
Click for a pay bump?
Dave Bittner: Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where, each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. We've got a special episode of Hacking Humans today. Joe and Maria are taking a summer break this week, and my special guest is Rob Allen, Chief Product Officer from ThreatLocker. Rob, welcome to the show.
Rob Allen: Hello. How are you?
Dave Bittner: I'm doing well. Thanks.
Rob Allen: Hang on a second. Did you just say two people were taking holidays today?
Dave Bittner: Indeed, they are.
Rob Allen: That is shocking.
Dave Bittner: I'm the last man standing. Yeah.
Rob Allen: You and me both, we are the last men standing.
Dave Bittner: I know, and I imagine for you, Rob, it's even stranger to hear that Americans are taking holiday, right?
Rob Allen: It is one of the things that I have struggled to adjust to. Well, sorry, when I say I struggled to adjust to it, I did initially struggle to adjust to it, but I got used to it pretty quickly. I consider any holidays now or any PTO to be basically socialism. So I think that makes me an American.
Dave Bittner: All right. Well, welcome to the club. We are going to be discussing Scattered Spider, which is a cyber criminal group that's -- they're known for being sneaky, persuasive, and also surprisingly young. And unlike a lot of the hacker groups that we talk about, who rely on technical tricks, Scattered Spider specializes in social engineering. And that makes them the perfect topic for us here on Hacking Humans. So let me toss it to you, Rob. I mean, when you describe Scattered Spider to people who may not be familiar with them, how do you do that?
Rob Allen: They apparently are a young, loosely affiliated, primarily English-speaking ransomware gang, and very effective ransomware gang, I might say. They've been responsible for some of the biggest breaches or events over the last couple of years. They seem to -- and I think the reason they've come back into the news of late is they seem to target kind of an industry at a time. So I think lately, they've been aiming at aviation. And interestingly enough, again, presumably because they figure there's quite a few bucks to be had there. But as you said, they are predominantly around or about social engineering. They're not so much about the, I suppose, you know, down in the weeds hacking and gaining access. They're more about persuading somebody to give them access.
Dave Bittner: And as you mentioned, they're kind of a loosely affiliated group, which I think is how they got the name "Scattered" in Scattered Spider. They're loosely organized there.
Rob Allen: I always wondered where these names came from. Well, I kind of know where the names come from, but equally, where do the names come from?
Dave Bittner: Yeah, I'm with you. And as the guy who quite often has to pronounce them or align them, because not every organization names these threat actors the same things. So we have, you know, Fancy Bears and Cozy Bears and Scattered Spiders. And I don't know.
Rob Allen: Well, listen, to be honest, they're bad, but they're not as bad as the nicknames for Linux distribution.
Dave Bittner: There you go.
Rob Allen: Yeah.
Dave Bittner: We'll take what we get, right? Right? Well, let's talk about social engineering specifically and the types of methods that these folks use that kind of set them apart from some of the other groups out there.
Rob Allen: A lot of it seems to be things like requesting password resets from understaffed and overworked support departments. A lot of it seems to be about applying pressure, which I mean, realistically, you know, a lot of social engineering does depend on. But it's kind of like, "Look, you're the third person I've spoken to about this now. I need it sorted out immediately. I'm on the phone to the CPO or the CTO or the CEO or whoever. I need this sorted right now." Those kind of tactics seem to be what they engage in. And again, because they're predominantly English speaking, a lot of organizations, a lot of, as I said, overworked and underpaid and underappreciated support departments will just say, "Oh, okay. I'll do it now." And they do it, and then they have access.
Dave Bittner: So because of that, being native English speakers, that doesn't sort of reflexively throw up red flags for the folks who may be on the other end of that support call.
Rob Allen: Yeah, very, very much so. Very much so.
Dave Bittner: So we talked about them being youthful. Is there anything significant to that, or is it as simple as a group of like-minded people with similar experiences banding together?
Rob Allen: I suspect that that's probably what it is, again, without any intimate knowledge one way or the other, but, you know, young people hanging out wherever young people hang out and, you know, of similar mindset and interests, I suppose, gather together. And, you know, if your moral compass is off somewhat and you figure there's a bit of money to be made in the likes of what they're doing, then it's, I suppose, an easy trap to fall into.
Dave Bittner: And when we say hanging out, where are the types of places that these folks are able to find each other?
Rob Allen: That's a really good question. I don't know. I would -- and again, as a verifiably not young person. I'm definitely joking with you.
Dave Bittner: Right. Right.
Rob Allen: Anything [inaudible 00:05:37].
Dave Bittner: The mall? But I guess what I'm getting at here is that it would be expected that they would be hanging out on dark web forums and things like that. Not your -- you know, these folks aren't taking part in an AOL discussion group or anything like that.
Rob Allen: Yes. No, presumably so. Presumably so. But I would imagine there's probably Signal chats and all sorts of stuff that people get invited to. And I mean, they -- apparently, they've got quite a tight inner circle of the core group. And then they have their, you know, lower-level people, and they've got affiliates. And as you said, the scattered nature of the organization, probably the "Scattered" in the name of the organization probably comes from that fact.
Dave Bittner: And what is it that they seem to be after here? Are they primarily financially motivated, or is this an espionage group? What are they after?
Rob Allen: Oh, yeah. I mean, there's estimates they've made upwards of 65, 66 million in attacks over the last number of years. I mean, I saw one organization apparently paid them a 10-figure sum, which is pretty incredible. And so, again, what they're doing appears to be working, and they don't appear to always actually use ransomware. They don't always run ransomware. In a lot of cases, it's probably more about data exfiltration, you know, selling access, that kind of stuff. But it's obviously -- again, based on the numbers, it's obviously pretty effective.
Dave Bittner: Yeah. For our listeners, can we kind of walk through what this process would look like? I mean, suppose I'm an organization that Scattered Spider has targeted. How would they initially come at me, and then how would the process play out?
Rob Allen: I think, particularly, it is about deceiving help desk personnel into things like resetting passwords or disabling MFA or re-enrolling a device in MFA. And as I said, it's often about sort of applying pressure to the individual. And, you know, as I said, "I'm on the phone to the CEO right now. I need this immediately." There's been some talk that they use AI-generated voices as well, which, again, is something that's becoming more and more prevalent now. The fact that those tools are so good and so easy to get your hands on. I mean, I've got an AI version of our CEO, Danny, and it's, quite frankly, terrifying. Now, I've used it for nothing more malicious than saying he loves Macs and Canadians and Scousers. But again, it wouldn't be beyond the realms of possibility that I could use my AI Danny to call, you know, one of our infrastructure guys or one of our support guys, saying, "Hey, I need this immediately." And so it's not beyond the realms of possibility. I mean, even -- this is an example that I often use, which is Danny at one stage -- or I remember this distinctly, but Danny, at one stage, about a year ago -- and bear in mind that we're a cybersecurity company. We are a well-educated and well-trained staff. Danny sent a message on Teams to everybody in the company saying, "I need you to download this and run it right now." Now, 40% of our staff tried to download and run the thing that Danny had just posted on Teams just because it came from, ostensibly, Danny. Now, anybody who knows Danny knows that he is only tangentially, at any given time, aware of the presence of his phone because he's very often on stage or, you know, doing anything really that involves his phone not being on his person. But 40% of, as I said, a well-trained and well-educated cybersecurity company's workforce trying to download and run an executable just because it came from the CEO was quite frankly terrifying.
Dave Bittner: And to be clear, this was just a test to see how you all did?
Rob Allen: Yes. Not very well, being the answer, but yes.
Dave Bittner: It's the cobbler's kids having no shoes, right?
Rob Allen: Exactly. Now, fortunately, I mean, obviously, it was just a test. It was just a little program that he'd mocked up, but it was something that we block anyway, because ThreatLocker effectively blocks everything. So all of the people who tried to run the thing weren't able to, but it also showed up on a unified audit going, this person tried to run it, this person tried to run it, this person tried to run it, multiplied by, as I said, 40% of our staff. So it was just a test, but I think it was a very instructional or educational test insofar as it shows the weaknesses in people. Because fundamentally, people very often are the weakest link. I mean, you can't blame everything on people, but I mean, these guys have obviously appreciated the fact that, look, you can do the really hard, difficult hacking stuff. You can be out looking for vulnerabilities. You can be trying to exploit those things, or you can make a bunch of phone calls to a support, as I said, overworked and overstressed support department, and you basically get access that way.
Dave Bittner: You know, it brings up a really good point, which is that I think a lot of people, when they find that they've fallen victim to this sort of thing or even fallen for, like, an in-house phishing test, they will feel really bad. They'll have a certain amount of shame. And we try to remind people that this can happen to anybody. And as you're saying, here, we have a company full of cybersecurity professionals and a not insignificant number of people in the company just did what the person they thought was the boss asked of them without really thinking twice about it.
Rob Allen: Absolutely. So, I mean, it is not an exaggeration to say it could happen to anybody. I mean, look, we all know training is important and education is important, but look, we're SOC 2 certified. We have to do training every quarter. One of those things that people get trained on is don't just click on links because it came from somebody that you think it should come from or think would, you know, send you something like that. But as I said, it's a really good indication or illustration of the fact that, you know, realistically, with the best training, humans are still the weakest link in cybersecurity.
Dave Bittner: How do you take advantage of that teachable moment to turn that into a positive opportunity for the company to do better?
Rob Allen: Well, I mean, from our perspective, we use it. We tell people about it. We use it as an example that look, if our well-trained, well-educated staff are -- I'm not going to say this gullible, but this persuadable just because it came from who they thought it came from or who it came from, you know, what's a typical, ordinary, not as well-trained and educated environment going to be? I mean, we did a -- again, Danny used to do a little bit of just sort of part-time as a nice gesture of support for the school that his kids were in. And same kind of thing. He basically -- he just set up like a Gmail account saying, "Look, you know, this is Danny. I'm looking after your support. Need your password to do X, Y, and Z." And a frankly frightening amount of people literally said, "Hey, that's really cool. Here's my password." It's incredible.
Dave Bittner: Yeah, people are very trusting.
Rob Allen: Well, they are. And again, it only takes a little bit of information to get people to be more trusting. And that's what a lot of these gangs actually do quite well. I mean, another example from my quite distant past, I have to confess now because it was back in the days when I worked for an IT company back home in Ireland. And I'll never forget one -- I got a phone call one night from a guy that I just did bits and pieces for. You know, we had a bunch of Macs and, you know, set up his network and all this kind of stuff in his house. But he rang me one night, pretty much in tears, because he'd got an email to say that basically his everything had been hacked. "We've been watching you through your webcam. We've seen you've been on inappropriate sites and we've taken pictures of you while doing it." But the really interesting thing -- and look, it's a standard scam. It's a standard spam email. I think I probably get 50 of them a week. But the point is, and how they made it more believable was they actually said your password is, you know, 12345. Now, they'd obviously pulled that from a breach site from some other breach a long time ago. But they use that little nugget of believable information, which is "We know what your password is," and then gave him all of this other crap, which was, "We've hacked your everything. We can see what you're up to." And because of the believable part, he believed the whole thing. And again, apply the same to your overworked and underpaid help desk. You know, or if it, you know, it sounds like it's Danny on the phone. "Hi. It's Danny here. Listen, I need you to reset my password immediately. I'm going to send you a request right now." And he hangs up. Even if it's AI Danny rather than actual Danny, you know, your overworked and underappreciated and underpaid help desk may well say, "Well, Danny was on the phone, so I'll do what he says."
Dave Bittner: You know, I had a similar thing happen with an associate who has a security company where they look after executives, you know, high-value, high-risk types of people. And he said, "Hey, for fun, is it okay with you if I go see what I can find about you and your passwords online?" And I said, "Okay. Sure." So he did. But you're absolutely right how disarming it is, because he started saying to me, "So tell me about this in your life. Is this your dog's name?" Right? Like, "What's the significance of this number? Is this -- was this the house number from when you grew up? Is this -- was this part of a phone number when you were in college?" You know, and so what it really did was like all of these things where I thought I was being clever and stealthy, but also making it so that my passwords were rememberable for myself were useless, you know, because in these password breaches, they could go in. And that's all that I think my friend did, was, you know, cross-referenced my name with a bunch of different password breaches and came up with this list. But it was so -- yeah, it was so easy to cross-reference with information about my life that is easily available online, my hobbies, my interests, you know, all those kinds of things.
Rob Allen: Well, it's one of the reasons why those things have become so ineffective now, because so much of that information is out there. The likes of the, you know, where did you grow up? Where did your parents meet? What's your mother's maiden name? And they're as good as useless in this day and age because so much of that information is out there and gatherable.
Dave Bittner: Yeah. Let's swing back to Scattered Spider. You mentioned at the outset that one of the things that kind of differentiates them or is notable about them is that they seem to focus on certain verticals at any given time. I think they hit the insurance companies for a while. And as you say, it seems like --
Rob Allen: They had a bit of -- they had a bit of a thing for casinos not too long ago.
Dave Bittner: Yes. Yes. Is there any reason why we think they're doing this? Is it simply for their own convenience, or what do you -- what do you think?
Rob Allen: I -- actually, genuinely, I have no idea. I would imagine that they -- perhaps, they try a particular vertical -- a particular industry. They have a little bit of success in that, and they go, "Oh, we could have other targets here that are just as vulnerable as the ones that we just hit." So I don't think it's any more strategic than, "Well, look, we've had success in this industry. Company X has paid us, you know, this amount. So maybe we can get the same off other companies in the same -- "
Dave Bittner: Yeah. I can't help wondering if there's kind of like a Dread Pirate Roberts thing going on where the -- you know, as their reputation grows and -- because certainly, if the shop down the street who does the same thing that you do gets hit and there's publicity about that, all of a sudden, you're going to be looking over your shoulder. And I wonder if that makes the negotiations easier for the Scattered Spider group when the reputation precedes them.
Rob Allen: Possibly. Possibly. Look, the fact that we're talking about it today, the fact that they -- I mean, the fact that they are a named group is something that means that their name, their tactics are -- you know, what they do and how successful they've been is out there. As you said, if somebody is affected or if somebody is hit by them, then fundamentally, they're probably more likely to take it seriously.
Dave Bittner: Well, let's talk about mitigations here in ways that people can best protect themselves. I mean, obviously, that is the business that you and your colleagues there at ThreatLocker are in. You know, what are some of the basics sort of universal guidance that you have? And then if you can think of any, what are some specifics here that people should be on the lookout when it comes to Scattered Spider in particular?
Rob Allen: Well, that's it. There's -- I suppose there's a couple of parts of that. I mean, as I said, they're quite unique insofar as they don't always deploy ransomware. They don't always try and encrypt data. And there are, you know, a lot of cases, a lot of these groups, that's their primary function. Now, they do often exfiltrate data as well, but it's with a view to effectively double extortion or getting paid twice potentially for the same data, or, you know, being more sure that you're going to get paid, which is, "Oh, you guys got backups, so you're going to get back up and running again? Well, we're going to release your data on the dark web." So a lot of the groups do that sort of two-pronged approach. These don't seem to be as preoccupied with the actual ransomware thing. It seems to be more about getting access, getting data. I mean, obviously, they're quite -- well, evidently are quite adept at that. I mean, I suppose, like, obviously, stopping the ransomware shouldn't be tremendously difficult insofar as, like, they're using, you know, well-known ransomware strains or using Akira, ALPHV, and RansomHub and things that have been out there for some time. I mean, there's always new versions. There's always new things that people need to look out for. But realistically, ransomware is ransomware. It's just code. So if you block everything, then realistically, you're going to block the ransomware from running. Again, you need to pay and appreciate, and not overwork, your help desk staff would probably be a good place to start for a lot of organizations because they can very often be taken for granted. And you don't need to be that far up in the food chain to be able to do a lot of damage by, as I said, resetting a password for somebody who is in a position where they can do a lot of damage. So, again, those people need to be, again, trained, educated. You know, this is what you do. This is what you don't do on the [inaudible 00:20:41].
It doesn't matter who's shouting down the phone at you. It doesn't matter if you think it's the CEO, if you think it's, you know, who it is. These are the processes and the procedures. And if the process and procedures aren't followed, then there's going to be trouble. So, I mean, just I suppose common sense is a long way -- would go a long way towards preventing them being successful.
Dave Bittner: Well, and I think you bring up a really good point or important point, which is that if anybody is trying to turn the heat up on you, is trying to put you into an emotional state, like you say -- yeah -- by yelling at you or saying, "I don't have time for this," or any of those sort of aggressive things, that you need to take a step back and gather yourself or, you know, maybe say, "Let me call you back."
Rob Allen: Yeah. No pressure is -- any sort of pressure like that is an enormous red flag. I mean, it's the same with email. You know what I mean? "There's been a transaction on your account. You need to check it out immediately." I mean, basically, email scammers use pretty much the same tactics, you know, which is to push people's emotional buttons to get a response. Same applies to these social engineering ones, which is that they are effectively pressing people's buttons and seeing what happens.
Dave Bittner: Yeah. All right. Well, we are going to have a link to a really interesting article from our friends over at CyberScoop, who really dug into some of the details about Scattered Spider. So we'll include that link in the show notes. We're going to take a quick break to hear from our sponsor. We'll be right back. All right. We are back. And, Rob, it is time for our Catch of the Day. [ Music ] Our Catch of the Day comes from a listener who shared this -- was actually sent around from their campus IT department, and this is a phishing example. So I'll read it, and then we can unpack it together here. It goes like this. It says, "Hello. You are qualified for pay increase on your next paycheck. Follow steps below to immediately confirm your details. Allow few hours for your congratulatory letter to be delivered to your email after confirming your details below. Click here to confirm your details. We thank you for your ongoing commitment to excellence here and congratulate you on your outstanding performance. Please note and be advised that matter relating to salary are confidential in nature and should not be divulged to other employees. Sincerely, Human Resources." Rob, what do you think?
Rob Allen: I think the bad guys need to try harder in that case. Genuinely, could they not just go on to ChatGPT, put it in, and say, "Please, English this better"? Because it is not good. "Allow few hours."
Dave Bittner: Allow few hours. Yes, yes, yes.
Rob Allen: No. And also "matter relating to your salary," I mean, again, these have been known red flags for a long time, that bad English, bad grammar is pretty indicative that it is not the person that you think is going to be -- or who is actually emailing you. But again, they're just massive red flags. And as I said, these scammers have obviously not tried very hard because they haven't gone to ChatGPT and said, "English this better, please."
Dave Bittner: Yeah, yeah. I guess the other obvious ones here are that this is something dealing with your paycheck. So they're looking for information related to that. We see a lot of these sorts of things where they try to get in the way of your --
Rob Allen: Oh, it's time-related. "You need to do this; otherwise, you're not going to get your massive pay increase."
Dave Bittner: Right. Right.
Rob Allen: The other thing is, who ever gives money without being asked to give money? You know what I mean? How many companies do you know of that are saying your performance is outstanding, so we're going to give you loads of money without you asking for it?
Dave Bittner: Right. Right. It also seems to me like the kind of thing that your supervisor would come in and give you a pat on the back, right?
Rob Allen: Absolutely. Absolutely.
Dave Bittner: Not just send you an email from HR.
Rob Allen: Random email from HR.
Dave Bittner: The other thing that strikes me here is that they're saying that salary matters are confidential.
Rob Allen: Don't discuss this with anyone else. Yeah. Again, big red flag.
Dave Bittner: Keep it to yourself. Allow a few hours for the letter to be delivered, right? So give us time to steal all your money.
Rob Allen: Exactly. Exactly. Yeah. This is not a long one, but there is a lot in here packed into such a simple phishing message.
Dave Bittner: Yes.
Rob Allen: I mean, I'm interested as -- a few hours for a letter to be delivered to your email. It's not even a letter to be delivered; it's a letter to be delivered to your email.
Dave Bittner: Yeah. Yeah.
Rob Allen: Because it takes so long for emails to get from A to B.
Dave Bittner: Right. Right. All right. Well, that is our Catch of the Day. And, of course, we would love to hear from you if there's something you'd like us to consider for the show. You can email us. It's hackinghumans@n2k.com. [ Music ] And that is Hacking Humans brought to you by N2K CyberWire. We would love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Rob Allen: I'm Rob Allen.
Dave Bittner: Joe and Maria will be back next week. Rob, thank you so much for joining us this week.
Rob Allen: It's been a pleasure, Dave. Thank you.
Dave Bittner: And thanks to all of you for listening. [ Music ]