Hacking Humans 6.12.19
Ep 53 | 6.12.19

Just because I trusted you yesterday doesn't mean I trust you today.


Avi Solomon: [00:00:00] Anti-malware and phishing protection mechanisms won't help when you're dealing with the compromise of one party in the conversation.

Dave Bittner: [00:00:07] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:26] Hi, Dave.

Dave Bittner: [00:00:27] We've got some interesting stories to share this week. And later in the show, we've got my interview with Avi Solomon. He's the director of information technology for a law firm in Orlando, Fla. You and I met him at KB4-CON. He came up to us, and he said, I've got a story your audience needs to hear.

Joe Carrigan: [00:00:42] OK.

Dave Bittner: [00:00:42] He told us the story, and I said, yep. You're right. Our audience needs to hear that (laughter) story.

Joe Carrigan: [00:00:46] (Laughter). So he's going to share that story later in the show.

Dave Bittner: [00:00:49] But first, a word from our sponsors, KnowBe4. So how do you train people to recognize and resist social engineering? There are some things, people think. Test them, and if they fall for a test scam, fire them. Or, other people say, if someone flunks the test, shame them. Instead of employee of the month, it's dufus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how 'bout it? What do you think - carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.

Dave Bittner: [00:01:29] And we are back. Joe, before we jump into our stories this week, I wanted to take a moment of shameless self-promotion...

Joe Carrigan: [00:01:35] Yes.

Dave Bittner: [00:01:35] ...And (laughter) talk about the CyberWire, which, of course, is a daily podcast that I host that is cybersecurity focused.

Joe Carrigan: [00:01:43] It's daily news from the cybersecurity front.

Dave Bittner: [00:01:46] That is correct. And I think many of our listeners here may not either know about the CyberWire or may not have checked it out so I wanted to recommend that they do. You listen every day, right?

Joe Carrigan: [00:01:56] I do. I listen every day because it's a great summary of all the events that have happened in the past 24 hours.

Dave Bittner: [00:02:01] We do recommend that folks, please, check out the CyberWire. We also have a show called "Research Saturday" which posts - wait for it - Saturday.

Joe Carrigan: [00:02:08] Right.

Dave Bittner: [00:02:08] And that's when we have interviews with folks who are out there doing research that is also cybersecurity related.

Joe Carrigan: [00:02:13] An in-depth look at their research.

Dave Bittner: [00:02:16] Yeah.

Joe Carrigan: [00:02:16] You interview the actual researchers. That's also a good show.

Dave Bittner: [00:02:19] Yeah. Well, thank you. So please do check it out. I hope you enjoy it. All right. Well, let's move on to our stories. My story this week comes from the BBC. And this is titled "Dating App Scammers Spotted by AI," artificial intelligence. And this is about a group of computer scientists. They published some research. One of those computer scientists is Awais Rashid, who's a regular over on the CyberWire. He's one of our partners. He's from University of Bristol.

Dave Bittner: [00:02:46] So what they did was, they threw artificial intelligence at this problem of dating sites, and can you tell if a dating profile is real or not by using artificial intelligence to kind of analyze the profile on the dating site and see whether or not it is legit? I have the research here in front of me. And some of the things they looked at - for example, they looked at occupation by gender, comparing known real profiles to known fake profiles.

Joe Carrigan: [00:03:16] Right.

Dave Bittner: [00:03:16] And some of these won't be surprising to regular listeners of our show. On the male profiles, the real profiles most of the time either listed themselves as either other or self-employed. The scam profiles, what do you think No. 1 was?

Joe Carrigan: [00:03:30] Military person?

Dave Bittner: [00:03:31] Ding, ding, ding, ding, ding, ding, ding. Correct. Military.

Joe Carrigan: [00:03:35] Some kind of military role.

Dave Bittner: [00:03:36] Yes. No. 1 was military. No. 2 was engineer. No. 1 for the scams female profiles was student.

Joe Carrigan: [00:03:43] Really?

Dave Bittner: [00:03:45] Mmm hmm. Other stuff they looked into was the use of fake images. There's a lot of stuff in here about them taking real images and either altering them in some way, putting a different face on the image or just using stock photos.

Joe Carrigan: [00:03:59] Right.

Dave Bittner: [00:03:59] So what they got at here in this research is that they could use image recognition...

Joe Carrigan: [00:04:03] Right.

Dave Bittner: [00:04:04] ...To compare the profile images.

Joe Carrigan: [00:04:07] And do a reverse image search.

Dave Bittner: [00:04:08] Exactly. And see if they could easily find out whether, for example, it was a stock image. That's a dead giveaway that this is not a...

Joe Carrigan: [00:04:15] (Laughter) Right.

Dave Bittner: [00:04:15] ...This is not a real person. Other things they looked at was if the IP address contradicts the location of where they say they're from. And they were able to use natural language processing to figure out if the post used suspicious language use.

Joe Carrigan: [00:04:30] Broken English or such?

Dave Bittner: [00:04:31] Yep. So lots of different things that they looked at. And they found that they could, with high reliability - I don't have the exact percentage here, but high reliability - they could tell whether or not an account was fake. And I think this is really interesting because I can imagine, wouldn't it be nice if some of the dating sites, when you looked at a profile, it would list, it would say, you know...

Joe Carrigan: [00:04:55] We think this is fake.

Dave Bittner: [00:04:56] Right. Now, I guess it would be even nicer if they thought it was fake, they just simply removed it.

Joe Carrigan: [00:05:00] Yeah. That would be better.

Dave Bittner: [00:05:01] (Laughter).

Joe Carrigan: [00:05:01] Right.

Dave Bittner: [00:05:02] (Laughter) Yeah.

Joe Carrigan: [00:05:02] That would be the thing to do.

Dave Bittner: [00:05:03] But I wonder, how much of that is against their self-interest?

Joe Carrigan: [00:05:06] Yeah. Because are these scam accounts paying for a membership?

Dave Bittner: [00:05:09] Mmm hmm. Yeah. And the more accounts they have on the system...

Joe Carrigan: [00:05:12] The better off their bottom line is.

Dave Bittner: [00:05:14] Mmm hmm. Makes the system more interesting. So I don't know. We'll see if any of this gets integrated into the dating sites, either publicly or behind the scenes. But I think it's encouraging that they're able to throw this technology at this and figure it out.

Joe Carrigan: [00:05:28] I find it interesting that the No. 1, or No. 2, rather, fake occupation is engineer.

Dave Bittner: [00:05:34] Me too, that point. The engineer does come up in the real profiles as the third most popular.

Joe Carrigan: [00:05:39] OK.

Dave Bittner: [00:05:39] But it's only 1/3 as common as it is in the scam ones.

Joe Carrigan: [00:05:44] So in the scam ones, it's three times more common.

Dave Bittner: [00:05:46] Correct.

Joe Carrigan: [00:05:46] So that's, like, a flag for them to say, let's pay closer attention to this guy?

Dave Bittner: [00:05:51] Mmm hmm. And I think the way that they're doing this is not just one thing. It's a combination of the things.

Joe Carrigan: [00:05:55] Sure. No, it's absolutely a combination of things.

Dave Bittner: [00:05:57] Yeah.

Joe Carrigan: [00:05:57] Right. Absolutely.

Dave Bittner: [00:05:58] And that's how they get such a high degree of reliability in guessing.

Joe Carrigan: [00:06:02] Yep. Yep.

Dave Bittner: [00:06:02] So yeah, interesting story. We'll have a link to both the BBC's coverage of this and the original research, if you want to dig in and really see what they're doing here.

Joe Carrigan: [00:06:10] Yep.

Dave Bittner: [00:06:10] So yeah, I like it. Good-news story this week from me.

Joe Carrigan: [00:06:14] It is a good-news story.

Dave Bittner: [00:06:15] What do you have for us, Joe?

Joe Carrigan: [00:06:16] Dave, this week, I have something that might work on me. We've been saying throughout all our time on this podcast that there is something that will work on you. Here's another one that might work on me.

Dave Bittner: [00:06:26] OK.

Joe Carrigan: [00:06:26] You get an email message in your system, and it reads - messages are pending to be deliver to mailbox since, some date, due to validation error. You have below emails pending to be released. Kindly review, allow or deny. And then it has a list of emails underneath of it, and each one is followed by a link to release, allow or deny. Now, if you click on the link, what happens is you're taken to a fake login page for Office 365 for Outlook, and it's just a credential harvesting site.

Dave Bittner: [00:06:57] Right.

Joe Carrigan: [00:06:58] And that's essentially what it is. What I find particularly interesting about this is that this is mimicking some kind of system that's telling you - now, this one's not really good; I'll say that off the bat. But I do get emails like this from my employer that say, this email has been flagged as spam. Please log in to handle it. What happens to me nowadays is I just ignore them because I think the spam filter is so good that it probably is spam. And I look at the subject lines coming through and the senders, and I don't know any of these people, so I just ignore them and let the spam system take care of it.

Joe Carrigan: [00:07:31] But if someone were to send me a fake spam filter email that I looked at and it had a from address of someone I knew and a subject of something I cared about, I might go and click and release that because I might want to see that. And then, if it asked me to log in, I would view that as a red flag, but I don't know that I would catch it 100%.

Dave Bittner: [00:07:50] What about the URL of the login? Are they doing anything to hide that? When they're trying to get you to log into Outlook...

Joe Carrigan: [00:07:58] On this particular campaign, it's not very good because they're using a hacked server.

Dave Bittner: [00:08:02] Oh, I see.

Joe Carrigan: [00:08:03] On other campaigns, they're using, like, Azure services, so it looks kind of like a Microsoft environment.

Dave Bittner: [00:08:08] Oh.

Joe Carrigan: [00:08:09] Right.

Dave Bittner: [00:08:09] So it's plausible.

Joe Carrigan: [00:08:10] Right. This is an article from Bleeping Computer, and they have all the information; we could put the link in the show notes. The actual sample comes from Michael Gillespie, who sent it to them, who showed it to them. So Michael's paying attention and sends that to Bleeping Computer so they can talk about it, and then we talk about here so every one of our listeners can hear it.

Dave Bittner: [00:08:27] So what's the red flag to look out for here? How do I - what's the giveaway?

Joe Carrigan: [00:08:30] The giveaway on this particular campaign, with this sample, is the language; the language is broken. Does your company have something that filters out emails or - this is actually not even claiming to be a spam filter. It's saying that there's some kind of problem with the email. That generally doesn't happen. But if you're not technical, you wouldn't know that, right? You wouldn't know that's not how email works.

Joe Carrigan: [00:08:49] You know, an email is either delivered or not delivered. If you're the recipient of the email and somebody malforms an to send to you, you never see it; the sender gets a message back. So if you have some kind of technical understanding, you might know that this is an improbable situation. But if they were masquerading as a spam filter, saying, is this message spam? Please let us know. And then those links are malicious, to let them know if it's spam or not. This is something that may very well work on me.

Dave Bittner: [00:09:15] Yeah, it's interesting, too, looking at one of the messages they posted here, that they cover a lot of ground on possible emails you'd want to have released.

Joe Carrigan: [00:09:23] Right, yeah.

Dave Bittner: [00:09:24] There's one having to do with medical stuff. There's one having to do with payment authorization. There's one with a delivery. So they're kind of spreading it around.

Joe Carrigan: [00:09:34] They're kind of covering all the bases here.

Dave Bittner: [00:09:35] Yeah.

Joe Carrigan: [00:09:36] They're hitting all...


Dave Bittner: [00:09:37] Yeah.

Joe Carrigan: [00:09:38] All the typical things. Hey, you got a delivery waiting. Hey, here's your medical records. Hey, we're waiting on your payment.

Dave Bittner: [00:09:43] Yeah.

Joe Carrigan: [00:09:43] It's like three spam messages in one - what a value.

Dave Bittner: [00:09:45] Right, right. Which one do you want to release first?

Joe Carrigan: [00:09:48] Yeah. It's a phishing attack with three variants. It's - they found a way to make it more efficient. With one message, they can now hit you with three different things. I imagine that has some kind of increase in impact as well.

Dave Bittner: [00:09:58] Yeah, I would think so. All right, as always, we'll have the link in the show notes.

Dave Bittner: [00:10:02] Joe, it's time to move on to our Catch of the Day.

Joe Carrigan: [00:10:05] My favorite part of the show.


Dave Bittner: [00:10:10] Joe, our Catch of the Day this week comes to us courtesy of the website 419eater.com. This is a group of folks. They have taken it upon themselves to do the service of trying to string along these scammers.

Joe Carrigan: [00:10:24] They're scam baiting.

Dave Bittner: [00:10:25] They are scam baiting, and they do it in a very entertaining way. But it illustrates some of the messages that they get. This is one going back to 2006. In this case, Joe, I'm going to be the person trying to do the scam, and you can be the person who's stringing them along.

Joe Carrigan: [00:10:42] OK.

Dave Bittner: [00:10:42] All right, here we go.

Dave Bittner: [00:10:43] Puppy for sale. My name is Clement. I am from Barrytown, N.Y. But due to work presently, I was just been transferred about a couple of days for a missionary purpose in West Africa. Right now I am still located in the Republic of Benin, where am carrying out my missionary assignment, and due to tight assignment, I found myself I don't have much time to take good care of my puppy like I used to, and so the environment that the puppy found herself in, Republic of Benin, is too harsh. Therefore, have decided to give out the puppy to good, caring person who would treat my puppy with a tender care and well-family interaction. The puppy as well-breed, and the puppy has current vaccination, vet exams, health certificate and one-year guarantee. The puppy has potty-trained, home-raised and socialized for tremendous attitude, well and excellent temperamented (ph). The puppy has super trainability and people-pleasing personality. The puppy has given a high learning and delight elegance of structure and well-dewormed. The dog has CKC, AKC and FCI registered AM. Offering the puppy out at $650 each. One, including the shipment, and I have attacked the pics of my puppy, and I will like attach the pic of mine-self (ph). I will like to hear from you as soon as possible. Thanks, and God bless.

Dave Bittner: [00:11:53] Now, the person trying to do this scam attaches pictures of puppies.

Joe Carrigan: [00:11:57] And they're adorable.

Dave Bittner: [00:11:58] They are adorable. Now, the person stringing them along replies. And his reply goes like this.

Joe Carrigan: [00:12:05] How much will it cost for you to kill the puppies and send me the fresh meat?

Joe Carrigan: [00:12:09] That's terrible, Dave.


Joe Carrigan: [00:12:12] That's absolutely terrible.

Dave Bittner: [00:12:12] It is awful.

Joe Carrigan: [00:12:15] These are adorable puppies.

Dave Bittner: [00:12:16] I know, I know. It gets...

Joe Carrigan: [00:12:19] I should've read this first.

Dave Bittner: [00:12:21] ...It goes on.

Joe Carrigan: [00:12:22] Oh, good.

Dave Bittner: [00:12:23] I do not kill puppy. I only sell due to - I on a transfer, live outside United States. That is why I want to sell out mine pet for a Christian person that will take her as a daughter. So are you willing to buy a living puppy? Thanks and remain bless.

Joe Carrigan: [00:12:37] I only deal in dead dogs, sorry. It costs more to import them alive. I own an exotic food importation company specializing in Klingon foodstuffs. We usually pay between $2,000 and $3,000 per kilo of fresh dog meat, antelope meat, tribble meat, and also Mogwai meat. Thank you for your contact. I am sorry you cannot help me at this time. Mogwai meat?

Dave Bittner: [00:13:01] (Laughter) For those who might be wondering what Mogwai meat is, Mogwai is the little...

Joe Carrigan: [00:13:07] The Gremlin.

Dave Bittner: [00:13:07] ...Guy from "Gremlins."

Joe Carrigan: [00:13:08] Right.

Dave Bittner: [00:13:08] Yeah, the little - cute little...

Joe Carrigan: [00:13:09] Gizmo.

Dave Bittner: [00:13:09] ...Creature - Gizmo from "Gremlins."

Joe Carrigan: [00:13:10] It was also the evil creatures from "Gremlins."

Dave Bittner: [00:13:13] Yeah.

Joe Carrigan: [00:13:13] Those are also Mogwai.

Dave Bittner: [00:13:14] Yeah. Thanks for that. We have dog meat, and they are readily for sale. But I can still tell you the fellow worker that I have seen the person that is readily buy the meat. But it is too costly. And it can be shipped to your country. That is, if you are willing to pay for it. Reply as soon as possible. Thanks, and remain blessed.

Joe Carrigan: [00:13:29] So now they change their tune, huh?

Dave Bittner: [00:13:31] Well, they may not be on the hook for a live puppy, but they still want to get your money.

Joe Carrigan: [00:13:35] Right.

Dave Bittner: [00:13:36] So the person stringing them along replies.

Joe Carrigan: [00:13:38] Do you have dealers who also specialize in Mogwai meat? I recently lost my usual supplier, and I'm in desperate need of a new reliable supplier. Typically for good quality imported Mogwai meat, my company pays $2,700 per kilo. That is for smoked Mogwai meat. I would be very interested in importing regular supplies if you are able to arrange this. Get back to me with more information and prices if possible. And let me know a list of the different types of meat you can export to me.

Dave Bittner: [00:14:08] And it goes on from there. We don't have time to do the whole thing, but this person masterfully strings them along. Obviously, the bad guys have no idea what Mogwai meat is. They just want to get some kind of money...

Joe Carrigan: [00:14:20] Right.

Dave Bittner: [00:14:21] ...From this person.

Joe Carrigan: [00:14:22] They also have no concept of pop culture references because he says he runs a Klingon meat emporium.

Dave Bittner: [00:14:28] (Laughter) Right.

Joe Carrigan: [00:14:28] And then one of the meats he sells is tribbles. Well, Klingons hate tribbles.

Dave Bittner: [00:14:31] Oh, OK.

Joe Carrigan: [00:14:32] Yeah.

Dave Bittner: [00:14:32] All right. Well, there you go.

Joe Carrigan: [00:14:34] Maybe they like eating it (ph). I don't know

Dave Bittner: [00:14:37] (Laughter) So...

Joe Carrigan: [00:14:38] He should be asking to import Gagh (laughter).

Dave Bittner: [00:14:39] OK, we went from live puppies to Mogwai meat.

Joe Carrigan: [00:14:43] Right.

Dave Bittner: [00:14:43] All - yeah.

Joe Carrigan: [00:14:44] Yes.

Dave Bittner: [00:14:44] Is this is a great internet, or what?

Joe Carrigan: [00:14:46] Yes, it is. It's a beautiful internet.

Dave Bittner: [00:14:48] All right, so that is our Catch of the Day. Coming up next, we've got my interview with Avi Solomon. He is director of information technology for Rumberger, Kirk and Caldwell. They are a litigation defense firm based in Orlando, Fla. But first, we've got a message from our sponsors at KnowBe4.


Dave Bittner: [00:15:09] Let's return to our sponsor KnowBe4's us question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives at KnowBe4's weekly Cyber Heist News. We read it, and we think you'll find it valuable, too. Sign up for Cyber Heist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:15:56] And we are back. Joe, I recently had the pleasure of speaking with Avi Solomon. He is director of information technology for Rumberger, Kirk and Caldwell. They are a litigation defense firm based in Orlando, Fla. We met him at the KnowBe4 conference, at KB4-CON. And he came up to us, and he said we had a really interesting thing happen at our firm. And I think your listeners would benefit by hearing about it. And we agree. So here's my interview with Avi Solomon.

Avi Solomon: [00:16:23] The story begins back in January. And what had happened, I came in sort of on the back-end of the story, of course, because we don't necessarily find out about this in the beginning. And what ended up happening was one of the attorneys in my firm called up to me and said we have a - what I think is a problem because something isn't making sense in an email conversation. So I took a look at the attorney's emails. And I took a look at our archive of inbound e-mails back and forth. And I really didn't see anything offhand technologically that jumped out at me and told me that there was any sort of problem.

Dave Bittner: [00:17:01] What was it that made the attorney bring this to your attention in the first place?

Avi Solomon: [00:17:05] Well, so that's what's so interesting. So she was having a conversation with opposing counsel. And they were sort of winding their way to the settlement agreement, the ending part of the conversation as it went back and forth for days, even weeks. And the attorney on the other side kept trying to find a way for our attorney to engage in a financial transaction. We knew it was winding down. We were getting ready, and so could they do an electronic funds transfer? Could they do a money wiring? And it just so happens that the particulars of this case didn't really allow for that. And so ultimately, what was needed was a check to be cut. And when the address was put in for the check to be cut, it immediately set off an alarm to our attorney who looked at it. And knowing a little bit about the firm she was dealing with, the address didn't quite make sense.

Avi Solomon: [00:17:54] And so that was really what was the most interesting piece because there's no technological defense. There's no filtration system that's going to pick up on something like that. I mean, that's really the epitome of a social engineering hack, if you will. And so when she saw that, that raised a red flag for her, and she did what she's been trained to do. And this is really one of the most important pieces that I wanted to convey, was how important regular training is, phishing training, for the users so that they develop an awareness of what they're looking at.

Avi Solomon: [00:18:29] And so what she did, which is part of our training, is she picked up the phone, and she called the attorney on the other side, rather than respond in the email, and asked him, why are you having us send the settlement in this direction? What's the purpose of that? To which he responded, I have no idea what you're talking about. And that's what sort of unraveled this entire story.

Dave Bittner: [00:18:52] Well, and how far back did it go? Could you track at what point the bad folks injected themselves into the conversation?

Avi Solomon: [00:19:00] We weren't able to see how far back it can go. We know that it went back at least about a week because they had been monitoring it. But the reason we couldn't tell was because the compromise hadn't happened on our side; the compromise actually happened on the other firm's side. And so somebody was monitoring that conversation. Now, whether they had control of an entire desktop or only control of their hosted email, we don't know, and I wasn't really permitted to dig that far deep into their environment.

Avi Solomon: [00:19:30] But through investigating the email headers and looking at the information, I was able to bring to their IT department the important stuff to know about. And actually, because ultimately the attorney is responsible for the safety of the data for their clients, I actually reached out to the attorney himself, spoke to him about it. And sort of as a funny footnote, when I told him what the issue was, and he was actually pretty technical, and he asked me if I would send the information his way, I told him I would but not to his email because I can prove it's compromised.

Dave Bittner: [00:20:01] (Laughter) Right.

Avi Solomon: [00:20:01] So he actually - so he shared with me his home email address, and I packaged up the information for him. I highlighted the points that he needed to really care about and bring to his people and make sure that they were taking it very seriously because we could see where the problem was. I would guess at least a week, but it could go back weeks or months. I mean, how would anybody know until somebody slips up?

Dave Bittner: [00:20:23] Right. And they very well could have been biding their time, waiting for some opportunity where this sort of financial exchange was likely to happen.

Avi Solomon: [00:20:32] And I'm sure that was the case because they didn't inject themselves into any part of the conversation up until it came to the settlement. And the settlement for you to know was a million dollars. I mean, that was a big settlement.

Dave Bittner: [00:20:44] Wow.

Avi Solomon: [00:20:44] And so right at the point where the discussion started about how to transfer the funds, that's when it started to get a little odd, and only through inspecting the email headers did we notice it. Interestingly enough, by the way, one of the big challenges was, oftentimes, in these type of email compromise attempts and the such, you can usually tell - the language is poor, the usage is poor, etc.

Dave Bittner: [00:21:09] Right.

Avi Solomon: [00:21:09] What was so intriguing here was that the party that injected themselves into the middle of this conversation actually did so well at mimicking the salutations, the signature blocks, even the style of writing of the attorneys, that one of the attorneys said to me that had she read this later as part of a review process, she would not have known that she didn't write those emails.

Dave Bittner: [00:21:34] Fascinating.

Avi Solomon: [00:21:35] Because it was - yeah, it was so similar to her own language, stylistic, writing approach. And only afterwards, when we reviewed and looked at all of the emails to try to understand how could a person have detected this, a layperson, have detected this type of email compromise, we only noticed two things that stood out, and they were so minute that when I gave this presentation to other people and showed them what it was within my firm - because this was a really good education moment for everybody in our organization - nobody picked up on the two things that we noticed.

Avi Solomon: [00:22:10] One was that in the middle of the conversation, the RE was missing in the reply, and that's because that was the first message that the injector started with in that conversation. The other one was, as the conversation was advancing, their male client used a different case handling of the letters RE than our mail client, and so there was a certain inconsistency. But that is so small that nobody would really pick up on that.

Dave Bittner: [00:22:39] Right. That's the kind of thing you notice when you're going through everything with a fine-toothed comb. But in the - I don't know - the velocity of day-to-day business, who's looking for that sort of thing?

Avi Solomon: [00:22:47] Sure. I mean, hindsight is 20/20 on that, for sure.

Dave Bittner: [00:22:50] Yeah. Now, I mean, it seems to me like the hero of the story here is the attorney who just had a funny feeling about something. But you say that a big part of that was training ahead of time.

Avi Solomon: [00:23:02] Absolutely. And when I went over to the attorney's office to congratulate her on what she had done, she said to me it's the constant, repetitive, reiterative training that I hold them to that helped her look with a much more careful eye at something that would stand out. Normally, at the speed of email flow and negotiation and conversation, you don't really look and stop and think about those details. But training and repetitive training, going through it - in our organization, we phish our employees randomly.

Avi Solomon: [00:23:37] Once a month, every employee from every level, no matter where they are in the standing - from the head of the firm, all the way to, you know, the most recent employee who's just come on board - every one of them gets phished regularly, and then we score and we watch their results, and then we remediate with them if they are not learning.

Dave Bittner: [00:23:57] And what a great story for you to be able to take back to the organization, that in this case it seems like the training really paid off.

Avi Solomon: [00:24:04] Absolutely. And our training vendor was very happy to hear about it. And our organization was very excited to distribute this information within the organization because what it meant was that everybody got to really understand a real-life activity action that happened not just far off in the distance to somebody else, but to one of their peers, somebody who may sit in the office right next to them.

Dave Bittner: [00:24:28] So what are your recommendations for organizations comparable to yours? A law firm, a business like that, how do you get everybody on board that this is something that is an effective way to protect themselves?

Avi Solomon: [00:24:41] Well, I think case studies like this one help to show organizations the value of it. I think getting buy-in from the organization's management, whether it's a law firm or a corporation, that at the highest levels, they have to appreciate the risks that are associated with social engineering and lack of training. And if those people can be convinced that this is important - and it is, it truly is - then it can go a long way towards saving an organization a lot of heartache down the road. And I assembled a few takeaways from this entire story that I thought were very important, if that's OK with you.

Dave Bittner: [00:25:19] Yeah. Let's hear 'em.

Avi Solomon: [00:25:20] So first of all, of course, training. Not enough can be said about that. The second is that considering email is pretty much the No. 1 attack vector, at least in my experience, hardening email through technological means and training for social engineering are vital to protecting the organization. No. 3 - and in this case, it was very specific - making sure that your SPF, your DKIM and your DMARC records are appropriate for email hygiene will go a long way towards ensuring that the emails that you're sending and receiving are verified and legitimate.

Avi Solomon: [00:25:53] The fourth item, which also is an interesting one, especially in this case - because systems or technologies that would detect anomalies wouldn't have picked it up - the idea that you should question even known good entities and known good parties. Just because you've had a conversation with somebody doesn't mean that every message is absolutely clean. And so therefore, when you're dealing with a very important activity such as the transference of money, secretive business or personal information, or organizational management decisions that are not for public consumption, it's important to make sure that you verify the information. Anti-malware and phishing protection mechanisms won't help when you're dealing with the compromise of one party in the conversation.

Avi Solomon: [00:26:34] And I think that's really important to understand. Oftentimes, I'm asked about making sure that email comes in, no matter what, from a certain party. And it's nice to be able to now look at managers in the organization and say, just because we've trusted 'em yesterday doesn't mean we get to trust 'em today.

Dave Bittner: [00:26:54] Right.

Avi Solomon: [00:26:54] And finally, the last piece that's important is to use another method of communication whenever there's something questionable. It's what I call the multi-factor authentication of a conversation. And this was a key that this attorney did. She didn't just simply email back to the attorney and say, why would you want me to send the money there? Because she would probably get back a great answer as to why the money should be redirected into a criminal's hands. But she actually picked up the phone and spoke to the person, and that was, as I often talk about, multi-factor authentication in the environment in general, this was a form of multi-factor authentication in a transference of funds.

Dave Bittner: [00:27:33] Joe, what do you think?

Joe Carrigan: [00:27:34] That's one of the best interviews we've ever had on this show, Dave.

Dave Bittner: [00:27:36] (Laughter).

Joe Carrigan: [00:27:37] And I'm not just saying that. Avi is talking about something that actually happened. It's a success story. It's fantastic. It's not some esoteric thing. It's not some horrible thing where you feel, oh, my God, these guys are out a million dollars. They're not out a million dollars. The person who spotted this saw something wrong and said something. And she did the absolute right thing at the right time by calling the person, what Avi calls a multi-factor conversation...

Dave Bittner: [00:27:59] (Laughter).

Joe Carrigan: [00:27:59] ...Authentication.

Dave Bittner: [00:28:00] Right. Right. Yeah, I like that.

Joe Carrigan: [00:28:01] I love that. She called the person before the money was sent. Right? And found out there's something terribly wrong. The actual technical red flags here were so small. The email headers were off. No lay user is ever going to check the email headers. They're just not going to do it. They don't even know what they are. The typesetting on the RE for reply, either missing or being a different case. Even an expert...

Dave Bittner: [00:28:22] Nobody's going to notice.

Joe Carrigan: [00:28:23] Nobody's going to notice that.

Dave Bittner: [00:28:24] No.

Joe Carrigan: [00:28:24] One of the key points here is that they were so good at impersonating people.

Dave Bittner: [00:28:29] Yeah. Isn't that fascinating? This wasn't some broken English kind of thing.

Joe Carrigan: [00:28:32] No. This was an expert.

Dave Bittner: [00:28:34] They were engaged with someone who had the ability to imitate someone's style of writing.

Joe Carrigan: [00:28:39] And it was so good, somebody said that if I was reviewing this in a forensic manner I would not have doubted I would have written these emails. That is a remarkable statement.

Dave Bittner: [00:28:49] Right.

Joe Carrigan: [00:28:50] That's how good these things can get.

Dave Bittner: [00:28:51] Think about how close they were to getting a million dollars.

Joe Carrigan: [00:28:55] Right.

Dave Bittner: [00:28:55] From the scammers' point of view, that's money well spent.

Joe Carrigan: [00:28:58] Right. Absolutely. This is a fantastic story, a fantastic interview.

Dave Bittner: [00:29:01] What a great lesson to everybody. And thanks to Avi for sharing it with us. All right. Well, that is our show.

Dave Bittner: [00:29:07] Of course, we want to thank our sponsors, KnowBe4, whose new-school security awareness training will help keep you people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:29:34] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben, our editor is John Petrik, technical editor is Chris Russell, our staff writer is Tim Nodar, our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:29:51] And I'm Joe Carrigan.

Dave Bittner: [00:29:52] Thanks for listening.