Hacking Humans 7.5.18
Ep 6 | 7.5.18

Phone scams, phantom employees and sitting Ducks.


Paul Ducklin: [0:00:00] If you're not testing your employees and helping them to learn, then, by golly, the crooks surely are.

Dave Bittner: [0:00:08] Hello, everyone, and welcome to The CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm David Bittner from The CyberWire. And joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [0:00:28] Hello, Dave.

Dave Bittner: [0:00:29] As always, we've got some interesting stories to share. And later in the show, we welcome Carole Theriault. She's co-host of the "Smashing Security" podcast. Excited to have her join us. She's got a fascinating interview with Paul Ducklin. He's a senior technologist at Sophos. But before we get to all that, a quick word from our sponsors, our good friends, KnowBe4.

Dave Bittner: [0:00:52] So how do you train people to recognize and resist social engineering? There are some things, people think. Test them, and if they fall for a test scam, fire them. Or other people say, if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. How 'bout it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.

Dave Bittner: [0:01:28] And we're back. We've got some fun stories to share this week. Joe, you're up first. What do you got for us?

Joe Carrigan: [0:01:33] Well, this week, Dave, I received an email from our security department at work, and they were advising all the people at the university of a new scam that's kind of growing and becoming more prevalent. And, actually, I did a little research on it and found out that there was that great story from WTTG, here in D.C., and they had a woman who received a phone call that said, we have your daughter, and if you hang up, we're going to kill her. So it's a particularly gruesome phone scam where they are trying to exact a ransom out of people by calling them. And they have enough information to do this, right? There's even a person screaming in the background that sounds like a child.

Dave Bittner: [0:02:12] So...

Joe Carrigan: [0:02:14] Yeah. It's awful, absolutely awful.

Dave Bittner: [0:02:17] So imagine you're minding your own business, carrying about your day. And they know you have a child.

Joe Carrigan: [0:02:23] Right.

Dave Bittner: [0:02:23] They know the kid's name, I suppose.

Joe Carrigan: [0:02:25] They do. And then they demand a ransom, and the rest of the scam is pretty self-evident.

Dave Bittner: [0:02:29] Right.

Joe Carrigan: [0:02:30] Right?

Dave Bittner: [0:02:30] But that idea of having the sound of a screaming child in the background, boy...

Joe Carrigan: [0:02:36] Right.

Dave Bittner: [0:02:37] ...That pushes all your buttons.

Joe Carrigan: [0:02:38] It does. It's...

Dave Bittner: [0:02:40] It's horrible.

Joe Carrigan: [0:02:40] It is. It's horrible, but it's a well-designed social engineering scam.

Dave Bittner: [0:02:43] Wow.

Joe Carrigan: [0:02:44] I have a word I like, Dave, and that word is confluence.

Dave Bittner: [0:02:47] OK.

Joe Carrigan: [0:02:47] Literally, it means the joining of two rivers. Right? But metaphorically, it means kind of the coming together of two ideas. And, last week, we learned about an absolutely massive data breach from the fine folks over at Exactis.

Dave Bittner: [0:03:02] OK.

Joe Carrigan: [0:03:02] And fine is in air quotes there.

Dave Bittner: [0:03:06] (Laughter).

Joe Carrigan: [0:03:06] Basically, the personal information of every adult in the U.S. has been available for the downloading on an open server.

Dave Bittner: [0:03:13] So this is where there's one of those classic - we hear a lot about unprotected AWS servers.

Joe Carrigan: [0:03:18] Correct. Yeah.

Dave Bittner: [0:03:18] People forget to set the security settings correctly.

Joe Carrigan: [0:03:21] The researcher who found this just found it with a Shodan search, which is a search engine that lets you find these kind of things and other things, as well. But this data is nothing as innocuous as credit card numbers or bank account information, right? That information can all be changed. This is stuff about who you are. It's real data about you. It's what you like, what you dislike, how many kids you have, how old they are, what their genders are, your religious beliefs, your sexual preferences. This is the kind of data that was in that. When I say sexual preference - you know, whether you're gay or straight.

Dave Bittner: [0:03:50] Right.

Joe Carrigan: [0:03:50] They know this based on your browsing behavior. And...

Dave Bittner: [0:03:53] So this is marketing data, mostly, that they've gathered.

Joe Carrigan: [0:03:56] Yeah. But they have amassed a vast amount of it. And it's stuff that's not likely to change about you. They're hard facts. Now, imagine what phone scammers can do with this kind of information and the morals that they demonstrate.

Dave Bittner: [0:04:10] Right. Right.

Joe Carrigan: [0:04:11] So if they get a hold of this data - which, I'm sure somebody has gotten a hold of this data 'cause this researcher was probably not the first person to find that database on the Shodan search.

Dave Bittner: [0:04:21] Yeah.

Joe Carrigan: [0:04:21] So it's probably out there. I don't know how I would advise people to protect themselves against this (laughter).

Dave Bittner: [0:04:27] Yeah. Just - yeah. Have your guard up. The reporting on this story, it sounds like they have data for just about everybody.

Joe Carrigan: [0:04:34] Yeah. They do.

Dave Bittner: [0:04:35] Pretty much every adult in the United States, they're saying. It's more likely than not.

Joe Carrigan: [0:04:40] Right, that you're in this breach if you're a U.S. citizen.

Dave Bittner: [0:04:44] Right. Right.

Joe Carrigan: [0:04:46] So I just think that this paired with, you know, the phone scam, this is just data that makes phone scamming people easier.

Dave Bittner: [0:04:52] Right.

Joe Carrigan: [0:04:52] A lot of people are worried that it's going to be leading to identity theft. And I think that's right. It probably will lead to more identity theft. And everybody should always be vigilant with your identity and, you know, monitor your credit and all that stuff. But now this is going to be something that's going to make social engineering a lot easier for people because now if I have this data, I know a lot more about you. I know what your triggers are. You know, maybe I can even blackmail you with some of this information.

Dave Bittner: [0:05:18] Right.

Joe Carrigan: [0:05:18] I mean, if you go back to the Ashley Madison breach, if you were able to cross-reference the breach from Ashley Madison with the breach from OPM...

Dave Bittner: [0:05:27] Right.

Joe Carrigan: [0:05:27] ...Where everybody's clearance information was leaked, then you could have a list of highly exploitable resources in that.

Dave Bittner: [0:05:34] Well, and I seem to recall that there was at least one suicide after the Ashley Madison breach.

Joe Carrigan: [0:05:39] Yeah. I remember that, as well.

Dave Bittner: [0:05:41] It's horrible.

Joe Carrigan: [0:05:42] Yeah. It is horrible.

Dave Bittner: [0:05:43] All right. Well, I guess the lesson here is that keep in mind that if someone's calling you and they have some specific information, that doesn't necessarily mean that they are who they say they are.

Joe Carrigan: [0:05:56] That's correct.

Dave Bittner: [0:05:56] There are other ways for them to get this specific information, and they can use it to fool you.

Joe Carrigan: [0:06:01] Right.

Dave Bittner: [0:06:03] All right. Well, my story's a little lighter than yours.

Joe Carrigan: [0:06:05] (Laughter) Sorry. I had to go - my story's very heavy and dark.

Dave Bittner: [0:06:05] It's probably - it's hard for my story to not be lighter than that...

Joe Carrigan: [0:06:11] (Laughter) Yeah.

Dave Bittner: [0:06:12] ...Kidnapping. But this is actually another true story of social engineering from my own life. So back in the early 2000s, I worked at a tech company, and we had a receptionist who answered the phones and she greeted people who came by the office. Now, if you think back to this time, there was an endless barrage of salespeople who would either call or stop by, and they were hoping to sell you one thing or another. And at the time, some of the popular things they would sell were photocopier services, toner cartridges, long-distance telephone services.

Joe Carrigan: [0:06:45] Yep.

Dave Bittner: [0:06:46] It's hard for our younger listeners to imagine that there was a time when you had to pay for a phone call based on how far away the other person was. But this is the reality. This is the nightmare in which we lived, right?

Joe Carrigan: [0:06:57] Right.

Dave Bittner: [0:06:58] They would try to sell you high-speed Internet and office supplies, things like that. So our receptionist was really frustrated because she was spending a lot of time with these people, and they'd be these salespeople who would not take no for an answer, right? So...

Joe Carrigan: [0:07:11] Pests.

Dave Bittner: [0:07:12] They were pesky. They would try to keep her on the phone because, you know, the longer you keep someone on the phone, the more likely they are to engage with you. And so she was just at the end of her rope. So here's what we did. We created a fake employee persona, and we named him Juan Gonzalez (ph).

Joe Carrigan: [0:07:27] Juan Gonzalez.

Dave Bittner: [0:07:28] We created a voicemail box for him. We created an email account. We even printed up business cards for Juan.

Joe Carrigan: [0:07:35] (Laughter).

Dave Bittner: [0:07:35] So now when a salesperson called, the receptionist could simply say, yes, let me connect you to Juan. He's in charge of those things. And if a salesperson came in the office, she could hand them his business card, and she could say, oh, my gosh. You just missed Juan. He's the person you want to talk to. Here's his business card with his contact information. And so the salesperson's very excited. They think they've got a hot lead, right? They leave the office thinking, this is great. I can go back to my boss and say, well, look, I gathered some leads today.

Joe Carrigan: [0:08:05] (Laughter).

Dave Bittner: [0:08:07] Now, as part of this, I created an outgoing voicemail message.

Joe Carrigan: [0:08:11] Right.

Dave Bittner: [0:08:11] And it sounded something a little bit like this. Hello. This is Juan Gonzalez. I am truly sorry that I'm not here to take your call. I am responsible for the purchase of photocopier services, toner cartridges, long-distance telephone service, high-speed Internet and office supplies. Please leave your name and number, and I will call you back as soon as possible. Thank you for calling, and have a good day, my friend.

Joe Carrigan: [0:08:42] (Laughter) It's like Ricardo Montalbán.

Dave Bittner: [0:08:43] Exactly. Well, that's...

Joe Carrigan: [0:08:45] (Laughter).

Dave Bittner: [0:08:46] That is who I was trying to channel. Now, in retrospect, I will acknowledge that perhaps it was a bit culturally insensitive of me. But...

Joe Carrigan: [0:08:53] Revenge is a dish best served cold.

Dave Bittner: [0:08:56] Right. But it was intentional. Now, part of what we were doing here was I wanted to make the message a bit over the top so if a smart salesperson got passed on to this voicemail, they would probably know what was going on.

Joe Carrigan: [0:09:09] Right.

Dave Bittner: [0:09:09] Right? They would know we were fooling them, and they would go, OK, and they'd move on. So here's an interesting side note about this, right? It took about three months before Juan started getting mail.

Joe Carrigan: [0:09:21] (Laughter).

Dave Bittner: [0:09:23] Right? Catalogs and flyers started showing up. And it struck one of our people that one day the IRS might show up...

Joe Carrigan: [0:09:33] (Laughter) Looking for Juan.

Dave Bittner: [0:09:33] ...And ask us about this employee we'd never filed any tax information for. But, fortunately, that never happened.

Joe Carrigan: [0:09:41] Yeah. I don't think that the IRS is a real concern there.

Dave Bittner: [0:09:44] (Laughter).

Joe Carrigan: [0:09:45] I mean, if an IRS agent just shows up, you tell him the truth. You tell him Juan's not real.

Dave Bittner: [0:09:49] Right.

Joe Carrigan: [0:09:49] He's just someplace we send - he's the black hole that we send salespeople to.

Dave Bittner: [0:09:54] Right. So the social engineering aspect of this - you know, I guess you'd say it was misdirection.

Joe Carrigan: [0:10:00] Yes. Absolutely.

Dave Bittner: [0:10:01] And it was for a good cause. So we were saving our receptionist from - because really, we're just passing these people on, right? We're saving her from having to deal with them. They think they're dealing with - you know, they think it's great. They're getting a lead. They're leaving a message - saving everyone from having to deal with pesky salespeople.

Joe Carrigan: [0:10:18] We've known each other for a while now.

Dave Bittner: [0:10:19] Yeah.

Joe Carrigan: [0:10:20] So you know that early in my life, I had a failed sales career.

Dave Bittner: [0:10:22] (Laughter) Yes.

Joe Carrigan: [0:10:24] So I was the guy that would leave a message for Juan.

Dave Bittner: [0:10:27] (Laughter) Right.

Joe Carrigan: [0:10:28] Maybe that's why my sales career was a failed one.

Dave Bittner: [0:10:31] Well, yeah. There you go.

Joe Carrigan: [0:10:32] (Laughter).

Dave Bittner: [0:10:32] So again, a true story, something from long ago, but I still actually have one of Juan's business cards.

Joe Carrigan: [0:10:39] Awesome.

Dave Bittner: [0:10:40] Yeah.

Joe Carrigan: [0:10:40] That is a wonderful story.

Dave Bittner: [0:10:41] All right, Joe. It's time to move on to our catch of the day.


Dave Bittner: [0:10:48] What do you have for us this week?

Joe Carrigan: [0:10:49] This week, we get an email from Ron in Dayton, Ohio.

Dave Bittner: [0:10:53] One of our listeners.

Joe Carrigan: [0:10:54] One of our listeners who sent us a catch of the day. And he was talking about selling his car. And he has a 2015 Ford F-150. So I guess it's a truck.

Dave Bittner: [0:11:03] Yeah.

Joe Carrigan: [0:11:04] And he decided to sell it as a private seller.

Dave Bittner: [0:11:06] Right.

Joe Carrigan: [0:11:06] And he listed on Craigslist. And after he's listed the truck, he gets a text from somebody with an area code from St. Louis. It's a 636 area code.

Dave Bittner: [0:11:18] Yeah.

Joe Carrigan: [0:11:19] And he thinks this is odd because his truck is listed in Dayton, Ohio. But his cellphone number starts with 314, which is a cool area code to have, but it's from St. Louis, as well. So his cellphone has a St. Louis area code, and he's getting a text from a St. Louis area code...

Dave Bittner: [0:11:37] Interesting.

Joe Carrigan: [0:11:38] ...Even though the truck is in Dayton. So that kind of sets up a red flag, and he's a little more alert. And then he sends along the conversation that these two have. So you play the person texting Ron.

Dave Bittner: [0:11:49] All right.

Joe Carrigan: [0:11:50] And I will play Ron.

Dave Bittner: [0:11:51] All right. Here we go. Hi. Sorry. I lost service. Is your car listed on CL still available?

Joe Carrigan: [0:11:57] Yes.

Dave Bittner: [0:11:58] It looks great, but I have a few question. What is the price for your 2015 Ford?

Joe Carrigan: [0:12:04] Twenty-one thousand, two hundred-fifty dollars.

Dave Bittner: [0:12:07] One more thing. Do you mind if I see a copy of your car's history report? You can get it from getyourvinchecked.com. If so send it to me at email address at Yahoo.com, if you can. Hey. Don't mean to bother, but, are you still here?

Joe Carrigan: [0:12:22] So going to pass on the VIN report.

Dave Bittner: [0:12:25] Hmm. After you've got the report and we can make a time to meet up. Awesome. Look forward to seeing the report. Smiley face. I've been thinking about getting a 2015 Ford for a little bit now.

Joe Carrigan: [0:12:36] Not getting a warm fuzzy about giving my info to this site. Seems like this is a scam. Sorry. FYI, I'm a cybersecurity professional. Please do not contact me again.

Dave Bittner: [0:12:49] So it strikes me as being interesting, this whole thing with the area codes, 'cause I think a lot of times, these bad guys, they have an automated way to go through and scrape these ads from things like Craigslist.

Joe Carrigan: [0:12:59] Yeah. And then they have a neighbor number scheme where they call you from a similar number. I got one of these calls the other day, somebody calling from some service, and the first six digits of their phone number are my area code and the exchange.

Dave Bittner: [0:13:11] Interesting.

Joe Carrigan: [0:13:12] So it's easy to do using Voice over IP, or just get yourself a Google Voice number and start sending texts with it.

Dave Bittner: [0:13:19] Yeah. Now, there was another interesting part of this, though, that Ron, who sent this in, he went down the path a little bit. He said originally he was checking all this on his phone, which of course makes it harder to check things like the links.

Joe Carrigan: [0:13:31] That's right.

Dave Bittner: [0:13:31] So he went back to his Mac. And, what happened there?

Joe Carrigan: [0:13:34] And there, he realizes that the website for the report service is HTTP and not HTTPS.

Dave Bittner: [0:13:41] And this is where they want him to pay for...

Joe Carrigan: [0:13:44] Right. He's not comfortable entering his credit card information, and that's what finally triggers him to conclude that this is a scam.

Dave Bittner: [0:13:49] Right.

Joe Carrigan: [0:13:50] And he terminates the relationship immediately.

Dave Bittner: [0:13:52] That's the final straw...

Joe Carrigan: [0:13:53] Right.

Dave Bittner: [0:13:53] ...That they are asking for his credit card information on an unsecured site.

Joe Carrigan: [0:13:57] Yep. And a red flag here for me would have been, I want your vehicle history report. Go to this site and get me one. So if I'm selling my car, the very first thing I'm going to do is generate a vehicle history report. And I'm going to have a PDF of that from something like Carfax or something, something that everybody's heard of.

Dave Bittner: [0:14:14] Right.

Joe Carrigan: [0:14:14] And when they ask me for it, I'm going to go, here's the vehicle history report. You are free to look it up in any service that you want to look it up in, but I have provided you with what I think is due diligence.

Dave Bittner: [0:14:24] Right. Right. So the fact that they were channeling him to a specific site that could have been a scam, or it could have been a legit site that was being man-in-the-middled.

Joe Carrigan: [0:14:33] Could be.

Dave Bittner: [0:14:33] Hard to know. But, good for Ron. He did not get fooled. And thanks to him for sending this into us.

Joe Carrigan: [0:14:38] Ron is a CISSP. So I would expect no less from Ron.

Dave Bittner: [0:14:41] He is also retired Marine Corps. So Semper Fi, Ron.

Joe Carrigan: [0:14:45] Yes. Thank you for your service, Ron.

Dave Bittner: [0:14:47] All right. Well, that is our catch of the day. Coming up next, we've got Carole Theriault and her conversation with Paul Ducklin. But first, a message from our sponsors at KnowBe4.

Dave Bittner: [0:14:59] Let's return to our sponsor, KnowBe4's, question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture, and sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [0:15:47] All right. Joe, we're back. And this week we are excited to have Carole Theriault. She's from the "Smashing Security" podcast. She's joining us as a contributor to our "Hacking Humans" show here. Here's Carole.

Carole Theriault: [0:15:58] Dave, I'm fascinated by how scammers go about fooling a victim into giving something away for nothing. It's, like, the art of digitally deceiving someone is on the rise. And let's face it. I don't want to be conned. I don't think anyone wants to be conned. I guess if we can figure out how these guys operate, we'll glean a few tips in how we can spot and sidestep these nasty little communications.

Carole Theriault: [0:16:19] Now, we often hear about scams that target the individual user, so things like smishing, or romance scams or 419 scams. But if a scammer needs to get into a company, what then? Do scammers actually resort to social engineering techniques in this scenario? So I thought a good place to start was to ask an expert. I got in touch with an old colleague of mine from my days at Naked Security, Paul Ducklin. I know him as Duck. Now, Duck, you know your onions when it comes to information security. I always learn something when I talk to you. So I hope you're not going to let me down today (laughter).

Paul Ducklin: [0:16:49] I hope not.

Carole Theriault: [0:16:50] (Laughter).

Paul Ducklin: [0:16:51] I hope to give some sage advice that will help protect individuals from themselves when they're at home, but also, by the same token, in exactly the same way, stop them being easily misled at work that could cause the company to lose loads of money, as well.

Carole Theriault: [0:17:08] Well, that's right. So OK. Let me paint a picture for you, and let's see what you have to say about this. So let's say I'm a bad guy, and for whatever reason, I want to break into company X's network. Is it likely that I would even think about employing social engineering tactics as part of my attack strategy?

Paul Ducklin: [0:17:25] I think for the average cyber crook, maybe the vast majority of cyber crooks, it's not just likely that you'll consider it, that's where you'll start. Take the statistics that people will show you with a pinch of salt, but you'll hear anything from, you know, between 50 percent and 99 percent of attacks start with something that would traditionally be considered a phish. My definition of a phish is it's an electronic message that persuades you to give away information that as soon as you've handed it out, you go, my goodness; I wish I hadn't done that.

Carole Theriault: [0:17:54] You get that really bad feeling in the bottom of your stomach. Yeah.

Paul Ducklin: [0:17:56] Maybe I shouldn't have sent that SMS authentication code to somebody else.

Carole Theriault: [0:18:02] Right.

Paul Ducklin: [0:18:03] Maybe I shouldn't have opened that attachment. Maybe I shouldn't have said, oh, yes, obviously, you've changed the payment details for your account; I'll change the bank account number in some other customer's record.

Carole Theriault: [0:18:14] But is it likely that say, Gary, who works in accounting, who really likes cats, might get an email from a scammer that has, you know, check out the cute pictures of kittens here, Gary.

Paul Ducklin: [0:18:25] From what I've heard, not being an expert in LOLCats...


Paul Ducklin: [0:18:29] ...Cat videos don't require the person to be particularly a cat fancier.


Paul Ducklin: [0:18:34] And frankly, they work with everybody all of the time.


Paul Ducklin: [0:18:41] So that's the problem. Now, I'm kind of jesting there, but there are those things that are considered universally funny. And 99 percent of the time, when you get them from people you know or you know a bit or people who claim to be a friend of a friend, you click the link. You have a look. You go, ha, ha, ha. Apparently, no harm done.

Carole Theriault: [0:18:57] Yeah.

Paul Ducklin: [0:18:58] And the problem is that so much of our digital lives are, understandably, having a little bit of fun swapping pictures. Hey, check this link. When you Rickroll somebody - not that that's ever happened to you, of course...


Paul Ducklin: [0:19:11] ...Except by me - you know, you send a link. They click it. There's Rick Astley singing. And you kind of think, ha, ha, ha. But at the end of the day, what else could've been at the end of the link? Having said that, although LOLCats might work for the vast majority of people on the Internet regardless of their interests, if you want to then focus in and make it sound as though you've got some common bond with the person, either you could just chat to them a bit, like a good old face-to-face con man would've done, and just learn about them and show an interest...

Carole Theriault: [0:19:41] Yeah.

Paul Ducklin: [0:19:41] ...Or, these days, even easier - go look at my Facebook page. Go and see what they tweet about. Go and check them out on Pinterest, Instagram, et cetera, et cetera, and you'll get a good idea of what turns them on.

Carole Theriault: [0:19:52] And is the whole point for them to click a link so that something might get installed on the computer, or for them to deliver some information? And it's always different, right? So it's not like you can always tell people, look out for this kind of attack.

Paul Ducklin: [0:20:05] Yes. I think there's a bit of a problem with modern-day phishing in that people imagine that phishing is kind of like it was five or 10 years ago - that there's always a standard format, that it's, Dear Sir/Madam. It's never, Dear Carole.

Carole Theriault: [0:20:21] Right.

Paul Ducklin: [0:20:21] ...That they don't - that they're guessing at what your bank is, that they've got terrible spelling mistakes, their grammar's rubbish, that it's obviously copied from somebody else's press release, and then the English language goes off the rails, and the link looks weird and so forth.

Carole Theriault: [0:20:36] So you're kind of asking someone to rely on a sixth sense to see that stuff, though.

Paul Ducklin: [0:20:40] If you see giveaways - obvious telltale signs that make the thing look like a phish - then assume that it is. But the scammers are getting cleverer. Instead of teaching themselves to write perfect English, they've just learned to use copy and paste more effectively - take an exact correspondence that exactly matches the tone of voice of a company or individual and just use that as their message.

Carole Theriault: [0:21:04] Tell you what, though, I've seen a lot of typos and grammar mistakes in actual, official, legit communications from companies in my time.

Paul Ducklin: [0:21:11] Exactly. And that means that the telltales that people think, oh, it'll be absolutely obvious; I'll never get scammed because you can spot a phish 10 miles away - the point is that whilst most of the time you can, unfortunately, if the crooks are targeting a company, not just you, then they only have to trick you or one of your immediate colleagues in, say, the accounts department to be able to persuade you to open an attachment that might give them a foothold with malware...

Carole Theriault: [0:21:37] Yeah.

Paul Ducklin: [0:21:37] ...Or to click a link that leaks some information about the company, or just to reply with something like a password or a server name or a printer name or the name of their boss, who happens to be on vacation, and where they are - just some little bit of information that the crooks can use again to phone the next guy and the next guy and the next.

Carole Theriault: [0:21:58] Yeah.

Paul Ducklin: [0:21:58] And each time, they're that bit more plausible. And eventually, they'll find someone who thinks - you know what? - this guy could not possibly be an outsider.

Carole Theriault: [0:22:05] I'm going to guess, then, the one piece of advice you might have here is if you get into a situation where you've had an exchange with someone and it's been a bit - I don't know - you feel uneasy, maybe just tell someone. Because like you say, if they're going from employee to employee to try and get access to a system or to a computer, at least, you know, the IT team would be on guard knowing that something like that was going on if they had a heads-up.

Paul Ducklin: [0:22:28] Absolutely. If you have a 999 or a 911 email address, for example, inside a company, even if you're a small biz, if you've got something like security at your company - .co, .uk or whatever it is - even if that address is only visible internally, if there's somewhere that people can just say, look; I got a call from somebody that I absolutely didn't believe, that sounded absolutely rotten, that gives the person who's receiving those emails a chance to put a warning out.

Carole Theriault: [0:22:56] Oh, that's interesting.

Paul Ducklin: [0:22:57] Because, you know, let's say the crooks are going to call 10 different people, and they're hoping that they'll succeed with one. The chance that they call the right person first is only 1 in 10. So if they call the wrong person first, who spots this, don't leave the company in a position where they then can try the next person and the next person and the next person without some warning having gone out to say, look; it looks like somebody is literally and figuratively phishing for information here. And that's what a social engineer will do. They make things as believable as possible. They make you feel good about helping them. And they also - if they're smart, they make sure that they don't ask you to give out too much information at a time.

Carole Theriault: [0:23:36] Yeah. It's so smart. Yeah.

Paul Ducklin: [0:23:38] Or you just think, oh, I probably shouldn't give you my boss's name and the fact that they're not in the office at the moment. But - well, maybe they could find that out from Facebook. Maybe they couldn't. Well, you know...

Carole Theriault: [0:23:47] Exactly. Yeah.

Paul Ducklin: [0:23:48] Make it harder for them. Don't help them along by giving them exactly the information that maybe they couldn't find out from another source. So the bottom line is, if in doubt, don't give it out.

Carole Theriault: [0:24:00] Yeah. But listen; people would call me quite, you know, forthright in my style. I've had calls before, especially when I was starting off in my career, where someone was authoritative on the phone. They were just trying to sell us something or get information about the company so they could target people. But still, like, sometimes you're really on the back foot because you're not expecting that type of call. And you tend to comply before your brain catches up and says, hey, what are you doing?

Paul Ducklin: [0:24:23] Another good example of why it's hard to blame individuals for making mistakes that, with hindsight, are obvious is that frequently, what the crooks are trying to do is to get one or more people inside a company to do the kind of things that they do day after day after day and sort of get into trouble if they don't because it's their job. For example, if you work in an HR department, part of your job almost certainly - particularly in a medium or larger-sized company - part of your job is - will be receiving, if you like, unsolicited job applications where people have just seen something on your website. They're sending you a CV, a resume. It's in a .doc file. It's in a PDF file. You're opening it. You're having a look. No, this person isn't suitable. Put them on file. And there's a process that you're expected to go through. In the same way that if you're in accounts, you can't remember every single person who's offering to pay a bill or who's asking you to pay an account that's due, or the...

Carole Theriault: [0:25:21] Exactly.

Paul Ducklin: [0:25:22] You're just getting this flow of stuff. And you're used to a particular style, probably quite a clipped, jargon-rich style, by which accountants in two different companies communicate with one another. Here's the latest invoice. Oh, sorry, I haven't got back. Can you send this again? Et cetera, et cetera. So this thing about, oh, don't open attachments if you're not exactly sure who they're from, for many companies, that would pretty much run you out of business, wouldn't it? Because...

Carole Theriault: [0:25:47] (Laughter) Exactly.

Paul Ducklin: [0:25:48] ...Because you get new business - you get that by responding to emails from people who've come to you, saying...

Carole Theriault: [0:25:53] Unsolicited email. Right. Right.

Paul Ducklin: [0:25:55] ...Hey, can you help me? I'm looking to spend some money.

Carole Theriault: [0:25:58] Yeah. Yeah.

Paul Ducklin: [0:25:59] And here's a spreadsheet with a list of the parts that I'd like to order or the services that I want.

Carole Theriault: [0:26:03] I have one last question for you. And I want you to put hand on heart. Do you think it's worth companies trying to train employees to spot these type of attacks, or do you think it's maybe not the best resource or spend on money because there's so many different types of attacks?

Paul Ducklin: [0:26:20] My answer is sort of half-subjective, half-objective because, you know, I work for Sophos. We have a product called Phish Threat, which does exactly that. It helps you, if you, like, train your staff by putting them to the test by generating realistic-looking but not legit emails. In other words, you deliberately put in some things that they could have spotted. And provided that you don't, you know, sack any party who fails instantly, and you treat the results with some compassion, my theory about that kind of thing is that if you're not testing your employees and helping them to learn, then, by golly, the crooks surely are.

Carole Theriault: [0:26:56] Yeah.

Paul Ducklin: [0:26:56] But for me, for example, probably anywhere from one to 20 times a day, I'm getting emails that are sometimes very obviously bogus. But occasionally, I go, oh - oh, hang on. No. That's not somebody I know. That's not an email I'm expecting. I'm not going to open that. If you're not showing your staff the kind of things that could happen and how they can help you defend against it, then, like I said, the crooks are testing them any number of times a day.

Carole Theriault: [0:27:23] I suppose they're sitting ducks in a way, actually. Right?

Paul Ducklin: [0:27:25] (Laughter).

Carole Theriault: [0:27:28] (Laughter) Duck, as always, fantastic interview. Thank you so, so much.

Paul Ducklin: [0:27:32] Pleasure, Carole.

Dave Bittner: [0:27:33] All right. Our thanks to Carole Theriault and Paul Ducklin for taking the time for us. Joe, what do you make of that?

Joe Carrigan: [0:27:39] I like that interview a lot. My takeaway is - I've said this on - before on this podcast - is that the very first thing someone's going to try to do when they're trying to breach your organization is do reconnaissance. And what Paul said is that the very first thing they're going to use to get that reconnaissance is their social engineering skills. So it's like the very starting point of an attack. And they're going to gather information incrementally, so it doesn't matter how small the information you give away is. It's useful to the attacker.

Dave Bittner: [0:28:08] Yeah. It's a really good point. And then, along with that, the point that they make about how, you know, we tell people, never click on things; don't open files - well, that's just - that's simply not practical for a lot of basic business functions.

Joe Carrigan: [0:28:19] That's right. And particularly, he calls out the organizations like human resources, accounts receivable and accounts payable.

Dave Bittner: [0:28:26] Right.

Joe Carrigan: [0:28:26] And these are all high-value targets because they have something that's very, very valuable to attackers. They either have personal records, or they have money.

Dave Bittner: [0:28:33] Yeah.

Joe Carrigan: [0:28:34] You know?

Dave Bittner: [0:28:34] All right. Well, again, thanks to Carole Theriault. Please check her out on the "Smashing Security" podcast. She's got a co-host there. Can't remember his name. Do you remember who the co-host is in that?

Joe Carrigan: [0:28:42] Graham Cooley (ph).

Dave Bittner: [0:28:43] Oh, yeah. Right. Right. Graham Cluley. Right, right, right, right.

Joe Carrigan: [0:28:46] (Laughter) Cluley.

Dave Bittner: [0:28:46] Cluley. Yeah.

Joe Carrigan: [0:28:46] Did I say Cooley? I said...

Dave Bittner: [0:28:47] No, it's Cluley. Yeah.

Joe Carrigan: [0:28:49] Cluley.

Dave Bittner: [0:28:49] Yeah. Good guy, I heard. I - yeah. Though - anyway, (laughter) that is our podcast. So thanks for listening. And thanks as always to KnowBe4 for sponsoring our show. For help inoculating your organization's employees against social engineering with their new-school security awareness training, talk to KnowBe4. And be sure to sign up for their Cyberheist News at knowbe4.com/news. That's knowbe4.com/news. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.

Dave Bittner: [0:29:27] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [0:29:44] And I'm Joe Carrigan.

Dave Bittner: [0:29:45] Thanks for listening.