Hacking Humans 4.18.19
Ep 45 | 4.18.19

I have been practicing honesty and truthfulness my whole life.


Asaf Cidon: [00:00:00] Generally, we define spear phishing as phishing attacks that are targeted, that they're not kind of mass phishing attacks that are just sent to a very large number of people but are targeted to a specific person.

Dave Bittner: [00:00:13] Hello, everyone. And welcome to the CyberWire's "Hacking Humans". This is the show where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:32] Hello, Dave.

Dave Bittner: [00:00:33] We've got some good stories to share this week. And later in the show, we've got my interview with Asaf Cidon from Barracuda Networks. He's got the results from some research they've done on spear phishing and social engineering.

Dave Bittner: [00:00:45] But first, a word from our sponsors at KnowBe4. Step right up, and take a chance. Yes, you there, give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they A - my late husband wished to share his oil fortune with you, or B - please read

Dave Bittner: [00:01:30] And we are back. Joe, we're going to start off. We got a little feedback from a listener.

Joe Carrigan: [00:01:34] All right.

Dave Bittner: [00:01:35] This is from a gentleman named Louis. He says, longtime listener, first-time emailer.

Joe Carrigan: [00:01:38] (Laughter).

Dave Bittner: [00:01:39] I had two quick bits of feedback on the episode where you talked about call centers being targets for scammers and the CDC GandCrab ransomware campaign.

Joe Carrigan: [00:01:49] That was last week.

Dave Bittner: [00:01:50] Yep. Yeah. He says, you mentioned rather than use KBA - that's a knowledge-based authentication.

Joe Carrigan: [00:01:55] Right.

Dave Bittner: [00:01:56] A call center could employ some kind of MFA.

Joe Carrigan: [00:01:59] Multi-factor authentication.

Dave Bittner: [00:02:00] That's right. He said, this is what my bank in Australia does. Wait a minute - Australia. (Imitating Australian accent) They use KBA...

Joe Carrigan: [00:02:06] (Laughter).

Dave Bittner: [00:02:06] ...And ask for things like client number, address, DOB and so on. But then also, they ask if they can have my phone and could read out a code if I were to send one. It's not perfect, but it would stop most run-of-the-mill scammers that have just enough info on me. I'm sure a sophisticated person could also steal my mobile number first, but I'm hoping I'm not that much of a target. What do you think, Joe? (Laughter).

Joe Carrigan: [00:02:28] Yeah, he's right. Even the - an SMS text message, which is the least secure form of multi-factor authentication, is much more secure than not having it and, I would argue, probably more secure than knowledge-based authentication. The amount of effort in intercepting an SMS message is not trivial. First, you have to either social engineer the cell phone provider to get them to switch the phone number over to your phone. If the person has a PIN on their account - which you should have a PIN on your account - then you're going to have a really hard time doing that...

Dave Bittner: [00:02:58] Yeah.

Joe Carrigan: [00:02:58] ...Or you need to get physical access to the phone to clone it and then get a copy of the SMS message as well. Both of those are kind of difficult. But if you are the target of somebody capable and willing of doing that, then they're capable and willing of doing a lot more.

Dave Bittner: [00:03:10] Yeah, yeah. Well, he goes on. Louis says...

Joe Carrigan: [00:03:12] Right.

Dave Bittner: [00:03:12] ...On the GandCrab ransomware, I recently heard someone on another show talking about a very useful website called No More Ransomware. You can get free decryptors there for a bunch of ransomwares. There's one for GandCrab, which works up to a certain version of the malware.

Joe Carrigan: [00:03:26] Right.

Dave Bittner: [00:03:26] Yeah. And he's - I am familiar with that, and it is a good resource.

Joe Carrigan: [00:03:30] It is. It's an excellent resource. A lot of these ransomware implementations are not done well, so there's a good chance you can just go here and find a decryptor for your files. And that should be your first stop.

Dave Bittner: [00:03:42] Yeah, all right. Well, thanks, Louis, for sending that in. Time to move on to our stories. I'm going to kick things off this week. This story is from a Facebook group that happens to be made up of listeners of the "Make Me Smart" podcast. That's the podcast with Kai Ryssdal and Molly Wood. They are the hosts for "Marketplace." And a gentleman named Rob wrote in. And he said, wow - just fell for a PayPal scam, which was surprisingly clever.

Joe Carrigan: [00:04:04] Huh.

Dave Bittner: [00:04:05] He says, you might want to read this to avoid this scam. Please share.

Joe Carrigan: [00:04:08] Right.

Dave Bittner: [00:04:08] He says, I Googled call PayPal to get PayPal's number so I could ask them a question. And a phone number came up to call. I called it. It looked legit because it said on Google that this was the number for paypal.com.

Joe Carrigan: [00:04:21] Ah.

Dave Bittner: [00:04:22] And he lists the number.

Joe Carrigan: [00:04:23] I have fallen for something very similar to this recently that I'll talk about after this.

Dave Bittner: [00:04:27] He says, they asked me for my email - just my email and not a password. And in order to verify who I am, they sent me a verification code to my phone. This verification code came from the same number PayPal always has used to send me verification codes, so I trusted it. I told them the verification number. And to me, this seemed very legit, as how could they know my phone number? And how could they send me verification texts from PayPal if they weren't PayPal? Right?

Dave Bittner: [00:04:53] Wrong - he says, they simply went onto paypal.com, typed in my email address, which I gave to them, and then clicked to reset my password by sending a text. This prompted PayPal to send a text verification to me, which I told to them. Then they accessed my account. He says in order to stall me, they then told me I would need to go to Walmart or 7-Eleven to get a Google verification code in person. I've never heard of that before, Joe. That's an interesting one (laughter).

Joe Carrigan: [00:05:19] Neither have I, but that's a very clever angle.

Dave Bittner: [00:05:21] Yeah. He says, this was simply to stall me, get me off my computer and go out for a while so they could steal some things.

Joe Carrigan: [00:05:26] Yup.

Dave Bittner: [00:05:27] I realized this was a bonkers request. So I hung up, went to the actual PayPal website to get the actual PayPal phone number, then called them. And he says, I'm straightening things out right now.

Joe Carrigan: [00:05:37] Excellent.

Dave Bittner: [00:05:38] He says realize that your Google results are not true results. Most of the first results are ads, even ones from scam artists, which slip past these tech giants because they don't vet things before making them live.

Joe Carrigan: [00:05:50] That is 100 percent correct.

Dave Bittner: [00:05:52] Yeah. So he included a screenshot of this search just by searching on Google, call PayPal. Sure enough, the first thing that pops up, it says paypal.com - contact us. And it has this bogus phone number.

Joe Carrigan: [00:06:05] Right.

Dave Bittner: [00:06:05] I'm surprised that at this stage of the game, this is slipping by Google.

Joe Carrigan: [00:06:10] Yeah.

Dave Bittner: [00:06:11] This is so overt.

Joe Carrigan: [00:06:12] It is. I had something similar happen to me. And Robert, if you're out there listening, thank you so much for sharing your story. Many people don't like sharing their stories, but this is an important story to share. And I'm going to go ahead and share something that happened that was very similar to me.

Dave Bittner: [00:06:25] All right.

Joe Carrigan: [00:06:25] I needed to call Comcast, who's my ISP and my cable TV provider. So what do I do? I Google Comcast customer support number, and something very similar to this comes up. And I hit it, and I dial the number. And the first clue that I had was actually a dead giveaway - is that I got a live person on the phone.

Dave Bittner: [00:06:45] (Laughter).

Joe Carrigan: [00:06:46] A person immediately...

Dave Bittner: [00:06:47] That's like - wow.

Joe Carrigan: [00:06:47] ...Answered the phone, and I go, wait a minute.

Dave Bittner: [00:06:49] This can't be right.

Joe Carrigan: [00:06:49] This...

Unknown: [00:06:53] (Laughter).

Joe Carrigan: [00:06:53] But I was furious. I said, who is this? And he goes, this is Tom or something like that. And I'm like, oh, I see. You ran a Google ad, and I clicked through it. Well, you just lost money on the Google ad because you're going to have to pay for my click, and now you're going to pay for this phone call. And I hung up...

Dave Bittner: [00:07:06] Wow.

Joe Carrigan: [00:07:06] ...Like the grumpy old man that I am.

Dave Bittner: [00:07:08] (Laughter).

Joe Carrigan: [00:07:08] But I fell for it. I fell for the exact same thing.

Dave Bittner: [00:07:11] Yeah.

Joe Carrigan: [00:07:12] And if the guy had had something that said, hey, this is Comcast, I would have clicked through any of those automated systems...

Dave Bittner: [00:07:17] Right.

Joe Carrigan: [00:07:17] ...But would've gotten to him eventually and probably done what he told me. His big fault - the red flag here was that he answered the phone as a person.

Dave Bittner: [00:07:24] Wow. Well, this is a good one. This is - I was not familiar with this. So like I said, I'm surprised that Google doesn't do a better job of screening for this sort of thing. It's all - it's right out there out in the open.

Joe Carrigan: [00:07:36] It is.

Dave Bittner: [00:07:37] So thanks, Rob, for sharing this. This is an important one.

Joe Carrigan: [00:07:40] Yeah. Don't Google your - the numbers you need. Go to the place's website.

Dave Bittner: [00:07:44] Well - but also, I think the point is don't trust the numbers, particularly in ads.

Joe Carrigan: [00:07:49] Yeah. But I mean - But, Dave, these ads look like search results.

Dave Bittner: [00:07:52] Yeah. Well...

Joe Carrigan: [00:07:52] They absolutely look like search results.

Dave Bittner: [00:07:54] Yes, yes. It does say ad on it, but you're right. The thing is...

Joe Carrigan: [00:07:56] It does - very tiny.

Dave Bittner: [00:07:57] It's the thing that pops up at the top of the list. That's - and that's the problem is that these people can pay to be at the top of the list by making it an ad.

Joe Carrigan: [00:08:05] Right.

Dave Bittner: [00:08:05] And so yeah, like you said, go to the company's website. Get their customer service number from there.

Joe Carrigan: [00:08:10] Or scroll down in the search results a little more.

Dave Bittner: [00:08:12] Yup. All right. Well, that is my story this week. Joe, what do you have for us?

Joe Carrigan: [00:08:16] Dave, my story comes from Zack Whittaker at TechCrunch, who has a story about a spam server that was found by security researcher Bob Diachenko. And Bob found the server because the spammer did not set a password on it.

Dave Bittner: [00:08:30] Really?

Joe Carrigan: [00:08:30] Just left it open.

Dave Bittner: [00:08:31] All right.

Joe Carrigan: [00:08:32] So he went out and did some investigating. When he found the server, it was dormant, but it was ready to go again. Bob reported this to TechCrunch, and TechCrunch and Bob did some digging on this. And they found that when the server was operational, it had sent more than 5 million emails over the course of 10 days.

Dave Bittner: [00:08:46] Wow.

Joe Carrigan: [00:08:46] One hundred-sixty thousand of these emails had people click on them. Now, that's a 3 percent success rate, which kind of seems high to me for spam. First off, it seems high that enough would get through that 3 percent of the people would click on the link.

Dave Bittner: [00:08:59] That it would even be put in front of them.

Joe Carrigan: [00:09:00] Right. I would expect that 3 percent of the spam email would make it through the filters. It's pretty impressive. But here's how the system worked. First, the spammer had 3 million email credentials - username and passwords...

Dave Bittner: [00:09:13] OK.

Joe Carrigan: [00:09:13] ...On this server.

Dave Bittner: [00:09:15] Oh, stored there.

Joe Carrigan: [00:09:15] Stored there.

Dave Bittner: [00:09:16] OK.

Joe Carrigan: [00:09:16] And he was using those to log into an email account. And if he was successful, the first thing he did was he would pull email addresses and subject lines from messages in the sent folder.

Dave Bittner: [00:09:29] To harvesting those.

Joe Carrigan: [00:09:30] Exactly.

Dave Bittner: [00:09:31] OK.

Joe Carrigan: [00:09:31] So once he had those, he would send that information off to a second server, which would then generate a custom email to the email address with the subject line that they'd already seen from the original sender.

Dave Bittner: [00:09:43] Oh.

Joe Carrigan: [00:09:44] Right? So the next thing it would do is that system would then push the email out to a proxy server. And the proxy server was actually composed of multiple cell phones with cellular data connections. And these cell phones would change their IP addresses every so often to keep from being tracked.

Dave Bittner: [00:10:01] Right.

Joe Carrigan: [00:10:02] And then the cell phone would log back into the original email account that had already been compromised and submit the email to be sent along. And it would look like it was coming from the actual sender because it was coming from their account. So if you did the typical forensics in opening up everything on the email to look at where it came from, it actually did come from the sender's account.

Dave Bittner: [00:10:24] Wow.

Joe Carrigan: [00:10:25] So it looked very legitimate. So that's why these things were getting such a high click rate and probably going through the spam filters because the spam filters were like, oh, here's another message from this person...

Dave Bittner: [00:10:34] Right.

Joe Carrigan: [00:10:35] ...With the same subject line before in the same email chain. I've seen this.

Dave Bittner: [00:10:38] This is a known person.

Joe Carrigan: [00:10:39] Right. This is somebody that the recipient of this email has already sent an email to or has already received emails and looked at and didn't flag as spam. This one's probably spam, too.

Dave Bittner: [00:10:47] Yeah.

Joe Carrigan: [00:10:47] So they're using a combination of two things. Number one, they're using some, I guess, finagling to get around the AI that does the spam filtering. But then they're using the subject line that you've already seen to get you to think this is part of an email conversation.

Dave Bittner: [00:11:02] Right.

Joe Carrigan: [00:11:02] Right.

Dave Bittner: [00:11:03] Just another message in a string of emails.

Joe Carrigan: [00:11:04] It is. And this is a fascinating article. It's a little bit technical, but I still think it's a good read that everybody, even if you're not very technical, should go ahead and read this article. It's very interesting. When Bob found this, he'd gotten in touch with TechCrunch. And TechCrunch got in touch with the hosting provider, and they managed to get the hosting provider to, essentially, disconnect this server from the network. And the OC provider was cooperative, which is great. And when they noticed the 3 million credentials, they gave those to Troy Hunt. So Troy is probably in the process right now of adding those to haveibeenpwned.com and may already be done with it.

Dave Bittner: [00:11:39] What an interesting look inside of how one of these operations can work.

Joe Carrigan: [00:11:44] Yeah. They found a dashboard opened up. This guy had a GUI dashboard open that would show him his success rate for logging into things. Check the article out. It's pretty good.

Dave Bittner: [00:11:52] All right. We'll have a link for it in the show notes. Joe, it is time to move on to our Catch of the Day.


Dave Bittner: [00:12:01] Our Catch of the Day comes to us this week from a listener named Zachary. And he sent us this letter, and it reads like this.

Dave Bittner: [00:12:10] (Reading) Very good morning. I went through your impressive profile, and I was compelled to share a business proposal over capital project with you which I know you will be highly surprised for receiving such proposal over the. Did you receive my previous email sent on the 24th March 2019? I am resending you same message with complete details of this project. Kindly reconfirm and your readiness to handle the fund transfer to your nominated account and your readiness to manage the investment for my client. I am hereby officially introducing myself. My name is Glen Penny, a U.S. citizen, and lives in Abu Dhabi, UAE, working as a business consultant for Atlas Precious Metals, DMCC, based in United Arab Emirates. I am currently in Benghazi, Libya, and can be reached by email, or my mobile phone is indicated below. We are making a business project inquiry. My client is seeking for capital projects to put up their huge capital. We are discussing movement of all my client asset, which comprises a huge amount of money and 1,000 gold bar, which they have choosing your location as their investment destination. I want to tell you that success and accomplishment comes not by chance but by hard work, diligence, determination, absolute honesty and truthfulness, and I have been practicing all these all my life, and that is simply the secret behind all my achievements. I will be glad that you are putting all these ingredients into practice. It is also worthy to mention here that I am just an ordinary agent whose job and assignment with asset owner is to make available a capital individual or company who can help them manage and invest their fund and asset. The agent commission wants the execution of the project is completed is my primary aim of involvement. Finally, I will not forget to notify you that there is only one thing needed for a successful execution of this project, and that is trust. Transparency is another important factor. And of course, dedication should be of tremendous important. Creating a good working relationship with the fund owner is extremely very important. I don't have to remind you that a transaction of this magnitude requires total commitment. On this ground, you have to always squeeze out enough time from your busy schedules to enable you pay attention to the success of this project.

Joe Carrigan: [00:14:07] (Laughter).

Dave Bittner: [00:14:08] (Reading) In the business of this kind, communication is indisputably a must-do affair. That is to say you have to be in a steady communication if you are ready to handle this project. In conclusion, you will have to maintain steady communications because that is the only sure way to bridge the gap created by distance which exists between us. Kindly contact me for further details about the project. Upon your response and acceptance of the contract, complete information on what next will be provided. Glenn Penny.

Joe Carrigan: [00:14:35] Hmm.

Dave Bittner: [00:14:35] Wow. That was a lot there, Joe.

Joe Carrigan: [00:14:37] I'm just going to take a wild guess here.

Dave Bittner: [00:14:39] (Laughter).

Joe Carrigan: [00:14:39] Glenn Penny is not a native English speaker.

Dave Bittner: [00:14:42] Do you think?

Joe Carrigan: [00:14:42] Yeah.

Dave Bittner: [00:14:43] Hmm.

Joe Carrigan: [00:14:43] That's wild speculation on my part. (Laughter) This is awesome.

Dave Bittner: [00:14:47] Gold. It's gold.

Joe Carrigan: [00:14:49] It's gold.

Dave Bittner: [00:14:49] Thousand kilograms of gold.

Joe Carrigan: [00:14:51] That's right.

Dave Bittner: [00:14:51] Twenty-four karat gold, 99.6 percent purity.

Joe Carrigan: [00:14:55] Yep.

Dave Bittner: [00:14:56] Yep. We're going to be rich, Joe.

Joe Carrigan: [00:14:57] Yeah. That's right.

Dave Bittner: [00:14:58] (Laughter).

Joe Carrigan: [00:14:59] My favorite part is, hey, we got to keep communicating, don't forget that, and I have been practicing trustfulness all my life.

Dave Bittner: [00:15:04] Yeah. Well, yeah. He's somebody you can count on.

Joe Carrigan: [00:15:05] Honesty and truthfulness, that's what it was. Yeah. Well, you can believe him, right?

Dave Bittner: [00:15:08] Joe, I don't know why we keep doing this show because week after week, we have these opportunities.

Joe Carrigan: [00:15:13] Right. We should be millionaires by now, Dave.

Dave Bittner: [00:15:13] We should just cash in on these things.

Joe Carrigan: [00:15:14] (Laughter).

Dave Bittner: [00:15:16] It's so nice of our listeners to share them with us, to share and spread the wealth.

Joe Carrigan: [00:15:20] Yes.

Dave Bittner: [00:15:21] Well, thank you, Zachary, for sending this in. That is absolutely a fun one. So that is our Catch of the Day. Coming up next, we've got my interview with Asaf Cidon from Barracuda Networks. He's got the results from research they've done on spear-phishing and social engineering.

Dave Bittner: [00:15:35] But first, a word from our sponsors at KnowBe4. And what about the biggest, tastiest piece of phishbait out there? If you said, a., my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door b., please read important message from HR, well, you're getting warmer. But that one was only No. 10 on the list. But pat yourself on the back if you picked c., a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked d., take me to your leader? No. Sorry. That's what space aliens say. But it's unlikely you'll need that one, unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest.

Dave Bittner: [00:16:45] Joe, we are back. I recently had the pleasure of speaking with Asaf Cidon. He is from Barracuda Networks. And they've done some research on spear-phishing and social engineering. Here's my conversation with Asaf Cidon.

Asaf Cidon: [00:16:57] Generally, we define spear-phishing as, you know, phishing attacks that are targeted, that they're not kind of mass phishing attacks that are just sent to a very large number of people, but are targeted to a specific person.

Dave Bittner: [00:17:10] What sort of data did you gather with this report?

Asaf Cidon: [00:17:12] We surveyed, essentially, across, you know, all types of spear-phishing attacks. We categorized them into three buckets. So what we call a brand impersonation. So these are attacks that are impersonating brands we use on a day-to-day basis, like Outlook or DocuSign, you know, Apple, Dropbox, et cetera. Then employee impersonation or BEC, where these are attacks that are actually impersonating someone in your organization. For example, your boss or your CEO. And finally, blackmail or sextortion emails, which is a new type of attack that we've recently been seeing, you know, kind of rapidly rising in the ranks where the attacker's kind of trying to extort the recipient to send them bitcoin.

Dave Bittner: [00:17:54] And so what are the trends that you're tracking here?

Asaf Cidon: [00:17:56] So we're tracking a few different trends. So first of all, we're tracking the percentage of these different types of attacks. And one of the interesting things is we saw that these blackmail or sextortion emails are, you know, already more than 10 percent of spear-phishing. And that surprised us because, you know, they haven't been around for that long. So clearly, this is a new and effective attack. We've also tracked other characteristics, like the subjects of these attacks, or which services are impersonated and most frequently, in terms of the brand impersonation.

Dave Bittner: [00:18:28] And what are you finding there? Who are they imitating?

Asaf Cidon: [00:18:30] So in terms of the brand impersonation, you know, the most common one is Microsoft or Outlook, which is not really surprising because, you know, vast majority of the emails that participated in the study were Outlook emails. And so the easiest thing to phish if you're an attacker is, you know, is to steal the actual credentials to the email account of the recipient. It's also very valuable. And, you know, after that, it's a slew of other services that are just used very commonly. You know, like DocuSign, and Dropbox, and Apple and others. So those were the most common ones.

Dave Bittner: [00:19:02] An interesting thing I see you noted here in your research was that the attackers would often include the victim's email address or password in the subject line of the email.

Asaf Cidon: [00:19:12] That's right. So especially with these blackmail or sextortion emails, what attackers are doing is, they're including a password of the recipient within the email text. By the way, these are usually old passwords. So usually the, you know, recipient would have already changed this password on any of the services they use. But this really adds an element of, I think, personalization and almost, like, a shock factor to the email. And so I think that's why a lot of these emails are so effective because people are kind of saying, oh, man, this person actually has my password. They're not kind of bluffing here. They probably have access to a lot of my sensitive information.

Dave Bittner: [00:19:50] Now, do you have any sense for what the success rate is of these folks?

Asaf Cidon: [00:19:54] It kind of really depends. So first of all, we don't have direct knowledge for a given attack. We don't necessarily know if it was successful or not. So we could see if the user clicked on it or even responded to it. But beyond that, we really can't see. We can make educated guesses, though. So I would venture to guess that all of the attacks that we're seeing are very successful because it's really kind of a law of natural selection. Attackers wouldn't be using these attacks if they weren't successful. They have a cost of launching these attacks so they need the ROI to be high.

Asaf Cidon: [00:20:27] And so in particular, you know, the BEC or employee impersonation attacks, those, we know that, you know, the FBI actually tracks them. And so we know that they're highly lucrative. The past few years, there's been over $12 billion in wires sent to bank accounts owned by the attackers. So that's obviously very lucrative. But even these sextortion emails, we guess that they're highly effective because they've basically gone from almost zero traffic to more than 10 percent of the spear-phishing traffic in just a matter of a couple of months. So the reason for that is probably because, you know, they're getting a lot of clicks, and a lot of bitcoin's getting transferred.

Dave Bittner: [00:21:05] One of the other things that I noted here is that there was a sense of urgency that the attackers used. And that's something that comes up a lot on this show, that, you know, they're trying to make you feel like you have to do something now.

Asaf Cidon: [00:21:17] That's right. Attackers employ several different social engineering cues or techniques to really get the recipients to do what they want, and one of those is urgency. So urgency serves several purposes - probably the most important one - and makes the recipient, you know, quickly respond to the email and do so before they realize that this email is fake. So either, you know, if you're asking the recipient to send you a wire transfer, or if you're asking them to click on a link because there's some urgent security alert on their account, right, you really want to make the recipient, you know, take action.

Asaf Cidon: [00:21:51] And also, urgency just always compels us to take action, especially if it's from, you know, an authoritative source. So if you're getting an email from your CEO that's telling you to do something urgently, you know, all of us will probably pay a lot of attention to that email. Or if we get a very urgent alert from a service that we use every day, like Outlook or DocuSign, you know, that's also going to cause us to pay attention.

Dave Bittner: [00:22:13] What was your sense in terms of who they are targeting within organizations? Are they going right for the top, for the CEOs, or are they trying to get folks lower down the organizational chart? Who do they seem to be aiming for?

Asaf Cidon: [00:22:26] In terms of the targets, you know, we do see that sensitive positions and departments are slightly overrepresented, which were really surprising. So, you know, the finance department, the HR department or executives. However, the data is quite uniform, you know, the target's kind of scope. So it is really across the entire org. So I'll really caveat that. I mean, when I say that there's a slight - you know, we see a slight bias towards those departments, I mean we're talking about, like, maybe 20 percent of the attacks. So they're slightly overrepresented. But really, it's really across the board. Oftentimes, attackers are just trying to get in, no matter through whom. And oftentimes, it's easier to get in through kind of lower-level, mid-level employees, or even employees that are not in sensitive departments.

Asaf Cidon: [00:23:10] In terms of the folks that are being impersonated, that is a little bit more skewed towards folks in positions of power. So the CEO is going to be the most highly impersonated person in the company, typically, and then after that, you know, the CFO or other powerful individuals. But, you know, oftentimes, attackers will also impersonate colleagues or managers of the particular person they're trying to target. So what I'd say is, you know, these threats are really across the board. If just the CEO is aware, you'll be fine - that's not the case at all.

Dave Bittner: [00:23:39] So what are your recommendations then for organizations looking to protect themselves? What sort of steps should they take?

Asaf Cidon: [00:23:45] There's a few kind of best practices that we recommend to protect against these attacks. So, you know, the first one, you really want to make sure that you have security systems in place that can actually stop these types of attacks. And, you know, unfortunately, legacy security systems, email security systems, are usually going to fall short just because, you know, a lot of these attacks don't contain obvious malicious signals, you know, like malware or obviously malicious links.

Asaf Cidon: [00:24:11] So you really want to use something more flexible and more kind of intelligent, so ideally, AI-based solution that has the ability to really detect anomalies in these emails. So that's kind of your first line of defense. But beyond that, all of these emails are really taking advantage of our weaknesses as - you know, our psychological weaknesses...

Dave Bittner: [00:24:31] Right.

Asaf Cidon: [00:24:31] ...So our weaknesses as humans.

Dave Bittner: [00:24:33] Yeah.

Asaf Cidon: [00:24:33] And so security awareness training - you know, effective security awareness training that actually also tests, you know, these types of scenarios, like tests emails coming from your boss or, you know, phishing links that are coming from services that you use every day is also really helpful in mitigating these attacks. And then finally, there's just the general sanity of anybody using online services. That includes multifactor authentication, you know, strong passwords with a password manager, ideally. All of those, obviously, also help with these cases.

Dave Bittner: [00:25:04] So Asaf is really singing our tune, isn't he?

Joe Carrigan: [00:25:07] Yes, he is...

Dave Bittner: [00:25:08] (Laughter).

Joe Carrigan: [00:25:08] ...Absolutely. One of the things I noticed early on in the interview is Asaf talks about how they have broken up spear phishing into three other categories of brand impersonation, business email compromising, extortion. This, in our academic world, is what we call an ontology, right? It's a way of naming things. Like, you can think of a taxonomy, like how we name animals. It's also an ontology. I really wish there was a better way to standardize this kind of thing because if we could do that for security, we would have such a better understanding of things, I think - just kind of starts off with this basic, nebulous thing. And it kind of organizes itself. But I really wish there was a way to formalize it. That's just an aside. For the extortion emails, the password proof can be a very powerful tool...

Dave Bittner: [00:25:47] Yeah.

Joe Carrigan: [00:25:47] ...In getting inside your head. Like, hey, here's your password. Imagine if you're still using that...

Dave Bittner: [00:25:50] Right.

Joe Carrigan: [00:25:50] ...Password, right?

Dave Bittner: [00:25:50] I know a secret.

Joe Carrigan: [00:25:51] Right, exactly.

Dave Bittner: [00:25:53] Yeah, yeah.

Joe Carrigan: [00:25:53] I've got you. This seems, to me, like one of the most terrifying things that anybody could ever receive, you know? Even if you know it's a scam, there's still that little nagging bite in the back of your head that says, I wonder if it's real.

Dave Bittner: [00:26:05] Yeah. What else do they know?

Joe Carrigan: [00:26:06] What else do they know? Exactly.

Dave Bittner: [00:26:07] Right. They got this secret from me.

Joe Carrigan: [00:26:09] Yeah. They didn't get it from you. They got it from some other breach.

Dave Bittner: [00:26:11] Right.

Joe Carrigan: [00:26:11] So relax. Breathe.

Dave Bittner: [00:26:14] (Laughter) Take your time. Slow down.

Joe Carrigan: [00:26:15] You're going to be fine.

Dave Bittner: [00:26:16] Yeah.

Joe Carrigan: [00:26:16] I agree with Asaf's assertion that the extortion emails work because we're seeing the increase in their usage. And he said they've grown to 10 percent of the spear phishing emails in just a couple of months.

Dave Bittner: [00:26:27] Yeah.

Joe Carrigan: [00:26:27] That's remarkable. And he's 100 percent correct. There is an economic cost for these people to implement these. And while it's relatively low, they do have to see an ROI on it. I may not agree with it has to be a remarkably good ROI - return on their investment. I mean, they're - these people a lot of times are coming from countries where if they can make $15 in a day, they're doing pretty well.

Dave Bittner: [00:26:46] Yeah.

Joe Carrigan: [00:26:47] Any return on investment is a good return on investment.

Dave Bittner: [00:26:49] Yeah.

Joe Carrigan: [00:26:49] ...Because you can scale this up pretty well, right?

Dave Bittner: [00:26:52] Right. Right. Well - but it makes sense that they would latch onto something that's working.

Joe Carrigan: [00:26:56] Absolutely.

Dave Bittner: [00:26:56] It'd be interesting to see, how quickly do they burn through that?

Joe Carrigan: [00:26:59] Right.

Dave Bittner: [00:27:00] Word gets out. Awareness gets raised.

Joe Carrigan: [00:27:02] Yeah. I...

Dave Bittner: [00:27:02] And it doesn't work anymore.

Joe Carrigan: [00:27:03] I imagine that in the future, we'll see this go up a little bit more. And then it will start to go down as awareness builds. This will be - become about as common as the Nigerian prince scam...

Dave Bittner: [00:27:13] Right.

Joe Carrigan: [00:27:13] ...Which still is around. It will always be around. It will always be out there.

Dave Bittner: [00:27:17] (Laughter) It's one of the classics, yeah.

Joe Carrigan: [00:27:17] ...Because - yeah. It will become one of the classics. I guarantee it.

Dave Bittner: [00:27:20] Yeah.

Joe Carrigan: [00:27:20] Urgency - we hear this again. It's just another form of an artificial time constraint, right? And that's one of the big social engineering tools. And Christopher Hadnagy talks about it. It's absolutely imperative that when somebody is telling you that this is an urgent problem via email, that you need to just relax.

Dave Bittner: [00:27:38] Right.

Joe Carrigan: [00:27:38] Go make a cup of tea. Make a cup of coffee. Talk about it with somebody else. Another interesting part of this - and he kind of hinted at this, but he didn't say it. But business email compromise involves some level of open-source intelligence gathering. So I like that he's talking about the kind of people that get impersonated - usually CEOs, CFOs, those kind of people. That's pretty easy to find out. And then if I can find a target in the company that works in the financial department, that's only two pieces of information.

Joe Carrigan: [00:28:04] But when I start doing things where I'm getting really deep into the organization and I find two people in the financial organization and I start imitating email from one of those people to another person, that's a lot more open-source intelligence gathering that has to be done. That is groundwork that needs to be done. But these business email compromise scams have - as we talked about in this podcast before, are remarkably profitable.

Dave Bittner: [00:28:27] Yeah.

Joe Carrigan: [00:28:28] They're very profitable.

Dave Bittner: [00:28:29] Yeah.

Joe Carrigan: [00:28:29] They're going to put the time in...

Dave Bittner: [00:28:30] Right.

Joe Carrigan: [00:28:31] ...To do this.

Dave Bittner: [00:28:31] Right. It's worth - that investment pays off...

Joe Carrigan: [00:28:33] It does.

Dave Bittner: [00:28:34] ...Quite, I guess, often enough that they keep doing it.

Joe Carrigan: [00:28:36] And it pays off big. It's remarkable. Bruce Schneier - we - I've quoted it before. Security is not a product. It's a process. I'm paraphrasing here. A lot of these business email compromise attacks can be thwarted simply by implementing better policies and processes. It's a company policy that when someone sends you an email, that you make the phone call back for the transfer or that two people have to be involved in the process of transferring money out or maybe even three people, depending on what your risk level is. You know, and every company will have to decide this for themselves. But I think that people are well-served by taking a look at what their risks are, how much risk they're willing to accept and how much impediment to the process they're willing to put in to mitigate these risks.

Dave Bittner: [00:29:19] No, it's a good point, that notion of taking a risk-based approach. And that's not a one-size-fits-all type thing.

Joe Carrigan: [00:29:26] Right.

Dave Bittner: [00:29:26] All right. Well, that is our show. Thanks for listening.

Dave Bittner: [00:29:29] We also want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:29:45] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:29:53] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:30:12] And I'm Joe Carrigan.

Dave Bittner: [00:30:13] Thanks for listening.