
Tap, pay…and prey.
Dave Bittner: Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: And our N2K colleague and host of the T-minus Space Daily podcast, Maria Varmazis. Maria.
Maria Varmazis: Hi, Dave. Hello again, and hi, Joe.
Dave Bittner: We've got some good stories to share this week. First, let's get into some follow-up here. Joe, the most important news --
Joe Carrigan: Correct.
Dave Bittner: -- of the week is what?
Joe Carrigan: Chicken news.
Maria Varmazis: Chicken news.
Joe Carrigan: Chicken news. And you'll notice I spelled in the script, I spelled C-H-I-G-G-E-N, chickens. That's how we say it at home. My daughter has three eggs.
Dave Bittner: Wow.
Joe Carrigan: Three eggs.
Maria Varmazis: Wait, your daughter?
Joe Carrigan: Yes, this is my daughter's --
Maria Varmazis: The chickens of the, of your daughter's.
Dave Bittner: The daughter's chickens lays the eggs. Okay.
Joe Carrigan: Yeah, I don't know how many eggs my daughter actually has.
Dave Bittner: That's what I was going to say.
Joe Carrigan: Right.
Dave Bittner: She should treat them, but they have great value if she only has three.
Joe Carrigan: Correct. What you are looking at here, Dave, right now is about $400 an egg.
Dave Bittner: Oh, yeah. That's really good.
Maria Varmazis: In this economy, yes, congratulations. You guys are egg-unaires.
Joe Carrigan: Right. So you got to put on your tuxedo to have a little scrambled eggs.
Dave Bittner: Oh, we can't, so you can't sell these eggs for $400 a piece.
Joe Carrigan: I'm just saying for you to enjoy them yourself.
Dave Bittner: Right.
Joe Carrigan: Put on your tuxedo, you know, fancy dress up, because --
Dave Bittner: It's a $400 egg, what else you going to eat for $400?
Joe Carrigan: You're never going to do that. Well actually, each egg, each egg that adds, that comes out will lower the cost. And the limit is, well it's not zero, but it's, it'll be pretty close to cheap.
Dave Bittner: Yeah.
Joe Carrigan: So anyway, yeah so my daughter's flock is now laying. This is the second flock she had. You remember we had one flock that was taken out by an insider threat, Ellie the dog, just went down there and murdered all those chickens. I still address that dog as chicken killer.
Dave Bittner: Oh, okay.
Joe Carrigan: And my chickens are doing --
Maria Varmazis: First of his name.
Joe Carrigan: Yes, first of his name.
Dave Bittner: How far do you suppose you are from eggs now, Joe?
Joe Carrigan: Well, going by this, when did my daughter, when did I talk about the chickens getting eggs? When Pope Francis died, I remember it was the same weekend, so it was Easter. So then shortly after that, my daughter bought another 11 chickens, or 12 chickens, and now they're laying here. So that was, what, April, and now we're in November. So a little back of the napkin math, I should start getting eggs in the spring, Dave.
Dave Bittner: Okay. All right, well, that'll be exciting.
Joe Carrigan: And I don't think one of my chickens is going to lay any eggs.
Dave Bittner: No?
Joe Carrigan: Yeah, it might keep my neighbors up in the morning, but.
Dave Bittner: Oh no. Oh no.
Joe Carrigan: Yes, I believe it is a rooster.
Maria Varmazis: It might make a good stew, though, so get that wine ready.
Joe Carrigan: This chicken is too good looking to turn into stew. My plan is, because we can't have the rooster on our land, because we have less than three acres, you can't have roosters. But if he is a rooster, which I'm pretty sure he is, my plan for taking care of him and getting him off my property is to actually put him in the fair, because he's really a good-looking chicken.
Dave Bittner: Oh, I see.
Joe Carrigan: And I'll put him in there as what they call a cockerel, which is a male chicken that is under a year of age.
Dave Bittner: Okay.
Joe Carrigan: And that means that he will be, you know, into the cockerel class, and then maybe he's an Americano chicken. And man, he is, I mean, when I say he's good looking, man, he is a good looking chick. He's a handsome bird. I should look this good. My wife is very upset that we're probably going to have to get rid of him. But, so I think we can find him a good home because of how handsome, how dashingly handsome he is.
Maria Varmazis: I'm offended that you haven't shown us a picture of this bird.
Joe Carrigan: I will get you a picture of it.
Maria Varmazis: Because you can't talk about how good-looking it is and not share it with us. I mean, that's just mean.
Dave Bittner: Yes, sure. All right. Well we'll look forward to that next episode.
Joe Carrigan: Yeah, if I get home before the sun gets down.
Dave Bittner: Speaking of good-looking chickens, I put a link in here. Are either of you familiar with the Jackraptor project?
Joe Carrigan: No.
Maria Varmazis: No.
Dave Bittner: So, this is a breed of chicken. I think Joe just saw the picture.
Joe Carrigan: I did.
Dave Bittner: This is someone who is basically trying to return chickens to their velociraptor roots.
Joe Carrigan: Now, hold on. I think they're closer related to T-Rex, aren't they?
Dave Bittner: Who knows?
Maria Varmazis: Oh, that scares me. Oh my God.
Joe Carrigan: Good Lord.
Dave Bittner: Right, did you ever think you'd see a chicken that would look as badass as these chickens?
Joe Carrigan: I mean, this chicken looks like he's a killing machine.
Dave Bittner: I don't want to meet this chicken in a dark alley. No.
Maria Varmazis: It looks like a hawk.
Dave Bittner: No.
Joe Carrigan: Well, you say a hawk.
Maria Varmazis: It's a raptor, yeah.
Joe Carrigan: I have seen videos of when hawks come in the chicken pens and there's a rooster there that hawks may not survive that.
Dave Bittner: Yeah.
Joe Carrigan: The rooster is perfectly capable of killing that hawk. And that hawk is a killing machine in and of itself.
Dave Bittner: Right.
Maria Varmazis: Well, it makes sense. Otherwise, I mean, they got to be able to defend themselves somehow. They can't be just total easy prey.
Dave Bittner: Yeah.
Maria Varmazis: So, yeah, wow.
Joe Carrigan: Fifty bucks they want for a raptor, to join the Raptor Reserve.
Maria Varmazis: For a little dinosaur that you can keep in your coop.
Dave Bittner: What could go wrong?
Maria Varmazis: That's just, oh my god. It's both cool and nightmare fuel.
Dave Bittner: I know, yeah. I thought this would appeal to you, Joe. I could picture this being just your kind of thing to have, not just any chicken, have a dino chicken.
Joe Carrigan: Right. Well, I mean, that's what we call our little dinosaurs out back.
Dave Bittner: Yeah. Well.
Joe Carrigan: You know, they move around.
Maria Varmazis: How do they taste is my question. And I know they taste like chicken. But do they taste like dinosaur nuggets or like what?
Dave Bittner: It's like particularly buff chicken.
Joe Carrigan: Right.
Dave Bittner: Right. These chickens strut around and make all the other chickens feel inadequate.
Maria Varmazis: I mean, I feel inadequate looking at this chicken.
Joe Carrigan: That's what roosters do.
Dave Bittner: All right. We'll have a link to jackraptor.com in the show notes. It's something to see, isn't it?
Joe Carrigan: Yeah.
Maria Varmazis: Wow.
Joe Carrigan: You should definitely take a look at this.
Dave Bittner: Yeah.
Joe Carrigan: Especially if you're into chickens like I am.
Dave Bittner: All right, let's get to some stories here today. I am going to lead things off today. And I feel like this is, not justification, what is it when you feel satisfied?
Joe Carrigan: Vindication.
Dave Bittner: Vindication, thank you, Joe. Thank you for my live thesaurus.
Joe Carrigan: I am the human thesaurus.
Dave Bittner: Yeah, this is an exclusive report that Reuters released as we're recording this, this came out today. And Reuters did a deep investigation into Meta, which of course is the Facebook, Instagram, and WhatsApp company. I suspect the three of us all have a similar opinion of Meta --
Joe Carrigan: Yep.
Maria Varmazis: Uh-huh.
Joe Carrigan: I think we've made that pretty clear on this show.
Dave Bittner: Yeah, and so that's the vindication here. So this story is looking into Meta's ad network, particularly its fraudulent ad network.
Joe Carrigan: Really.
Dave Bittner: Yes. Reuters got a hold of some internal company documents from Meta, and what, I'll just roll through some numbers here. We all know Meta has a problem with fraudulent ads.
Joe Carrigan: Yes.
Maria Varmazis: Yes.
Dave Bittner: Like scammy ads. Every flavor of scammy ad is on the Meta platform. And of course, Meta claims that they're trying to clear that out.
Joe Carrigan: Hey, we deleted a bunch of accounts.
Dave Bittner: Yeah, yeah. Well, these numbers run contrary to that claim.
Joe Carrigan: Right.
Dave Bittner: So Meta's platforms, according to their own numbers, see an estimated 15 billion ads that the company classifies as high risk.
Joe Carrigan: Fifteen billion ads.
Maria Varmazis: Well, so that's not just their total number of ads, that's just the high risk ad.
Dave Bittner: No, no, this is the high risk ad. This is, every day, users of Meta's platforms see an estimated 15 billion ads that the company itself --
Maria Varmazis: Not individually.
Dave Bittner: It's just one guy who's, he's got bloodshot eyes, yeah, sitting in a dark room. And these are ads that show clear signs of being fraudulent. So these are the fake e-commerce sites, the bogus investment schemes, the illegal online casinos, and the banned medical products, okay.
Maria Varmazis: I wonder what's that ratio compared to things that they're pretty sure are legit. I mean, is that, do they have a ratio or a percentage there?
Dave Bittner: I think we might get to that.
Maria Varmazis: Okay.
Dave Bittner: So their internal systems flag these advertisers themselves as suspicious. But instead of removing them outright, what do you think Meta did?
Joe Carrigan: Well, they just flag them as suspicious and take the money.
Maria Varmazis: Goose egg.
Dave Bittner: You're close, Joe. You're on the right path. Maria.
Maria Varmazis: I don't think they do anything based on what I've seen.
Joe Carrigan: Maybe they increase the price of the ads.
Dave Bittner: Yes, that's what they do.
Maria Varmazis: Oh my gosh.
Joe Carrigan: Are you kidding me?
Dave Bittner: No.
Maria Varmazis: You can scam our user base, but you're going to pay.
Dave Bittner: That's right. That's right. We're in this together.
Joe Carrigan: Everybody's got a price, I guess, including a billionaire like Mark Zuckerberg.
Dave Bittner: That's right.
Maria Varmazis: How do you think he became a billionaire?
Joe Carrigan: That's right.
Dave Bittner: Yeah. Yeah. So if Meta's algorithms aren't 95% sure that an advertiser is a scammer, the solution from their point of view is to raise their ad rates, kind of like a fraud tax.
Joe Carrigan: Okay. So when you say 95% sure, does that mean that, if they are 95% sure that this person is a scammer, they jack up the price.
Dave Bittner: I'd come at it a different way. If there's a 5% chance that they're not a scammer, then they don't delete the account.
Joe Carrigan: Okay.
Dave Bittner: Instead, they raise the price.
Maria Varmazis: Do we know how much they raise the price by? Is it prohibitively high or just, you know, they --
Dave Bittner: I don't know. I know. And I don't see that in this article.
Maria Varmazis: I would be so curious to know if it's literally just like a little surcharge or if they're actually trying to price them out of business at scale. I doubt it.
Joe Carrigan: That would be an effective means if you make this economically infeasible for the attackers.
Dave Bittner: Yeah.
Joe Carrigan: And that may be the goal, but I'll bet --
Dave Bittner: Well, that's the claimed goal.
Joe Carrigan: Right.
Dave Bittner: Meta says that's the claimed goal, but obviously it's not slowing them down.
Joe Carrigan: Right.
Maria Varmazis: No, no, no.
Dave Bittner: Right.
Maria Varmazis: I'm kind of tempted to try this to see if I can make a fake ad and see what the price difference is with the legit one.
Dave Bittner: Yeah. So in 2024, according to Reuters, Meta made about $16 billion off of these high-risk ads.
Maria Varmazis: Yowzah.
Joe Carrigan: Okay. That's a good amount of revenue.
Dave Bittner: That's about 10% of their revenue. So Meta knows what they're dealing with here. According to the documents that Reuters got, their own researchers, Meta's researchers, concluded that Meta's products had effectively become a pillar of the global fraud economy. With one of their internal presentations estimating that its platforms were involved in a third of all successful scams in the U.S.
Joe Carrigan: Oh my gosh.
Maria Varmazis: Wow. Wow. Can we give them a little trophy? Pillar. Global fraud economy.
Dave Bittner: So Meta, of course, disputes this. They say that this is an exaggeration. They said to Reuters that the documents that Reuters got distort their approach to fraud and that they invest heavily in integrity and that they had removed more than 134 million scam ads this year alone.
Joe Carrigan: A hundred and thirty-four million scam ads.
Dave Bittner: Yeah.
Joe Carrigan: Wait a minute.
Maria Varmazis: Wow.
Joe Carrigan: Wait a minute, wait a minute, 140, what was the number of scam ads that happen every day?
Dave Bittner: Was it five billion a day?
Joe Carrigan: Fifteen billion.
Maria Varmazis: With a B.
Joe Carrigan: Fifteen billion, and they've removed 100 and some million this year.
Dave Bittner: A hundred thirty-four million this year.
Joe Carrigan: This year, okay, so we'd have to do the math here, but I mean, let's just, let's give them 100 days and just knock that number up. That's 1.5 trillion --
Dave Bittner: Yeah.
Joe Carrigan: -- malicious ads.
Dave Bittner: It's not one to one though, because the 15 billion is just exposure, not individual ads placed.
Joe Carrigan: Right, but they're saying they removed 134 million of these ads.
Dave Bittner: Yeah.
Joe Carrigan: Which is nothing compared to the hundreds of, the trillions of malicious ads they're showing.
Dave Bittner: Right.
Maria Varmazis: Yeah, a million is less than a billion.
Joe Carrigan: Right.
Dave Bittner: Right.
Joe Carrigan: By three orders of magnitude.
Maria Varmazis: That's just math.
Dave Bittner: It gets worse.
Maria Varmazis: Oh, cool. Love this. Love this for us. Love it so much.
Dave Bittner: Again, according to Reuters, Meta's own records reveal the company weighs how much scam revenue it could afford to lose. So they have an internal policy that they call their revenue guardrail, which limits enforcement actions that might cost more than 0.15% of total earnings. So for context, that's about $135 million out of $90 billion.
Joe Carrigan: Right.
Dave Bittner: So this is couch cushion change --
Joe Carrigan: Right.
Dave Bittner: -- for Meta.
Maria Varmazis: Point one five percent.
Dave Bittner: Point five, in other words, if their cracking down on scams exceeds 0.15% of their total earnings, they got to dial it back. They're leaning in a little too hard.
Maria Varmazis: Like not even a rounding error, 0.15%. That's wow.
Dave Bittner: Yeah.
Maria Varmazis: The greed. The greed is just eye-watering. Amazing.
Dave Bittner: So again, Meta takes issue with how Reuters is presenting this. Meta says that their long-term plan is to gradually reduce scam-related revenue from about 10% in 2024 to maybe only 6% by 2026. Of course, regulators are trying to turn up the pressure here. The SEC is investigating Meta's role in financial scams. UK regulators have found that Meta's products account for over half of payment-related scam losses last year, more than every other social platform combined.
Joe Carrigan: Right. Wow.
Maria Varmazis: Yeah.
Dave Bittner: So, I was thinking about this, and I mean, this is all possible because of the lack of regulation that Meta has, their space has, right. These online platforms are comparatively unregulated. Imagine if you are a bank and you knew people were doing fraudulent business through your bank, and instead of kicking them out of the bank, you just charged them more.
Joe Carrigan: Right.
Dave Bittner: Right? Like, regulators wouldn't be okay with that. And here we are.
Maria Varmazis: Where are the regulators? Where are they?
Dave Bittner: Yeah.
Maria Varmazis: Well, I think we know.
Joe Carrigan: By the way, I did the math, 15 billion ads per day, 15 billion fraudulent ads per day is 5.4 trillion fraudulent ads per year. And if Meta has removed, actually, well, you can't really say, because when they say they remove an ad, they probably remove an ad campaign.
Dave Bittner: Yeah.
Maria Varmazis: Yeah, I don't think you can one to one it, as Dave said, it's a little, it's squirrely, but the ratio's off. I mean, it's just, it's not even close to enough.
Joe Carrigan: Yeah.
Dave Bittner: Yeah. So some possible things that could get Meta to straighten up and fly right in terms of regulatory pressure, they could be imposed with something like real ad buyer verification. Basically, know your advertiser in the same way that financial institutions have to perform know your customer checks. Put a greater burden on Meta to know who is doing the advertising. They could have mandatory transparency reporting. They could have independent auditing of their algorithms and ad systems. They could have regulated response time obligations. One of the things this article points out is how even if something's taken down, it takes forever for it to be taken down.
Maria Varmazis: Yeah.
Dave Bittner: And then allow them to be liable for platform-enabled fraud.
Joe Carrigan: Yeah.
Dave Bittner: People come at them.
Joe Carrigan: I think, I think that's the one that's going to get them. Because I'm sure, in their EULA, there is a binding arbitration clause in there.
Dave Bittner: Yeah.
Joe Carrigan: So you can't sue them. I think you take that away. Take that away and say that, you know, if you're scammed out of money, then you don't have to go through binding arbitration. You can go directly to a class action lawsuit.
Dave Bittner: Right, right. So it's an interesting expose. We'll have a link to this story again from Reuters in the show notes. It's quite a read and once again, just reinforces how much, I think we're all in agreement among the three of us that if there were an alternative, we would be there in a second.
Joe Carrigan: Yep.
Maria Varmazis: Yeah, we sure would. No.
Dave Bittner: There isn't. I just feel yucky every time I finish, close out a Facebook window or something, like I want to take a shower.
Joe Carrigan: Yeah. It's gross.
Dave Bittner: Yeah. All right. Well, that is my story this week. Maria, you are up next. What you got for us?
Maria Varmazis: Well, there's some interesting research from the Howler Cell team at Cyderes. Is that how we say the company name, Cyderes?
Dave Bittner: I think so.
Maria Varmazis: Yeah. They found a systemic supply chain risk in Windows updaters. And this was ringing a bell. I think we talked about potentially vulnerable updaters or updater apps being an interesting attack vector. And then this research came through, and I was like, oh yeah, that sounds familiar. Let's dive into that. So the Howler Cell team branded this, and I love this, yet another acronym in InfoSec, the Bring Your Own Updates, BYOU, attack vector that lets attackers hijack trusted updaters to run arbitrary code. Which makes sense when you think of how a Windows installer works, what they're doing. It's running a lot of code. So if you can essentially hijack that legitimate process, then you can bypass a whole lot of security protocols, but also a lot of them aren't even looking at this process. So, you know, why would they be, why would that be hijacked? So yeah. The idea is that the attackers would abuse legitimate update clients, as I said, to pull from the internet and run attacker controlled packages. And because updaters and update paths are usually signed and trusted, this kind of activity can look normal and then can bypass endpoint detection response, AV, and app control. So I'm going to read a little blog update, not update, a little blog excerpt that Howler Cell wrote, because I think it just summarizes it beautifully, and then I'll dive into what they found. So they said, bring your own updates, or BYOU, allows attackers to hijack trusted updaters to execute arbitrary code quietly after gaining initial access, because the binaries are signed, the paths are trusted, and the behavior appears normal. This abuse often evades traditional security controls. And one example is the app Advanced Installer, which is an app and deployment tool that is used by many of the largest organizations in the world, and it can be leveraged to infect remote computers with malware, potentially leading to a devastating supply chain attack. 
And I keep saying app, but I really mean application. Sorry, it's a, this is an application, not an app.
Dave Bittner: So is this like, You know, I'm updating the drivers for my printer or --
Maria Varmazis: You're updating some software, some piece of software.
Dave Bittner: It could be anything.
Maria Varmazis: Literally anything. Yeah, the blog post actually has a whole list of legitimate software that uses this Advanced Installer app because you don't want to have to, if you're creating software for a thing, you don't want to have to go, and I now have to create an installer for the software. If a perfectly good one already exists, I can use that installer to ship what I got to do. So essentially, it's kind of going, this attack is attacking earlier in the, I don't know, it's not the supply chain, but just kind of going backwards a step. Instead of attacking the software, you're attacking the software that is used to update the software. It's really interesting when you think about it. So giving the lay of the land, the Howler Cell team found a vuln in Advanced Installer 22.7 back in May where they found that the updater would accept unsigned update packages by default. So the first step here was that the updater would support flexible options that can point to remote HTTP endpoints or network shares without integrity checks. Then the attackers could supply a crafted update config that references malicious payloads. And then the updater downloads and executes them after presenting a totally normal looking UI prompt. In other words, if the payload is unsigned or unchecked, it would get executed in the user context when presented as a normal update. So very, very stealthy. And then we should note that Advanced Installer does have mitigation for this, but it is opt-in, which is often where things get tricky. And that opt-in mitigation is install only digitally signed update packages signed with the same certificate as the updater. But as you might imagine, many installers and deployments do not enable signature enforcement, including Advanced Installer's own updater in some cases. I'm like, whoa, it goes all the way down. So Howler Cell, which again, they did the research into this, they warned that this is not isolated.
Many installer frameworks, not just Advanced Installer, and signed update clients expose similar attack surfaces. So I kind of hinted at the beginning of my story about why this is dangerous, because again, it's not attacking software, it's attacking the thing that updates the software. So popular installer tooling like this guy means many vendors and internal applications may inherit the weakness of a vulnerable Advanced Installer, for example. Signed binaries and normal updater behavior will let malicious code run under the guise of legitimate updates, that's not a big surprise. And then this kind of activity specifically, because it's really not an attack path that we've seen very often, it can completely bypass endpoint defenses that actually whitelist trusted installers or assigned paths. And then, as you might imagine, if the attacker gets initial access because of the level of access that you have through an installer, they can pretty easily maintain persistence and then distribute malware broadly via trusted update mechanisms. So the Howler Cell folks said that in a real world scenario that you could easily imagine this leading to supply chain poisoning, where a single compromised updater or poisoned package could then distribute malware to many different corporate customers. And again, in the case of Advanced Installer, this previous version anyway, a lot of legitimate software that you would recognize uses this. So it's actually quite scary to think that this is a single pane of glass, as you will, if you want to use that terrible phrase. And then attackers do not need administrative privileges or authentication in this specific exploitable flow. They only need the ability to influence the updater URL or config, which is kind of wild if you think about it. Wow, I'm wondering why we haven't heard of this one as much before. I'm sure it has existed. It's just fascinating to read about.
So the team that researched this do have some mitigation suggestions here. So for IT admins who have the ability to do this, they're recommending that they scan their environment for updater binaries and runtime use of URL or config options. They do recommend using endpoint detection and response rules to flag updater processes that spawn network downloads or launch unsigned executables. Of course, using block lists and allow lists is really important. So of course, you want to block malicious domains and create allow lists specifically for update endpoints only, legitimate ones, requiring code signing for internal application releases and enforcing signature checks and deployment tools. That is, again, the big loophole here that this type of attack is exploiting. So making sure to keep that included. And then including update security checks in procurement and vendor risk assessments, because again, I don't think a lot of people are aware that this is even a thing. Certainly I wasn't. So the nutshell is that BYOU, the bring your own updates, new thing, new stealthy thing, it is powerful. It is a stealthy attack pattern. It does hijack trusted signed update channels to run malware, which I thought was really fascinating, honestly. Defaults matter. So again, in the case of this specific Advanced Installer version, the default was that there was a mitigation, but it was opt-in. Opt-in mitigations are really not enough, and this is pretty clear. And then for folks who have this kind of visibility into the processes internally, treat update mechanisms as a high-risk part of the supply chain. This is some pretty, this is super fascinating. I found this blog post really interesting. I never would have thought of update mechanisms as even a way that an attack could be introduced but got to add that to the pile. It's just really interesting to think how that could be a way in and then present such a problem for so many different software and companies.
So yeah, fascinating, something to be aware of.
Dave Bittner: So help me understand here, and I'm going to try to, I feel like perhaps for some of our listeners, we may be in the technical weeds with some of this.
Maria Varmazis: A little in the weeds for me too, admittedly.
Dave Bittner: Pull out my weed whacker.
Maria Varmazis: Sure.
Dave Bittner: So is the idea here that I'm again, I'm just going to use my printer as an example, right. I decide I want to check to see if there are any updates for my printer. I go search for updates for my printer. I get a link that says, good news, there's an update for your printer. Is the fact that I'm going to an unknown location, is that what's going to get me the infected update to my printer via an installer? Or have the bad guys actually infected the installer at the printer provider's website? Do we know?
Maria Varmazis: I'm trying to, I think the part where my brain's getting a little stuck is this is not like a driver thing. So that's, they make a point of saying this is not specifically that kind of a thing. It might help to look at the, for example, the list of different companies that use Advanced Installer in this specific case. So it's things like Dell, eBay, Apple, Sony, a lot of these companies that might be deploying their own software. Somewhere in the process the configuration is not done correctly. So the installer itself is being exploited.
Dave Bittner: Yeah. I guess I'm trying to figure out where at what stage of the game do the bad guys get in?
Maria Varmazis: I'm trying to figure out if this is, I don't think this is something where someone's going to a website and it's not a consumer-level thing. This is going to be more of an enterprise thing. So, so yeah, it's.
Joe Carrigan: When I first started in the tech field, one of my jobs, we had an updater inside for Windows. Like, your Windows system could update itself by going out to Microsoft, but if every computer in our network which was at the time, just one big network, and that's a security nightmare. But if every computer went out at night to update, it would shut the, you know, it'd be a denial of service. You wouldn't be able to do it. So what they had on the inside was they had one updater server, one update server that would go out and pull the update from Microsoft. And then that could be distributed in a managed way across all the Windows machines in the, in the environment.
Dave Bittner: Right.
Joe Carrigan: So it sounds like it's something like that.
Maria Varmazis: Yeah, it's, I think this is definitely something where like the average employee at one of these companies is not going to encounter this. But when you're talking about the update path, this is something where if somebody pulls something, yeah, I don't, that's a great question, actually, Dave. Where exactly does the attacker come in here? Where does the, where does the misconfig become introduced? I'm not entirely sure.
Dave Bittner: Okay.
Maria Varmazis: And part of the reason I'm kind of a little quiet right here is I'm going back and rereading the blog post to see if I missed that. So it allows attackers to hijack the trusted updaters. So the paths are trusted. So that's a great question. Maybe I'm missing something here. There is a malicious update configuration file. So somehow whoever is responsible here is being pointed to the malicious config file. And then it's being hosted on a remote server. So you have to trick the updater into presenting the update. I'm not sure I actually understand that part either, Dave. That's a good question.
Dave Bittner: Sounds like they have to get in somehow to --
Maria Varmazis: They have to get in somehow, yeah.
Dave Bittner: -- Change the configuration on the updater.
Joe Carrigan: Yeah.
Maria Varmazis: Yeah, it's a thing where it's doable. But again, it's not like it's a phish where it's a thing where the average user has to be aware of it.
Joe Carrigan: Yeah, and it's kind of like, you know, instead of, you know, poisoning your glass of water, you're poisoning the water supply.
Dave Bittner: Right.
Maria Varmazis: Yes. Yeah, it's, yeah, that's a really great way of putting it. So, yeah, I'm looking, I'm reading through the blog post and I'm thinking to myself, I'm looking at like the checksum and stuff, and usually that's people make sure to run them and, you know, use and check against the checksum. But why would that be bypassed in this case? I don't know because people are working fast and miss stuff.
Dave Bittner: Right.
Maria Varmazis: I'm not really sure. I feel like this is where our IT friends could definitely fill me in on this one because I have not had to do that as part of my job. So I'd love to know.
Dave Bittner: If one of our listeners has more detailed insights into this or can help spell it out, let us know. We'd love to hear from you, and we'll provide some clarification as we find out ourselves. But I guess the bottom line here is, be careful where your installers come from.
Joe Carrigan: Well, I mean, the bottom line is turn on what should be already turned on, right.
Maria Varmazis: Yes.
Joe Carrigan: Only install signed updates from the same certificate that installed the software initially or from, use the PKI infrastructure. I just did it again. I'm going to burst into flames. The I in PKI stands for infrastructure. Use PKI to validate everything.
Maria Varmazis: Yes, and remember, the mitigation for this is opt-in. So if you're not opted in, you're not --
Joe Carrigan: And it shouldn't be. This product should be secured by default.
Maria Varmazis: Yeah, it really should.
Joe Carrigan: Yeah.
Maria Varmazis: And actually, that's something that Howler Cell mentions at the end, is that they did responsibly disclose this one to Advanced Installer, and they, yeah, they said that it basically, they're aware of it, but it doesn't sound like that issue's been entirely mitigated. I don't want to miss, what's the word I'm looking for?
Joe Carrigan: Misrepresent.
Maria Varmazis: Misrepresent exactly what's going on, but they're saying that essentially what they've identified is an --
Joe Carrigan: I'm two for two.
Maria Varmazis: Yeah. I'm having a total brain fart on words today, but yeah, it sounds like this is still somewhat of an issue.
Dave Bittner: Joe, you need to play Wordle today.
Joe Carrigan: Right.
Dave Bittner: All right. I'll tell you what, we will have a link to that story in the show notes. Let's take a quick break. We'll be right back after this message from our show sponsor. And we are back. Joe, you are up next. What you got for us?
Joe Carrigan: Dave, my story comes from everybody's favorite news source, Fox News.
Maria Varmazis: Hey.
Joe Carrigan: Surprisingly, surprisingly, it's not a political post, though.
Dave Bittner: Okay.
Joe Carrigan: So it's a story about it from Kurt Knutsson with two S's in his name, which I think is weird, but he's a cyber guy report. It's not really weird. It's probably just the way his family spells his name and always has.
Dave Bittner: Yeah.
Joe Carrigan: So sorry, Kurt. But there's a couple of things in this story that are not exactly 100% correct, but there are, the story is about ghost tapping scam, which targets tap-to-pay users. Dave, you pay with your Apple phone, correct?
Dave Bittner: I do, I pay with my Apple phone, I pay with my Apple Watch. In fact, the last time I was on vacation, I got into Disney parks using my Apple Watch.
Joe Carrigan: Really?
Dave Bittner: You can just tap on a little thing, and then a little thing, light would turn green, and they'd say, please come in, sir.
Joe Carrigan: Right.
Dave Bittner: It's very fancy.
Joe Carrigan: Open the velvety rope, you know.
Dave Bittner: That's right.
Joe Carrigan: Come on in, Mr. Bittner.
Dave Bittner: Mr. Mouse is waiting for you, Mr. Bittner.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: In your private dining room.
Dave Bittner: That's right.
Joe Carrigan: So here's how this works. They're talking about the wireless technology that's in your credit cards, which is an RFID chip. And this story talks about scammers who use near-field communication devices that mimic legitimate tap-to-pay systems. Now, I think, technically, the device is an RFID reader, not a near-field communication, because that's what you have on your phones. And your RFID is what's in a credit card, because there's no power on an RFID system until it comes into contact with an RFID reader's field. It's essentially a small radio field.
Dave Bittner: Yeah.
Joe Carrigan: I think I'm being way pedantic about this, but --
Maria Varmazis: You're not known for pedantry, Joe.
Joe Carrigan: Right.
Dave Bittner: You?
Joe Carrigan: Yeah, me? So what happens is these scammers pose as charity vendors or market sellers who only accept tap payment, and they will come up to you and they'll say, hey, I've got to get this done really quickly. I got a hundred other people I got to talk to. And they don't want you to pay attention to anything that's going on in terms of the amounts. And then they will charge you far more than you initially thought you were being charged. There's some real world cases here where people have lost hundreds or a thousand dollars. They are also using systems that come close to like your wallet and go through your wallet. They are able to emit a field into your wallet. Now, I think this, Dave, you and I are both amateur radio operators, right.
Dave Bittner: That's true.
Joe Carrigan: So we're familiar with antenna design.
Dave Bittner: Yes.
Joe Carrigan: So if you have a regular RFID reader, it has an antenna inside that emits a signal. The RFID goes into that field, is actually powered by that field. This is the same way that you would like charge an electric toothbrush.
Dave Bittner: Yeah, you know, I can't remember if you were with me, Joe, but I saw Kevin Mitnick demonstrate this once. Of course, Kevin Mitnick, who has passed away.
Joe Carrigan: Yes.
Dave Bittner: But he was a world famous hacker for the folks who may not know who he is, famous, notorious, depending on your opinion of Mr. Mitnick, but he was always nice to me.
Joe Carrigan: Yes, me too. I did meet him once.
Dave Bittner: Yeah.
Joe Carrigan: He signed some of my 2600s that said Free Kevin on the front of them.
Dave Bittner: Oh, nice.
Joe Carrigan: Yes.
Dave Bittner: So Kevin was also kind of famous for having business cards that were lockpick kits.
Joe Carrigan: I have one of those too.
Dave Bittner: Yeah. So I saw Kevin do a demonstration where he had a specialized piece of equipment that could basically do these kind of scans at a distance.
Joe Carrigan: Right.
Dave Bittner: And very effectively.
Joe Carrigan: So what that is, is a directional antenna. So if you focus the energy, and actually because the attacker is in control of the transmitter, they can emit a lot more energy than is needed for a standard transaction. Now, good news is that modern chips use the same kind of tokenization that happens on your Apple Pay and your Google Pay and your Samsung wallet and all that stuff.
Dave Bittner: Okay.
Joe Carrigan: So they're not going to steal your credit card details, but these guys aren't really doing that. What they're doing is they're just running a bunch of charges on your credit card or your debit card. So the question is how to protect yourself from this? You as an individual, of course, you have to go out and buy one of these fancy RFID blocking wallets or card sleeves. It's essentially a little Faraday cage is the term of art.
Dave Bittner: Yeah.
Joe Carrigan: The, when the signal encounters that, it doesn't go any further, stops it.
Dave Bittner: Right.
Joe Carrigan: And then verify before you tap. In other words, look at the amount you're being charged before you tap the tap-to-pay device, if they're using a regular device. Set up instant alerts. I have this on every credit card that I have that will allow it. Every time a charge is made, I get an alert. And I can look at my phone and see how much I was charged.
Dave Bittner: Yeah.
Joe Carrigan: So I know exactly how much I paid for my bagel and coffee at Dunkin' Donuts. They always ask, do you want a receipt? I'm like, nah, I got a text. Out the door I go. So that's really how you protect yourself. Be cautious in crowded areas. I mean, that's really not very helpful. I mean, you're not going to be sitting there with your head on a swivel going, who around here has the Yagi antenna pointed at my butt, right? That's just not something any normal human being is going to do.
Dave Bittner: I don't think that's a phrase that's ever been uttered in the history of the English language, Joe.
Maria Varmazis: Add that one to the pogo stick one, Joe. What was the, what was the --
Joe Carrigan: What do I hope to accomplish on this pogo stick?
Dave Bittner: Yeah. Who's got the Yagi pointed at my butt?
Joe Carrigan: Right.
Maria Varmazis: Okay, we really need some Joe merch ASAP.
Dave Bittner: That's why Joe's no longer invited to the Ham Radio Club meetings.
Joe Carrigan: Right. Right.
Dave Bittner: So, a couple things here. Another tap to pay thing that I'm a big fan of that I've used several times in the past month for the first time is they have tap to pay with your iOS devices in the Washington DC Metro. This is wonderful.
Maria Varmazis: Oh yeah, that's right. Yeah, yeah, yeah.
Joe Carrigan: So you don't have to go to a fare machine anymore or a fare card machine.
Dave Bittner: Nope, nope. You just strut on up with your phone, tap it on the little receiver thing, the gates open. In you go.
Joe Carrigan: Out you go.
Dave Bittner: Yeah. And on the other end, you tap it again and you're all set. It's wonderful. It's the way it should be. So let me ask you this.
Joe Carrigan: Yeah.
Dave Bittner: I was at a venue last week. Actually, both Maria and I were at a venue last week. We were at a cybersecurity conference where we were presenting.
Joe Carrigan: My invitation must have gotten lost in the mail.
Dave Bittner: Must have.
Maria Varmazis: Did mention you though, Joe.
Joe Carrigan: Oh, good. Okay.
Dave Bittner: So.
Joe Carrigan: Say my name.
Dave Bittner: In the, this was an auditorium. So imagine movie theater seating.
Joe Carrigan: Okay.
Dave Bittner: And so --
Maria Varmazis: I know where you're going with this.
Dave Bittner: -- I'm sitting in the seat and I'm looking at the stage and I look on the seat in front of me. There's a little label that says, all it says is tap your phone here.
Maria Varmazis: Yep.
Dave Bittner: And there's a little like, you know, Wi-Fi looking logo.
Maria Varmazis: A little NFC. Yeah, the field. Yep.
Dave Bittner: So let me ask you, Joe.
Joe Carrigan: Right.
Dave Bittner: You're sitting there.
Joe Carrigan: Yeah.
Dave Bittner: Every single seat in the place has a tap your phone here on the back of it. Well, actually, I should probably ask Maria. She's the clicker.
Maria Varmazis: Yeah.
Dave Bittner: What do you do?
Maria Varmazis: I did not do the thing. I was so tempted, though. The intrusive thoughts were very loud.
Dave Bittner: I'm so curious what happens if I do tap my phone here.
Maria Varmazis: It was also annoying me because it's like, okay, even if I wasn't an InfoSec person, it doesn't tell me what to do that for. It's just bad messaging. It doesn't say, tap it for what reason? What am I going to get out of this? Like are you going to charge me a million dollars? Are you going to download something to my phone? I mean, are you going to make it explode? I don't know.
Dave Bittner: Are you going to bring me a cocktail?
Maria Varmazis: Yeah. [ Overlapped Speaking ] So, yeah, they don't tell you what to do it for. And I was thinking to myself, maybe it's just a magnet and it just lets your phone stick there. I have no idea, but I don't want to find out. I actually I didn't do it.
Dave Bittner: Well, I did.
Joe Carrigan: Oh, you did. [ Laughter ]
Dave Bittner: I took one for the team.
Joe Carrigan: What happened when you did that?
Dave Bittner: So a little alert popped up on my phone that said, you know, do you want to connect to, and I'm just making up a name here, like locationvendor.com. So it's some kind, it's connected to some kind of service that the venue pays to use. I'm guessing that it is a way to order drinks and food and stuff like that from your seat through your phone, because it'll tell them what seat you're in. That's my guess. Now, so, I clicked enough, I tapped and that popped up. I did not click through.
Joe Carrigan: Right.
Maria Varmazis: Oh.
Dave Bittner: Because --
Maria Varmazis: So you didn't give them your payment information, Dave.
Dave Bittner: I did not, no.
Maria Varmazis: Dang it.
Dave Bittner: I did not. But sort of what you were saying, Maria, like, the lack of information that they give you on this, all it says is --
Maria Varmazis: It bothered me.
Dave Bittner: -- it says tap your phone here. Like, okay. And I did.
Maria Varmazis: Taking the paranoia tinfoil hat off, I was like, for what reason? Like what is the point of this?
Dave Bittner: Yeah.
Maria Varmazis: It bothered me a lot.
Dave Bittner: Yeah.
Maria Varmazis: Because if it was the Wi-Fi, it didn't indicate that at all. Like, hey, tap here to join the Wi-Fi. It would have just been so easy and they didn't do it.
Dave Bittner: Right, right. It's like walking down the street and seeing a big red button that just says press button.
Joe Carrigan: Right.
Dave Bittner: Right.
Maria Varmazis: You know I would press that button.
Dave Bittner: I know Joe would too.
Joe Carrigan: I would. That is something I would do. I'd look up first to make sure there's not some kind of like Looney Tunes safe hanging above of my head or a piano.
Dave Bittner: Yeah.
Joe Carrigan: Yeah. That would be my first thing to do, but then once seeing just clear sky, I'd push that button.
Dave Bittner: And that's when the trap door opens beneath you.
Maria Varmazis: See, the answer is you use a very long stick.
Dave Bittner: Right, right.
Joe Carrigan: A broom handle.
Dave Bittner: Oh, yeah. All right, well, we will have a link to that story in the show notes. Joe, Maria, it is time for our catch of the day. [ Music ]
Joe Carrigan: Dave, our catch of the day comes from the phishing subreddit. And it says you are, the subject is an elect evite.
Dave Bittner: Yeah, the elect, the elect invite, it says.
Joe Carrigan: The elect, I'm sorry, I read that totally wrong, I botched that.
Dave Bittner: It's okay.
Joe Carrigan: It's an elect invite.
Dave Bittner: Yeah.
Maria Varmazis: Here, let me help you out here, Joe, there you go.
Joe Carrigan: Thank you, even better.
Dave Bittner: All right, so it goes like this.
Joe Carrigan: Oh, hold on, we should tell everybody what Maria just did. She enlarged the image so I could read it.
Maria Varmazis: I made it bigger so you can read it.
Joe Carrigan: For my old man's eyes.
Dave Bittner: Oh, okay.
Joe Carrigan: Thanks, Maria, that's really great.
Dave Bittner: The large print edition, yeah. It goes like this. Esteemed applicant, the elect extends a singular invitation. You have been observed, your ambition, discretion, and resolve set you apart. The world is shaped by those who know how to act unseen, those who understand power and responsibility alike. If you accept, your first step is private and small. Reply to this e-mail with yes upon receipt. An envoy will contact you with further instructions. Membership is not a promise of fortune. It is access to counsel, knowledge, and a community bound by strict secrecy and mutual aid. Those who join do so with solemn commitment to the circle's code. Discretion is paramount. Keep this invitation to yourself and respond only by the channel above. Mr. J, the Council of the Ecliptic.
Maria Varmazis: Oh, my God. Yes. A million times, yes. I'm in.
Joe Carrigan: We'd have a hard time not responding to this with yes, just to see where this goes.
Dave Bittner: It's like the stone cutters.
Joe Carrigan: Right.
Maria Varmazis: We do. Yes.
Joe Carrigan: Also, it sounds like the guy from Men in Black, Mr. J, and you're going to be Mr. K when you get there.
Dave Bittner: Right.
Joe Carrigan: Right.
Dave Bittner: Right.
Maria Varmazis: The Council of the Ecliptic. Oh my God, I want to be part of this. That sounds amazing.
Joe Carrigan: So do you know what the ecliptic is?
Dave Bittner: No.
Joe Carrigan: The ecliptic is the path of the, from the Earth's point of view, it's the path that the sun and the moon and all the planets take through the sky. So it's where all the zodiac, all the zodiac signs are. I see Sagittarius, Leo.
Dave Bittner: Okay, interesting.
Maria Varmazis: So this is --
Dave Bittner: I'm surprised you didn't know that, Maria. Space person.
Maria Varmazis: I was thinking, I've never heard ecliptic. I don't know astrology stuff. That's not a thing I'm familiar with, but --
Dave Bittner: Yeah.
Maria Varmazis: -- I was thinking, okay, so if it's, if it's about the zodiac, does this mean this is outreach from the Zodiac Killer?
Dave Bittner: Is he in jail now? Didn't they catch him?
Joe Carrigan: Who knows.
Maria Varmazis: They caught the Zodiac Killer?
Joe Carrigan: Didn't they kill you --
Dave Bittner: I don't know, he's probably like the --
Maria Varmazis: Ted Cruz is in jail?
Dave Bittner: He's probably like the Dread Pirate Roberts, where they just roll over a new one every now and then. So looking at this, several things jump out. They want secrecy from you, they want you to act right away.
Joe Carrigan: Right.
Dave Bittner: They're offering exclusivity. They're flattering you. They're saying you have ambition, discretion, and resolve that set you apart. So yeah, pushing a lot of emotional buttons here, trying to get you to reply, and then I'm guessing that probably the membership fee is pretty steep.
Joe Carrigan: Yes, that's probably where, that's how they get you, Dave.
Dave Bittner: Yeah, the ongoing membership fee. It's really the breakfast fees that get you. It's not just the membership, it's the ongoing stuff.
Joe Carrigan: So the Golden State Killer is the one they caught, and that's who I was thinking of. The Zodiac Killer who was active in San Francisco Bay, they have not, he's not been identified.
Maria Varmazis: Well, as I said, it's Ted Cruz, so we're good. It's fine. He's all right. We know where he is. This is a meme. I'm not serious. Please don't sue me, Ted Cruz.
Dave Bittner: Yeah, Ben Yelin's from the San Francisco area. Just saying.
Maria Varmazis: Have we seen him in the same room as the Zodiac Killer?
Dave Bittner: Well, I mean, he's not there anymore, so maybe he had to flee the area. You never know. These are how rumors begin.
Joe Carrigan: Some of these killings happened, I think, maybe before Ben was born.
Dave Bittner: Yeah. Well, it's always a good idea to say something bad about a lawyer, you know, because they're not going to come after you. All right, well, that is our catch of the day, and of course, we'd love to hear from you. If there's something you'd like us to consider for the show, please e-mail us. It's hackinghumans@n2k.com. And that is our show brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an e-mail to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Tre Hester. Peter Kilpi is our publisher. I'm Dave Bittner.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: And I'm Maria Varmazis.
Dave Bittner: Thanks for listening.