Hacking Humans 5.30.19
Ep 51 | 5.30.19

Be willing to admit you don't know everything.

Transcript

Wayne May: [00:00:01] Trust your gut if it seems too good to be true - because as I said earlier, everybody knows about the old ones. Be willing to learn. Be willing to admit that you don't know everything.

Dave Bittner: [00:00:11] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:29] Hello, Dave.

Dave Bittner: [00:00:30] We've got some interesting stories to share this week. And later in the show, Carole Theriault returns. She's got an interview with the head of a group that call themselves Scam Survivors. They provide online resources for people who've been victimized by scammers.

Dave Bittner: [00:00:44] But first a word from our sponsors, KnowBe4. So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.

Dave Bittner: [00:01:17] And we are back. Joe, I'm going to kick things off this week. We're going to jump right into our stories. Mine comes from Google. This is their security blog. And the article is titled "New Research: How Effective is Basic Account Hygiene at Preventing Hijacking?"

Joe Carrigan: [00:01:33] Aha.

Dave Bittner: [00:01:33] Really, some interesting stuff here. This is a good report. We'll have a link to it in the show notes. And I recommend everybody check it out. A concise report with a lot of good information in it. I'm going to do a good bit of reading directly from this because it is so concise. It's actually hard to distill down any more concise than it is.

Joe Carrigan: [00:01:51] Yeah. I'm looking at the article now. It's maybe, like, a two-minute read.

Dave Bittner: [00:01:53] Basically, Google teamed up with some researchers from New York University and University of California, San Diego, to try to find out how effective basic account hygiene is at preventing hijacking. Now, of course, Google has some built-in tools where they try to prevent, you know, people taking over your accounts, bots, so on and so forth. But they gathered up some really interesting statistics here. They said if you've signed into your phone or you've set up a recovery phone number - this is with your Google account - they have two-step verification. They found that an SMS code sent to a recovery phone number blocked 100% of automated bots...

Joe Carrigan: [00:02:31] Right.

Dave Bittner: [00:02:31] ...Ninety-six percent of bulk phishing attacks...

Joe Carrigan: [00:02:34] Huh.

Dave Bittner: [00:02:34] ...And 76% of targeted attacks.

Joe Carrigan: [00:02:38] It stopped the automated attacks dead in their tracks.

Dave Bittner: [00:02:40] Yeah. Now, what's interesting, to contrast this, is they found that if you didn't have SMS enabled, the protection rates for phishing could drop as low as 10%.

Joe Carrigan: [00:02:52] Right.

Dave Bittner: [00:02:53] The built-in things that Google has, they were still effective against bots. But for phishing and targeted attacks, as low as 10%. That is a wide gap.

Joe Carrigan: [00:03:01] Right. Right. That's on the knowledge-based authentication.

Dave Bittner: [00:03:04] Right.

Joe Carrigan: [00:03:05] Knowledge-based challenges were as low as 10% effective in stopping someone from taking over your account.

Dave Bittner: [00:03:11] Right. And that's where they ask you a question. What was the street you grew up on? What was - what's the name of your dog?

Joe Carrigan: [00:03:17] We've talked about this before, how easy that stuff is to get.

Dave Bittner: [00:03:19] Right.

Joe Carrigan: [00:03:19] What I think is fascinating here is the SMS code. When I talk about two-factor authentication or multi-factor authentication, I talk about it from least secure to most secure.

Dave Bittner: [00:03:28] Right.

Joe Carrigan: [00:03:28] And I always start with SMS code because even if you get an SMS code, there are ways to social engineer that out of a person.

Dave Bittner: [00:03:35] Right.

Joe Carrigan: [00:03:35] Right? And there are ways to actually get around it and to breach other security. You can clone a SIM card, or...

Dave Bittner: [00:03:40] Right. Right.

Joe Carrigan: [00:03:41] ...Or something, and actually get the code yourself. But I'm not amazed that it stopped 100% of the automated attacks 'cause that's the biggest bulk of these things, right? And when the automated attack sees a prompt for a second factor here, it's not going to continue. It's just going to stop and go on to the next account and try to breach that.

Dave Bittner: [00:03:56] Sure.

Joe Carrigan: [00:03:56] Ninety-six percent for a bulk phishing attack for something as simple as an SMS code, and then even 76% for targeted campaigns against an individual...

Dave Bittner: [00:04:06] Yeah.

Joe Carrigan: [00:04:06] ...That is a huge bump in security.

Dave Bittner: [00:04:08] Right. From 10% to 70, or in the 70s or the 90s. The high 90s (laughter).

Joe Carrigan: [00:04:14] Yes. That's really good. Even just using something as simple as SMS, which is not the most secure form of multi-factor authentication, can really, really help you out.

Dave Bittner: [00:04:21] It's interesting. They bring up the point - they said, you know, given the benefits here, why don't they require them for everybody?

Joe Carrigan: [00:04:27] Right.

Dave Bittner: [00:04:27] Why not just make it so that you have to do this?

Joe Carrigan: [00:04:29] Yeah. I've been wondering that for a long time. We just need to move on to having multi-factor authentication as the default.

Dave Bittner: [00:04:35] Yeah. Well, they say in this report that those challenges obviously introduce friction.

Joe Carrigan: [00:04:40] Right.

Dave Bittner: [00:04:40] But also, it increases the risk of account lockout. They said, in their research, 38% of users did not have access to their phone when they were challenged.

Joe Carrigan: [00:04:49] Ah.

Dave Bittner: [00:04:50] That seems high to me.

Joe Carrigan: [00:04:51] Yeah.

Dave Bittner: [00:04:51] But that's the number they had. They said 34% of users could not recall their secondary email address. So that's one of the things you can have as additional protection, is a secondary email address where they can email you and, you know, verify the account.

Joe Carrigan: [00:05:07] And that is not nearly as effective as even an SMS code.

Dave Bittner: [00:05:11] Correct.

Joe Carrigan: [00:05:11] Automated attacks are stopped, 73%, with a secondary email address. I'm betting that's based on an attempt to reuse a password on the secondary email attack.

Dave Bittner: [00:05:21] Mmm hmm. Now, one of the points that they make here is that they actually have an additional level. If you're someone who feels as though you are a high-risk person, Google has an advanced protection program.

Joe Carrigan: [00:05:32] Right.

Dave Bittner: [00:05:32] And that involves physical security keys.

Joe Carrigan: [00:05:35] Right. You don't even need to be a high-risk person. If you go out and buy a YubiKey - or Google has their own product. I think they call it Titan?

Dave Bittner: [00:05:41] Mmm hmm.

Joe Carrigan: [00:05:42] You can just use those. I use a YubiKey for my Google authentication. And, you know, it was a $40 investment, and it works great.

Dave Bittner: [00:05:49] Yeah.

Joe Carrigan: [00:05:50] And they say this stops 100% of all the attacks.

Dave Bittner: [00:05:53] Yeah. Yeah. In this research, they say zero users that use the security keys fell victim to targeted phishing during their investigation.

Joe Carrigan: [00:06:00] Right.

Dave Bittner: [00:06:00] Yeah.

Joe Carrigan: [00:06:01] Targeted attacks did not work when you used a YubiKey.

Dave Bittner: [00:06:04] So it - that...

Joe Carrigan: [00:06:04] Or something similar.

Dave Bittner: [00:06:05] ...It works.

Joe Carrigan: [00:06:06] Right. It works.

Dave Bittner: [00:06:06] It just works (laughter).

Joe Carrigan: [00:06:07] Exactly.

Dave Bittner: [00:06:07] (Laughter) Right, right. The other thing they pointed out is that Google has five things you can do right now to stay safer online. They have a blog post about that. I'll just go through these quickly 'cause they are good. One is set up a recovery phone number or email address, and keep it updated. That's basically what we've been talking about.

Joe Carrigan: [00:06:24] Right.

Dave Bittner: [00:06:24] Use unique passwords for your accounts. We certainly have covered that here. Keep your software up to date. That's both the software you're using, your operating system. Set up two-factor authentication, something we talk about all the time.

Joe Carrigan: [00:06:38] Yep.

Dave Bittner: [00:06:38] And then the last one - perhaps a little bit self-serving for Google - they say take the Google security checkup, which goes through your Google account and gives you an idea of how strong it is.

Joe Carrigan: [00:06:48] Right. I think Facebook has this, as well?

Dave Bittner: [00:06:50] Yeah. My password manager has one, as well. You know, just and it goes through and checks to make sure you're doing what you should be doing.

Joe Carrigan: [00:06:56] Your password manager, I think, checks with Troy Hunt's database to see if anything's been in Have I Been Pwned?, right?

Dave Bittner: [00:07:01] I believe so.

Joe Carrigan: [00:07:02] Yeah.

Dave Bittner: [00:07:02] I believe so. But it even goes through and just - like, if it notices that I'm reusing a password somewhere...

Joe Carrigan: [00:07:07] Ah.

Dave Bittner: [00:07:07] ...It'll ping me and say, hey, knock it off.

Joe Carrigan: [00:07:10] That's - (laughter)...

Dave Bittner: [00:07:11] Please, you know...

Joe Carrigan: [00:07:11] Don't do this. This is bad.

Dave Bittner: [00:07:12] Right. Please allow us to generate a safer password, a unique safe password for you. So that's my story this week. I highly recommend you check out this article. The gap between the haves and the have-nots here was wider than I thought it would be.

Joe Carrigan: [00:07:26] Yeah.

Dave Bittner: [00:07:26] The difference that SMS makes, and particularly, that hardware key, to basically solve this problem...

Joe Carrigan: [00:07:31] Right.

Dave Bittner: [00:07:31] ...If you have a hardware key.

Joe Carrigan: [00:07:32] Exactly.

Dave Bittner: [00:07:33] I was not expecting that, and it's impressive. So take a couple minutes and do check it out. It's worth your time.

Joe Carrigan: [00:07:38] Yep.

Dave Bittner: [00:07:39] What do you have for us this week, Joe?

Joe Carrigan: [00:07:40] Dave, generally, we think of social engineering as an active attack, right?

Dave Bittner: [00:07:43] Yep.

Joe Carrigan: [00:07:44] I'm going to come after you, and I'm going to tell you some kind of lie. Imagine, if you will, a passive form of social engineering.

Dave Bittner: [00:07:50] Go on.

Joe Carrigan: [00:07:52] So Forbes has this article by Suzanne Rowan Kelleher that touches on this topic.

Dave Bittner: [00:07:56] OK.

Joe Carrigan: [00:07:57] And the topic is USB charging stations in airports. And I'm going to go ahead and say anywhere, for that matter.

Dave Bittner: [00:08:04] OK. So I go to the airport.

Joe Carrigan: [00:08:06] Right.

Dave Bittner: [00:08:06] And my flight's delayed. My phone is getting low on power.

Joe Carrigan: [00:08:09] Right.

Dave Bittner: [00:08:09] And the airport has conveniently set up a charging station for me...

Joe Carrigan: [00:08:13] Right.

Dave Bittner: [00:08:13] ...Where I can plug into a USB port.

Joe Carrigan: [00:08:15] It's got the USB port right there on a wall or maybe on a desk or something.

Dave Bittner: [00:08:19] Yep.

Joe Carrigan: [00:08:20] ...Or maybe on a chair.

Dave Bittner: [00:08:20] Right.

Joe Carrigan: [00:08:21] You can plug into this thing, and it will provide power to your phone and charge your phone.

Dave Bittner: [00:08:24] Right.

Joe Carrigan: [00:08:24] Right. As a free service.

Dave Bittner: [00:08:26] Yeah.

Joe Carrigan: [00:08:26] Right?

Dave Bittner: [00:08:26] Convenient.

Joe Carrigan: [00:08:27] Yes. The problem with these things is that these USB charging stations can be modified by an attacker to install malware on your phone, or even to download data from your phone without your knowledge.

Dave Bittner: [00:08:37] Hmm.

Joe Carrigan: [00:08:38] Right?

Dave Bittner: [00:08:38] OK.

Joe Carrigan: [00:08:39] And a friend of the CyberWire, Caleb Barlow from IBM, has a great quote in this article. I'm going to read it exactly 'cause it ties in to our analogy with personal hygiene.

Dave Bittner: [00:08:48] OK (laughter).

Joe Carrigan: [00:08:48] Right? And he says, plugging into a public USB port is kind of like finding a toothbrush on the side of the road and deciding to stick it in your mouth. You have no idea where that thing has been.

Dave Bittner: [00:08:58] (Laughter).

Joe Carrigan: [00:09:00] (Laughter).

Dave Bittner: [00:09:00] OK. I can't unsee that. All right. Very good.

Joe Carrigan: [00:09:02] (Laughter).

Dave Bittner: [00:09:02] Very good.

Joe Carrigan: [00:09:04] And that's exactly right. You really don't know what's on the other end of this. Now imagine I'm an attacker, and I want to lure people in with a sense of false security.

Dave Bittner: [00:09:11] Right.

Joe Carrigan: [00:09:11] I'm going to say, well, you know, we think of the airport as a very secure place. Right?

Dave Bittner: [00:09:15] Yeah. You've passed through security, already on your way to where you're going to sit and wait for your plane.

Joe Carrigan: [00:09:19] Exactly. What are the odds that somebody has come in here and maliciously acted on these USB ports?

Dave Bittner: [00:09:25] Right.

Joe Carrigan: [00:09:25] Probably low.

Dave Bittner: [00:09:26] Yeah. I'd say so.

Joe Carrigan: [00:09:27] It may not be, though. It may be higher. And state actors are turning to this because they're targeting travelers...

Dave Bittner: [00:09:33] Mmm.

Joe Carrigan: [00:09:33] ...Because they have a lot of valuable information.

Dave Bittner: [00:09:35] Yeah. And I guess a plane ticket is not an expensive thing to pay for...

Joe Carrigan: [00:09:39] No, it is not.

Dave Bittner: [00:09:40] ...To get you past that security point...

Joe Carrigan: [00:09:42] That's absolutely correct.

Dave Bittner: [00:09:42] ...If you're targeting those folks.

Joe Carrigan: [00:09:43] And I've gone through airport security with some pretty suspicious-looking electronics.

[00:09:47] (LAUGHTER)

Dave Bittner: [00:09:50] Yeah. The nature of the work you do.

Joe Carrigan: [00:09:52] Right. Yeah.

Dave Bittner: [00:09:53] Sir, I'm going to have to ask you to step aside here.

Joe Carrigan: [00:09:55] There was none of that, Dave.

Dave Bittner: [00:09:55] (Laughter).

Joe Carrigan: [00:09:56] I said, look, these are electronic prototypes I've built. If you want me to open them and explain them to you, I can do that. 'Cause I was positive that they were going to say, huh, this looks kind of suspicious. They didn't blink twice at it.

Dave Bittner: [00:10:08] Huh.

Joe Carrigan: [00:10:09] They went through, and they said OK. And these were, like, cigar boxes with wires all over 'em.

Dave Bittner: [00:10:13] (Laughter).

Joe Carrigan: [00:10:13] Right?

Dave Bittner: [00:10:13] That's kind of terrifying, Joe.

Joe Carrigan: [00:10:14] Yeah. Yeah.

[00:10:15] (LAUGHTER)

Dave Bittner: [00:10:16] OK.

Joe Carrigan: [00:10:16] There are two better solutions. And Caleb talks about this in the article, but these are things I would recommend. No. 1, bring your actual power adapter with you and plug that into a 110 outlet on the wall.

Dave Bittner: [00:10:27] Mmm hmm.

Joe Carrigan: [00:10:28] That's great if you're traveling domestically. If you're traveling internationally, it might be a little bit more difficult 'cause they use different kinds of power outlets, right?

Dave Bittner: [00:10:33] Mmm hmm.

Joe Carrigan: [00:10:34] But make sure you have a universal power outlet in that case because generally speaking, the power outlet is less likely to be a source of malicious software than the USB port. And the other is, bring your own power bag. Like, a little battery pack. I have one of these. When you and I were traveling a couple weeks ago, I used one of these to keep my phone charging so I could use the mobile hotspot. It's a great idea. The third one - this is not necessarily a good option, but it's called the USB condom.

Dave Bittner: [00:10:59] OK.

Joe Carrigan: [00:10:59] So a USB connection has four wires in it, and two of them are used for power and two of them are used for data.

Dave Bittner: [00:11:04] OK.

Joe Carrigan: [00:11:05] And what a USB condom does is it just provides no connection to the data pins. So now even if you plug into one of these infected ports, you won't get anything malicious happening to you because there's no way for the port to communicate with your phone because there's no data connection. There's no power connection.

Dave Bittner: [00:11:18] Right. Right. Right.

Joe Carrigan: [00:11:20] Now, if you recall a couple months ago - some time ago, you and I were talking about Kevin Mitnick...

Dave Bittner: [00:11:24] Yeah.

Joe Carrigan: [00:11:25] ...Building a prototype of malicious USB condoms.

Dave Bittner: [00:11:27] Right. Right. Yeah.

Joe Carrigan: [00:11:28] (Laughter) So now you have that worry to go about. So, you know, you should just X-ray your USB condom and make sure it's not one of Kevin's. We all have access to X-ray machines, right, Dave?

Dave Bittner: [00:11:37] Oh, sure, yeah. That's practical. And if you don't, just, you know, stop by the airport, just go up to the folks there at the security line, tell them that you're not actually taking a flight, but could you just run this device through? I'm just - I don't know what's inside of it, and I'd like to see. They'll be totally OK with that.

Joe Carrigan: [00:11:51] Yeah, well, will they really be OK with that, Dave?

Dave Bittner: [00:11:53] No, they...

[00:11:54] (LAUGHTER)

Dave Bittner: [00:11:54] They will not be OK with that. They are completely humorless. They will not be OK with that. So I guess the big picture here is...

Joe Carrigan: [00:12:03] Right.

Dave Bittner: [00:12:03] ...You need to know the chain of custody.

Joe Carrigan: [00:12:06] Right. Yeah, the supply chain of your products.

Dave Bittner: [00:12:08] Yeah. Buy it from a reputable dealer.

Joe Carrigan: [00:12:11] Right. Or the cable that came with your phone is probably a good product, right?

Dave Bittner: [00:12:14] Likely.

Joe Carrigan: [00:12:15] Unless it was interdicted in the supply chain, but you never really know, right?

Dave Bittner: [00:12:19] And if you're a person who's likely to fall victim to that, chances are you already know that.

Joe Carrigan: [00:12:23] Right.

Dave Bittner: [00:12:24] And you're going to have things in place to protect yourself from those...

Joe Carrigan: [00:12:27] Exactly.

Dave Bittner: [00:12:27] ...Possibilities.

Joe Carrigan: [00:12:28] For the vast majority of people, this is kind of a low-risk thing worrying about a malicious cable. But I would say worry about these malicious USB ports in airports or anywhere else. You know, I was at my daughter's graduation yesterday, and they had a huge table of USB charging cables, right? And I was walking up, looking at them, and there was a woman across the table from me. She goes, the Apple ones are over here, and she plugs it into her phone (laughter). And I'm like - inside of my head, I'm going no.

Dave Bittner: [00:12:56] (Laughter) Yeah. Yeah.

Joe Carrigan: [00:12:57] But I'm like, no, don't make a scene here.

Dave Bittner: [00:12:59] My favorite one was recently at a trade show. At their booth, NSA had a free charging station.

Joe Carrigan: [00:13:04] (Laughter).

Dave Bittner: [00:13:08] And they made light of it, you know.

Joe Carrigan: [00:13:09] (Laughter).

Dave Bittner: [00:13:11] They knew what they - they got the joke, you know. They got it.

Joe Carrigan: [00:13:14] Right. That's hilarious, by the way.

Dave Bittner: [00:13:15] Yeah. Yeah.

Joe Carrigan: [00:13:16] I'm glad to see that the NSA is not without their humor...

Dave Bittner: [00:13:19] Yes.

Joe Carrigan: [00:13:19] ...Unlike the TSA.

Dave Bittner: [00:13:20] There you go. There you go. Right. Right. All right, Joe, it's time to move on to our Catch of the Day.

[00:13:26] (SOUNDBITE OF REELING IN FISHING LINE)

Dave Bittner: [00:13:29] Joe, our Catch of the Day this week is a scam that is known as the trunk box scam.

Joe Carrigan: [00:13:34] The trunk box scam.

Dave Bittner: [00:13:35] And this - there's an echo in here.

Joe Carrigan: [00:13:37] I have never - (laughter).

Dave Bittner: [00:13:37] And this comes from the website scam-detector.com.

Joe Carrigan: [00:13:41] I have never heard of this scam.

Dave Bittner: [00:13:42] It's a variation of stuff we've heard before...

Joe Carrigan: [00:13:46] OK.

Dave Bittner: [00:13:46] ...As a lot of these seem to be.

Joe Carrigan: [00:13:48] Right.

Dave Bittner: [00:13:48] But it goes like this.

Dave Bittner: [00:13:49] (Reading) Good day. I am Mrs. Ayesha Gadhafi, the second wife of the late Mr. Ahmed al-Gadhafi al-Qahsi, the commander of Libya's elite special forces and the son of Colonel Gadhafi, the Libyan leader. I'm contacting you to assist me to retrieve the sum of 50 million United States dollars being deposited in Ivory Coast by my late husband. But as we arrived here due to the political problem during the former regime of President Babu, I ordered the security company to move the consignment to their affiliate office in Jakarta, Indonesia, for safekeeping, which they did via a diplomatic immunity. So I will give you every of their contact in Indonesia for retrieving of the consignment as the fund was deposited on my name. As a matter of fact, I and my only son and the entire family of my father-in-law were trapped in a bunker here in Tripoli after my late husband was captured on 12 of October 2011. I managed to sneak out with my son with the help of a security guard on duty that fateful day and crossed us to the border presently I am hiding in West Africa without any other means of communication except my laptop...

Dave Bittner: [00:14:54] And, evidently, a reliable Wi-Fi connection.

Joe Carrigan: [00:14:56] Right.

[00:14:59] (LAUGHTER)

Dave Bittner: [00:14:59] (Reading) I hope to arrange for my travelling out if possible to your country for an investments of this fund and to safeguard my life because I know the regime of my father-in-law has collapsed after his death. Please, for your kind assistance, I will offer you 25% of the total sum after you have retrieved the consignment. All the legal documentation concerning the deposited funds are with me. I will only write power of attorney making you the new beneficiary of the deposit so that the security company can release the consignment to you.

Dave Bittner: [00:15:25] And it goes on. I'm not going to read the whole rest of it.

Joe Carrigan: [00:15:28] Right.

Dave Bittner: [00:15:28] At the end - (reading) the only information you need to provide is your full name, your direct telephone, your home address, your country, your age, your occupation and a copy of your ID or passport.

Dave Bittner: [00:15:38] What could possibly go wrong here, Joe?

Joe Carrigan: [00:15:40] I don't know, Dave. You are going to have your identity stolen. That is what's going to happen here.

Dave Bittner: [00:15:44] Yes, at the very least. And actually, over on the website where we got this from, over at scam-detector.com, they describe that this is actually pretty elaborate, that - if you contact these people, they will continue to contact you. They will send you photographs of the people involved. They'll send you copies of passports to try to set up the authenticity of this and so on and so forth.

Joe Carrigan: [00:16:05] Wow.

Dave Bittner: [00:16:05] But - yeah. And ultimately, what they're after is they're going to have you send them some money as a transfer fee or something like that.

Joe Carrigan: [00:16:14] OK.

Dave Bittner: [00:16:14] So they're after that transfer fee.

Joe Carrigan: [00:16:15] So they're not just after your identity.

Dave Bittner: [00:16:17] No. They're after about 2,500 bucks or so in exchange for 25% of $50 million.

Joe Carrigan: [00:16:24] Right.

Dave Bittner: [00:16:25] So pretty straightforward here. I don't think there's any mysteries of what's going on but a pretty good one.

Joe Carrigan: [00:16:30] Yep.

Dave Bittner: [00:16:31] All right. Well, that is our Catch of the Day. Coming up next, we've got Carole Theriault. She has an interview with the head of a group that call themselves Scam Survivors.

Dave Bittner: [00:16:39] But first - a word from our sponsors, KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.

Dave Bittner: [00:17:32] And we're back. Joe, Carole Theriault recently spoke with a gent who heads up an organization called Scam Survivors. Now, to protect his identity, he only goes by the name of a Welsh Wayne. Here's Carole with the story.

Carole Theriault: [00:17:45] Do I have a fascinating chat for you guys to earwig on today? So in Wales in the United Kingdom, there is a team of scam fighters who run a volunteer organization known as Scam Survivors. The idea here is to provide guidance, information and all manner of advice to people who are being scammed. Actually, as the Welsh Wayne will explain in a second, many of the requests to Scam Survivors involve the person needing evidence of the scam so that they can show their loved one that the online romance or online business deal is really an evil ruse by an online thief.

Carole Theriault: [00:18:27] Imagine how awful it would be if your mom or sister, uncle, friend, was obviously being phished but they just couldn't see it from their own vantage point? Now, Wayne, who only shared his first name with me, says he fights scams anonymously. That piqued my interest. First, I asked Wayne to tell me a bit about Scam Survivors before I dug into how he got into this line of work and just why did he think his online identity needed to be kept anonymous? Here's Wayne.

Wayne May: [00:18:59] What we do is we provide as much information as we can about the scammers themselves - the emails, the phone numbers, the pictures they use. And then we have all the advice on how to deal with being scammed. So it's, like, a two-pronged approach to it. There's as much information on this is how to spot the scammer and then if you're scammed, this is what you need to do.

Carole Theriault: [00:19:23] Now, let's get back to you. So why are you guys using anonymous online identities for this operation?

Wayne May: [00:19:31] Well, we have to because we've had things like death threats. We constantly get DDoS'd on the site. The first time was around three months after we started. We were on a shared host at the time. And the attack was so big, it actually took down the entire node, so it took down over 100 other sites as well. And we...

Carole Theriault: [00:19:49] Wow.

Wayne May: [00:19:49] Yeah, we were very politely asked to leave.

[00:19:52] (LAUGHTER)

Wayne May: [00:19:54] So we have to have our own dedicated host now. So we are protected. It's all DDoS protected, and we could - we still get the attacks, but even when it does happen, we don't get affected by it.

Carole Theriault: [00:20:04] Right. And one of your identities are mentioned on your site, so the four of you were kind of behind the scenes helping people out in an anonymous fashion.

Wayne May: [00:20:13] Yeah. What we've done is create - almost created personas, as it were, where my real name is Wayne, but it's not Wayne May.

Carole Theriault: [00:20:22] Right, right.

Wayne May: [00:20:23] So we've all come up with real first names, fake last names, and we've done it this way so we don't mess up when we do interviews or if we speak to people. I want to call somebody by their real name where I should be using their fake name. So it's a way to protect ourselves and not slip up because it would be so easy to say my real name was Michael, which it isn't, right.

Carole Theriault: [00:20:49] Right.

Wayne May: [00:20:49] ...For somebody to say Michael instead of Wayne. So if we all used our real first names, we're not going to mess up. And our first names are so common anyway, it doesn't really matter.

Carole Theriault: [00:20:59] And how did you get into this, into working with Scam Survivors?

Wayne May: [00:21:03] Well, I started off in 2005 as a scam baiter.

Carole Theriault: [00:21:08] Oh.

Wayne May: [00:21:08] I was basically looking online one night bored, just looking for funny things. And I found this quiz - which Nigerian spam are you? So I did the quiz. It came up with some name I've never heard of. I Googled it, and I found the entire baiting community just opened up to me. I sat there all night reading these things and laughing to myself, thought this is brilliant. I really want to be a part of this.

Carole Theriault: [00:21:35] So what kind of things were you reading? Like, what kind of thing...

Wayne May: [00:21:38] Some of the ones that were more technical. There are - like, some people would just - will bait to do something silly and that's it. I liked the whole - there were ones, for example, where they were taking photographs of somebody that was part of the scam and then making it appear to be footage from a security camera. So - I kind of liked that cleverness about it. So I joined up. I messed around for a bit talking to different scammers. And then I had a romance scammer contact me. And I really didn't like it because I knew that this was really a guy pretending to be a female.

Carole Theriault: [00:22:15] How did you know?

Wayne May: [00:22:16] By the way he was talking. A guy that doesn't know the female body that well is going to speak in a certain way.

Carole Theriault: [00:22:25] OK (laughter). Enough said (laughter).

Wayne May: [00:22:29] Yeah. There's this thing on "Red Dwarf" where Rimmer has pretended to be a female. And he turns and said, I'm having a woman's period.

Carole Theriault: [00:22:36] (Laughter).

Wayne May: [00:22:38] That kind of way that they speak...

Carole Theriault: [00:22:40] Right.

Wayne May: [00:22:41] ...You know, no, this is not a female. So I didn't, like - as I said, you know, I felt really uncomfortable, like I needed to scrub myself down with bleach after. And somebody said, well, if you felt that way, they were having to pretend to be a female. Imagine how they felt. And that was my light bulb moment. I felt uncomfortable. I'm going to make them feel 10 times as bad. And I got a real kick out of making them feel bad.

Carole Theriault: [00:23:05] Are you talking threats, things like that?

Wayne May: [00:23:07] No, no, no.

Carole Theriault: [00:23:08] OK. So trying to make it too intimate for them to try and make them feel uncomfortable the way they did to you.

Wayne May: [00:23:13] Yes.

Carole Theriault: [00:23:14] Got you.

Wayne May: [00:23:14] Exactly. And there were very few people actually dealing with romance scammers at the time. And people would come to me, say, my mother, my brother is being scammed at the moment. Would you bait this scammer to help convince them that it is a scam? So over the course of about a year or so, I started dealing less with having fun with the scammers and more helping the people who were being scammed or helping the people who were having to deal with people being scammed. So it went from just being this fun thing to an actual, I'm helping people now.

Carole Theriault: [00:23:48] Wow. So that's kind of interesting. That kind of flips it over, doesn't it?

Wayne May: [00:23:51] Yeah.

Carole Theriault: [00:23:52] What kind of people get in touch with you? So what kind of problems do they present you with?

Wayne May: [00:23:57] It could be all sorts of problems 'cause we cover all online scams. It could be somebody who's being the victim of a sextortion scam. This week, we had somebody whose mother is being scammed by a romance scammer, and he's asked us to help prove that it's a scammer. Somebody may have an email, and they're not sure if it's genuine or not, and they could come to us.

Carole Theriault: [00:24:18] Right.

Wayne May: [00:24:19] It's basically, if you have any question at all about online scams, you can come to us on Scam Survivors, ask us the questions, and we will try to help you.

Carole Theriault: [00:24:27] And do people kind of ask you to, like, bait a scammer? Is that typically something that they still request?

Wayne May: [00:24:34] It does happen from time to time. Not as much these days because we have so much information that we're now able to say, yes, it's definitely a scammer, and here's why - because they've said this, or they've done that.

Carole Theriault: [00:24:45] Right.

Wayne May: [00:24:45] So there's less having to prove to them through baiting the scammer and now more this is how the scammers work. They've done this. They will be doing this next. So it's become easier through time because I've been doing this for 13 years now. I have 13 years' worth of knowing what the scammers do.

Carole Theriault: [00:25:04] Yeah, and how they operate. Just studying it every day. Yeah. What's your relationship with the authorities? Are they fans of Scam Survivors, or do they turn a blind eye? Or...

Wayne May: [00:25:14] It depends. We work, for example, with the Better Business Bureau. Steve Baker in the Better Business Bureau is a really nice guy. We've worked with him on a bunch of things. For the most part, we do get on with law enforcement. We've had the FBI, Met Police. NCIS Norway contacted us asking for help.

Carole Theriault: [00:25:34] Do you feel that people are more aware of scams today than ever before, or do you think we're still sitting ducks?

Wayne May: [00:25:43] I think people are aware of the traditional 419 scams. They're the kind of, we've got this money, you just need to pay this amount and then we'll send it to you. Everybody knows that. You see comedians doing it on shows, for example. But it's the newer ones that are coming out, the cleverer parts of the scams that people aren't aware of. For example, with a romance scam, everybody says, don't send money to somebody you've never met online. But then what they are doing now is creating fake courier companies. And they say, well, I've sent you some presents. And then the courier company says, we need these extra admin fees, or whatever. So you're not giving that person money. You're just covering the costs to receive something yourself.

Carole Theriault: [00:26:26] Right.

Wayne May: [00:26:27] So it's a constant having to keep up with the new things that are happening and educate the public on those.

Carole Theriault: [00:26:34] Is your job rewarding? Because you're anonymous, right? So it's not like you have lots of people high-fiving you for your work in real life. Does that pose questions for you? Do you ever kind of think, I wish I could claim this?

Wayne May: [00:26:47] Well, we kind of accept that that's how it is. We have, for example, on our sextortion form, there's an option there where you can leave feedback, and sometimes we'll get some really nice feedback on there. But yeah, we appreciate the fact that people aren't going to be able to phone us up and say, you're doing a great job. That's just how it is. We are able to sleep at night knowing that we've done this, that we've been able to help people. And that's enough for us. We don't get paid for doing this. I'm the only one of the group really who does any kind of media stuff.

Carole Theriault: [00:27:17] And they must be very grateful that you do this 'cause it helps spread the word. What advice do you have? If you've got your finger on the scam pulse, so to speak, what is the most modern advice that you can give them that they may not have had before in terms of avoiding scams?

Wayne May: [00:27:32] I think every bit of advice has been given before. It's that whole trust your gut if it seems too good to be true. But I think, if anything, it's be willing to learn about the new scams that are coming out. Because as I said earlier, everybody knows about the old ones. Be willing to learn. Be willing to admit that you don't know everything. And come to people like us at Scam Survivors and other sites, as well. And try to suck in as much knowledge if you can because there are so many people out there with this knowledge willing to share. So if you want to know about these scams, you may know so much, but there's also so much more to learn about.

Carole Theriault: [00:28:11] Maybe for IT administrators this is particularly important because they're of course not just looking after their own systems, but that of the entire company. So for them to stay really on top of this by checking out sites like yours is a great way to do it.

Wayne May: [00:28:25] Yeah. And if anybody wants to come to us, ask us any questions, we are always quite happy to speak to people.

Carole Theriault: [00:28:32] Well, Wayne, thank you very much. This has been very enlightening.

Wayne May: [00:28:36] No problem. Thank you for the chance to speak about it.

Carole Theriault: [00:28:39] (Laughter) You know, I got to come clean. Before I spoke with Wayne, I don't think it ever occurred to me that there would be tons of people out there worried about their loved ones being duped by an online scammer and that that would be a huge area where support like what Wayne is offering is needed. I mean, think about it. He has taken on the job of trying to prove to people that they are being phished by giving them evidence and giving them examples of it happening before. Boom, I say. So if you have a loved one that you're concerned about, don't despair. Check out Scam Survivors. And, of course, tell them to listen to this podcast. This was Carole Theriault for "Hacking Humans."

Dave Bittner: [00:29:28] Interesting stuff, huh, Joe?

Joe Carrigan: [00:29:29] Yes. No. 1, Wayne is a fan of "Red Dwarf." So...

Dave Bittner: [00:29:34] (Laughter) Kudos to Wayne.

Joe Carrigan: [00:29:35] That puts him up in my book, right?

Dave Bittner: [00:29:36] (Laughter) OK. Very good.

Joe Carrigan: [00:29:37] I love that show. Wayne is doing good work here. And it is a shame that he will never get to hear it from people that he impacts. But I'll tell him and his friends over there at Scam Survivors that this is good work.

Dave Bittner: [00:29:47] Yeah.

Joe Carrigan: [00:29:47] And it's important work, and it needs to be done. I find his story about how he got into it very interesting. He just stumbled across scam baiting and then just worked into helping people out. That was...

Dave Bittner: [00:29:56] Yeah, became almost like a hobby for him.

Joe Carrigan: [00:29:58] Right.

Dave Bittner: [00:29:59] Yeah.

Joe Carrigan: [00:29:59] It's also interesting that Scam Survivors has amassed enough information about these kind of scams. They can tell you, yes, this is a scam. Here's what's going to happen next. You show somebody that kind of predictive power just because you're familiar enough with these scams and familiar with how they work and you know the patterns. If you can tell somebody that here's what's going to happen next, that is going to be immensely powerful in helping them realize that they're in a scam.

Dave Bittner: [00:30:23] Oh, yeah.

Joe Carrigan: [00:30:24] Right?

Dave Bittner: [00:30:24] Yeah. You know, it's funny. I had a friend who was dealing with some unwelcome advances from a coworker to the point where she was talking to the police about it.

Joe Carrigan: [00:30:33] Really?

Dave Bittner: [00:30:33] Yeah. And so she tells me. She's having this conversation with the police officer, and the police officer's like, so did he do this? And she says, yeah. And then he did this. Yeah. And then after that, he did this. Yeah. (Laughter) Like, the police officer knew every single step along the way. And...

Joe Carrigan: [00:30:49] Right. He knew the pattern.

Dave Bittner: [00:30:50] He knew the pattern.

Joe Carrigan: [00:30:50] Right.

Dave Bittner: [00:30:51] And to her, this was just - you know, it was great for her to hear that because she knew it's not just me, you know, that...

Joe Carrigan: [00:30:57] Right.

Dave Bittner: [00:30:57] ...These things have patterns. And this police officer knows what he's talking about and, you know, hopefully is going to be able to help me because he has a sense for where it's going to go from here.

Joe Carrigan: [00:31:06] Right. Right.

Dave Bittner: [00:31:07] Yeah.

Joe Carrigan: [00:31:08] And now he can intervene before anything gets too far.

Dave Bittner: [00:31:11] Right.

Joe Carrigan: [00:31:11] The advice he says - trust your gut - is good from the outside perspective, right?

Dave Bittner: [00:31:15] Yeah.

Joe Carrigan: [00:31:16] So if we looked and saw that somebody we knew was getting scammed, and we had a gut feeling that they were getting scammed, that's good advice. But from the inside, your gut feelings may not be accurate, right? So I would say also that for anybody who's listening that you have to have the ability to be wrong. You have to understand that you could be wrong.

Dave Bittner: [00:31:37] I would also say have a trusted friend...

Joe Carrigan: [00:31:41] Right.

Dave Bittner: [00:31:41] ...Family member, whatever that you're willing to go to for a gut check.

Joe Carrigan: [00:31:45] Right. Yep, that's also good advice. Sometimes just explaining this to another person, as we've talked about before, is enough to make you realize, oh, yeah. This is a scam.

Dave Bittner: [00:31:53] Yeah.

Joe Carrigan: [00:31:53] I should have seen this. But now that I'm telling you about this, it's obviously a scam.

Dave Bittner: [00:31:57] Yeah.

Joe Carrigan: [00:31:58] That's one of the big things. You - get out of your shell. Talk to people. You know, one of the big red flags that we talk about in scams and actually in all kinds of different things, you know, is one of the first things I told my kids before they went to school - is look for the red flag, let's keep this between us. That should be a huge red flag. There's no reason for that usually except to isolate you, to keep you away from family and friends to talk about it with other people.

Dave Bittner: [00:32:24] Yeah.

Joe Carrigan: [00:32:24] So if you see that, if you hear that, let's - this is our little secret, let's keep this between us - let that be a red flag for you.

Dave Bittner: [00:32:32] Yeah. Thanks to Carole Theriault for bringing this to us. Really interesting stuff. Again, thanks to Wayne. I have to say, Wayne has a lovely accent.

Joe Carrigan: [00:32:40] Yes.

Dave Bittner: [00:32:40] Almost as nice as some of mine.

Joe Carrigan: [00:32:42] (Laughter).

Dave Bittner: [00:32:43] (Laughter) But we appreciate him coming on. And as we've both said, really great work here and good stuff. So thanks to him and all that they're doing. And that is our show. We want to thank all of you for listening.

Dave Bittner: [00:32:55] And of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:33:10] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:33:19] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:33:37] And I'm Joe Carrigan.

Dave Bittner: [00:33:37] Thanks for listening.