Playing on Kindness.
Stacey Cameron: [0:00:00] Some people are just really kind, and they genuinely want to help, which is interesting. 'Cause of my personality, I love helping people. But when I'm doing social engineering, I'm kind of playing on their kindness, you know, using various deception tactics. It was kind of surprising, sometimes, how easy it was just to get in a building and people to let you in and let you on their networks and just start accessing things without knowing who you really were.
Dave Bittner: [0:00:23] Hello, everyone. And welcome to The CyberWire's “Hacking Humans” podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire. And joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [0:00:44] Hi, Dave.
Dave Bittner: [0:00:45] As always, we've got some interesting stories to share. And later in the show, we'll have Joe's interview with Stacey Cameron. She's from DirectDefense, and she's going to share her experiences as a physical pen tester. But before we get to all that, a quick word from our sponsors, the good folks at KnowBe4.
Dave Bittner: [0:01:04] Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill - a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate. But you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training.
Dave Bittner: [0:01:40] And we are back with some interesting stories this week. Joe, what do you got for us?
Joe Carrigan: [0:01:44] This one comes from Itamar Shatz over at Effectiviology. I hope I'm saying his name right. He has an article about the Ben Franklin effect.
Dave Bittner: [0:01:52] All right. What is that? Certainly, I know who Ben Franklin is, but what is his effect?
Joe Carrigan: [0:01:56] Right. It is the effect that asking someone to do you a favor will make them like you more, especially if that person feels neutral towards you or even has a little bit of animosity towards you, or dislike. And the backstory for this comes from Franklin's autobiography. He had a rival legislator who harbored some animosity towards him.
Dave Bittner: [0:02:15] Right.
Joe Carrigan: [0:02:16] And Ben Franklin found out that this guy had a book in his library - a rare book. So Ben Franklin asks this guy if he can borrow the copy of the book.
Dave Bittner: [0:02:25] OK.
Joe Carrigan: [0:02:26] And the guy obliges Ben Franklin. And a week later, Franklin returns the book with a note expressing gratitude for the lending of the book and saying how much he enjoyed the book. And then he found that the next time he talked to him, the guy was much more amenable, right?
Dave Bittner: [0:02:41] Right. That's interesting. So it's sort of a way to endear yourself to someone - a little bit of a roundabout way.
Joe Carrigan: [0:02:47] Right, exactly. And there were two studies that are in this article on Effectiviology that Itamar talks about here. And he says one where the participants are asked to return money as a personal favor to one of the researchers - the money is money they've received during the study. So, you know, as part of a study, they might reward people with money.
Dave Bittner: [0:03:07] Right. Sign up for this study and get $10 or $20 or whatever.
Joe Carrigan: [0:03:09] Right. Well, yeah. But that's right. So at some point in time in the study, a researcher approached the subject and said, you know, it would really be a great favor to me if we could have this money back, so we can do X, Y or Z with it - right? - maybe have more research, maybe do something else. But when they were asked that, people tended to rate the likeability of the researcher higher than when they weren't asked, which is interesting.
Dave Bittner: [0:03:31] Yeah.
Joe Carrigan: [0:03:32] There was a second study that found similar results for subjects who were asked to help with a puzzle. This makes me think of a personal friend of mine who is a fan of this kind of thing. He's a psychologist by training, and he worked in industrial psychology. And I remember a time when sudoku became a thing, right?
Dave Bittner: [0:03:49] Oh, yeah. Yeah.
Joe Carrigan: [0:03:49] And he said, hey, there's a new puzzle; come help me solve this puzzle. And I'm thinking about how much I like my friend Steve.
Joe Carrigan: [0:03:59] And I'm wondering if he was just saying, you know - maybe he was thinking, Joe would like this puzzle. But it's not outside of the realm of possibility that Steve was going, let me see if I can get Joe to like me better (laughter).
Dave Bittner: [0:04:08] Right.
Joe Carrigan: [0:04:10] 'Cause that's - he thinks that way. And not that there's anything wrong with this, 'cause Steve and I actually, I think, have a healthy relationship.
Dave Bittner: [0:04:15] OK. But what's going on here behind the scenes? Why is this effective?
Joe Carrigan: [0:04:19] So - right. This stems from our innate ability, I think, to want to help people. We are evolved - as tribal creatures, when we see one of our own in need, we have this innate need to help them.
Dave Bittner: [0:04:31] Right. We have empathy.
Joe Carrigan: [0:04:33] We have empathy. And we get an emotional reward for doing something for somebody. But it turns out that emotional reward also carries with it the increase of the likeability of somebody else. So social engineers will use this to try to gain access, as usual, to things they shouldn't necessarily have access to. So they may come in and ask for a favor. I need to get in here. Can you help me out with this?
Dave Bittner: [0:04:55] Right. Right.
Joe Carrigan: [0:04:56] And they may use it just to - just to give it as an icebreaker.
Dave Bittner: [0:05:00] Yeah. I'm hoping you can help me with this.
Joe Carrigan: [0:05:01] I'm hoping you can help me with this. I'm looking for some information on a person. Once they've got the conversation going, they've already disarmed the person they're trying to talk to, and they're starting to glean the information that they need to glean.
Dave Bittner: [0:05:13] No, it's interesting. Yeah. The Ben Franklin effect - I had not heard of that.
Joe Carrigan: [0:05:16] I had not heard of it either until I read this article. It was a great article.
Dave Bittner: [0:05:19] Yeah. It's an interesting story - definitely worth checking out. Moving on to my story this week, this is a story from the security folks at Flashpoint. This is from David Shear and Mike Mimoso. And the name of the article is "Targeting Popular Job Recruitment Portals About More Than PII," where PII is personally identifiable information. We've talked about this - about how recruiting folks are targets because of the kinds of documents they have to deal with.
Joe Carrigan: [0:05:49] Right. And HR folks, as well.
Dave Bittner: [0:05:50] Right.
Joe Carrigan: [0:05:51] ...And anything with hiring people.
Dave Bittner: [0:05:52] Right. And so what this story highlights is that while, yes, that is true, there is a lot of that going on, there is another sort of fraud going on here where people - they'll either pretend to be a company that they're not, or they may gain access to a company that they're not and post phony job offers on recruiting boards.
Joe Carrigan: [0:06:14] OK.
Dave Bittner: [0:06:15] So let's say I'm someone who is looking for a job. Let's go even farther and say I'm someone who's desperate for a job.
Joe Carrigan: [0:06:22] Right.
Dave Bittner: [0:06:22] And I see this offer from a company that I know about. This is a well-known company, a company with a good reputation. And so I apply for this job and what I think is applying to this legitimate company. And they say to me, well, we're going to have you do some work with some payment processing or handling merchandise - things like that.
Joe Carrigan: [0:06:43] Right.
Dave Bittner: [0:06:44] And it turns out what they're actually doing is - what the bad guys are doing is they're setting these folks up to be, basically, mules to facilitate money laundering or other cash transfers. And the mule has no idea that what they're up to is illicit.
Joe Carrigan: [0:06:59] Right.
Dave Bittner: [0:06:59] And they think they're working for a legitimate company. But behind the scenes, the bad guys have set up this way to basically funnel the money through this unwitting person who just thought that they were applying for a job with a legitimate organization, and they're passing the money through, laundering that money for the bad guys.
Joe Carrigan: [0:07:16] How are they doing that?
Dave Bittner: [0:07:17] I don't know all of the specific details. I know what generally happens is that the unwitting victim gets a percentage of the money that flows through. So they'll say to you, hey, you know, we're this legitimate company. You're going to be an independent contractor for us, and we have people buying stuff. And what's going to happen is I need you to set up a bank account, and people are going to buy these things, and that money is going to go to your bank account. And then every month, you're going to transfer everything you get, minus 10 percent, to this other bank account.
Joe Carrigan: [0:07:49] So it kind of sounds like the Nigerian prince scam.
Dave Bittner: [0:07:52] I mean, it's along the same lines.
Joe Carrigan: [0:07:54] Right.
Dave Bittner: [0:07:54] But basically, you know, they're adding a hop for the money to flow through.
Joe Carrigan: [0:07:58] Right. They're making - yeah. I understand they're making the money harder to trace.
Dave Bittner: [0:08:00] Exactly.
Joe Carrigan: [0:08:01] And these people are actually getting 10 percent.
Dave Bittner: [0:08:03] Right.
Joe Carrigan: [0:08:03] I wonder if these people are actually criminally liable. They may be.
Dave Bittner: [0:08:07] Well, I suspect technically, they probably are.
Joe Carrigan: [0:08:10] Right.
Dave Bittner: [0:08:10] I don't know, you know, if you sat them in front of a judge or a jury and they told the story...
Joe Carrigan: [0:08:14] I didn't know that I was doing this for an illicit operation.
Dave Bittner: [0:08:17] Right.
Joe Carrigan: [0:08:17] They'd probably get off.
Dave Bittner: [0:08:17] Here's how I was scammed. Here's all of the - you know?
Joe Carrigan: [0:08:20] Yeah. But that doesn't stop the fact that they're probably going to get prosecuted for it, or there's a good chance they could get prosecuted for it, right?
Dave Bittner: [0:08:25] Oh, yeah. No, no.
Joe Carrigan: [0:08:26] That can make - that alone can make your life miserable for a very long time.
Dave Bittner: [0:08:29] They are likely setting themselves up to have a very bad day.
Joe Carrigan: [0:08:32] Right.
Dave Bittner: [0:08:33] And so if you go to the article here from the folks at Flashpoint, they have some tips for HR organizations to protect themselves against these sorts of things. I'm not going to list them all here, but it's something to look out for. And again, one of those social engineering things - playing on someone's desperation, looking for a job, willing to do whatever it takes to make some money...
Joe Carrigan: [0:08:55] Right.
Dave Bittner: [0:08:55] ...And being fooled by what they think is a legitimate brand with a strong reputation.
Joe Carrigan: [0:08:59] Yep.
Dave Bittner: [0:08:59] All right. So those are our stories. It's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: [0:09:07] So, Dave, we have an email from a listener, who we will keep anonymous. And the email reads like this. (Reading) Having just listened to a recent podcast from you, I would like to share with you the time that I got human hacked. I was a part-time midcareer graduate student in computer science and happened to overhear a conversation between my professor and a couple other students. He described the company who had hired him as a consultant. He thought they were really onto something and that they had a way of getting multiple processors onto a chip such that each processor would only cost about 25 cents. This professor specialized in parallel processing. It was about 20 years ago. He described how the company was very nice to him and brought him to their facility, providing him with luxurious accommodations and so forth, and then sent him home.
Joe Carrigan: [0:09:55] I then decided to invest some of my retirement savings in that company. Well, the company tanked, eventually becoming a penny stock and going away. At no time did any of their literature describe the microprocessor advance that they had made. My conclusion is that by wining and dining a number of academics, and then by signing them to NDAs that they knew would be violated, they ensured that there would be a market based on faulty reasons for evaluation of the stock. And, of course, how can someone complain if they thought they may be guilty of violating an NDA or some other rule? Appeals to greed are all too common.
Dave Bittner: [0:10:30] Interesting. So let's unpack this. What's...
Joe Carrigan: [0:10:32] Right.
Dave Bittner: [0:10:33] My favorite part, of course, is the part about signing people into nondisclosures that they knew would be violated.
Joe Carrigan: [0:10:37] Right.
Joe Carrigan: [0:10:39] This is an interesting letter. I definitely think that wining and dining professors and having them sign NDAs they might violate is probably part of the psychological plan of this company. I don't know where this occurred, but if this occurred in the U.S., then there are regulations about this, and one of the pieces of regulation is that you have to have documents that tell investors what your company does.
Dave Bittner: [0:11:01] Right.
Joe Carrigan: [0:11:02] And falsifying those documents is punishable by large fines and possibly even prison sentences. So always read.
Dave Bittner: [0:11:12] Yeah. I mean, it's interesting sort of, this notion of generating a whisper campaign.
Joe Carrigan: [0:11:16] Yeah, it is. It is a...
Dave Bittner: [0:11:18] …Intentionally planting a story.
Joe Carrigan: [0:11:21] I don't doubt that that occurred. And I don't doubt that that was the intention.
Dave Bittner: [0:11:24] Yeah. And this person sort of fell to it - thought, well, here, I have some information that no one else has.
Joe Carrigan: [0:11:31] Right. I'm going to be rich.
Dave Bittner: [0:11:33] I'm going to get in on the ground floor, and I'm going to be rich. And unfortunately, for this listener, it didn't happen.
Joe Carrigan: [0:11:39] It didn't work out, right.
Dave Bittner: [0:11:40] And I guess they learned a valuable lesson.
Joe Carrigan: [0:11:41] Their stock was deemed worthless.
Dave Bittner: [0:11:43] Yeah.
Joe Carrigan: [0:11:43] I've had a number of stocks deemed worthless...
Dave Bittner: [0:11:45] Right.
Joe Carrigan: [0:11:46] ...When I invest early on.
Dave Bittner: [0:11:47] Yeah. Coming up next, we've got your interview with Stacey Cameron. But first - a word from our sponsors at KnowBe4.
Dave Bittner: [0:12:00] And now back to that question we asked earlier about training - our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on-demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing, real-world, proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it. And we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [0:13:02] So Joe, you had an interesting interview this week. Who did you talk to?
Joe Carrigan: [0:13:05] I spoke with Stacey Cameron, who works now for DirectDefense. And she and I used to work together. And she was a physical penetration tester for a company we used to work for.
Dave Bittner: [0:13:14] All right. It's interesting. Let's check it out.
Stacey Cameron: [0:13:17] I focused a lot on our social engineering with email phishing and customizing certain surveys and what have you for telephone phishing, as well as a lot of the physical penetration testing. So that was sort of the fun part - the recon and dressing up to be a different person. Let's start on that part.
Joe Carrigan: [0:13:35] So when you were going to try to get somebody to do something for you, what was your process?
Stacey Cameron: [0:13:39] A lot of times, I'll look to see what was my target, right? And, of course, this was all ethical. We had a contract signed, including get-out-of-jail-free cards if we didn't get caught. But I would have to see what the target was. So I would look into their environment. What are they susceptible to? If I'm going into a building, then I'm going to do some on-site reconnaissance as well as some Internet searching. Sometimes, there are plans online. Sometimes, there are security cameras details online - just different ways to see how to get into the building. But I will tell you something. Sometimes, I would have all of this detailed research that I've done and all these plans of attacks, and when I get on-site, I'll just see something else open up, and I'll just walk through the door.
Stacey Cameron: [0:14:14] So my plan was just usually to see my particular artist and see how - target. I can even tell my chance when I didn't research - didn't go to the best, and I went to a facility with all men, so I didn't come prepared for that aspect - but, yeah, pretty much figuring out which type of industry I'm working with and hitting some of their weak points. A lot of things are online - even LinkedIn or social media sites - so you can always find a way in. But sometimes if I'm just walking into a building, I'll go in at lunchtime. They're going in and out a lot anyway. They're thinking about food. They'll just let anyone in.
Joe Carrigan: [0:14:46] So the first part was a lot of reconnaissance then...
Stacey Cameron: [0:14:48] Yes.
Joe Carrigan: [0:14:48] ...You know, which is standard issue for any practice. But once you got on-site, did you use any tricks of the trade to talk to somebody, to, you know, kind of manipulate them into doing something they probably weren't supposed to do?
Stacey Cameron: [0:14:59] Yeah. So sometimes I kind of just sort of would see what the situation looked like. If people were busy doing something else, then I'll kind of ask them questions to see - you know, if they don't want to be bothered, then they'll just let you in. Sometimes, I'll pick up keys and say, I'm here returning something. They'll let you in the building. And sometimes, I'll - some other tactics I would use - grief. You sort of play on people's - their kindness. You know, there is a lot of that still out there. But, yeah, I'll come in and like, hey, you know, I just lost someone in the family; I'm just trying to get some work done - or what have you. And then, you know, they really don't want to bother you. They want to let you mourn - so a lot of different tactics I would go with back-and-forth, just depending on the situation.
Joe Carrigan: [0:15:38] What was most challenging about getting in to these facilities? What was the most difficult thing to do?
Stacey Cameron: [0:15:43] In one case in particular, one of the things that was most difficult to do would be when I didn't have the chance to do some of the research on the facility. And let's say I've picked - I'm dropping lunch off for an individual. Then I'll come in, and if it doesn't work, then the difficult part of that is I've sort of burned my face. And if there's no one else there, then you begin to look suspicious to continue coming up and pursuing methods in. So sometimes finding the angle of attack is sometimes difficult. Other times, it's really easy, and people just let you in. But usually, places that are a little bit more vigilant in their security, sometimes, there'll be folks there that are on alert - so just being crafty enough with your initial plan of attack.
Joe Carrigan: [0:16:25] And was there anything that you ever found that you thought was just surprising?
Stacey Cameron: [0:16:29] Just how - I don't want to say gullible, but I guess it is kind of gullible. But some people are just really kind, and they generally want to help, which is interesting because with my personality, I love helping people. But when I'm doing social engineering, I'm kind of playing on their kindness, you know, using various deception tactics. It was kind of surprising sometimes how easy it was just to get in the building and people to let you in and let you on their networks and just start accessing things without knowing who you really were.
Joe Carrigan: [0:16:55] And if you were to provide some advice to somebody on how to avoid being fooled, what would your message be? What would be the take-home that you'd give them?
Stacey Cameron: [0:17:02] In everything you're doing, just sort of pay attention to what information you're giving out because it's really easy just to get sucked into a conversation and just start wanting to divulge information. But anytime you're giving out any type of information or giving access to something, just kind of just second guess yourself. Just ask a question. Why am I opening this door again? Or why am I letting you in? Why am I giving you a password? Why am I giving you my birthday? Or why am I telling you information about someone else? So just sort of kind of always ask yourself internally, why do I need to give this information?
Stacey Cameron: [0:17:34] I mean, there are definitely cases that things are legitimate asks. For instance, someone will call you for donation. This could be a charity that you donate with. But that's a really good social engineering tactic. Just sort of have a practice of things that you won't do. Just sort of know in advance. You know, if someone calls me, always, you know, go to your own source and call them back. And they'll be fine with that. But sort of just knowing before you give out information - just sort of second guess yourself. Just ask yourself a few questions. Just make sure. Why does this person need my information? Is there a safer way to provide it to them? Anytime someone initiates the conversation with you, then just sort of question those things. Always continue to keep yourself, you know, educated, and educate those around you.
Stacey Cameron: [0:18:16] If there are things that you don't want people to share about you - sometimes other people around you are susceptible to social engineering tactics, and people will use that. If you have a preference, just be like, hey - you know, with your family and friends - if someone wants my number, let them come directly to me. Or if you're not familiar with someone - you know, just sort of these things that are ever vigilant and all your due diligence within - especially when you're dealing with children or sometimes the elderly. I've seen a lot of cases where people will call them up, and they're like, well, they have my phone number, so they must be a legitimate source. And it's not always the case. So just sort of educate those around you as well - especially those that have access to your information.
Joe Carrigan: [0:18:54] All right. Stacey Cameron, thank you very much.
Stacey Cameron: [0:18:56] Thank you so much, Joe. It's been a pleasure talking with you.
Dave Bittner: [0:19:00] Wow, it's interesting stuff - I mean, the stories she has to tell.
Joe Carrigan: [0:19:04] Right.
Dave Bittner: [0:19:04] …Really fascinating. And to me, what particularly I took away from it is the effectiveness of using that - like we've talked about - that impulse that people have...
Joe Carrigan: [0:19:16] Right.
Dave Bittner: [0:19:17] ...To want to help.
Joe Carrigan: [0:19:17] Right. And she would use even mortality - right? - you know, your own mortality...
Dave Bittner: [0:19:22] Right.
Joe Carrigan: [0:19:22] ...As a way to get into places. She'd show up, and, you know, she could emote very well - you know, be in tears and say, I have to talk to somebody about a person that just passed away. And how can you not help that when somebody comes in and is exhibiting these kind of emotions?
Dave Bittner: [0:19:35] Right.
Joe Carrigan: [0:19:36] That is powerfully appealing, I believe.
Dave Bittner: [0:19:39] Yeah.
Joe Carrigan: [0:19:39] That was a great interview. I really enjoyed talking to Stacey.
Dave Bittner: [0:19:41] Yeah, really interesting. And it struck me - this impulse that we have to be helpful. You know, I decided a long time ago in my own life that I would rather be helpful and get burned every now and then than live my life a cynical person.
Joe Carrigan: [0:19:57] Right.
Dave Bittner: You know, that's the risk-reward I'm willing to take.
Joe Carrigan: [0:19:59] Right. I try to be helpful, as well. I still maintain the cynicism. You know, my cynicism comes in the state that, yeah, I'm going to get burned. And I'm just going to be like - I'm going to take it and move on.
Dave Bittner: [0:20:10] So your cynicism is on the side of knowing that every now and then...
Joe Carrigan: [0:20:13] Right.
Dave Bittner: [0:20:13] ...Somebody's going...
Joe Carrigan: [0:20:14] It's going to happen. I'm going to be helping somebody. But it is going to happen to me at some point in time. I'm probably going to get scammed somehow.
Dave Bittner: [0:20:19] Yeah. But I think - yeah, I guess, just for me, I'd rather continue being a helpful person and be OK with the fact that, every now and then, someone will get me, rather than walking around with my defenses up all the time.
Joe Carrigan: [0:20:31] Right.
Dave Bittner: [0:20:32] You know, be careful but not to the point where - I don't know - it's taking away from my humanity, my ability to interact with other people.
Joe Carrigan: [0:20:39] And generally speaking, that's a good idea. But when you're working in a secured environment, that's when you have to put those feelings aside and not be willing to help people.
Dave Bittner: [0:20:47] No, that's an excellent point. That's an excellent point. You've got to be able to dial it in.
Joe Carrigan: [0:20:51] Right. And one of the things that she pointed out in this interview that was really good - if you can stop somebody from penetrating - she used the phrase burn her face. It doesn't mean something as horrible as it sounds. It means now that she's gone in - if she fails the first time attempting to go in, she can't try a second time because she'll be recognized.
Dave Bittner: [0:21:09] Right.
Joe Carrigan: [0:21:09] And just stopping the attack the first time is the best option, right?
Dave Bittner: [0:21:15] So she'd have to wait for a shift change with the security guards.
Joe Carrigan: [0:21:18] Exactly, right.
Dave Bittner: [0:21:19] All right. Good stuff, Joe, good stuff. And that's our show.
Dave Bittner: [0:21:23] Thanks to our sponsor KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. And don't forget to sign up for their Cyberheist News at knowbe4.com/news. That's knowbe4.com/news. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about what they're up to at isi.jhu.edu.
Dave Bittner: [0:21:53] “Hacking Humans” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [0:22:10] I'm Joe Carrigan.
Dave Bittner: [0:22:11] Thanks for listening.