Psychology and scams.
Dave Bittner: Hello, everyone, and welcome to N2K CyberWire's "Hacking Humans" Podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got some good stories to share this week, and we are joined once again by our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.
Maria Varmazis: Hi. I'm back.
Joe Carrigan: Welcome back.
Maria Varmazis: Thanks.
Joe Carrigan: All right, and we will be right back after this message from our show's sponsor. [ Music ]
Dave Bittner: All right. We've got a lot of good stuff to share this week, but first we have some follow-up. What do we have here, Joe?
Joe Carrigan: We do. Bob sent this note in along with the Catch of The Day, but I thought this belongs in the feedback section, so that's where I put it.
Dave Bittner: Okay.
Joe Carrigan: I'll take complaints later, I guess. But Bob says, "I share segments of each episode with family members and encourage them to listen on their own for their own safety. The recent Geek Squad phone number scam was particularly worrisome for some of my elderly friends and family members. Love the show, and Maria is a great addition."
Maria Varmazis: Oh, thanks.
Dave Bittner: Yes, and I would agree. "I realize that you are the Click and Clack of the cybersecurity realm." So, and he says, "If you get that old reference" --
Joe Carrigan: Don't scam like my brother.
Dave Bittner: Right.
Maria Varmazis: Don't scam like my brother.
Dave Bittner: That is --
Maria Varmazis: I'm from Massachusetts. I definitely get that reference.
Dave Bittner: Yeah. That is high praise.
Maria Varmazis: Yes, it is.
Dave Bittner: From anybody. I mean, that, you know, those guys were -- I went back and listened to some of their older stuff today because of this email. I was like, wow.
Joe Carrigan: So do you think you're Tommy or Ray?
Dave Bittner: I don't know. [ Laughing ]
Joe Carrigan: Okay.
Dave Bittner: I don't know. I don't know which one I am.
Joe Carrigan: Okay.
Dave Bittner: I didn't listen to that show enough to, I knew who they were, even though I wasn't an avid listener.
Joe Carrigan: Okay.
Dave Bittner: So I don't -- I couldn't identify which one was which. I knew they were actually brothers.
Joe Carrigan: Yeah.
Maria Varmazis: Yes.
Joe Carrigan: Oh yeah.
Maria Varmazis: The Magliozzi brothers. Yes.
Dave Bittner: I still listen to them. The podcast still has old reruns of it, and I just -- I love their infectious laughter. It just makes me happy.
Joe Carrigan: Yeah.
Maria Varmazis: I love when you listen to old episodes, and the phone line clarity is so great and you're like, oh yeah, that's what it was like before we all went to cell phones.
Joe Carrigan: Right.
Maria Varmazis: Yeah. Oh yeah, I could actually understand people. It was great.
Dave Bittner: Right. That's true. Now you're making me hate the current technology, Maria.
Maria Varmazis: Yeah, you're welcome. Yeah, we all just remember like, oh, yeah, copper lines are pretty great. Yeah, all right.
Dave Bittner: Yeah. All right. Yeah. All right. Well, let's jump into our stories here this week. I'm going to kick things off for us, and mine actually comes from a blog post. This is someone named Terence Eden who wrote up a story about some bank scammers, and I'm going to walk you through this, and I'm really going to borrow from the blog post a lot because Terence does a really great job of setting the story here. They write: "You receive a call on your phone. The polite call center worker on the line asks for you by name and gives the name of your bank. They say they're calling from your bank's fraud department." All right?
Maria Varmazis: Hang up.
Dave Bittner: "Yeah, right, you think. You think obvious scam. You tell the caller to do unmentionable things. They sigh. The caller says, 'I can assure you I'm calling from Chase Bank. I understand you're skeptical. I'll send a push notification through the app so you can see this is a genuine call'. And your phone buzzes, and you tap the notification, and up on your screen pops up a message from the Chase app that says, are you on the phone with Chase? We need to check it's you on the phone to us. Let us know it's you and enter your passcode on the next screen. And you can either click yes, it's me or no, it's not me."
Joe Carrigan: Always click no, it's not me. [ Laughing ] Well, I just shut you down, didn't I?
Maria Varmazis: Wait. I don't understand the question. Is it yes, it's me? No, it's not -- who? Okay. Yeah. All right. The question is weirdly phrased.
Joe Carrigan: It is.
Dave Bittner: So Chase -- so but let's back up here. I mean --
Joe Carrigan: Right.
Dave Bittner: -- so this is a pop up that's coming from the legit Chase --
Joe Carrigan: App.
Dave Bittner: App. And someone who says they're from Chase is saying to you, this is how I'm going to verify that I'm actually from Chase, and without you doing anything, they have triggered the Chase app on your phone to pop up this message that asks you if you're on the phone with Chase, to verify that you're in a conversation with someone from Chase.
Joe Carrigan: So let me guess. They're on the phone with Chase and asked for -- and Chase has said, we're sending a push notification?
Dave Bittner: Well, we'll get to that, Joe.
Joe Carrigan: Okay.
Maria Varmazis: Okay. Yep. It's odd that it says you need to enter your passcode though.
Dave Bittner: Well, the passcode comes next. So that's on a further screen. So it's asking you to enter a passcode on the next screen. Right now, it's just asking if you are on the phone with Chase. So it's a yes-or-no question. Are you on the phone with Chase or not?
Maria Varmazis: Okay.
Dave Bittner: If you answer yes, then that's going to trigger a passcode. If you answer no, then presumably, you know, someone from Chase will hang up or, you know, if this popped up randomly and you weren't on the phone with someone, then you'd say, no; it's not me, and then the folks at Chase would know that someone who's not you was calling in. Does that make sense? Are we clear?
Maria Varmazis: Okay, yes.
Dave Bittner: All right, but Joe is on the right track here because this is a genuine pop-up from the genuine app.
Joe Carrigan: Right.
Dave Bittner: This is, this is on your phone. This is not -- your Chase app has not been hacked, but Joe's suspicions are correct that what is happening simultaneously is while someone from the scammers has called you, they have also called your bank pretending to be you. So the scammers' accomplice calls the bank. They pretend to be you. The bank sends you the in-app alert to say, is this you, to say are you on the phone with someone from Chase, right? So they're taking advantage of the ambiguity in the messaging on the app. You could very easily think that you are on the phone with someone from Chase. You got a call from someone who claims to be from the Chase Fraud Department. The app pops up and --
Joe Carrigan: Right.
Dave Bittner: -- asks you --
Maria Varmazis: It's really weirdly worded. I've just got to say, I just -- it's very strange.
Joe Carrigan: Right. If this is the actual text from the app, there's a defect in the software --
Dave Bittner: Okay.
Joe Carrigan: -- and it's a design defect.
Dave Bittner: Okay.
Joe Carrigan: Maybe even a requirements defect. It's really deeply embedded in the software --
Dave Bittner: Okay.
Joe Carrigan: -- because the question here is, are you on the phone with Chase? That's not the right question to ask somebody.
Dave Bittner: Okay.
Joe Carrigan: The right question to ask somebody is, did you call Chase?
Dave Bittner: Well, it kind of says that.
Joe Carrigan: It says, are you on the phone with Chase?
Dave Bittner: And then next it says --
Joe Carrigan: We need to check it's you on the phone to us --
Dave Bittner: To us.
Joe Carrigan: Right. Kind of call -- it says that.
Dave Bittner: Right.
Joe Carrigan: It kind -- this is not lucidly clear.
Dave Bittner: I think you're right.
Joe Carrigan: Yeah. It needs to be lucidly clear.
Dave Bittner: Yeah.
Maria Varmazis: Yeah. Had you not told me this story just now, I wouldn't understand why they were asking me this question, and I wouldn't understand why I would ever say, no, it's not me. Like who else would it be would be sort of my question?
Joe Carrigan: Right.
Maria Varmazis: Yeah. That's just very oddly worded.
Dave Bittner: Right.
Maria Varmazis: Am I on the -- did you call Chase? Yes, I did, or no, I didn't. You know, not, yes, it's me. No, it's not me.
Dave Bittner: Right.
Joe Carrigan: Right.
Maria Varmazis: I'm like, who is it? Yeah. It's weird.
Dave Bittner: Right. Right. But you can see how someone would get caught by this, right?
Maria Varmazis: Yeah.
Dave Bittner: I mean, it's very --
Maria Varmazis: I'm getting stuck right now.
Joe Carrigan: Right.
Dave Bittner: It's very confusing but also very convincing because as we said, this is the genuine Chase app popping up this message asking you if you're on the phone with Chase. So it's kind of functioning as intended, right? It's actually the folks at Chase. See, it's interesting because I'm going to say it's the folks at Chase that are being scammed, but they're not. They're putting their security measures in play to make sure that the person who's calling Chase is actually you. The person who's claiming to be you is actually you, but it's not you.
Joe Carrigan: Right. I'm going to go ahead and say they are -- this is a defect. I'm going to stick with my stance on this.
Dave Bittner: Okay.
Joe Carrigan: That this is a defect, that this is a vulnerability in their process and actually in their software.
Dave Bittner: Yeah.
Joe Carrigan: And it's really, I mean, it's not like a software bug. It's a text bug because these are just strings in the software. You can change this really easily. You don't even have to do regression testing on it. You're only changing strings. I mean, maybe your test requirements say that, but anyway, you know, from a software engineering perspective, this is a very easy fix. And in fact, I'm looking at this article now, Dave, and it says -- it calls this pop up a security disaster, and it should say something like, did you call us? If someone has called you claiming to be from us, hang up now. And then Maria, to your point, it says down here, yes, I'm calling Chase. No one -- no, someone called me.
Maria Varmazis: There you go. Yeah, yeah, that's much more clear.
Joe Carrigan: What it should look like.
Dave Bittner: Yeah.
Joe Carrigan: That is what it should look like. It should not look like, are you on the phone with Chase?
Maria Varmazis: Because it sounds like I am as far as I know.
Joe Carrigan: Sounds like I am.
Dave Bittner: As far as I know, right? This --
Maria Varmazis: Yeah.
Joe Carrigan: I lay this right at the feet of Chase. This is terrible.
Maria Varmazis: Yeah. I agree. Honestly, if you didn't know this scam was a thing, how on earth would you know what it's trying to protect you from?
Joe Carrigan: And you know who knows this scam is a thing? Chase. Chase knows this scam is a thing. They know it.
Dave Bittner: Well, let's back up here for a second because suppose -- separate from this scam. So let's pretend like we don't know about this scam.
Joe Carrigan: Okay.
Dave Bittner: What would we think about this measure from Chase for trying to verify whether or not it's actually you on the phone?
Joe Carrigan: If it weren't for this scam, we might think this was good, right? Hey, look. They're doing a verification across another channel.
Dave Bittner: Right.
Joe Carrigan: That isn't the phone call.
Dave Bittner: Right.
Joe Carrigan: Right?
Maria Varmazis: Yeah. You're right. You're right. Honestly, yeah.
Joe Carrigan: Yeah.
Maria Varmazis: I never would have thought a scammer would work with another human being. It requires talking to someone in tandem. I just -- who wants to do that?
Joe Carrigan: Right, yeah.
Dave Bittner: That's what they're good at, though. It's a two-person --
Maria Varmazis: I know. It's high effort. I'm just like, I'm lazy. I can't imagine wanting to do that.
Joe Carrigan: It's a dual-bad-guy scam.
Maria Varmazis: It's just like they have to -- one has to nudge the other with their elbow going, now.
Joe Carrigan: Right.
Dave Bittner: Right.
Maria Varmazis: You know, so they'll come on.
Dave Bittner: Right. I agree that the wording of this needs to be improved, and I will also say that the high-level advice that we always give here is you're never going to get an incoming call from these people.
Joe Carrigan: Right.
Dave Bittner: Right? And if you do, what do you do? You hang up.
Maria Varmazis: Hang up.
Dave Bittner: You say, I'll call you right back.
Joe Carrigan: Right.
Dave Bittner: And then you call the number that you know is a legit number for the tech support people.
Joe Carrigan: The fraud number.
Dave Bittner: But this is, you know, look, if someone falls for this, I can understand why.
Joe Carrigan: Right.
Dave Bittner: Yeah. It's a tough one. It's very clever. All right. Well, we will have --
Maria Varmazis: Got to hand it to them.
Dave Bittner: We will have a link to that in the show notes. Maria, you're up next. What do you have for us this week?
Maria Varmazis: Well, I have a story from The Register by way of RSA, which none of us are at, at this current time.
Dave Bittner: So our, yeah.
Maria Varmazis: I was going to say, go ahead, Dave.
Dave Bittner: Well, no, I was going to ask you to explain what RSA is.
Maria Varmazis: Oh, goodness. What isn't RSA? No, RSA is one of the big, big cybersecurity conferences that happens in San Francisco. It's a lot. I used to have to go every year, but a lot of news has broken at RSA. A lot of companies sort of hang on to their big stories and, you know, release it at RSA, and we're seeing a lot of that happening right now as the -- I should probably not be referring to this. This is coming out later, right? So never mind, a lot of that happens at RSA. So one of the stories that came out at RSA early on in the conference was that ransomware somehow has found a way to get even worse.
Joe Carrigan: Oh, good.
Dave Bittner: Oh, boy.
Maria Varmazis: Yay, yeah. That's so great. So at the Google Security Threat Intelligence Panel at RSA, the Mandiant CTO, Charles Carmakal, I guess that's how you pronounce his last name, Carmakal, Carmakal, shared that Mandiant is seeing an uptick in ransomware criminals using a terrible new tactic to try and extort their victims, and they are psychological attacks is how they're sort of summarizing it. These are extortion phone calls to the company executive, the company that is being ransomwared, made from the phone number of one of the executive's children. So imagine that you're the executive just going about your day, and you're getting -- not going to ignore a phone call that's coming from your child, presumably, if you're a decent human being.
Joe Carrigan: Right, right.
Maria Varmazis: So, basically, either an attacker has spoofed your child's phone number, or they have done the social engineering to do an eSIM swap, or maybe even a physical SIM swap. Either way, at the very least, an attacker knows your kid's phone number, or worse, has somehow compromised their phone, or maybe, at the very worst, has physical access to it. So I'm just like, oh my god. So imagining you're the executive again, and you see your kid's phone number. You answer as you normally would, and instead of hearing, you know, the squeaky voice of your 12-year-old complaining that the Wi-Fi is not working, you hear some deep-throated man demanding some large sums of money. So when I heard this story, I just -- my heart dropped, and the Mandiant CTO said a bunch of different quotables, but one quote just really, okay, I'll read it to you now. "It's less about, do I need to protect my customers, but more about, how do I better protect my employees and protect the families of employees? That's a pretty scary shift." Yeah, and I'm not at RSA, but I cannot stop thinking about that quote, and the chill that must have come over the entire conference room when he said that, because now your employees' families are in scope. If you're a defender at a company dealing with ransomware, that is a nightmare, frankly.
Dave Bittner: Yeah.
Maria Varmazis: So I don't know what else to say about this, aside from that's just horrific. Yeah, thoughts?
Dave Bittner: Well, I had a conversation about this a couple weeks ago with Chris Pierson, who's been a guest on our show. He runs a company called BlackCloak, and one of their specialties is protecting high-level corporate folks and high-net-worth folks. Before I saw this story, so this was a couple weeks ago, he was sharing to me this was the latest thing that they were -- or one of the latest things that they were tracking, that this was a shift, and how, like you say, how horrible it is. And you need to have family code words, things like that, you know, to help verify what's going on and who it is -- says they are. The thing that strikes me about this is that when you get a call that you think is from your kid, and it's someone else, and they're immediately going to start telling you some kind of story, just the -- like emotional trap door that that hits you with. Like you just have the bottom drop out from underneath of you.
Maria Varmazis: Of course.
Dave Bittner: And any hope of rational thought is just gone.
Maria Varmazis: Yeah, you're terrified. What happened to my kid? You know, is my child physically in danger right now?
Dave Bittner: Right.
Maria Varmazis: I mean, this is, frankly, evil. It's really --
Joe Carrigan: It is, yeah.
Maria Varmazis: It's evil.
Dave Bittner: If it's a SIM swap, then the hang up and call back attack --
Maria Varmazis: That won't work.
Dave Bittner: You'll just get that guy back on the phone.
Maria Varmazis: Yeah.
Joe Carrigan: Right.
Dave Bittner: You know, if they're spoofing your number, you hang up. You call back, you'll get your kid, but the SIM swap, no, you'll get them again.
Maria Varmazis: Yeah. It's, I mean, it just -- I don't know why I thought maybe people's families were off limits in this realm, but clearly, they're not.
Dave Bittner: No.
Joe Carrigan: No.
Maria Varmazis: So, you know, man, just another thing for people to be aware of, I suppose, but who needs this? I mean, seriously.
Dave Bittner: I mean, I wonder to what degree the fact that the folks who are doing these crimes are often so far away, right? It's not like, you know, the godfather, where if you wrong someone or you come after someone's kids or family, you know, Rocco is going to show up with some brass knuckles and set you straight. You know, like it doesn't work that way because of the distance.
Joe Carrigan: You've got to make sure you're at the baptism, though, Dave. [ Laughing ]
Dave Bittner: Right. Right.
Maria Varmazis: Yeah, I guess if you are an executive at a company of any size, this is just something to be aware of, but I don't even --
Joe Carrigan: Right. Put a pin code on your mobile provider account.
Dave Bittner: Well, that's another thing Chris was telling me, is that exactly to your point, Maria, the part of this is educating the executives, so that if they do get something like this, they have at least some hope of recognizing it is, you know, for what it is and maybe acting in a rational way, but I wouldn't.
Joe Carrigan: I have a different thought about this.
Dave Bittner: Yeah?
Joe Carrigan: You know, one of the biggest things that I hear from people and I'm trying to talk to them about cybersecurity is, I'm not a target. Nobody is interested in me, but these people, executives, shouldn't think that way. I am a target. People are interested in me.
Dave Bittner: Right.
Joe Carrigan: What should I do?
Maria Varmazis: Yeah.
Joe Carrigan: You know, I mean, the fact of the matter is that everybody is targeted. It's just a matter of who's going to target you, and if you're an executive, you know, or a high-ranking government official, you're going to have a lot of attention focused on you, and your security model needs to reflect that because your risk is much higher than the average person.
Maria Varmazis: Yes.
Joe Carrigan: The scammer is not calling you. The scammer is probably not going to be able to get your information, right? You probably have some other way of doing that, but the incredibly tactically good person is going to call you. They are going to target you. They're going to do their reconnaissance. They're going to find out who your kids are, where they go to school, all that stuff.
Dave Bittner: Yeah.
Maria Varmazis: Yep. Yep. One thing that was interesting in some of the comments on this, because this was also posted on Slashdot, which is actually where I first heard about it. My blood ran cold when I read it. Do you think this would actually make ransomware attacks less effective? Like if you basically threaten somebody's kids, at that point, I imagine some people are just going to double down and say, bleep you, I'm definitely not complying now. I mean, I imagine people may have the opposite reaction, but I'm just curious if they think this is actually going to be effective. Although, again, I wish it wasn't happening at all.
Dave Bittner: If you have a vengeful streak in you, this would certainly trigger it, wouldn't it?
Joe Carrigan: Yes.
Maria Varmazis: Liam Neeson is going to come right after you.
Joe Carrigan: Right. Exactly.
Dave Bittner: If I have a vengeful streak, right? If.
Maria Varmazis: If, yes. Well, the other thing this made me think of is I know for executives at really big companies, they have those sort of courses they take you on about personal security, and I imagine if they don't already know about this in these courses, they need to bake this in in terms of also stuff you need to keep in mind about how people might be trying to compromise your family to get to you --
Dave Bittner: Yeah, it's just --
Maria Varmazis: -- terrible as that is.
Dave Bittner: Again, you know, Chris Pierson from BlackCloak really opened my eyes to a lot of this stuff that I was simply ignorant of that, you know, if you get to be a certain level of executive with a large public company, you're not allowed to drive your car anymore.
Maria Varmazis: Yeah.
Dave Bittner: Because it's too big a risk to the organization. Like you have to have a professional driver.
Maria Varmazis: Yep.
Dave Bittner: I didn't know that.
Maria Varmazis: Yeah. Their threat model is real different from ours.
Dave Bittner: Yeah. It really is.
Maria Varmazis: Podcasters don't have to worry about that.
Dave Bittner: It really is a different world. No, no.
Joe Carrigan: If I get hit by a bus tomorrow, really nothing else in the world changes.
Dave Bittner: Oh, Joe.
Maria Varmazis: Oh, Joe, that's not true. You know that's not true.
Dave Bittner: It would take at least a couple of weeks for me to get used to only having Maria on the show. [ Laughing ]
Maria Varmazis: Oh, wow. [ Laughing ]
Dave Bittner: All right. Well, on that.
Joe Carrigan: Yeah.
Dave Bittner: We are going to take a break to hear from our sponsor before we hear Joe's story. We'll be right back after this. [ Music ] All right. We are back, and Joe, it is time for your story. What do you have for us here this week?
Joe Carrigan: Well, Dave, we all agree that email is just awful, right?
Dave Bittner: Yes.
Maria Varmazis: Yes.
Joe Carrigan: One of the biggest problems with email is that by default, and until surprisingly recently, this was incredibly true, there is no way to stop somebody from just impersonating someone else and sending an email to you.
Dave Bittner: Yeah.
Joe Carrigan: And there are technologies out there that prevent that from happening, but they have only been developed within the last 15 years. They've only been like released as RFPs. Anyway, the first one is called SPF, not sunscreen stuff, but it's Sender Policy Framework, and this allows the owner of a domain to specify which computers are authorized to send email for the domain. And then there is something called DKIM, which is DomainKeys Identified Mail. This was a joint effort between Yahoo and Cisco years ago, and Yahoo was like, we've got all this spam coming in. It would be nice to validate this. This uses public keys and private keys to sign a message so that you can verify that it actually came from the person or the mail server that it's coming from. And then on top of these two technologies, there's a relatively newer one called DMARC, which is Domain Message Authentication Reporting and Conformance. And DMARC makes sure that the domain in the from part of the email address matches the domain in the SPF headers and the DKIM parts before it lets anything through, or before it -- you know, it makes sure those things match up. It actually doesn't stop things from coming through unless you tell it to, but here's the thing: DMARC allows senders to define the policy that recipients should implement on their end. So --
Maria Varmazis: Okay, I need you to translate this into -- sorry. I caught most of that.
Joe Carrigan: Okay. So let's say I --
Maria Varmazis: I am who I am supposed -- I'm pretending I'm part of an organization. I'm authorized to send an email on behalf of that organization.
Joe Carrigan: Right.
Maria Varmazis: Yes.
Joe Carrigan: So you are mariamail.com, right?
Maria Varmazis: TM, yes.
Joe Carrigan: Right, and one of your users sends an email out from their account at mariamail.com. The recipient can -- has the option to make sure, with SPF, to make sure that the IP address that sent the email out is authorized to do so.
Maria Varmazis: Okay.
Joe Carrigan: Using DKIM, they can make sure that it actually came from your domain.
Maria Varmazis: Yep.
Joe Carrigan: And then they can use DMARC to say, well, what does Maria Mail want me to do with this message if it doesn't match up? So if I, from Joe's Evil Mail, send out something impersonating Maria Mail, DMARC can say, you can just let it through and tell me about it, or you can quarantine it, or you can just block it.
Dave Bittner: So DMARC goes out to the world and says, if you receive a message from Maria Mail, this is how you should handle it?
Joe Carrigan: Yes.
Dave Bittner: Okay.
Joe Carrigan: And the way this works is, it is all of these technologies, SPF, DKIM, and DMARC, are what are called text records in the DNS, I wanted to say system, but it's actually the S is for system, so it's not the domain naming system-system, the domain name system.
Dave Bittner: Okay.
Maria Varmazis: So it's DNS, yes.
Joe Carrigan: Interesting that this is not part of Simple Mail Transfer Protocol, or SMTP. This is actually patched on security to the mail system that is still the same kind of mail system we've been running with since the 60s, or maybe a little bit later.
Maria Varmazis: Since Pine?
Joe Carrigan: Yeah, since Pine, right, exactly.
Maria Varmazis: Okay. All right.
Joe Carrigan: Geez, I remember Pine.
Maria Varmazis: I used Pine.
Joe Carrigan: I did too.
Maria Varmazis: Okay.
Joe Carrigan: So these are very effective if you configure them properly, but as you can imagine, because these are all just text records in the DNS system, you have to set these up properly. Additionally, because they're DNS text records, anybody can read them. So there is a story from The Record from Jonathan Greig, who, this is the news organization from Recorded Future, about a recent security advisory issued by the FBI, the NSA, and the Department of State about a North Korean group dubbed Kimsuky. I have a problem with that name, Kimsuky. It sounds more like a Japanese name than it does a Korean name, but the organization's goal is to steal and gain valuable geopolitical insight by compromising policy analysts and other experts. So they go out there and they try to just, they're not -- it's not like the Lazarus Group, which is all into crypto. These guys are actually part of the intelligence operation, and they're targeting organizations with improperly configured DMARC policies, right? So now what they're doing is they are effectively masquerading as people from these organizations. So if Maria had her DMARC record configured so that it would just report back to Maria when a fraudulent email comes in, that doesn't really stop the email from coming in. Also, if the DMARC record has some kind of error in there, the receiving system may not process it to fail safe. It may process it, just go ahead and allow it through instead of just blocking. It may not default to that. So there's a ton of different ways this is going, but they're looking at these DMARC records and they're going out there and they're seeing what's happening. Now even if you're suspicious of an email and you check the reply-to section, it would still appear like it came from a legitimate domain because it just slid right through the DMARC system because one of these records was not configured properly.
Dave Bittner: Is DMARC mandatory?
Joe Carrigan: It is not. Well, it depends, actually. That's an excellent question. If you want to send an email to a Gmail user, and your email server sends more than like 5,000 messages a day to Gmail, yes, Gmail makes it mandatory.
Dave Bittner: Right.
Joe Carrigan: It is not mandatory for the protocol. SMTP will work. If you set up an email server somewhere out there on the interwebs, you will have to manually go out and enforce DMARC and all these other underlying technologies. You have to do this as the recipient. So this has to be configured properly on the sender's end, and it has to be configured properly on the recipient's end.
Dave Bittner: Oh, goody.
Joe Carrigan: If either one of those things are not done properly --
Maria Varmazis: No opportunity for failure there.
Joe Carrigan: Right. Yeah, so one of the things this group is doing that I think is really interesting is they are using content from emails previous in a conversation, and that lends authenticity to these spoofed emails. They have been observed creating fake usernames and using legitimate domains to impersonate individuals. So if I can compromise someone's account, even if DMARC is all configured properly, and I can start creating usernames on that email system, it doesn't matter, right? If I've compromised that account, I can send out emails. The system will sign them with the DKIM. The receiver will look up the DMARC record and say, everything looks right.
Dave Bittner: Yeah.
Joe Carrigan: Here you go, user. Here's an email.
Maria Varmazis: They checked all the boxes that say it's legit.
Joe Carrigan: They checked all the boxes, right.
Maria Varmazis: Yeah, yep.
Joe Carrigan: So again, we find fundamental security very important. Anyone who is doing work in the U.S. or South Korea who's working on North Korean or Asian or China policy should be aware of this. The advisory warns people to be wary of emails with innocuous communication followed by strange links and attached documents from different email addresses. So just, you know, be mindful of this kind of stuff. I don't know. There's nothing the average user can do. What has to happen is underlying is your security department has to be enforcing DMARC rules, right? They have to have the DMARC set up. The rules for the sender have to be set up right. The enforcement for the receiver has to be set up right.
Maria Varmazis: So forward this episode to your beleaguered security and/or IT teams.
Joe Carrigan: Right, tell them. Make sure. Make sure our DMARC is all configured as well as we can make it.
Maria Varmazis: There you go.
Dave Bittner: There's nothing a security team likes more than a well-intentioned user just lumbering into their office and telling them how to do their job.
Joe Carrigan: Hey, you know what you guys need to do?
Dave Bittner: Hey, I got more work for you all. You're not busy here or anything, are you?
Maria Varmazis: Slam the door open. You guys busy?
Joe Carrigan: Right.
Dave Bittner: Meanwhile, there's like garbage cans on fire, people running around screaming.
Joe Carrigan: Yeah.
Dave Bittner: Hey, what's up, buddy? How are you?
Joe Carrigan: Yeah. It is amazing that we've gone this long, and email is still as bad as it always has been.
Dave Bittner: Still terrible, yeah.
Maria Varmazis: It's so janky.
Joe Carrigan: I mean, it is.
Maria Varmazis: It's still so janky. It's amazing.
Joe Carrigan: That's an excellent word. I mean, that's a slang term, but it is. It is like the hobbled, patched-together Frankenstein's monster of the internet. It refuses to die.
Dave Bittner: Well, it's because no one has ever had the guts to cut it off.
Joe Carrigan: Right.
Dave Bittner: You know, like if someone -- you know, let's say you had Google and Microsoft and Apple, right, who got together, the three of them, and they said, all right, this is it. We're done.
Joe Carrigan: Email is dead.
Dave Bittner: Right. Right. We have a new system. It's encrypted. It's this, that, and the other thing. It's secure.
Joe Carrigan: Everything's signed.
Dave Bittner: Right. We're going to open source it, but from now on, this is how it works.
Joe Carrigan: Right.
Dave Bittner: The problem is, as, you know, you just, you've got all these legacy systems, and people are still going to want to use the old stuff, and it has to be compatible with the old stuff.
Joe Carrigan: Yeah.
Dave Bittner: So it's just not practical to cut it off. But that's, if that had happened 30 years ago, we'd be in a much better place. [ Laughing ] Seriously.
Joe Carrigan: Thirty years ago, nobody envisioned this, this internet, this dumpster fire that is now the internet, 30 years ago. Thirty years ago, the internet was wonderful, Dave.
Dave Bittner: I know.
Joe Carrigan: It was so beautiful.
Dave Bittner: Hope and promise.
Joe Carrigan: Yeah.
Dave Bittner: We can have all the world's knowledge at our fingertips.
Joe Carrigan: That was so great.
Maria Varmazis: It was.
Joe Carrigan: We could use Gopher to find information.
Dave Bittner: That's right.
Joe Carrigan: And Finger to find people.
Maria Varmazis: I was asking Jeeves so much.
Joe Carrigan: Jeeves? That's right.
Dave Bittner: All right. Well, we will have a link to that story in the show notes. Joe, it is time to move on to our Catch of The Day. [ Reeling Fishline ] [ Music ]
Joe Carrigan: Dave, our Catch of the Day comes from Bob, who also sent us the nice note earlier, and he said, "I immediately thought of you guys when I received this message." And it is a message, it looks like it comes from the U.S. Department of State, but he moused over the email, and it is going to a Gmail address, which he notes, not an authentic State Department email.
Dave Bittner: No, generally not.
Maria Varmazis: No.
Dave Bittner: It's like a random string of characters and numbers.
Joe Carrigan: Yeah, somebody just set up a Gmail address.
Dave Bittner: Yeah.
Maria Varmazis: Born in 1987, judging by their email.
Dave Bittner: Right.
Joe Carrigan: Right. Well, it says, "Warning, notice of Social Security Number suspension. Attention, due to fraudulent activities, your Social Security Number, SSN, will be suspended within the next 24 hours. We are writing to inform you that your social security number is being suspended due to the FTC's discovery of unlawful activities in Texas involving your identity. The Department of Justice has been tasked with prosecuting your case according to the Criminal Code Act 1950 and other criminal offenses in Texas, including the Proceeds of Crime Act 2002. Count I, Drug Trafficking, Section D of Act 258. Count II, Act of 1986, Money Laundering. Count III, Theft by Deception, Texas Supreme Court Code Conduct 1986. A legal complaint has been filed against you as of today. In accordance with our standard operating procedure, law enforcement agencies have uncovered 25 bank accounts opened with your social security number to perpetuate a $14 million fraud. In the entire state of New Mexico, these accounts were used for unlawful activities such as money laundering, narcotics trafficking, and Internal Revenue Service fraud. The Department attempted to deliver legal documents to your most recent known address, but U.S. Marshals who made a visit discovered the house deserted. If you have received this email, it implies that we have exhausted all other means of contacting you. If you are innocent of the allegations, please contact the OIG at the number shown below. To file an appeal, you can contact the Office of the Inspector General, Social Security Administration." Wow.
Dave Bittner: Wow.
Maria Varmazis: Cool story, bro.
Joe Carrigan: Yeah, cool story, bro. Exactly. Couple of things, couple of things. Number one, the Social Security Administration, by the way, the watermark on the back of this is huge.
Maria Varmazis: Yeah. You know, it almost makes the letter illegible.
Dave Bittner: Yeah.
Joe Carrigan: Fortunately, Dave, a professional, makes the reading.
Dave Bittner: It was hard to read.
Joe Carrigan: It was, but you did it in one take again, Dave.
Dave Bittner: Thank you.
Joe Carrigan: Ladies and gentlemen, even when I give him total gibberish, sometimes he will read it in one take, almost every time.
Maria Varmazis: He's a professional.
Dave Bittner: Well, you know what? It's just my, you know, how like a big -- like a python can disconnect its lower jaw to swallow a pig?
Joe Carrigan: Yeah.
Dave Bittner: I can do that with my brain.
Joe Carrigan: Ah.
Dave Bittner: And the words just flow directly from my eyeballs to my mouth without any processing, without any consideration. I just -- I give them no thought. Actually, as Click and Clack used to say, "unencumbered by the thought process."
Joe Carrigan: Right.
Dave Bittner: That's what happens with me when I read these.
Joe Carrigan: You're like the pigeon that finds the cancer cell in the mammogram.
Dave Bittner: That's right.
Joe Carrigan: Right, yeah? He doesn't know what he's looking at. He just knows what a cancer cell looks like when he gets a piece of like birdseed or something.
Dave Bittner: That's right. That's right. So I rather -- this is all about just a -- it is a lack of thought. That's what it is.
Joe Carrigan: Well, it is impressive.
Dave Bittner: It is.
Joe Carrigan: An impressive lack of thought. The Social Security Administration is an independent administration. It is not part of the Department of State. So that would not add up immediately, and I would think it would be like part of the Department of Treasury or something like that.
Dave Bittner: Yeah.
Joe Carrigan: But it isn't. It's not part -- I don't know where it used to be. It did used to be somewhere.
Dave Bittner: They're invoking the Federal Trade Commission?
Joe Carrigan: Yeah, Federal Trade Commission, which is also --
Dave Bittner: The Department of Justice.
Joe Carrigan: I -- yeah. The Federal Trade Commission is also --
Maria Varmazis: New Mexico?
Joe Carrigan: Or maybe they're part of -- no, they're part of Commerce.
Dave Bittner: Yeah.
Joe Carrigan: Never mind. So many departments to know. You know, if this came to me, I'd be like, criminal offenses in Texas, I'm like, uh-oh. What did I do last time I was in Texas?
Dave Bittner: Right.
Joe Carrigan: May not have been legal.
Dave Bittner: Crossing state lines.
Joe Carrigan: Right, yeah.
Maria Varmazis: But the email is also signed by -- that looks like Ken Paxton. So like, isn't he Texas Attorney General? None of this makes any sense, but you know, who's looking at the details? I just love how they tell this really long, involved story, and it's like, and yes, this is the first you're hearing of any of this.
Joe Carrigan: Right. My favorite part is the abandoned home.
Dave Bittner: Right.
Joe Carrigan: Like somehow --
Maria Varmazis: Dun-dun, dun.
Dave Bittner: Wait a minute. Did I abandon a home recently? I can't remember. I, oh, you know what? I did abandon a home recently. Ugh. One step ahead of the U.S. Marshals.
Joe Carrigan: Yep.
Dave Bittner: As usual.
Maria Varmazis: How many homes do you have, Dave? That you can abandon?
Dave Bittner: All of them.
Maria Varmazis: All of them.
Dave Bittner: Yes.
Maria Varmazis: Yes.
Joe Carrigan: Yeah, well, you know, you, you've got to stay one step ahead of the law, and you never know when you're going to need to lay low for a while.
Dave Bittner: That's right.
Maria Varmazis: Oh, that pied-a-terre? I forgot about that one.
Joe Carrigan: You've got to move around. That's the only way to beat the system.
Dave Bittner: Yeah, that's right. Well, and you know, when you have multiple families like I do who don't know about each other in multiple states, you know, why do you think I have to host all these podcasts?
Joe Carrigan: That's right.
Dave Bittner: It's --
Joe Carrigan: So many mouths to feed.
Dave Bittner: Yeah, that's right. That's right.
Joe Carrigan: And nothing makes the money roll in like a podcast.
Dave Bittner: No, no, no. It is, oh, man, it is --
Maria Varmazis: Joe, a little too close. Listen.
Dave Bittner: Says Joe who works for someone else.
Joe Carrigan: Right. [ Laughing ]
Dave Bittner: All right. We're going to get ourselves out of here in one piece too late.
Joe Carrigan: Yes.
Dave Bittner: But, Bob, thank you so much for sending this in. We do appreciate it, and of course we would love to hear from you. If there's something you'd like us to consider for our Catch of The Day, you can email us. It's hackinghumans@n2k.com. [ Music ] That is Hacking Humans brought to you by N2K CyberWire. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Tre Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: And I'm Maria Varmazis.
Dave Bittner: Thanks for listening. [ Music ]