Be wary of all emails.
Larry Cashdollar: [00:00:00] If you have the same password for a couple years on a website, you don't know if that database could've been compromised and then the company never made it publicly known that they had lost a million user accounts. So it's always wise to just rotate your passwords.
Dave Bittner: [00:00:13] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:31] Hello, Dave.
Dave Bittner: [00:00:32] We've got some good stories this week. And later in the show, Carole Theriault. She's got an interview with Larry Cashdollar. He's from Akamai, and he's going to describe a clever phishing campaign. But first, a word from our sponsors, KnowBe4.
Dave Bittner: [00:00:47] Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill - a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary doughnuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate, but you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4 who have a different way of training.
Dave Bittner: [00:01:22] And we are back. Joe, I am going to kick things off this week. My story is about the curious case of Katie Jones. And I have to ask, Joe, are you familiar with Katie Jones?
Joe Carrigan: [00:01:33] Yeah, I know who she is. I'm connected with her on LinkedIn.
Dave Bittner: [00:01:36] (Laughter) OK. Of course, you are. You're the one.
Joe Carrigan: [00:01:39] (Laughter) Right.
Dave Bittner: [00:01:39] (Laughter) OK, so...
Joe Carrigan: [00:01:42] I'm not connected with her on LinkedIn.
Dave Bittner: [00:01:43] No. Speaking of LinkedIn, it is one of the key elements of this story. So let's dig into LinkedIn. So how much do you scrutinize the requests you get on LinkedIn?
Joe Carrigan: [00:01:55] I scrutinize them more than most. I probably accept about half the people, and I use my network as verification. So I'll look and see - like, if they're friends with you and maybe some other people in the security industry, then I'll accept them. But if they don't have any common friends or if something looks amiss - like, I had one - there was a picture of a woman and her last name was in all caps and her profile was kind of empty, and she was friends with, like, 15 people I knew - or not friends but connected...
Dave Bittner: [00:02:23] Yeah.
Joe Carrigan: [00:02:23] ...With 15 people I knew. I never accepted that request.
Dave Bittner: [00:02:26] Well, I'm glad you framed it that way because this story is about our guard being down because of our network of friends being friends with someone.
Joe Carrigan: [00:02:37] Right.
Dave Bittner: [00:02:37] Or being connected with someone.
Joe Carrigan: [00:02:38] Yes.
Dave Bittner: [00:02:39] And like you, I'll do the same thing. If I get a request from someone I may not be familiar with, first thing I do is check to see who else is this person already connected with.
Joe Carrigan: [00:02:49] Right.
Dave Bittner: [00:02:49] And it is absolutely true that my guard will be lowered if they're connected to people I know. And I think that's natural. I think that's human nature. But this story about this entity claiming to be someone named Katie Jones is all about someone who took advantage of this. It's a story from AP. And this character named Katie Jones was connected with a bunch of people on LinkedIn. She claimed to be working as a Russia and Eurasia fellow at the Center for Strategic and International Studies. That is a Washington think tank.
Joe Carrigan: [00:03:21] OK.
Dave Bittner: [00:03:21] That organization actually does exist.
Joe Carrigan: [00:03:24] OK.
Dave Bittner: [00:03:24] Now she was connected with a bunch of people of important status in government, other think tanks, things like that. But it turns out that, first of all, this person does not exist at all.
Joe Carrigan: [00:03:38] Right.
Dave Bittner: [00:03:38] And as people have dug into this, they are pretty sure that she was probably spun up by a foreign intelligence service to make these connections with people that they may want to later try to compromise or get to perhaps inadvertently leak information...
Joe Carrigan: [00:03:56] Sure.
Dave Bittner: [00:03:57] ...That the foreign intelligence service could use.
Joe Carrigan: [00:03:59] Sure. These foreign intelligence services just try to start with - and our intelligence service does this as well. They just start with a friendly contact. Hello. Hey, how are you doing? That's how it always starts, and it goes on from there.
Dave Bittner: [00:04:10] Right. They start asking you little insignificant favors.
Joe Carrigan: [00:04:14] Right.
Dave Bittner: [00:04:14] Hey, can you give me the phone number of this person you work with? They're an old friend, and I'd like to reconnect with them.
Joe Carrigan: [00:04:19] Yes, exactly.
Dave Bittner: [00:04:20] And it goes from there, just slowly building up trust. Well, one of the elements of this that I find fascinating is the actual profile picture for this Katie Jones seems to have been generated by artificial intelligence. It's one of those images that this is not a situation where they took an existing stock photo of a model or something like that.
Joe Carrigan: [00:04:40] Let me Google Katie Jones' picture.
Dave Bittner: [00:04:42] This was generated from whole cloth, as they say, via AI. This story from AP really digs in and highlights some of the things that you can see in this picture that point to it not being authentic. I have to say, at first glance...
Joe Carrigan: [00:04:56] At first glance, it looks pretty good. After looking at it for a couple minutes, I'm going to say the left ear looks a little weird.
Dave Bittner: [00:05:03] It does. But how often do you look at someone's left ear...
Joe Carrigan: [00:05:08] You don't.
Dave Bittner: [00:05:08] ...Closely?
Joe Carrigan: [00:05:10] You look at the picture in the eyes.
Dave Bittner: [00:05:12] Yeah. It's like that thing from "Shawshank." You know, how often do you look at a man's shoes...
Joe Carrigan: [00:05:15] Right.
Dave Bittner: [00:05:16] ...You know? You don't. You're looking at their eyes. Exactly.
Joe Carrigan: [00:05:19] And this looks like an actual picture of somebody.
Dave Bittner: [00:05:21] It does. So that would help draw people in, but we'll also include a link. There's a website called This Person Does Not Exist, and what it does is it spins up these fake AI images of people.
Joe Carrigan: [00:05:33] Right. Every time you load the page, you get a new face.
Dave Bittner: [00:05:35] Exactly.
Joe Carrigan: [00:05:35] That's a fantastic website, by the way.
Dave Bittner: [00:05:37] Right. But the thing about this is that it makes it impossible to do a reverse image search to see if it's a stock photo...
Joe Carrigan: [00:05:43] That's exactly right.
Dave Bittner: [00:05:44] ...'Cause it's not.
Joe Carrigan: [00:05:45] It's not. If you use This Person Does Not Exist, that's a new photo every time you load that page.
Dave Bittner: [00:05:49] Right.
Joe Carrigan: [00:05:49] It's generated by the algorithm behind it.
Dave Bittner: [00:05:52] So AP went and they contacted some of the people who had accepted LinkedIn connections with this profile, and most of them - they all had similar stories. They said, I don't really scrutinize my LinkedIn connections because, you know, I may have been at a trade show and you say hello to someone. You're at an event, and they say, oh, I'll connect with you later. And it's not perceived that there's not a huge downside to connecting with folks on LinkedIn who may not be as close real-world connections as, say, you know, some of the other social media places where you frequent.
Joe Carrigan: [00:06:22] Right. There is probably a perceived upside in the fact that you're increasing your network and making your marketability for your later career moves better.
Dave Bittner: [00:06:29] Right. Yes.
Joe Carrigan: [00:06:30] So there's a definite incentive to accept these friend requests or these connection requests. I keep saying friend requests like it's Facebook, but it's not.
Dave Bittner: [00:06:36] Yeah. I know. It's - I think that's the common way to say it these days, I suppose.
Joe Carrigan: [00:06:39] Right. It's like saying Kleenex when you mean facial tissue.
Dave Bittner: [00:06:41] Right, exactly, exactly. So LinkedIn has removed this profile. And of course, they've said that whenever a false profile is pointed out to them, they have methods for trying to determine whether it's real or not, and they do delete them. They want everyone on the platform to be authentic.
Joe Carrigan: [00:06:56] Right. My understanding is that the resume for this Katie Jones was way too impressive for how old Katie Jones is.
Dave Bittner: [00:07:03] Oh, yeah, that's interesting, too.
Joe Carrigan: [00:07:05] That if you looked at the resume for it - or if you looked at all their job history, it added up to being that she had to start work when she was, like, 2 or something like that.
Dave Bittner: [00:07:13] (Laughter).
Joe Carrigan: [00:07:14] So there were - but...
Dave Bittner: [00:07:15] She just had ambitious parents.
Joe Carrigan: [00:07:16] You're not going to do that. You're not going to go back and do the math on that (laughter).
Dave Bittner: [00:07:21] No. I don't know. I don't know how much this affects mere mortals like you and I who probably aren't targets for foreign intelligence services.
Joe Carrigan: [00:07:28] Yes.
Dave Bittner: [00:07:28] But you never know. You just - be careful. Be - as we always say, be vigilant.
Joe Carrigan: [00:07:33] Right.
Dave Bittner: [00:07:33] It's worth that extra couple seconds to try to make sure that you're not dealing - or in this case, that you're just dealing with a real person.
Joe Carrigan: [00:07:39] Right (laughter).
Dave Bittner: [00:07:39] Yeah, yeah. All right. Well, that's my story. What do you have this week, Joe?
Joe Carrigan: [00:07:43] All right. My story comes from NBC Boston this week. We'll put a link in the show notes. They have a video on this. In February of this year, a woman named Christine Lu began receiving a large number of phone calls that appeared to be coming from the Massachusetts State Police. And they were so persistent that she finally answered one of the calls.
Dave Bittner: [00:08:01] OK.
Joe Carrigan: [00:08:01] And when they answered - of course, these are scam calls because that's the nature of this show. That's not really a spoiler.
Dave Bittner: [00:08:05] (Laughter) Right.
Joe Carrigan: [00:08:06] The scammer tells her that her identity has been stolen. He has a warrant number and a case number, and he makes Christine feel like she's in danger because her identity has been stolen and used for some very serious crimes.
Dave Bittner: [00:08:19] And she thinks she's talking to a police officer.
Joe Carrigan: [00:08:21] She thinks she's talking to a police officer from the police department.
Dave Bittner: [00:08:23] Right. Someone in authority.
Joe Carrigan: [00:08:24] Right. So then the next thing this scammer says is we need to work together to get this resolved.
Dave Bittner: [00:08:30] I'm going to help you.
Joe Carrigan: [00:08:31] Right. Exactly. First he comes in, and he scares Christine. And then he comes in and goes, well, I have the solution. That's a very common tactic that we see in these scams. They come and they terrify you, and they say, I'm also the solution. So this guy that calls her and a team of people, actually, keep her on the phone for hours walking her through this scam. And they convince her that the only way for her to keep her money safe was to wire it to them while they issue her a new Social Security number.
Dave Bittner: [00:08:58] So money in her bank account.
Joe Carrigan: [00:08:59] Right - is going to be wired...
Dave Bittner: [00:09:01] Transferred them because it's not safe...
Joe Carrigan: [00:09:03] At her bank account because her identity's been stolen.
Dave Bittner: [00:09:05] The threat is someone's going to come in, steal the money from her bank account because they've compromised her identity.
Joe Carrigan: [00:09:10] Right, right.
Dave Bittner: [00:09:11] OK.
Joe Carrigan: [00:09:11] So over the course of four days, Christine transfers $200,000 in wire transfers to the scammers over six transactions.
Dave Bittner: [00:09:18] Wow.
Joe Carrigan: [00:09:19] Now, Christine makes a good point here. She says that no one at the bank said anything, right? There was no red flag system that caught this. But the scammers had worked around this by saying that when you go to the bank to make the wire transfers, if they ask you what these wire transfers are for, which the bank employees did, then you are to say it's for family support.
Dave Bittner: [00:09:40] Oh, so...
Joe Carrigan: [00:09:41] And that is what Christine told them.
Dave Bittner: [00:09:42] Because she's sending money overseas...
Joe Carrigan: [00:09:44] Right.
Dave Bittner: [00:09:45] ...And that's not uncommon for folks to do...
Joe Carrigan: [00:09:49] Exactly.
Dave Bittner: [00:09:49] ...To send money overseas to support family members.
Joe Carrigan: [00:09:51] So these scammers knew that if they said, well, I'm sending it to this account to protect it because these guys and the cops called me and - the scammers knew that if she said that, the bank would go, hold on, stop.
Dave Bittner: [00:10:02] Right.
Joe Carrigan: [00:10:03] This is a fraud. This is fraudulent calls. You're being scammed. So when she went in, they said, what is this for? She said family support because that's not uncommon. There are consumer protections in place for debit and electronic transactions but not for wire transactions. So...
Dave Bittner: [00:10:17] Yeah.
Joe Carrigan: [00:10:17] ...This money is probably gone. I think that's a case of the law lagging behind our technology and our current problems.
Dave Bittner: [00:10:23] Right. It's both a feature and a bug - right? - because especially internationally I suppose there are benefits to not being able to claw money back...
Joe Carrigan: [00:10:34] Right.
Dave Bittner: [00:10:35] ...That's been transferred...
Joe Carrigan: [00:10:36] Yes.
Dave Bittner: [00:10:36] ...Because then you open yourself up to bad guys clawing money back that's been transferred.
Joe Carrigan: [00:10:41] Exactly. Here's a trivial example. You've sold something on eBay, and maybe it's a thousand-dollar item.
Dave Bittner: [00:10:46] Yep.
Joe Carrigan: [00:10:46] You send it to them after they wired you the money. Then they say the wire transfer was fraudulent, and they get the money back.
Dave Bittner: [00:10:52] Right.
Joe Carrigan: [00:10:53] So these consumer protections can also be abused. Now, here's the important part of this story that I kind of buried this on this, but Christine Lu is no average person.
Dave Bittner: [00:11:02] OK.
Joe Carrigan: [00:11:02] She is an associate professor at Harvard Medical School. And I think it's safe to say that Christine is possessed of above-average intelligence, right?
Dave Bittner: [00:11:11] Yeah, Harvard Medical, yeah.
Joe Carrigan: [00:11:12] They're no slouches.
Dave Bittner: [00:11:14] No. I mean, you know, they're no Hopkins, but...
Joe Carrigan: [00:11:17] Right, well, yes.
Dave Bittner: [00:11:17] (Laughter) Who is really?
Joe Carrigan: [00:11:20] Right, exactly.
Dave Bittner: [00:11:21] (Laughter).
Joe Carrigan: [00:11:21] So I wanted to say something to Christine that if she's listening - I doubt she listens to this podcast. But if she is, you're my hero, OK? Not many people would come out and discuss this publicly like she has. And this has to be terribly difficult to come forward and to share your story. But by doing so, you are helping so many people not fall victim to this scam.
Dave Bittner: [00:11:42] Yeah.
Joe Carrigan: [00:11:43] This has to happen more often. When somebody gets scammed, the first inclination is to be embarrassed. It's the natural order of things. It's why these scams continue to work. If we start opening up and talking about our own faults and talking about how things have worked on us, I think as a society, as a community - global community, we'll be better off.
Dave Bittner: [00:12:01] Support people to...
Joe Carrigan: [00:12:03] Right.
Dave Bittner: [00:12:03] ...Remove that shame - remove that sense of shame.
Joe Carrigan: [00:12:05] Right.
Dave Bittner: [00:12:05] Remind them. If you tell - you're going to be celebrated for sharing these stories; you're not going to be shamed.
Joe Carrigan: [00:12:10] Right. And we shouldn't be shaming this. Christine's not dumb. We talk about this often. We talked about the guy from Australia who got scammed out of $200,000. Somebody went so far as to generate a fake website that looked like he was making money. You know, these people are not stupid. They're possessed of at least average intelligence or some higher-than-average intelligence. That's where the money is, right?
Dave Bittner: [00:12:26] Yeah - smart enough to have socked away $200,000...
Joe Carrigan: [00:12:29] Right.
Dave Bittner: [00:12:29] ...Right? (Laughter).
Joe Carrigan: [00:12:29] Yeah, exactly.
Dave Bittner: [00:12:30] Just that - I mean, that's got to be above average (laughter).
Joe Carrigan: [00:12:32] Yeah. These scammers come in, and they go right for your emotions, and they short-circuit your thinking.
Dave Bittner: [00:12:38] Yeah.
Joe Carrigan: [00:12:39] And in Christine's case, they came in. They said, you're in big trouble, lady, and we're going to help you fix it.
Dave Bittner: [00:12:44] Yeah. Right - and so many buttons they push.
Joe Carrigan: [00:12:46] So many buttons.
Dave Bittner: [00:12:46] Yeah.
Joe Carrigan: [00:12:47] It's a terrible story, but thank you, Christine, for sharing it.
Dave Bittner: [00:12:50] Yeah.
Joe Carrigan: [00:12:50] It's important that people do this.
Dave Bittner: [00:12:52] All right. Well, it's time to move on to our Catch of the Day.
0:12:55:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:12:59] This one came to us from someone who goes by the Twitter handle MOS6502, which'll have some meaning to folks from the old 8-bit microprocessor days. This is a message, Joe. It comes from the Secret Service.
Joe Carrigan: [00:13:12] Oh, you'd better pay attention, Dave.
Dave Bittner: [00:13:13] The Department of Homeland Security...
Joe Carrigan: [00:13:14] That's...
Dave Bittner: [00:13:15] ...Washington, D.C., USA. And it goes like this. Good day. This is the Department of Homeland Security. We have a vital mission to secure the nation from the many threats we face, as well as internet fraud. This requires the dedication of more than 230,000 employees in jobs that range from aviation and border security to emergency response, from cybersecurity analyst to chemical facility inspector. Our duties are wide-ranging, but our goal is clear - keep America safe. We are happy to inform you that your funds, valued at 10,700,000 U.S. state dollars, have been approved by the Treasury Department of the United States. Kindly get back to us for further directives. Note - do not reply to any email that comes from the FBI director Christopher A. Wray. The FBI director does not email people. He will rather send an agent to your doorstep in person. Do not fall a victim of scam again. A word is enough for the wise. Thank you. Have a good day. James M. Murray, director, Secret Service.
Joe Carrigan: [00:14:19] That's awesome. I mean, first off, they're actually telling you, right here in the email, that the federal government will not call you or email you to arrest you. We will actually show up at your doorstep.
Dave Bittner: [00:14:27] Well, and I love how he's kind of throwing a rival agency under the bus.
Joe Carrigan: [00:14:31] Right.
Dave Bittner: [00:14:31] You know, like those - this is from the Secret Service. Those punks over at the FBI - they're probably going to try to scam you, so don't fall for it. You know, they're going to show up at your doorstep or - little interagency rivalry thrown in the mix here.
Joe Carrigan: [00:14:44] So this is just another scam. It looks like the Nigerian prince scam. Hey, we've got this $10.7 million we want...
Dave Bittner: [00:14:50] Yeah.
Joe Carrigan: [00:14:50] ...To...
Dave Bittner: [00:14:51] By the authority of the United States - they have the money. Right - no explanation for why they have these funds for you.
Joe Carrigan: [00:14:58] Why would the government want your help? I mean, the government - they go through more money than this in a minute.
Dave Bittner: [00:15:03] The Secret Service is keeping America safe.
Joe Carrigan: [00:15:05] Right.
Dave Bittner: [00:15:05] And part of the way they do that is by making sure that people who have an extra $10 million laying around don't forget about it...
Joe Carrigan: [00:15:13] Right.
Dave Bittner: [00:15:13] ...That it's properly distributed to them.
Joe Carrigan: [00:15:15] Yes.
Dave Bittner: [00:15:16] So there you go. Thank you, James M. Murray, director of the Secret Service. All right. Well, that is our Catch of the Day. Coming up next, Carole Theriault returns. She's going to interview Larry Cashdollar. He's from Akamai, and he's got some news about some pretty clever phishing campaigns. But first, a word from our sponsors at KnowBe4.
Dave Bittner: [00:15:37] And now, back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing, real-world, proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:16:38] And we are back. Joe, it's great to have Carole Theriault back on the show. She recently spoke with Larry Cashdollar. He's from Akamai. And he's got some news about some clever phishing campaigns that people should be aware of. Here's Carole Theriault.
Carole Theriault: [00:16:52] So phishing campaigns - I hate them. The security experts out there hate them. Everyday folks that use computers hate them. The only people that seem to like them are those that try and make money out of them, and they're constantly innovating their tactics to try and dupe us into falling for their schemes. Larry Cashdollar is an Akamai senior researcher. He recently discovered a phishing email that tries to scoop up the victim's Facebook and Google credentials using a rather novel approach - Google Translate. Now, Larry was kind enough to walk us through how the phishing attack was constructed, and this is important because it's this kind of knowledge that will help us keep our eyes peeled if this type of attack actually targets us. My first question to Larry was to set the scene. So where was he when he first received this phish email?
Larry Cashdollar: [00:17:50] I just happened to be actually sitting and waiting for my son. He was in basketball, and I was checking my email. It wasn't in my spam box, which is usually where I check first for interesting tidbits. It was actually in my inbox, so this phishing, you know, had made it past the spam filters for Gmail. And it was telling me that my account had been logged in from a IP address somewhere in Russia. And at first glance, you know, I thought this email was fishy, but, you know, my brain was like, you should check into this. Maybe it's legit. So at that point, I clicked the link and saw it had redirected me to Google Translate. And I'm like, well, that's not normal. And it was asking me to log into my Gmail application. And I thought to myself, well, that's neat. I've never seen a phishing email redirect through Google to make it look like it's legit.
Carole Theriault: [00:18:43] Right. OK, so let me slow this down. So you get this email, and it's saying someone has logged into your device from a different account or a different location...
Larry Cashdollar: [00:18:50] Right.
Carole Theriault: [00:18:50] ...Than you were actually at.
Larry Cashdollar: [00:18:52] Right.
Carole Theriault: [00:18:52] So that raised your suspicions right away, but what was weird for you is it then went to Google Translate.
Larry Cashdollar: [00:18:57] Yes, yes. It redirected me to Google Translate, and it was actually - Google Translate was loading the phishing site through it. And the site itself didn't need translation. It just was - looked more legit with the Google Translate domain at the top of my browser.
Carole Theriault: [00:19:13] Yes.
Larry Cashdollar: [00:19:14] For someone who's not doing this stuff as their day job, they might actually be fooled into thinking it was a real Google domain if they're not looking closely.
Carole Theriault: [00:19:22] Sure, especially if people are sitting there on their phones between meetings, trying to cram in the most amount of emails they can. But maybe some people have family members who share accounts, and they may not be that suspicious at that kind of a situation.
Larry Cashdollar: [00:19:34] Yeah. All my accounts have, you know, some sort of two-factor or multi-factor authentication, so to me, to get that email was sort of like, OK, you know, if someone's gotten my password through, you know, some sort of SQL compromise for Google or Gmail, then I should at least have, you know, a second factor of authentication on my account. So I should be getting a text about now, which I didn't get. So at that moment, I'm like, OK, this is an interesting phish.
Carole Theriault: [00:20:01] Right.
Larry Cashdollar: [00:20:02] So at that point, I had forwarded the email to a different account of mine that I check on a machine - that is, a lab machine that doesn't have my normal work stuff on it. It's not my phone, and it's...
Carole Theriault: [00:20:12] A clean machine.
Larry Cashdollar: [00:20:12] A clean - a burner machine.
Carole Theriault: [00:20:14] Right. Burner machine - I like that.
Larry Cashdollar: [00:20:15] And I started looking at the actual phishing email itself and then the site that it was trying to redirect me to, and I realized that it was actually, you know - the sole purpose of them using the Google Translate was to try and trick the user into thinking it was a legitimate request from Google to change my password. Yeah, I wasn't exactly sure what was going on because I had never seen that before. And then once I got it onto a different machine, I was able to look at it closely without looking at it on, you know, an iPhone or something. Like, I realized what the guys were actually up to doing.
Carole Theriault: [00:20:44] And so what would happen - I'm guessing, of course, you didn't fall for this (laughter). But what would have happened had someone fallen for it and actually entered their Google credentials on that Google Translate page that had been displayed?
Larry Cashdollar: [00:20:57] Well, in this case, what would have happened was the page redirected to the phishing site. In my case, I would have gotten - at some point, I'm assuming they would have tried to use those credentials to log into my account or they would have sold them on the dark web. But I would assume, at some point, they would have tried to log in that account and change my credentials. And in my case, I would have gotten a message on my cell phone saying, hey, someone's trying to log into this account. And do you approve of it? But in, I think, most people's cases who aren't as protected with their account, somebody could have gone in their email. They would have had access to my Google Drive.
Carole Theriault: [00:21:29] Yeah.
Larry Cashdollar: [00:21:30] And in this case of this email, it actually - once you log into or submit your credentials to the Google phishing site, it actually redirects you to Facebook - to a Facebook phishing page, which I didn't actually know about. A reporter from ZDNet actually tipped me off to it. He was like, well, did you enter any credentials into this? And I'm like, no, I was more interested in, you know, how the phish was being concealed not really about where the phish was going. And he said, well...
Carole Theriault: [00:21:56] Aha.
Larry Cashdollar: [00:21:56] If you put your credentials in, it redirects you to a Facebook page. He's like, the guys are actually pretty greedy and are being pretty lazy by figuring if you fell for one phishing attempt, you might fall for another one. And, you know, maybe some not-so-Internet-savvy users would think, oh, you know, I need to log into Facebook now after logging into Google, when most people are like, wait. I just logged into Facebook. Why would I need to log into Google?
Carole Theriault: [00:22:19] Yeah. I bet it works, though.
Larry Cashdollar: [00:22:22] Oh, I'm sure.
Carole Theriault: [00:22:23] Yeah. I bet there are people that think, oh, God. Google caught it, and now, you know, they work with Facebook. I could just imagine this weird tangential...
Larry Cashdollar: [00:22:30] Oh, yeah.
Carole Theriault: [00:22:31] ...Like, all the systems are trying to reset to protect me.
Larry Cashdollar: [00:22:34] I'm sure. You know, I'm sure it's worked on people who think something's fishy about logging into both Google and Facebook for one single request. So - and I imagine if they're doing it, then it has worked in the past. It's a lazy tactic, but it must be a successful one.
Carole Theriault: [00:22:49] Do you think that this particular phish was kind of spray phish, so you were not targeted as a particular user?
Larry Cashdollar: [00:22:58] I think what happened was, with all of these massive data breaches and these password and email address dumps where there's a billion-user credential database...
Carole Theriault: [00:23:07] Yeah.
Larry Cashdollar: [00:23:07] ...I think now...
Carole Theriault: [00:23:08] It's crazy.
Larry Cashdollar: [00:23:08] They have an enormous email list. I know throwaway passwords of mine have been compromised, along with my email address. I have email addresses that I never had submitted publicly that are actually getting phished now because they were part of a SQL dump from, you know, Adobe's breach or - you know, or Yahoo's breach. So...
Carole Theriault: [00:23:29] Yeah.
Larry Cashdollar: [00:23:30] I'm now getting, you know, phishing attempts on, you know, emails that were private and weren't disclosed publicly because, you know, I use those emails to log into - you know, get an Adobe update or whatnot. So they now have this massive list of emails that they can target with phishing scams, and I think that's what's probably what's going to drive the phishing attacks up is all of those credential dumps.
Carole Theriault: [00:23:54] I think more people today than ever before are actually using unique passwords for every one of their accounts. I think there's a - you know, not everyone but there's a greater proportion of people than there were, say, five years ago. And I wonder if that means you can actually track which passwords have been stolen...
Larry Cashdollar: [00:24:07] Yes.
Carole Theriault: [00:24:08] ...By whom, you know? Because it must be easier for those who are in the forensic side to kind of go, interesting. All these passwords that have been stolen happen to belong to, you know, this company or these encounters.
Larry Cashdollar: [00:24:17] I have friends of mine who actually do submit - they keep track of a list of - I don't know how many passwords they must have, but every site they create an account on, they have a unique password for that site, and they track which site they use that password on. So they know, if they see that password turn up, that either that site's been compromised...
Carole Theriault: [00:24:34] Right.
Larry Cashdollar: [00:24:35] ...Or, if they see that email turn up in spam or with marketing emails, they know that either that site was compromised or his information or their information was sold to a third-party company for, you know, X amount of dollars to send marketing materials to.
Carole Theriault: [00:24:51] Exactly, exactly. It's interesting because now more people use password managers, too.
Larry Cashdollar: [00:24:55] Yeah.
Carole Theriault: [00:24:55] Don't they? So in effect, everyone's kind of got a - of almost a kind of log of these unique passwords.
Larry Cashdollar: [00:25:01] Yeah. I think with password managers, people can do their own sort of reconnaissance as to where was my account had been compromised on what site just based on either emails they're getting to that account or...
Carole Theriault: [00:25:11] So there seems to be - so that's a really interesting point you made earlier, Larry - that, you know, because of these huge password dumps, you are expecting to see an increase in the number of phishing scams maybe coming up in the next 12 months or so.
Larry Cashdollar: [00:25:22] Yeah.
Carole Theriault: [00:25:23] We're also reading of increased targeted phishing attacks, where they're actually doing some recon on the people that they're going after or targeting a specific type of person. Maybe they have more money or they have access to the correct accounts, for example.
Larry Cashdollar: [00:25:35] Right. I mean, you know, let's say I was targeting akamai.com...
Carole Theriault: [00:25:38] Right.
Larry Cashdollar: [00:25:39] ...The company I work for. You could go through the list of emails or pull down one of those billion-user database dumps and look for Akamai email addresses. And then you can take those email addresses and start looking on LinkedIn to see who these email addresses belong to or, you know, who these people are and then specifically target phishes for people who might have access to accounts payable at Akamai, you know? You could - there's all sorts of things like that that I think is going to come of these or probably has already come of these database breaches.
Carole Theriault: [00:26:08] Yeah. Now - OK, so this is the $10 million question. Advice - we need advice for our listeners. What can you tell them? What kind of things can they do to better protect themselves against these types of phishes?
Larry Cashdollar: [00:26:22] Be wary of all emails. If it's something that's asking you to click a link and it seems urgent, where it's saying your account's been compromised or you need to fill out a form or complete some sort of document in order to get something, be wary of those emails. They're usually preying on your humanity and your need to get things fixed or done. And then, you know, if there's a link embedded - you know, if my bank says, you need to change your password, I go to my web browser, and I go to my bank. I don't click the link in my email. And then for...
Carole Theriault: [00:26:51] Exactly.
Larry Cashdollar: [00:26:52] I can't stress this enough - two-factor or multi-factor authentication, you know, on everything.
Carole Theriault: [00:26:57] Yep.
Larry Cashdollar: [00:26:57] You have to have it these days because, you know, if your password is compromised and you reuse your passwords or, you know, if the password was compromised through the data breach, you'll need another step in order to get into your account, so...
Carole Theriault: [00:27:09] And unique passwords - I guess, you know, it goes without saying - unique passwords for all your accounts.
Larry Cashdollar: [00:27:13] Yeah, yeah. One password per account. In this day and age, where, you know, we have - information technology is a big thing now. It's, you know, data cleanliness and operational security - people should really try and have, you know, multi-factor or two-factor authentication.
Carole Theriault: [00:27:30] Yeah. I drank the 2FA Kool-Aid as well - or multi-factor Kool-Aid as well.
Larry Cashdollar: [00:27:34] Yeah.
Carole Theriault: [00:27:34] What do you think about people regularly changing passwords? Do you think that's something that's advisable or...
Larry Cashdollar: [00:27:40] I think, you know, changing your password every couple of months is a good idea. I try to do it more often than I should, but just for due diligence, just if you have the same password for a couple of years on a web site, you don't know that database could have been compromised and that the company never made it publicly known that they had lost a million user accounts. So it's always wise to just rotate your passwords.
Carole Theriault: [00:28:03] So that was Larry Cashdollar, a senior researcher at Akamai. I liked his tips - number one, having a unique email address for every online account that you create so that if you lose an address, you can actually trace it back to its original source. That's clever. And although changing passwords regularly - maybe, you know, every six months, year, five years - fell out of fashion for many security experts, I think Larry's argument holds water as to why it's a good idea. After all, none of our data seems very safe out there these days. This was Carole Theriault for "Hacking Humans."
Dave Bittner: [00:28:45] All right. Interesting stuff, huh?
Joe Carrigan: [00:28:47] Yeah, yeah, very interesting. I'm going to tell you something, Dave. If something gets through my spam filters and says that one of my accounts at one of my institutions has been accessed from Russia, that gets my attention immediately.
Dave Bittner: [00:28:57] (Laughter) Right.
Joe Carrigan: [00:28:57] That's a pretty good phishing technique.
Dave Bittner: [00:28:59] Yeah.
Joe Carrigan: [00:28:59] You know, I'm going to be more cautious, but it is something I'm not going to ignore. I'm going to pay attention to that message. Using Google Translate is a very clever way to obfuscate a malicious website. You and I did this while we were listening to the interview. You can create a link that loads up any page you want, and the domain that your website goes to is a Google domain.
Dave Bittner: [00:29:19] Right.
Joe Carrigan: [00:29:19] Right? So if I loaded up a malicious Gmail phishing page and you went to it, you would be going to a Google page and think that you were entering your information into Google's webpage, but you would not be.
Dave Bittner: [00:29:30] Yeah. Yeah, so it has the legitimacy of Google...
Joe Carrigan: [00:29:33] Right.
Dave Bittner: [00:29:33] ...Right at the beginning of the URL.
Joe Carrigan: [00:29:35] That is very clever. I wonder if Google is aware of this and doing something about it.
Dave Bittner: [00:29:39] Yeah, it'd be nice if they had some way to flag it because you'd suspect Google would know or would at least have a lead on...
Joe Carrigan: [00:29:47] Right.
Dave Bittner: [00:29:47] ...Suspicious websites.
Joe Carrigan: [00:29:48] Right.
Dave Bittner: [00:29:49] Yeah, interesting.
Joe Carrigan: [00:29:50] I like that Larry has a burner machine. I don't have a physical machine, but I do have a VM that I use like this. It's not an ideal solution 'cause any malware knows it's in the VM - a lot of malware does; not any malware but a lot of it does. And actually, I'm not trying to download malware, but I will go to links in a VM, like a Linux VM, because usually, these malicious links are not targeting Linux machines. They're targeting Windows-based machines.
Dave Bittner: [00:30:10] That's right.
Joe Carrigan: [00:30:11] I like how this website - some other researchers contacted him and said that after you enter your Google credentials, it goes to collect your Facebook credentials. If you're going to swing for the fences, right?
0:30:19:(LAUGHTER)
Dave Bittner: [00:30:22] Yeah.
Joe Carrigan: [00:30:23] Larry calls this lazy. I mean, yeah, maybe it's lazy. And I guarantee you this worked on a certain percentage of the people that went to it. They collected some Facebook credentials as well.
Dave Bittner: [00:30:31] Yeah.
Joe Carrigan: [00:30:32] That happened.
Dave Bittner: [00:30:32] Yeah. We got you once.
Joe Carrigan: [00:30:33] Right.
Dave Bittner: [00:30:33] Let's see if we can get you again.
Joe Carrigan: [00:30:35] I'll bet you if you enter your Facebook credentials, it takes you to another place (laughter).
Dave Bittner: [00:30:38] Right. Yeah.
Joe Carrigan: [00:30:38] These huge password dumps like Collection 1 or these aggregations of passwords are making it a lot easier to do these phishing attacks. This data is now being essentially managed like big data is because it is now big data.
Dave Bittner: [00:30:51] Right.
Joe Carrigan: [00:30:51] And people have access to it, so it really creates a problem for users out there.
Dave Bittner: [00:30:56] Yeah. I would say if there's a password that you've been using for a long period of time - a legacy password, your favorite old password - just get rid of it.
Joe Carrigan: [00:31:06] Right.
Dave Bittner: [00:31:06] Just make a new one.
Joe Carrigan: [00:31:07] Right, yeah.
Dave Bittner: [00:31:08] Just do it. Make a new password. Why not?
Joe Carrigan: [00:31:10] Because they're already out there.
Dave Bittner: [00:31:12] Yeah. Chances are, somebody has it.
Joe Carrigan: [00:31:13] Go to Troy Hunt's page, Have I Been Pwned, and look at the passwords page. And I used to use these passwords many years ago.
Dave Bittner: [00:31:20] Yeah, we all did.
Joe Carrigan: [00:31:20] They're all in there.
Dave Bittner: [00:31:21] Yeah.
Joe Carrigan: [00:31:21] Everything I ever used - because I still remember them. They're easy to remember. They're all in there.
Dave Bittner: [00:31:25] Right.
Joe Carrigan: [00:31:25] None of my passwords from my password manager are in there, though...
Dave Bittner: [00:31:27] Right.
Joe Carrigan: [00:31:28] ...Because they're all random 20-character passwords.
Dave Bittner: [00:31:30] Yeah.
Joe Carrigan: [00:31:30] I like a lot of Larry's advice. Be wary of emails that sound urgent, right? They're trying to elicit an activity from you, and they're trying to get you to not think about it.
Dave Bittner: [00:31:38] Right.
Joe Carrigan: [00:31:39] Don't click the link, and use multi-factor authentication. When I give people advice, I say the single biggest thing is using multi-factor authentication. And, of course, use a password manager. At the end of this, and during the discussion, Carole and Larry talk about changing your password. There is some research out there that people might be misinterpreting, and the research says it is a bad idea to force people to change their password.
Dave Bittner: [00:32:03] Right.
Joe Carrigan: [00:32:03] OK, so - because what happens when you force people to change their password? They inherently will pick a weak password. They will just change the password minimally enough to meet your requirements, and they're going to use - and the password can be broken very quickly.
Dave Bittner: [00:32:17] Right. That's where you get people using password1 and then password2, password3.
Joe Carrigan: [00:32:20] Right, exactly. If you break a password - let's say it's marylandware - because I'm reading off a bumper sticker on your car here - marylandware5, and you make me change it, then I'm going to change it to marylandware6.
Dave Bittner: [00:32:30] Yeah.
Joe Carrigan: [00:32:30] That is not the same thing as you changing your password as a user, OK? You changing your password as a user, as a personal policy, is a good policy to have. So every so often, on my web sites that I deem risky enough for this, usually every 180 days, my password manager prompts me to change the password on these web sites.
Dave Bittner: [00:32:50] So you have it dialed in to prompt you...
Joe Carrigan: [00:32:53] I do.
Dave Bittner: [00:32:53] ...Remind you.
Joe Carrigan: [00:32:54] Remind me, right.
Dave Bittner: [00:32:54] Yeah.
Joe Carrigan: [00:32:55] It doesn't really prompt me. It just turns the little icon next to the password red, reminding me that this password is due for changing.
Dave Bittner: [00:33:00] Yeah. Well, that's good.
Joe Carrigan: [00:33:02] And I change them the next time I log into that web page. Because I use an open-source solution that I manage myself, I frequently have to make a backup of this thing so I don't get locked out of my accounts if I ever lose my two-factor authentication that accesses my password safe. But there, again, I'm using multi-factor authentication. So I would say it is good for you to change your password on a regular basis with some periodicity. It is bad for someone to force you to change your password because that doesn't work for the vast majority of people who have accounts on that system.
Dave Bittner: [00:33:31] Right. Long, random passwords generated by a password manager...
Joe Carrigan: [00:33:35] Yep.
Dave Bittner: [00:33:35] ...That's the way to go.
Joe Carrigan: [00:33:36] It is.
Dave Bittner: [00:33:37] Yeah. All right. Well, thanks to Carole Theriault and Larry Cashdollar for joining us this week. That is our podcast.
Dave Bittner: [00:33:43] We want to thank our sponsor KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training.
Dave Bittner: [00:34:01] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:34:09] The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben, and our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Peter Kilpe. And I'm Dave Bittner.
Joe Carrigan: [00:34:31] And I'm Joe Carrigan.
Dave Bittner: [00:34:32] Thanks for listening.