Hacking Humans 6.11.26
Ep 390 | 6.11.26

WhatsAppening here?

Transcript

Dave Bittner: Hello, everyone, and welcome to the "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: And our N2K colleague and host of the "T-minus Space Cyber Briefing," Maria Varmazis. Maria.

Maria Varmazis: Hi, Dave. And hi, Joe.

Dave Bittner: We've got some good stories to share this week, but first, we've got some follow-up. Joe, you want to start things off for us?

Joe Carrigan: I do. I have an interesting story this week.

Dave Bittner: Okay.

Joe Carrigan: My wife --

Maria Varmazis: Finally.

Joe Carrigan: I -- what? It's not a chicken update, so no.

Maria Varmazis: Okay.

Joe Carrigan: My -- Dave, you recall back in October, we lost Fred.

Dave Bittner: Yes.

Joe Carrigan: Yes, Fred was a good boy. He was a big dog, but he was a good boy.

Dave Bittner: He was a good boy. He visited the studio here more than once.

Joe Carrigan: He did.

Dave Bittner: He was a very good boy.

Joe Carrigan: And he came in and he said hi to Dave and he sat down. Oh, he did nose through the trash because that was well, that's dog.

Dave Bittner: And Fred liked to be pet.

Joe Carrigan: Oh, yes, he was very pushy, very pushy. One of the sweetest dogs I've ever known.

Dave Bittner: He was.

Joe Carrigan: So we lost Fred back in October, and my -- we still have Josie because we also have two cats now, Josie and the pussycats.

Dave Bittner: Okay.

Joe Carrigan: That's the joke. So my wife is like, I think I want to get another dog, but I want to get another miniature poodle or something similar like Kevin, because Kevin was our first dog, and she really loved Kevin a lot. He was a good boy as well. So she actually starts looking around, and she got targeted by a puppy scammer.

Dave Bittner: Oh.

Joe Carrigan: Now, can you -- I'm going to ask both of you: can you guess the platform? Guess the social media site she was on.

Dave Bittner: Wow, this is hard. What could it be? I don't know. Is it the book of the face?

Joe Carrigan: It is the book of the face.

Maria Varmazis: Book of the face!

Joe Carrigan: Facebook.

Dave Bittner: Right.

Joe Carrigan: She actually engages. She says, Where are you guys located? And they say they were located in Pennsylvania. And she says, Well, that's great. I love these pictures of these dogs. I'd like to come up and meet them. And they were like -- eventually they start telling her, yes, well, that's fine, but we don't reserve any dogs until you send a deposit. And I'm like, scam. Because she's talking to me the whole time she's doing this. I'm like, this is a scam. And she goes, are you sure? I'm like, positive this is a scam. And she says, Okay, well, let me see if we can just go up and visit the dogs. Right? Because -- and she goes, look, I don't want to reserve a dog. I just want to come up there and see the dogs you have before sending you any money. And they're like, no, no, we can't do that, because that reserves a dog and we can't reserve a dog. We're very reputable people. We're very honest and very open about what we're doing here, right? Constantly saying that kind of thing about it. And I'm like, uh-huh, total scam. And they were like, you can give us a deposit of $500.

Dave Bittner: Oh.

Joe Carrigan: And I'm like, that's a big deposit. And I'm like, eventually, she's like, no, I really want to come up and see the dog. And then I'll tell you what, we'll come up, we'll see the dog, we'll meet the dog. And if we pick out a dog, we'll write you a check on the spot for $500 for the dog. Right? And they go, How about you send us a deposit of like 250?

Maria Varmazis: How about "two-fifty"?

Joe Carrigan: Right.

Dave Bittner: Would you believe?

Joe Carrigan: Right. Yes. They reduce the amount, and eventually, my wife, you know -- actually, my wife caught on very quickly after I pointed out: oh, yes, this is a scam. We've talked about them on "Hacking Humans." And eventually, she said, look, it's obvious to me that you're a scammer. You're not interested in selling, you're not -- there are no dogs. And looking at the pictures, the dogs were all like beautiful little fluffy puffballs.

Dave Bittner: Yes.

Joe Carrigan: And I'm almost positive they were AI or at least AI-enhanced. But, you know, it's another scammer reported to Facebook. I can almost be --

Maria Varmazis: Oh, they'll be right on it.

Joe Carrigan: Yes, they're on it. Right.

Maria Varmazis: Yes, yes. They've got their best men on it.

Joe Carrigan: Yes.

Dave Bittner: So, how did she start her search on Facebook for puppies?

Joe Carrigan: I don't know. That's a good question. She may have just gone -- looked for puppies, you know, poodle puppies.

Dave Bittner: Facebook marketplace, maybe?

Joe Carrigan: No, it wasn't Marketplace. She was looking for business sites, I think. Or maybe she was on Marketplace. I don't know. I don't know. Actually, that's a good question, Dave. I'll have to ask her that.

Dave Bittner: Yes, interesting. Well, I'm glad you didn't get scammed.

Joe Carrigan: Nope, didn't get scammed.

Dave Bittner: Yes, lots of puppies come out of Pennsylvania. There's a lot of puppy mills up there.

Joe Carrigan: Yes.

Dave Bittner: Unfortunately.

Joe Carrigan: Yes. It's not great. We got our dog from Virginia, Kevin, when we got him.

Dave Bittner: Yes. Josie just some random dog that, you know, some beagle got loose and impregnated a boxer. And so now I have this dog that looks like -- now I have this dog that looks like she's made out of spare parts with a little tiny boxer head and a big staunch beagle body with a beagle tail and long legs. Right, right. She made a trip through that transport mechanism from the movie The Fly.

Joe Carrigan: Right [laughs]. I think she's adorable.

Dave Bittner: Of course you do.

Joe Carrigan: Right.

Dave Bittner: Yes.

Joe Carrigan: My daughter thinks she's an ugly dog.

Dave Bittner: Aw. Your daughter's probably just jealous of all the love and attention she gets [laughs].

Joe Carrigan: My wife is definitely jealous.

Dave Bittner: There you go. Alright. Well, I have a couple of things to share with you and our listeners this week. First of all, I had a very strange thing happen on a recent road trip. I was driving to visit some family on the eastern shore of Maryland, which is about two hours away, my destination. And if you're familiar with this area in Maryland, if you're heading towards the eastern shore, Ocean City, you drive down Route 50. You cross over the Bay Bridge, and Route 50 takes you all the way there.

Joe Carrigan: Right.

Dave Bittner: So I am most of the way there, and I'm driving along, minding my own business.

Maria Varmazis: There he was.

Dave Bittner: And I look on the other side of the road, and I see that the traffic is backed up coming the other way. I'm thinking, oh, that's odd. So I look over to see what's causing the backup. Is there an accident or something? There was an emu running around on the highway.

Joe Carrigan: Oh, this story.

Maria Varmazis: What?

Dave Bittner: Yes. There was an emu.

Maria Varmazis: Is this a normal thing that happens where you live?

Dave Bittner: It is not. No. And for our listeners, I'll just say emus are not native to Maryland.

Joe Carrigan: Right.

Dave Bittner: We have a very low, very low population of emus.

Joe Carrigan: But it's not zero.

Dave Bittner: It is not zero.

Maria Varmazis: Not zero.

Dave Bittner: No, no, no. There's like a children's petting zoo near us that has an emu.

Joe Carrigan: I told you when I was riding the bike around the BWI bike trail, I was being stared at by an emu.

Dave Bittner: Right.

Maria Varmazis: Is the petting zoo missing an emu? Could that be related to the one?

Dave Bittner: Well, that is in fact what happened. This emu had escaped from a farm. I learned later when I tried to look up the news story just to make sure that I wasn't hallucinating.

Joe Carrigan: Hunh. There's something you don't see every -- maybe I'm going crazy.

Dave Bittner: Right. It's like if there were someone in the car with me, I would have said, You do see the emu, don't you?

Joe Carrigan: Right. Is the emu in the room with us right now, Dave?

Dave Bittner: That's right. Maybe. So the emu's name was Dexter. He had escaped from -- he had escaped from a local farm. It took the state troopers four hours to capture Dexter, but he was taken back safe and sound to recover from his little adventure back at the farm.

Joe Carrigan: Emus are quite wily.

Dave Bittner: They are, and they're fast.

Joe Carrigan: Yes.

Maria Varmazis: Yes.

Dave Bittner: Australia had a whole thing with them.

Joe Carrigan: Did I ever tell you about how I found out about the Great Emu War?

Dave Bittner: Should I say yes?

Joe Carrigan: Yes. It's a Google search. I was doing a Google search with my son on the Great Gatsby, and I type in "the great," and the first suggestion is "emu war." And I'm like, what? Wait a minute.

Dave Bittner: And then Joe is gone for the next two hours.

Joe Carrigan: I never got back to my son. I never got back to my son about the Great Gatsby at all. I just got enthralled in the Great Emu War.

Dave Bittner: Yes. No, it's a page turner. It is.

Maria Varmazis: I think that's one of those, your search habits are influencing what comes up because I tried that, and I get the Great Gatsby.

Joe Carrigan: Really?

Maria Varmazis: I'm not getting it. I'm very sad that he did not get the Great Emu War.

Joe Carrigan: Well, let me try it again. Maybe then --

Dave Bittner: I'm putting it in mine: The Great Gatsby.

Joe Carrigan: Yes, Gatsby. Yes.

Dave Bittner: Emu War isn't even on the list.

Maria Varmazis: Yes, same. Whereas on mine, like the fourth or fifth option is the "Great Greek." So I'm telling you --

Dave Bittner: Ah, there you go.

Maria Varmazis: Which is the name, apparently, of a restaurant in my neck of the woods. I didn't even know.

Dave Bittner: So the emu was safe and sound. But I also have from my travels a chicken story. By the way, Joe, thank you for the eggs.

Joe Carrigan: Yes.

Dave Bittner: Joe -- ladies and gentlemen, last week, Joe dropped by the office and delivered a half-dozen farm-fresh eggs.

Joe Carrigan: From the day before.

Dave Bittner: Yes, they were delicious. I ate them over the course of a couple of lunches, and they were delicious. I have to ask, Joe, I don't know if I'm imagining this. Is it so that these eggs have a thicker shell than the egg you get in the supermarket?

Joe Carrigan: Oh, yes, they do. Yes.

Dave Bittner: That's what it felt like when I was cracking them open. I was like, man, these eggs are hardcore.

Joe Carrigan: Yes.

Maria Varmazis: Yes. I bought eggs from my neighbor the other day, and I had the exact same reaction. I said, these eggshells are really thick. And the eggs were delicious. But yes, that's so funny you say that.

Joe Carrigan: Yes, they are thicker. Probably because the eggs in the store are maximized for profit, and calcium might be more expensive. I don't know.

Dave Bittner: Well, they grow -- yes, I guess they grow quickly. So maybe -- who knows? Who knows? But yes, but anyway, delicious. Thank you, Joe. They were delicious.

Joe Carrigan: You are more than welcome.

Dave Bittner: I appreciate it. But anyway, I got to my destination visiting a family member out on the Eastern Shore, and she actually has two neighbors who have chickens. And the one right next door has a rooster. Ask me how I know.

Joe Carrigan: Yes. I know exactly how you know. You found out at like 5:30 in the morning, didn't you?

Dave Bittner: So we're sitting there in the backyard, sitting on -- you know, just chatting, sitting on some chairs, and the chicken coop is in view, and I see the hens and the rooster walking around. And I see something else in the chicken coop. What is that? Is it a rabbit? Is it -- no, it was a rat.

Joe Carrigan: A rat? Oh yes.

Dave Bittner: It was a rat in the chicken coop.

Joe Carrigan: Yes.

Maria Varmazis: Yes.

Dave Bittner: And this rat was just living his best rat life. Like, he didn't have a care in the world. He wasn't trying to hide.

Joe Carrigan: Like Templeton from Charlotte's Web.

Dave Bittner: Exactly what I thought. He was like Templeton. And I was kind of surprised that the rooster didn't try to evict him.

Joe Carrigan: No, the roosters, rats actually will kill chickens. They are not to be trifled with.

Dave Bittner: Oh.

Joe Carrigan: They are smarter than mice. I don't know how I know this much about rats, but one of the things that I'm doing is, I'm building a new coop because the current coop is too small. And when we were looking at options, my wife's like, What about that one? On the ground. If it's on the ground, just envision the underneath of that teeming with rats.

Dave Bittner: Right.

Joe Carrigan: And that's what I used every time: "teeming with rats."

Dave Bittner: Well, this had at least one rat, and I don't know. I think it would be disconcerting to me if I lived next to a chicken coop that also had a rat population.

Joe Carrigan: Yes.

Dave Bittner: I might have words with my neighbor. But maybe I'm just being unrealistic about what to expect.

Joe Carrigan: In the words of Jerry Clower, maybe you need to go out and have a rat killin'.

Dave Bittner: Yes, there you go.

Joe Carrigan: Right.

Maria Varmazis: Well, rats are the number one reason why I will never have chickens, because I do not ever want to be dealing with that.

Dave Bittner: Yes. Well, I said what this neighbor just needs is a good snake, right?

Joe Carrigan: Yes, rat snake.

Dave Bittner: Yes.

Joe Carrigan: The problem is, rat --

Dave Bittner: [singing] I don't know why she swallowed the fly.

Maria Varmazis: Yes [laughs].

Joe Carrigan: You need a bunch of snakes because you will never keep up with the breeding capabilities of a rat or a mouse.

Dave Bittner: Yes, that's what we need. A whole den full of snakes. That's good. That's good. Just gather up all the rat snakes in the state and then take them down to your chicken coop and just let them loose. Sure. You ever hear the stories about the --

Maria Varmazis: What's that joke from the Simpsons where they have like the snake bashing day? Come on, like --

Dave Bittner: Yes. Right.

Joe Carrigan: Yes. And eventually they wait for the gorillas to freeze to death in the winter.

Dave Bittner: Right. There's another story, though. Somebody built a house on top of a garter snake nest, like a historic garter snake nesting site.

Joe Carrigan: Really? Yes, thousands and thousands of garter snakes would come to nest underground. They didn't know this when they bought the house. Right.

Dave Bittner: [laughs] Anyway. Alright. I'll tell you what, let's take a quick break to hear from our sponsors. When we come back, we will actually dive into some "Hacking Humans" stories. Stay with us if you haven't already left. Alright, we are back. Joe, I am handing the microphone back to you. What have you got for us this week?

Joe Carrigan: I have two stories because they're pretty quick, but the first one is coming from WBAL, and I saw this in a lot of different places because I think this comes from their broadcast group, which I think is Sinclair or no, Hearst. Hearst broadcast. And this is from Damali Ramirez, who is a researcher, a data researcher, for Hearst Broadcasting. And it is a really interesting graphic representation of the fraud losses that Americans have suffered. Sixteen billion dollars last year. And if you scroll down the article, they have some pretty good breakdowns. Of course, the top five costliest schemes, if you guys haven't looked at the articles, anybody want to guess at Number 1?

Dave Bittner: I would guess romance scams.

Joe Carrigan: Ah, romance scams. Good guess. Number 2. But the Number 1 is malicious investment and investment advice.

Dave Bittner: Ah, okay.

Maria Varmazis: Oh, yes, that makes a lot of sense.

Joe Carrigan: Six point four billion dollars. Okay. Romance scams, 1.2. Government imposters, three-quarters of a billion dollars. Business imposters, another three-quarters of a billion dollars, and then job scams and employment agencies, almost half a billion dollars.

Maria Varmazis: That's going to be rocketing up the charts, I'm sure.

Joe Carrigan: Absolutely. Because that one is turning out to be very successful. I mentioned I was talking with a recruiter, an actual real live recruiter recently.

Dave Bittner: Yes?

Joe Carrigan: And he was, I was like, look, I get a lot -- you know, I'm sorry I was so abrupt, but I didn't actually, I don't know if I apologized. Anyway, I owed the guy a call. I said, you know, we got a lot of scams here. I get a lot of scams. And he goes, you would not believe the level of scams that I have to deal with in dealing with people and dealing with job seekers. They're all, everybody's scamming.

Dave Bittner: Yes.

Joe Carrigan: Both ends are scamming this.

Dave Bittner: Yes. It's awful.

Joe Carrigan: It's terrible.

Dave Bittner: Yes.

Maria Varmazis: [inaudible 00:15:35], yes.

Joe Carrigan: Yes. The next article, or next graphic, infographic, and these are interactive infographics, which I really like. Which states reported the most fraud, most fraud schemes per 100,000 residents? So they actually do it per capita, which is good. Anyone want to guess at the highest state, the state where there were the most reported fraud cases per hour?

Maria Varmazis: "Reported" is an important word there, right? I would guess Florida.

Dave Bittner: Oh, Florida's a good guess. I would guess California.

Joe Carrigan: Florida is a good guess. Florida is pretty high on the list. California is significantly lower.

Dave Bittner: Okay.

Joe Carrigan: But number one is Nevada with 892 reports per 100,000 people.

Maria Varmazis: Yes. Okay. That makes some sense.

Joe Carrigan: Interesting --

Dave Bittner: Why Nevada? Or why do you say that makes sense, Maria?

Maria Varmazis: I think gambling people who are maybe people who are more primed to be like, I want to throw some money in the direction of something that could be a good bet.

Dave Bittner: Okay.

Maria Varmazis: Because, yes.

Joe Carrigan: Yes, I'm not a big gambler. So, I mean, other than when she's right. I mean, I just can't. I just remember, you were talking Simpsons references earlier. There's an episode where they build a casino, and Burns, of course, owns it. And he says, I've discovered the perfect business model. People shuffle in, empty their pockets, and shuffle out. And that's how I view casinos. I mean, they don't get to build those big, huge buildings by giving money away.

Dave Bittner: No.

Joe Carrigan: Then there's losses, how much money people lost. And this is amazing. Arizona has the highest per capita loss of $6.1 million per 100,000 residents, which means that, like, each person, if you average that out, everybody lost like $61.

Dave Bittner: Oh.

Maria Varmazis: That's where that money went.

Joe Carrigan: Yes.

Maria Varmazis: Blew out of my pocket. I think this is interesting. Anyway, we'll leave a link in the show notes. I really think this is a great article. Take a look at it. The other story I have, which is really pretty short, comes from Maine, from the Portland Press Herald, written by J. Craig Anderson, and this is about a municipality up there called Harpswell, and they lost $189,000 to a vendor payment scam. Now, it doesn't say in this article whether it was business email compromised the vendor site, or if it was just an impersonation attack, like with some Gmail address or something, or a lookalike domain or something. It doesn't say. They just said that they received the email to change instructions to divert payments for this $189,000 payment to somebody else, and that went through, and the money got sent. They very quickly realized they had been scammed. They contacted law enforcement, and they can't talk about it right now because it's an ongoing legal investigation.

Dave Bittner: Right.

Joe Carrigan: But one of the things they're saying is we are now looking at strengthening our policy for these kinds of things, the internal payment authorization and verification protocol.

Dave Bittner: You think?

Joe Carrigan: Yes. Here's what irritates me about this the most. First off, these taxpayers have lost money. That's Number 1.

Maria Varmazis: Yes, that's a lot of money.

Joe Carrigan: Yes, especially for -- I get the impression this is a small municipality.

Maria Varmazis: Pretty much guaranteed.

Joe Carrigan: Right. So it's probably not an insignificant loss, right? Like the state of Maryland got defrauded out of this much money, nobody would blink.

Dave Bittner: Yes.

Joe Carrigan: You know, but the time has long passed. We've seen these attacks over and over and over again. They've been in the news. Baltimore City was actually hit by one of these like two years ago. And it's time. If you work for a municipality or even a company, you need to address this process and how this works, because this is a very common vector. So -- and that's really the only solution for it is, you know, because you're not going to get the -- there is no technological solution to this problem, because sometimes somebody may in fact change their banking details. They may say, I'm done working with this bank, I'm going to go to another bank and I have to redirect my funds over there. Don't just trust an email on that. That is insufficient.

Dave Bittner: Right.

Joe Carrigan: You need to say, Oh, okay, well, then here's what we're going to need to do and come up with a process.

Dave Bittner: Right.

Joe Carrigan: Maybe they have to come in and verify this information in person.

Dave Bittner: And get some verification from the bank.

Joe Carrigan: Right.

Maria Varmazis: Are towns on their own -- okay, so I just have to wonder because I Googled Harpswell really quick. It's a town of 5,000 people.

Dave Bittner: Oh wow.

Maria Varmazis: So, I mean, it is -- that's tiny. That's practically a little more than a village. So, I'm wondering: is there something that towns can look to? I mean, 5,000 is really small to sort of copy and paste what the good policy is? Or I mean, are they all trying to homebrew this from scratch?

Joe Carrigan: That's a good question. I'm going to have to do some research on that.

Dave Bittner: Well, my story has some advice here, so we'll wait for that as well.

Joe Carrigan: Right. They do have insurance, so I think --

Dave Bittner: Well, that's good.

Joe Carrigan: They're probably going to be covered for the loss, right? Which is nice. But yes, still out there. The payment fraud is still going on.

Dave Bittner: Oh, yes.

Joe Carrigan: And it just happened.

Dave Bittner: It's a hot one. Yes. Alright. Well, we will have links to both of those stories in our show notes. Maria, what do you have for us this week?

Maria Varmazis: Well, a story that definitely caught my eye. This one comes in via the Threat Hunter team at Symantec and Carbon Black. So, before I jump into the story, gentlemen, I was trying to figure out what the established metric is for median dwell time for an attacker to be sort of sitting and waiting and doing their nasty stuff on someone's system. I could not find a consistent answer. It really does depend on who you ask.

Dave Bittner: Let me pause you there, Maria. What does that mean?

Maria Varmazis: The "dwell time" is basically the time in which an attacker is sitting on a system and either exfiltrating data or trying to establish a foothold or just being in a place they shouldn't be.

Dave Bittner: Right.

Maria Varmazis: So dwelling in it, if you will.

Joe Carrigan: They're not instantiating any kinetic effects, except maybe data exfiltration.

Maria Varmazis: Well, that -- kind of not a great thing to be doing.

Joe Carrigan: Right.

Maria Varmazis: Hanging out in a place they shouldn't be.

Joe Carrigan: Right.

Maria Varmazis: Dwelling in it. And it's a number. There's attached to it how many days an attacker will be dwelling in a thing. And the idea for a defender is to get that number down. You don't want an attacker sitting in your system for very long, because the longer they're there, the more damage they're going to do.

Joe Carrigan: Right.

Maria Varmazis: So we want to be able to find out that they're there as fast as possible. So, the goal, as you know, good guys, is to get the dwell time number down. In any case, I was trying to figure out what a sort of established number is for how long an attacker tends to dwell in a system, and I don't know if either of you have a number for this, because I found a bunch. I'm just curious if either of you have heard anything.

Joe Carrigan: Last I heard was like 180 days.

Maria Varmazis: One hundred eighty?

Joe Carrigan: It's been a -- yes. But that was that's the last metric I remember hearing.

Maria Varmazis: Wow.

Joe Carrigan: Maybe that's -- I mean, that's really old, though.

Maria Varmazis: Well, you could be right. I mean, here's the thing: I was seeing things from 10 days, 8 days, 14 days. I saw some that said six months, so it does seem to be really all over the place. So 180 is possible, but man, that is a long time. So this wasn't like a quiz to see if you got it right or wrong. I'm genuinely saying, I can't find like a consistent number. But let's just say, I saw a lot of things in the realm of a week to two weeks on average is often considered like what we're seeing for attacker dwell time in an organization system. And the reason I'm bringing this up is the story that I'm covering today that comes again from the Symantec Carbon Black Threat Hunter team was about a five-month-long espionage campaign against a senior executive who was working at a major global stock exchange, and this espionage was specifically targeting this person's Outlook account. And again, I want to repeat that the attackers were doing this, they were dwelling, if you will, for five months, which is a long time if we're saying that the average is usually a week or two weeks before they're found out. So five months is epically long.

Joe Carrigan: And they're working on a stock exchange?

Maria Varmazis: Yes. So the target was it -- works at a major global stock exchange, not named, but one can imagine.

Dave Bittner: There's only a handful of them.

Maria Varmazis: There's only a few. Many bazillions of dollars moving through them. So if this person is a senior executive and five months dwelling on their account and looking at their entire Outlook account. So you can just imagine what this person was talking about, who they were talking to, what kind of information they had access to, you know, their contact list, their calendar. I mean, that is the game right there. If you've got that information for five months, I mean, that is a gold mine for an attacker. So -- and it's interesting in the post that the Threat Hunter team put together about this, I'm just going to quote it. They said: We don't normally publish on single-victim incidents, but the focus and operational discipline on display here and the central role mailbox theft plays in espionage operations more broadly makes this a useful illustration of what a targeted intrusion against a senior individual can look like over months rather than over days. And I really thought the phrase "focus and operational discipline" was worth highlighting because, again like, to carry out an attack against someone like this, and for five months the attacker was not detected. That 150 days of dwell time is a lot. And the blog post goes into a lot of detail. I'm going to do some nutshell, because we don't need to get into every step, but y'all can read it if you want. But the attackers basically took a lot of really tiny steps and were very, very patient in making their footprint as small as possible. They didn't get greedy, they didn't, you know, they didn't overshoot. Like, they were, they really took their time and exfiltrated data, really bit by bit, drop by drop. And the attackers also hid their traces essentially by using cover from legitimate services to look as legit as possible. So that's how they were able to essentially dwell on that system for five months. 
So, importantly, because I'm sure someone's going to ask, we do not know how the attackers initially got in. So, maybe one day there will be an update to this story, so we can conjecture, but genuinely we don't know yet if it was phishing or whatnot. We have no idea. But once the attackers were in and they managed to get a foothold on the victim's system, they would schedule tasks with names that looked like legitimate Adobe, Lenovo, or OneDrive system services just kind of running as they often do in the background. Because I don't know about you, I don't often look at my task manager, just to be like, hey, what's running? Do I recognize all of these things?

Joe Carrigan: Yes, I do that pretty frequently.

Maria Varmazis: Wait, so you actually do that?

Joe Carrigan: Yes.

Maria Varmazis: Really?

Joe Carrigan: Yes. I did this morning. Or last night.

Maria Varmazis: Okay, do you think a senior executive --

Joe Carrigan: No.

Dave Bittner: Joe's pretty self-aware when it comes to these things.

Joe Carrigan: Right.

Maria Varmazis: And Joe, can you tell me that every single thing that's running in your task manager, you definitively know what it is and can identify it?

Joe Carrigan: Sometimes I Google what the processes are. If I see something I don't recognize, I go, what is that? And I look it up and it's, oh, this is a Microsoft process for indexing or something. But yes -- I don't know. When I go looking, I do some investigation. But I'm a cybersecurity professional. You know, it's what I do for a living. And you know, I don't do exactly this, but you know, I've always been paranoid on this kind of stuff. And I've always wondered, hey, what's running on my system?

Maria Varmazis: That's a good thing.

Dave Bittner: For me, I have done this. I do it from time to time, but for me what usually triggers it is that the fans will start spinning up on my laptop.

Maria Varmazis: That's right.

Dave Bittner: And I'll be like, because I have a MacBook Pro here, and it -- rarely do the fans ever make a peep. So if they start spinning up, I'm like, wait, somebody's lost the plot.

Maria Varmazis: Somebody's mining Bitcoin using my machine.

Dave Bittner: Yes, right. Something's going on. And then -- but like Joe said, nine times -- well, nine times out of ten -- every time I've looked it up, I have never found anything malicious, but what I have found is some kind of indexing tool that's just going to town.

Maria Varmazis: Yes, I was going to say, you and I are both running on Mac. So for us, it's activity monitor and not task manager, but same idea. And I always have mine running, but I will absolutely 'fess up. There are a lot of little things running there. I don't know what they are, and I probably should, but I don't. But I'm just 'fessing up.

Dave Bittner: You're too busy clicking links.

Maria Varmazis: That's true. And honestly, my machine is probably just a Typhoid Mary of all sorts of things.

Dave Bittner: [laughs] That's right.

Joe Carrigan: [laughs] Typhoid Mary.

Maria Varmazis: It's just -- honestly, it's a miracle that I'm even here right now.

Joe Carrigan: That you're online at all.

Dave Bittner: No. You're Patient Zero when it comes -- when a day comes and they try to figure out what caused the great downfall of Western society.

Maria Varmazis: It was me.

Dave Bittner: Maria.

Maria Varmazis: Me, personally. I did it. You're welcome. Yes. So going back to this story and not my terrible security hygiene, the attacker in this case would have these legitimate-looking tasks, you know, running in the background, and would also re-register these tasks every few weeks during their campaign of data exfiltration. So they established persistence. And then for command and control, the attacker used a persistent instance of Dropbox, which a lot of us have running all the time. And later they also used OneDrive Personal, another completely legitimate tool. And then drip by drip, really slowly in tiny little chunks, they would exfiltrate data from the Outlook account. And again, I'm going to emphasize they did this very slowly. So this was never enough data leaving that would trigger an alert or even downgrade system performance. So no fans were spinning, nobody was overclocking their system. It was just like real quiet, real in the background. And nothing that would make the person who was targeted here actually think to check their task manager and go, what's going on that's taking up like 95% of my CPU. Nothing like that. So nothing looked suspicious, nothing acted suspicious. So that five months of dwell time makes a lot of sense in that case. So there's no necessarily, like, takeaway for the average person here because this was clearly highly targeted espionage. And if there's anything actionable to be done here, it's for an IT professional.

Dave Bittner: Right.

Joe Carrigan: Yes.

Maria Varmazis: But it was very interesting that the attackers also really left very little trace of themselves. There was not enough information from the tools that they used or other clues left behind, like system identification and info. There was not enough left behind to even make a guess about who the attacker might be, which is just like, wow. I just, I find this story super fascinating. And I want to mention for the IT pros who may be listening, going, oh, Symantec did actually publish the indicators of compromise. So, if this is something that sounds like it might be relevant to you, there are IOCs published on the blog post that you can look at. But I just -- very interesting that slow and steady won the race on this one. And also, the attackers were very careful, meticulous, and patient. And we don't always see stuff like that.

Joe Carrigan: Do we know what kind of data they exfiltrated?

Maria Varmazis: I don't. That was not published either. So, yes, I can't imagine it was anything people want out there.

Dave Bittner: Well, I talked to somebody recently, I can't remember who it was. I was interviewing somebody who was talking about this kind of espionage and how sometimes these people are just looking for the movements of the market.

Joe Carrigan: Right.

Dave Bittner: They just want insider information.

Joe Carrigan: Yes, that is --

Dave Bittner: And that's what they use.

Joe Carrigan: That's exactly what this screams to me. I don't know what an executive at a stock exchange gets in terms of information, but I'll bet they have better access than the average person does. They might have earnings reports early. I don't know if they do. This is one part of the business world I don't know.

Maria Varmazis: Yes. Yes.

Joe Carrigan: You know, the investing world. I don't know when people find out earnings. Are they at -- I know that you have to file these earnings with the SEC. So if I was a malicious actor, I'd be targeting the SEC for the earnings reports or the filings before they come in. But I think you can time that with public release. I don't know. I wish I knew.

Maria Varmazis: So it sounds like we need to poke around on Polymarket to see if somebody made a pretty penny.

Joe Carrigan: Oh, yes. Yes, I'll guarantee you if you look into this, there were some big trades before large earning announcements that people made a lot of money on. And that was probably -- that would be my guess as to what the outcome of this was. And this is probably some very sophisticated criminal organization.

Dave Bittner: We did a story about a week ago about, I believe it was a Google engineer who was accused of having access to the, I guess, Google publish lists of what are the most popular search terms for the past year, six months, whatever it might be. And this person had access to that before it was released publicly, and made a bunch of Polymarket bets on what they would be. And one big because he knew what they would be.

Joe Carrigan: Is Polymarket the -- Polymarket's the futures organization?

Dave Bittner: I don't know how you'd label this --

Maria Varmazis: You gamble on everything.

Dave Bittner: Yes, it's just bet on -- yes.

Joe Carrigan: But it's not gambling because these are actually investment vehicles, and that's how they're getting around the gambling.

Dave Bittner: You're -- okay, if you say so.

Maria Varmazis: Okay, [inaudible 00:33:46].

Dave Bittner: I keep them at arm's length. But anyway, his betting was conspicuous enough that I think that was part of how they tracked him down seeing he was -- and you know, the same thing with the SEC. They've got finely tuned systems for trying to sniff out this stuff. But I think, as Maria points out, like, one of the things about this is discipline and patience.

Joe Carrigan: Right.

Maria Varmazis: Yes.

Dave Bittner: And yes. Alright, interesting story. So, we'll have a link to that in the show notes. I tell you what, let's take a quick break here. We will be right back after this message. Alright, we are back, and it is my turn here. My story comes from the folks at BitDefender. This is a story they shared. It's called The Deep Fake Boss Scam: How to Verify Requests Before It's Too Late. So we'll just set this up. Imagine that you get a video call from your CEO, and at first glance, everything looks right. The face looks right, the voice sounds like them. And they tell you that a confidential deal is underway and they ask for an urgent fund transfer. Would you stop and question it?

Joe Carrigan: Yes.

Maria Varmazis: Yes.

Joe Carrigan: Only because I'm on this show and I've seen this exact scenario before.

Dave Bittner: Right.

Joe Carrigan: Right.

Dave Bittner: Right. Well, according to BitDefender, this scenario is becoming increasingly prevalent. The bad guys are using AI to create these convincing deep fakes of executives and business leaders. And these personas can appear in video meetings or on phone calls or voice messages, and they're there to exploit the trust that the leader has earned with their employees, perhaps also fear.

Joe Carrigan: Right.

Dave Bittner: But they're pointing out that this isn't just a theoretical thing. Hundreds of thousands, in some cases, millions of dollars have been lost after the employees were convinced that they were speaking with the leaders of their companies. They pointed out one case where attackers used an AI-generated voice clone to impersonate the CEO and trigger a fraudulent transfer of funds. There was another one where an entire video conference was populated with synthetic versions of executives and colleagues. So not just one person. Imagine getting on a Zoom call.

Joe Carrigan: And there's the board of directors.

Dave Bittner: Right. Right? Like an AI intervention.

Joe Carrigan: Right. Dave, we love you and we care about you.

Maria Varmazis: Oh, man. The flop sweat, immediately.

Dave Bittner: Right, right. And they were persuading the employees to move large sums of money. And imagine, you -- I imagine most people today, you think, well, okay, maybe they could scam a one-on-one with my boss, but surely the entire half a dozen people of the whole board of directors, that can't be faked. But according to this article, it can. So, you know, they use a lot of things we talk about here all the time: authority, urgency, familiarity, and then they apply pressure for the person to act quickly, again, using sensitive financial matters. And people are reluctant to challenge their boss. And they point out that remote work, hybrid work, increases the opportunities for this sort of thing because it's harder to go down the hall and knock on your boss's door and say, Did you just ask me to transfer $2 million when you're working at home?

Maria Varmazis: Well, yes, and also presuming that the executive is in the office, which in my experience is almost never the case. They're usually traveling or in a meeting or whatever.

Dave Bittner: That's true, right? All in air quotes. So they point out the effective defense, something we talk about here all the time: verification. Confirm these requests through a separate communication channel.

Joe Carrigan: Right.

Dave Bittner: You should have a multi-person approval process, so your organization should require anything above a certain amount of money, should get in front of more than one set of eyes. And then also training, your employees to recognize these sorts of manipulation tactics. They say if something involves money, sensitive data, or access to critical systems, pause, verify.

Maria Varmazis: Yes.

Dave Bittner: And be sure to follow the established procedures. But you need to have these procedures in place. And they're just emphasizing here that this AI, the capabilities of these AI systems, is growing every day, and these deep fakes are getting more and more convincing. They're getting faster. So there's not so much of a pause between a question and an answer when an AI is responding to things. So people really need to, unfortunately, become more skeptical of what they see and hear and really lean into these verification processes. What do you guys make of this?

Joe Carrigan: Yes, I think that the policy angle of this is the key. Similar to the story I did about the company, the municipality. There we go. Haven't been sleeping well lately, Dave. Yes, so the municipality who lost all that money. You really have to focus on the policy and the training, and just be aware that this is out there, that these people are getting scammed. When we first saw this kind of thing happening, it was with email. And the people who were -- this is before LLMs were big and popular and available, the people were imitating the language style, the linguistic writing style of the CEO to get somebody in a distant part of the organization to send millions of dollars for exactly this kind of thing. Hey, we got a secret deal coming. Don't tell anybody.

Dave Bittner: Right. And I would also add to that the gift card scams where you get a text message from the CEO that says, hey, I'm in a meeting or I'm at a conference. I need you to do me a quick favor.

Joe Carrigan: Right. Yes, that -- I don't know. That seems like, I mean, that's going to impact the individual more financially than it is the company. But, you know, you still want to protect against that, and maybe have the company, or the CEO say, Look, or everybody, every manager, it's our corporate policy that we will never ask you to run a personal errand for us.

Dave Bittner: Right.

Joe Carrigan: And that includes buying us gift cards.

Dave Bittner: Right.

Joe Carrigan: Right?

Dave Bittner: Especially. Yes.

Joe Carrigan: Right.

Dave Bittner: Alright. Well, we will have a link to that story in the show notes. And again, we would love to hear from you if there's something you'd like us to consider for the show. Please email us. It's "Hacking Humans" at n2k.com. Alright, Joe, Maria, it is time for our catch of the day. [ SOUNDBITE OF REELING IN FISHING LINE ] [ Music ]

Joe Carrigan: Dave, our catch of the day comes from a listener named Pete from the Netherlands. And he writes, Hi, Dave, Joe, and the one and only Maria.

Maria Varmazis: I promise I didn't pay this person.

Joe Carrigan: Okay. You guys have seen it all on the show: fake princes, dubious package tracking links, endless romance scams. But I think I have a fun Catch Of The Day nomination for you, a cybersecurity consultant who is so desperate for a payday that they are actively trying to bypass the integrity of the entire IT sector. I was approached on LinkedIn by a self-proclaimed quote "senior consultant" end quote, offering a massive laundry list of IT and cybersecurity certifications, everything from a CISSP to Salesforce. I have the CISSP, but I've never bothered to get the Salesforce thing.

Dave Bittner: Okay.

Joe Carrigan: Instead of asking about the coursework, I decided to test her and ask her straight up: Can I just buy them? Her answer was shocking and hilarious: yes, you can.

Maria Varmazis: Oh, gee, okay.

Joe Carrigan: Can I just buy these certifications? So maybe now, maybe now I will get that Salesforce.

Dave Bittner: There you go.

Joe Carrigan: I've attached screenshots of the conversation. Right. Yes, screenshots are on my laptop, so nobody can judge me by my reception or terrible battery status while I appreciate that.

Maria Varmazis: Yes. Way to look out for yourself.

Dave Bittner: Smart thinking there, Pete.

Joe Carrigan: Yes. Do you want to just get into this?

Dave Bittner: Yes. Let's get into it. So, Maria, why don't you start off? The person's getting all this started is named Ankasha. So, why don't you go ahead and I will play the part of Pete.

Maria Varmazis: Hello, warm greetings. Thank you for adding me to your network. Wishing you a wonderful day ahead. Well, I am a trainings consultant for IT and cybersecurity certifications. Good heavens, do I need to read all of those?

Dave Bittner: No. That is a copy and paste. Basically, all of them.

Joe Carrigan: Right.

Maria Varmazis: Okay. Are you looking for any certification and trainings? Like, I mean, it is just, you name it, it's in this list.

Joe Carrigan: It just ends with "or any other."

Maria Varmazis: "Or any other," question mark?

Dave Bittner: Can I just buy them?

Maria Varmazis: Yes, you can. May I know which certification you are looking for, your profile growth and skill development, so that I can arrange details for you.

Dave Bittner: Salesforce. Yes, we can assist you with Salesforce training and certification. I will request my training manager to provide you with comprehensive details regarding the certification, training, and the entire process. Please confirm me your contact number so I can arrange the details for you as per your comfortable time. I don't want the training, just the certification.

Maria Varmazis: Okay. Is this your right WhatsApp number? Hey, Pete, I'm awaiting for confirmation so that we will provide you all the details regarding the certification.

Dave Bittner: I really don't want to make phone calls about this.

Maria Varmazis: Not for call without any permission. Only WhatsApp, texting, you can.

Dave Bittner: Not interested anymore.

Maria Varmazis: Okay, no problem.

Dave Bittner: So Pete goes on. Joe, do you want to read this part where he describes where he says the smoking gun?

Joe Carrigan: Yes, here's my -- he says, here's a quick breakdown of their playbook, The Smoking Gun. In the second screenshot, she openly admits that I can bypass the exams and just purchase the certificates directly. Official bodies like Salesforce or Cisco obviously never do this, meaning they are either selling worthless fake PDFs or offering an illegal proxy testing service. The platform pivot, which is when she wants to go to WhatsApp, as soon as I showed interest, she aggressively tried to move the conversation over to WhatsApp. Is this your WhatsApp number or only WhatsApp texting you can? Which I can barely get through as a sentence, so bad I can barely get through it.

Maria Varmazis: Only WhatsApp texting you can.

Joe Carrigan: Right. That's a classic move to escape LinkedIn's automated fraud detection systems, which is 100% correct. It's the ultimate irony: a scammer attempting to sell cybersecurity credentials through blatant fraud. Love the show. Keep up the fantastic work. Pete.

Dave Bittner: Wow. Well, as someone who has a PhD from Harvard, let me just say that I was on top of this from Step 1.

Joe Carrigan: Right. You know what? I think I might get a fake, like, PhD thing from like Harvard or Stanford or something, just hang it up in my office and see if people notice that -- wait, you have a PhD from Harvard? No. What's that?

Dave Bittner: That's -- you should make one from all of the Ivy League schools and just rotate them every week. See if anybody notices that your PhD from Harvard became a PhD from Yale became a PhD --

Joe Carrigan: Dartmouth.

Dave Bittner: Yes.

Joe Carrigan: I did go to Dartmouth once for about a week.

Dave Bittner: There you go [laughs]. Okay. Like a --

Joe Carrigan: That's one of my favorite things to tell people. I went to Dartmouth. You did? Yes. I went to Vanderbilt, too. Just went there. That's all.

Dave Bittner: Nice -- nice cafeteria.

Joe Carrigan: Right.

Dave Bittner: Yes, alright. Well, again, thank you, Pete from the Netherlands, for sending this in. We do appreciate it. And if you have something you would like to send us, please do. Our email address is "Hacking Humans" at n2k.com. [ Music ] And that is our show brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights to keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to "Hacking Humans" at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: I'm Maria Varmazis.

Dave Bittner: Thanks for listening. [ Music ]