trying to get on with my life. I have no idea what's going on. But like, this is -- some people figured they like sat on their phone, you know, like you butt dialed the system prompt. I can imagine people going, oh, whatever. And so when you do that, you will get texted from Apple a one-time password to reset your password. One time -- yeah. One time password to reset your account, I should say. And this is where the scam becomes apparent because also coincidentally, if you go through all of these notifications and hit don't allow, or if you do the allow, you get a phone call from "Apple Support." And I'm using air quotes on "Apple Support" right now. Great. On an audio-only podcast, nobody can see me doing that. [laughs] "Apple Support" with the official number, even showing up on your phone saying, "Hey, oh, I think you just got a reset prompt. Could you share that code with me?" And I'm sure all our listeners know that's a big, big red flag that, you know, you never share that kind of code with anybody. And that somebody calling you for that, no matter how much of your PII they offer up, it's a scam. And thankfully, the folks who read Krebs are very, very savvy, and they know this. So they all hang up on the calls and said, you know, "We'll call you back or whatever." And none of them fell for it. So essentially that is the scam. You get pestered to death. MFA bombing is what it's called. You get pestered to death to initiate that password reset process. And then somebody pretending to be from Apple Support will call you and ask for it. And then if you offer up that information the scammers can initiate a password reset on the account, lock you out, and then even remotely wipe your device. So that is the attack. There is not a great mitigation for this yet. Apple really needs to rate limit the password reset.

Joe Carrigan: Yeah, I was going to say, yeah, I got a great, great, there's --

Maria Varmazis: A great mitigation, right?

Joe Carrigan: Great mitigation right now. Rate limit that.

Maria Varmazis: Yeah. I don't know why they haven't done that. Hopefully, maybe by the time this episode publishes, they will have done this because this is a pretty new attack apparently on Apple devices, even though MFA bombing is not new.

Joe Carrigan: Apple [crosstalk] a pretty good job. MFA bombing is not new. But this is -- we've not seen this with Apple before, but we can assume this has been there for a while as a vulnerability.

Maria Varmazis: Absolutely. So, Joe, my question to you is, what is the incentive for the attacker to do this to MFA bomb you and then wipe your device?

Joe Carrigan: They get access to your account. And they -- when they wipe your device, they lock you out of your account. That's probably why they're doing that. Maybe there's some value in your account. Maybe there's you know, because if you have your iCloud account then you have all your images, maybe they want to ransom that to get it back from you. Thinking of -- I'm thinking of how I would monetize this were I a bad guy? The first one is I could ransom back their account to them, say, you know, you don't get your access unless I get a thousand dollars. Look at all these pictures of your kids, you know, these, you know, those kind of things. Or you know, God forbid you've been taking -- you've been doing something you shouldn't do and taking photos of yourself that you send to your very close people.

Maria Varmazis: Oh yeah. Yeah. Yeah. Yeah.

Joe Carrigan: Yeah, you have those on there. Let's see, what else? Sell the account as a way -- I mean, I don't know. I'm not an Apple user. Does Apple give you access or can you access other services? I think you can access other services with Apple, right. With your Apple ID.

Maria Varmazis: Oh, yeah. Yeah. Definitely. And it tries to get you to do that. Actually, Apple really wants you to do that. Because they sign in with Apple prompts on every app I can think of now.

Joe Carrigan: Yeah. I get that with Google as well. Being an Android user, I never make use of that. I have a password manager I use that for -- to keep my authentication separate just because of exactly this kind of reason. So yeah, if anybody ever does compromise my Google account, they will get access to my Google account. They will not get access to anything else. Because I just don't use it -- I guess maybe they can get access to my Zillow account. Because I do just click on it for there because it's as easy. And I, you know, what do I have on Zillow? Nothing here. Here's some houses I've saved around my house. Because I want to see --

Maria Varmazis: I've been stalking your neighbors a little bit.

Joe Carrigan: No, keeping an eye.

Dave Bittner: He is slowly building a compound. You know, by buying up all the houses on his street.

Joe Carrigan: That's why I have all the, all the land favored out in West Virginia. That's where the compound's going, Dave.

Maria Varmazis: The compound.

Dave Bittner: Fair enough. I'm curious with this. Do we suppose that in order to trigger this password reset, are you already past the point of stuffing the credentials? Right? In other words, do you already have someone's username and password to get to the point of triggering --

Joe Carrigan: You have their username. I don't think you have the password. I think you're utilizing your --

Dave Bittner: Because that's what you're trying to reset.

Joe Carrigan: Reset your password feature.

Dave Bittner: Right. Right. Right. Right. Yeah, that makes sense.

Maria Varmazis: Yeah. Or at the very least, their phone number, I think, was the other thing that Krebs was saying is that through any of them bazillions of leaks, our data has been leaked through at this point. At some point someone's phone number got offered up. And that's what they're trying, so, yeah. I mean, that's the interesting thing to me also is there were sort of suggestions at the end of Krebs' post, which are always helpful about like, what can you as a user do? And it was sort of like, you know, maybe try to use like a Google Voice account or something to fake a phone number when you put your phone number in online, which is, I know some security users -- savvy security users do that. Security users is not the term I should use, but security savvy folks, I should say. But I was just trying to think like, if this happened to someone I know who's not as security savvy, what would my advice be? Aside from, obviously don't give up that code if someone calls you. Like, if you're getting bombarded by an MFA bombing attack, like aside from just turn your phone off and throw it out the window, what the heck do you do?

Joe Carrigan: Right. Yeah. This happened with Microsoft Authenticator and a recent attack over the summer, over last summer that happened. It wasn't the Twitter account hack; that was different. That was a social engineering attack. But this -- well, I mean, I think MFA bombing is a social engineering attack. You're wearing somebody out. You're fatiguing them. You know, my big concern is that you -- is that -- because I think I actually read some of this article from Krebs is -- and Krebs makes a point, you could fat finger the response and accidentally hit the Yes. I want to authenticate my, you know -- I want to change my password from this phone. And then you get the code and you get the phone call. And now you've escalated yourself to, you know, to front and center of the scammer's attention. And that's kind of a dangerous place to be.

Maria Varmazis: It sure is. Yeah. Well, let's hope that Apple fixes at least the rate limit on these password reset requests. So then this won't be a possible attack vector for them, not for Apple, for attackers. [laughs].

Joe Carrigan: And I think Apple will come up with a good solution to this. I mean, one of the things I've always said about Apple, even though I'm not in the Apple cult, is they do a really good job of keeping their users secure. That is a priority for them. So much so that Tim Cook one time that some made a comment about, if you think that we should sell our user data for bigger profits, I want you to sell Apple stock because this isn't a stock for you. He told investors to do that, to sell the stock, which I think is bold. No other CEO has ever said that. But I think he understands that's part of their advantage. So absolutely. I think they're going to come up with a good solution here. I would like it to happen very quickly though.

Maria Varmazis: Agreed.

Dave Bittner: Well, yeah. I would suspect having someone as well-known as Krebs on this will certainly get their attention.

Joe Carrigan: That will expedite it.

Maria Varmazis: Yeah. Sure will.

Dave Bittner: Yeah. All right. Terrific. Well, again, we will have a link to this story in our show notes. And we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. Joe and Maria, it is time to move on to our catch of the day. [ Music ]

Joe Carrigan: Dave. Our catch of the day comes from Van. And it's another voicemail catch. So it -- and Van writes, "It sounds like Joe's social engineering calendar is correct again, which is great." Maria, have I explained to you my social engineering calendar?

Maria Varmazis: I'm pretty sure I know what it is. I can -- yeah.

Joe Carrigan: It's like the liturgical calendar in --

Maria Varmazis: Yeah. Like every year, a certain time of year certain scams come up. Yeah.

Joe Carrigan: Yeah. Yeah. Like recently we were in Lent. Now we're going to be in Pentecost. Well, here we are right before tax season. We're in tax fraud.

Maria Varmazis: Joe, I'm Orthodox. Lent has started for me. FYI.

Joe Carrigan: Oh, are you Orthodox? So Lent -- no, Lent didn't just start for the Orthodox, is it?

Maria Varmazis: I'm in week two.

Joe Carrigan: Week two.

Maria Varmazis: Yeah. My Easter is not till May.

Joe Carrigan: Easter is Sunday.

Maria Varmazis: Easter is in May for me. I'm just saying.

Joe Carrigan: Anyway. [ Laughter ] Listen to Dave. Listen to the Catholic and the Orthodox argument on what Easter is. We need an ecumenical council.

Maria Varmazis: This is exactly what people want to hear on Hacking Humans.

Joe Carrigan: Right. Yeah, absolutely. I want to know when the solid chocolate bunnies go on sale. That's what I want to know.

Maria Varmazis: That would be Sunday afternoon when I will be buying them for my kid.

Joe Carrigan: That's right. There's your advantage to being Orthodox.

Maria Varmazis: It's true.

Joe Carrigan: You can buy all the -- right. Yeah. So Van sent this voicemail along. Dave, do you want to play it?

Dave Bittner: Sure.

Van: Hey there, happy Monday. Bill over at the tax group calling about your past filings. I'm at 943-218-9030. We show you might be one of the people that still has some past taxes owed. And our company helps you get enrolled in the new zero tax program. Any small or large amounts that you may have would be basically non-collectible through the program. Give us a call back. We can help you get set up. It doesn't take very long. It's one and done set up. I'll keep the account open through the end of the week. And again, my number is 943-218-9030. Thank you.

Dave Bittner: Well, Joe, this seems totally legit to me.

Joe Carrigan: Does it?

Dave Bittner: Yeah, sure. Why not? I mean, it's not the dogs barking in the background or whatever. I mean, zero tax programs. Sign me up.

Joe Carrigan: Yeah, it sounds like some guy -- and I don't even know if this is real or synthetic audio. I mean, it sounds like it might be a little synthetic. It might be some guy just leaving you with a voicemail. I don't know.

Dave Bittner: It sounded real to me. I mean, I have to say, it sounds like it's right out of an episode of Better Call Saul.

Maria Varmazis: That or the attackers are scaling. And they are using artificial voices and the dogs are to make it sound real.

Joe Carrigan: Yeah. Could be. Yeah, that's true.

Dave Bittner: Van notes that this is a low-pressure strategy. You know, like, "Hey, you want this thing? Give us a call." But they do have the artificial time horizon of calls by the end of the week. Because that's when we'll shut your -- close your account. I want to advise everybody of this. There is no such thing as a tax zeroing program. A zero -- you know, like the -- if you owe the IRS money, you're going to owe the IRS money.

Maria Varmazis: And also the IRS will tell you. They will --

Dave Bittner: And they will write you a letter.

Joe Carrigan: They'll write you a letter.

Maria Varmazis: They'll write you a letter. Ask me how I know.

Dave Bittner: They'll not.

Joe Carrigan: I know how you know, Maria.

Maria Varmazis: It's not because I'm Greek. Don't say that.

Joe Carrigan: No. [ Laughter ]

Maria Varmazis: Greeks and taxes is sort of a notorious thing. I know.

Dave Bittner: Oh, I've never heard that.

Joe Carrigan: I was not aware of that.

Maria Varmazis: Oh, well now you know. I leaned into my own stereotype that you didn't know about.

Joe Carrigan: There we go.

Maria Varmazis: There you go.

Joe Carrigan: I hadn't heard of it.

Dave Bittner: Well, I'll be cautious from now on. Thanks, Maria. [ Laughter ]

Joe Carrigan: I love talking taxes with my son. He gets very stressed out when I start telling him stuff. And he's just like, because he is an accountant.

Maria Varmazis: Oh, I was going to say, you like talking about taxes in general.

Joe Carrigan: Well, actually --

Dave Bittner: So his actual knowledge runs up against your willingness to bloviate about things regardless of whether or not you actually know about them.

Joe Carrigan: No, I just tell him here's what I'll do. I'll just ignore this letter from the IRS. He goes, "Don't do that."

Maria Varmazis: Oh, now I get it.

Joe Carrigan: There's nothing to do. What are you going to do? Shoot me?

Dave Bittner: Yeah. You're using the letters from the IRS as kindling. And he's --

Joe Carrigan: Like, no, set them on fire. What is that? I don't know.

Maria Varmazis: Sure, if I ignore this, it'll sort itself out. Whatever. Yeah.

Dave Bittner: I don't know. Final notice, huh?

Maria Varmazis: Who takes that seriously anyway? Yeah.

Joe Carrigan: No, I take every letter I get from the IRS very seriously. Whenever I see IRS in return letter, that gets my undivided attention. And that -- in fact, we've talked about this before, that if someone were to use this kind of attack on me, they would immediately have my attention. Not this voicemail attack. Because I know right off the bat, no, there's no such thing as a zero-tax program. But if somebody says, "Hey, I'm from the IRS," they immediately get my undivided attention. Because I grew up in a house with accountants. You know, I come from a pretty large accounting family. A lot of accountants in my family.

Maria Varmazis: You're giving up too much info. Giving up --

Joe Carrigan: Surprising number of accountants in my family. And the, you know, the -- just the unmitigated fear that people have that has been instilled in me with the IRS. Like I've actually in years past, somebody said, "Hey, do you want to work as a contractor for the IRS?" I said, absolutely not. Nope. Nope. My family -- there are members of my family, large section of my family would never talk to me again if I did that.

Dave Bittner: I don't know. I mean, I understand the fear. I'll say most of -- well, my experiences with them have all been pretty good in that even when they have given me undue attention of the people that I've worked with there have all seemed to be reasonable people and, you know.

Joe Carrigan: I'll agree with that.

Dave Bittner: Just looking for a good outcome for everybody.

Joe Carrigan: I've made phone calls and gotten really great people on the phone who have answered the exact question -- the question with the exact reason I called. So --

Dave Bittner: All right. Well, thanks to Van for sending that in. Again, we would love to hear from you. Our email address is hackinghumans@n2k.com. [ Music ] That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. Maria, please share with our audience what is the best way for them to find out more about the T-minus podcast.

Maria Varmazis: Well, our website is space.n2k.com. And you can also find T Minus Space Daily and all your favorite podcast apps.

Dave Bittner: N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Iban. The show is mixed by Trey Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Dave Bittner: Thanks for listening. [ Music ]