Positive pretexting on the rise
Rachel Tobac: [00:00:00] SMS two-factor is OK, but I always recommend that we try and deploy something like Duo, Google Authenticator or something a little bit more tokenized.
Dave Bittner: [00:00:08] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:28] Hi, Dave.
Dave Bittner: [00:00:28] We've got some interesting stories to share this week. And later in the show, we welcome back Rachel Tobac. She's from SocialProof Security. Great to have her back. We're going to check in on the latest social engineering trends that she's tracking.
Dave Bittner: [00:00:40] But first, a word from our sponsors at KnowBe4 - so what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.
Dave Bittner: [00:01:13] And we are back. Joe, why don't you kick things off for us this week?
Joe Carrigan: [00:01:15] Dave, I got a story from my personal life.
Dave Bittner: [00:01:17] OK.
Joe Carrigan: [00:01:18] My wife called me last week...
Dave Bittner: [00:01:19] Yeah.
Joe Carrigan: [00:01:20] ...At work.
Dave Bittner: [00:01:20] Yeah.
Joe Carrigan: [00:01:20] And she said, has your Facebook account been hacked? You know the fear that goes through a security professional's head when someone they know and love calls them up and asks them that question?
Dave Bittner: [00:01:30] (Laughter) As a matter of fact, I do, yes.
Joe Carrigan: [00:01:33] (Laughter).
Dave Bittner: [00:01:33] I am familiar with that. So what went through your head?
Joe Carrigan: [00:01:37] I was being like, oh, dear God, what has happened?
Dave Bittner: [00:01:39] Yeah.
Joe Carrigan: [00:01:40] A friend sent her some Facebook instant messages that said she had seen a lot of strange activity coming from my account.
Dave Bittner: [00:01:45] OK.
Joe Carrigan: [00:01:46] That my account had been posting strange links on her page.
Dave Bittner: [00:01:48] OK.
Joe Carrigan: [00:01:49] And that the posts were just links.
Dave Bittner: [00:01:51] OK.
Joe Carrigan: [00:01:51] And right away I'm thinking, man, this does sound like somebody's impersonating my account. So, immediately, I go to my timeline and I check my activity. My timeline looks normal. I don't see anything out of place. So I'm like, OK, so nobody has access to my account. But...
Dave Bittner: [00:02:04] Now, let me just pause here for a second.
Joe Carrigan: [00:02:06] Yep.
Dave Bittner: [00:02:06] Do you have multifactor on your Facebook account?
Joe Carrigan: [00:02:09] I do, yeah.
Dave Bittner: [00:02:10] OK. All right, so nothing unusual there. You didn't get any notifications or anything?
Joe Carrigan: [00:02:14] No, I didn't get any notifications or anything.
Dave Bittner: [00:02:15] OK.
Joe Carrigan: [00:02:16] Multifactor won't help you if somebody has cloned your account, and that's the first thing I'm thinking...
Dave Bittner: [00:02:20] Oh, I see.
Joe Carrigan: [00:02:21] ...Is somebody has cloned my account. After looking at my timeline and not seeing anything out of the ordinary and fearing that my account had been cloned, I said to my wife, do you have anything that points towards what she's saying? And she says, well, she sent me some screenshots.
Dave Bittner: [00:02:31] OK.
Joe Carrigan: [00:02:32] And she sends me the screenshots of these links, and I immediately recognize them. These are my posts. These are things I posted, right?
Dave Bittner: [00:02:39] (Laughter) OK. Right. Go on.
Joe Carrigan: [00:02:43] So here's what happened - the first status was about her teenage son working at a drive-thru.
Dave Bittner: [00:02:49] OK.
Joe Carrigan: [00:02:50] Right? And the picture is of her son handing them a bag of food. And the status reads, in part, hope he doesn't say love you to everybody that comes to this window.
Dave Bittner: [00:02:58] (Laughter).
Joe Carrigan: [00:02:59] Right? Which is funny because that's his parents. He said, love you.
Dave Bittner: [00:03:02] Oh, I see. Got you.
Joe Carrigan: [00:03:03] So I posted a link to a 12-second video from "Idiocracy," which is a Mike Judge movie. Mike Judge is one of my favorite media-producing people.
Dave Bittner: [00:03:11] Yeah, yeah, the humorist comedian. Yeah.
Joe Carrigan: [00:03:12] "King of the Hill." Yeah, I love his stuff.
Dave Bittner: [00:03:13] "Beavis and Butt-Head." Yeah.
Joe Carrigan: [00:03:15] Right.
Dave Bittner: [00:03:15] All kinds of good stuff, yeah.
Joe Carrigan: [00:03:16] Yep. "Idiocracy" was one of his greatest works. But there's a scene in there where the characters are walking into Costco, and the Costco greeter is telling everybody, welcome to Costco. I love you. Welcome to Costco. I love you.
Dave Bittner: [00:03:28] (Laughter) Yeah.
Joe Carrigan: [00:03:28] And I posted that video - right? - because I thought it was germane to the posting where she said her son handed her the food and said, I love you. All I did was post the video. So the next post she had that I commented on was about Ovi O's, which is a new cereal featuring Alexander Ovechkin, who is a hockey player for the Washington Capitals.
Dave Bittner: [00:03:44] OK.
Joe Carrigan: [00:03:45] You're a big Washington Capitals fan.
Dave Bittner: [00:03:46] This is a real thing?
Joe Carrigan: [00:03:47] This is a real thing, apparently.
Dave Bittner: [00:03:48] (Laughter) OK.
Joe Carrigan: [00:03:48] I posted a link to a video from this puppet show on YouTube that I love watching called "Glove and Boots."
Dave Bittner: [00:03:54] Oh, yeah. I'm familiar with that.
Joe Carrigan: [00:03:56] I don't know why I love watching "Glove and Boots," but I do.
Dave Bittner: [00:03:58] Well, they're funny.
Joe Carrigan: [00:03:58] They're funny.
Dave Bittner: [00:03:59] Yeah.
Joe Carrigan: [00:03:59] They're - in this video, they talk about how he looks like both a caveman and a vampire, and they even have registered the domain vampirecaveman.com.
Dave Bittner: [00:04:07] (Laughter) OK.
Joe Carrigan: [00:04:07] So I posted that link as well and a link to the segment of video where they start talking about registering vampirecaveman.com. Basically, my friend sees a bunch of activity for me on Facebook. And the truth of the matter is, I really don't use Facebook that much.
Dave Bittner: [00:04:21] OK.
Joe Carrigan: [00:04:21] It just so happened that I was on there, and her stuff shows up in my feed. And it immediately makes me think of something related.
Dave Bittner: [00:04:27] Right.
Joe Carrigan: [00:04:27] And I just started posting the things that were related.
Dave Bittner: [00:04:29] You're inspired, yeah.
Joe Carrigan: [00:04:30] Right.
Dave Bittner: [00:04:30] OK.
Joe Carrigan: [00:04:31] But she notices - hey, Joe doesn't really comment on my stuff. All of these comments are just links, and there's three of them. So immediately, she calls my wife, and she says, has Joe's account been pwned (ph). Now, I called her back personally. I said, I want to let you know that those are links from me, that I did post those. They're all safe to click. It's fine. But she didn't click on any of them.
Dave Bittner: [00:04:53] Oh.
Joe Carrigan: [00:04:54] Because they all looked weird to her.
Dave Bittner: [00:04:55] OK.
Joe Carrigan: [00:04:56] It didn't add up. Immediately, it didn't add up to her. It's like, here's somebody who's not really active on Facebook. All of a sudden, he's active on Facebook, and he's posting a bunch of links. Let me check not with him, but with somebody who knows him, right?
Dave Bittner: [00:05:08] Oh, that's all good. That's all good.
Joe Carrigan: [00:05:10] Yeah, exactly. Exactly. As an abundance of caution - turned out to be a false alarm. But what I said to her was - I said, you know what? I'd rather that you'd have done what you did than for you to click on a malicious link that somebody who cloned my account is posting on your Facebook page.
Dave Bittner: [00:05:23] So happy ending?
Joe Carrigan: [00:05:24] Yes.
Dave Bittner: [00:05:25] Other than the revelation that this woman had - what a weirdo you are. But...
Joe Carrigan: [00:05:29] (Laughter) She is well aware of what a weirdo I am.
Dave Bittner: [00:05:32] She has your...
Joe Carrigan: [00:05:32] We've known each other since college.
Dave Bittner: [00:05:34] Ah, I see. Say no more. All right.
Joe Carrigan: [00:05:36] (Laughter) Right.
Dave Bittner: [00:05:36] Very good. My story this week actually comes from Australia. And I'm going to not do an Australian accent...
Joe Carrigan: [00:05:44] Aw.
Dave Bittner: [00:05:44] ...Out of respect for all of our Australian listeners, some of whom are doing things like driving cars while we do this podcast, and I don't want them to drive off the road.
Joe Carrigan: [00:05:52] (Laughter).
Dave Bittner: [00:05:53] This is from CRN, which is an Australian website here. It's an article by a gentleman named Brendon Foye, and it's titled "IT Suppliers Forced to Close After Procurement Scam." So evidently, this is floating around in Australia, targeting some people there. But I think this is universal enough that it's worth mentioning. There's no reason why it couldn't happen here. So in this particular case, they're calling this the freight forwarding scam. And the criminals send out emails, and they target small to medium-sized businesses who are supplying IT stuff. So think, like, hard drives and maybe some servers, some, you know, Wi-Fi devices, ethernet cables - those sorts of things.
Dave Bittner: [00:06:39] And so they target them, and what they do is they pretend to be from a large organization like a university or a large corporation. So they spoof the domains. They spoof the emails. They go so far as to spoof signatures of actual executives from places like universities or large corporations. And they put in for large purchases of things like hard drives, let's say.
Joe Carrigan: [00:07:03] Right.
Dave Bittner: [00:07:03] But what they do is they request credit. So not long credit - they say, we only need 14 days' credit, maybe 30 days. And that's not an unusual request.
Joe Carrigan: [00:07:15] No, it is not.
Dave Bittner: [00:07:15] I have to say, you know, what - back in the - my previous life, when I ran my own small business, it wasn't unusual to request credit or grant credit, especially for something short like that. The other thing I can see is that if you're a small or medium-sized business and you get a sizable order from a well-known organization, that could be a good day for you.
Joe Carrigan: [00:07:38] Yeah, absolutely.
Dave Bittner: [00:07:38] An exciting day. You know, hey, we're going on vacation this year, honey (laughter).
Joe Carrigan: [00:07:44] Right.
Dave Bittner: [00:07:44] You know? So what happens is they get granted the credit, and they ultimately pay with stolen credit cards, or they request more credit. And they have the devices shipped to a third-party distribution company, and then that distribution company ships everything overseas. So the distribution company has a legitimate local address.
Joe Carrigan: [00:08:05] Right. So they're an exporter...
Dave Bittner: [00:08:06] Yeah.
Joe Carrigan: [00:08:06] ...This distribution company.
Dave Bittner: [00:08:07] Then it gets shipped out and - never to be seen again. The payments get made with stolen credit cards, or they get the credit extended. And ultimately, what happens is these small to medium-sized businesses that sent out the merchandise...
Joe Carrigan: [00:08:21] Right. They're still on the hook to pay their suppliers.
Dave Bittner: [00:08:22] Right. And they're out the money. And according to this story, the average losses have been between $30,000 and $100,000.
Joe Carrigan: [00:08:30] Jeez.
Dave Bittner: [00:08:31] And the largest was $175,000. And several businesses have actually gone out of business because they haven't been able to absorb this kind of hit.
Joe Carrigan: [00:08:40] We saw this with other hacks as well. When I do talks about security, I say, tell me some big breaches that we hear - that we've heard about. And I always say, nobody ever mentions the Broadway Grill, which was - I can't remember. It was out west somewhere. But they were a small, like, deli that was attacked by Roman Seleznev, the carder.
Dave Bittner: [00:09:00] Yeah.
Joe Carrigan: [00:09:00] The guy who had all that card - this is not a social engineering attack; it was actually hacking in. That company went out of business because they were hacked as well. And these are small to medium-sized businesses that are being targeted. They're being targeted because they don't have the resources to have a full-blown security operation.
Dave Bittner: [00:09:17] Right. And then, also, I imagine - like we were saying - you could imagine somebody getting excited about...
Joe Carrigan: [00:09:22] Right.
Dave Bittner: [00:09:22] ...Making that big sale.
Joe Carrigan: [00:09:23] Absolutely.
Dave Bittner: [00:09:24] They don't want anything to get in the way of that.
Joe Carrigan: [00:09:26] Right.
Dave Bittner: [00:09:27] You know, let's get this sale through.
Joe Carrigan: [00:09:28] This could be - this is a $100,000 sale. This is going to make our month.
Dave Bittner: [00:09:31] Right.
Joe Carrigan: [00:09:31] We're doing great.
Dave Bittner: [00:09:32] Right. Exactly.
Joe Carrigan: [00:09:33] Right.
Dave Bittner: [00:09:34] I suppose - I mean, ways to protect yourself against this - you could be insured against this sort of thing, I would imagine.
Joe Carrigan: [00:09:39] You could. You could do a little bit of vetting. You know, you could place a phone call to the organization and ask to speak to the person. Tell them that you're from this company.
Dave Bittner: [00:09:46] Right.
Joe Carrigan: [00:09:46] And that, you know, they should know who you are. And if you don't...
Dave Bittner: [00:09:49] Not the phone number they provide.
Joe Carrigan: [00:09:51] Right. Look them up.
Dave Bittner: [00:09:52] Right.
Joe Carrigan: [00:09:52] Look them up. Verify it. Have your sales organization do that.
Dave Bittner: [00:09:55] I think it's a cautionary tale. If you're someone who's doing this kind of business, just take an extra step.
Joe Carrigan: [00:10:00] Yeah, be proactive.
Dave Bittner: [00:10:01] Yeah. Make sure you're covered for these sort of losses. Talk to your insurance folks, and see what it would cost to be covered for this sort of thing. But then, also, just slow down, like we say.
Joe Carrigan: [00:10:11] Exactly. Slow down.
Dave Bittner: [00:10:12] Make those extra calls.
Joe Carrigan: [00:10:13] And if something seems too good to be true, it probably is. You know, if you've never gone out and solicited something from a large university, how would they know that you exist and why would they be writing you and immediately asking to purchase large quantities of equipment?
Dave Bittner: [00:10:26] Yeah. All right. Well, that is my story this week. It is time to move on to our Catch of the Day.
[00:10:30] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:10:33] Joe, our Catch of the Day this week - this is making the rounds. This is from a gentleman named Dave Holmes. He is a writer and comedian. He's based out of LA. And he received a scam call from someone pretending to be the IRS, which is something we've talked about here before.
Joe Carrigan: [00:10:51] Happens a lot.
Dave Bittner: [00:10:52] Yeah. And Dave has a background in improvisational comedy.
Joe Carrigan: [00:10:57] Ha-ha-ha.
Dave Bittner: [00:10:57] So he was able to string them along. I'll just set it up here, and I will play the part of Dave, and you can be the person from the IRS. Dave starts out this series of messages - he says, I just got targeted by the laziest, shoddiest grifters I have ever come across in my life, and, boy, did I enjoy it. I was coming out of the gym, disoriented and exhausted, and there was a VM from a number in Maryland.
Joe Carrigan: [00:11:21] Huh.
Dave Bittner: [00:11:22] I listened and it said...
Joe Carrigan: [00:11:23] This is a final notice from the IRS.
Dave Bittner: [00:11:26] I called back because I get stupid after a workout, and I thought, this might be real. I should take it easy, maybe. Anyway, a very stern person answered the phone and spoke very quickly.
Joe Carrigan: [00:11:37] This is in reference to your audit in 2008.
Dave Bittner: [00:11:40] Which actually happened. I owed zero. He continued...
Joe Carrigan: [00:11:43] There is a warrant for your arrest. You face five years in federal prison, and we have cancelled your driver's license. You owe $5,273. We sent a letter to your home in October, and nobody was there to receive it. But we left the slip, and you never called back. This tells us that you were trying to run away. Are you able to pay this money in full today?
Dave Bittner: [00:12:05] I'll need to talk to my tax preparer. They said they were going to put me on hold and then hung up on me. But I had their number, a 20-minute drive ahead of me, and I do improv. So I called back in tears.
Dave Bittner: [00:12:17] I was on the phone with one of your agents, and I got disconnected. I cannot go to prison. Please, help. I have my credit card out, but my hands are shaking too terribly for me to read it. What do I do? Please, help me. The agent on the phone, a man with a very thick Indian accent, whose name was Officer Eric Johnson, said he could not take my card.
Dave Bittner: [00:12:38] Then what am I to do, Officer Johnson? If I owe money, I want to make it right immediately. I cannot go to prison. I cannot. I have a family. I have a job. I'm going to be pulled over and arrested.
Dave Bittner: [00:12:49] Officer Johnson revealed that this was a strong possibility. What the IRS needed me to do was go to a bank and withdraw $5,300 in cash and stay on the phone with him while I did it. I agreed. I said, still crying, I'm a five-minute drive from the bank with a drive-through, but I'm driving as fast as I can.
Dave Bittner: [00:13:09] We stayed on the line together for that whole five-minute drive, me and Officer Johnson. I asked how long he'd been at the IRS. He said...
Joe Carrigan: [00:13:16] Eight years.
Dave Bittner: [00:13:17] I asked what he did before that and how he likes the IRS. He said...
Joe Carrigan: [00:13:21] Mr. Holmes, I am busy doing your paperwork.
Dave Bittner: [00:13:24] I said, of course, of course. I told him I was pulling up to the ATM to withdraw the money, and he said...
Joe Carrigan: [00:13:29] You can't withdraw that much money from an ATM. You have to go in.
Dave Bittner: [00:13:33] I'm going to be honest with you here. That was news to me, but it makes sense now that I think about it. So I pretended to go into the bank. I open and close my car door, improvised the whole transaction with a teller voice - thank you - the whole nine yards. I returned to the car, and I said, Officer Johnson, I have $5,300 in a paper bag. Tell me what to do next.
Joe Carrigan: [00:13:53] Hold on.
Dave Bittner: [00:13:55] He put me on hold, during which, I would imagine, there was a 30-second grifter office party.
Joe Carrigan: [00:13:59] (Laughter).
Dave Bittner: [00:14:01] I was then transferred to his boss, an agent with the same access, who identified herself only as Officer Debbie. Officer Debbie told me I needed to go to Bank of America to deposit the cash into an account whose number they would give me. Officer Debbie then put me on hold. I was then transferred to a guy who announced himself simply as Agent Paul. Agent Paul was going to give me the account information. I said, fire away. He gave me an account and routing numbers into which to deposit my money. The name on the account...
Joe Carrigan: [00:14:30] Jack Milton.
Dave Bittner: [00:14:31] I said, I'll be sure to tell the teller it's for the IRS so that he or she is extra careful with the numbers and whatnot. He said...
Joe Carrigan: [00:14:38] You are not allowed to do that. This is a federal case, and talking about it is illegal.
Dave Bittner: [00:14:44] I said, that makes perfect sense. I want to make sure we don't get disconnected so here's what I'm going to do. I'm going to keep the Bluetooth connected, leave the phone in the car, and keep the car running in the parking lot while I do this. Agent Paul said...
Joe Carrigan: [00:14:56] I don't think you should do that.
Dave Bittner: [00:14:57] I said, Bluetooth gets weird, though. He couldn't really argue with that. So I thanked Agent Paul, told him how crisp and professional Officers Johnson and Debbie had been, and went into the bank to transact. I opened and closed the car door, thought long and hard about a car-theft plot twist with all new characters, but I was close to where I was going. I opened and closed the door again. And I said, I've done it. I have my receipt. May I read it to you? Agent Paul said, with enthusiasm and relief...
Joe Carrigan: [00:15:23] You did? And no, I don't need to read what's on the receipt.
Dave Bittner: [00:15:27] And then I passed my destination and decided to drive around for a minute. I said, please let me read it to you. It says, this is the worst, sloppiest, saddest attempt at a con I have ever experienced, and you should be ashamed. You are bad at grifting, and you should stop it. I hope you never get another good night's sleep, not because you are bad, but because you are terrible at being a con artist.
Joe Carrigan: [00:15:50] (Laughter).
Dave Bittner: [00:15:51] And somewhere out there, someone better is going to con you, and you're too dumb to see it coming. Go [expletive] yourself. Agent Paul - I swear - said...
Joe Carrigan: [00:16:02] Please, accept my apologies.
Dave Bittner: [00:16:03] And hung up the phone. I've thought about it, and I don't accept his apologies.
Joe Carrigan: [00:16:11] (Laughter).
Dave Bittner: [00:16:11] And that is our Catch of the Day. (Laughter). Hats off to Dave Holmes for writing this up. He's - as I said, he's a writer from - writer and comedian from LA - just fun stuff, top-notch stuff here. I don't know. Are there any real lessons to take away from this one, Joe?
Joe Carrigan: [00:16:27] Well, one of the things that's interesting in here is that he is called about an audit that happened in 2008...
Dave Bittner: [00:16:33] Mmm hmm.
Joe Carrigan: [00:16:33] ...Which did happen to him.
Dave Bittner: [00:16:34] Yeah.
Joe Carrigan: [00:16:36] I wonder if that's just a coincidence.
Dave Bittner: [00:16:37] That's a good question. 'Cause audits aren't on the public record or anything like that.
Joe Carrigan: [00:16:40] I don't think so.
Dave Bittner: [00:16:41] I don't believe they are.
Joe Carrigan: [00:16:42] Especially if you owe zero. I mean, you can get audited anytime. There are random audits that happen.
Dave Bittner: [00:16:46] Right.
Joe Carrigan: [00:16:47] A lot of them end this way, where the IRS goes, OK...
Dave Bittner: [00:16:50] Yeah.
Joe Carrigan: [00:16:50] ...That's fine.
Dave Bittner: [00:16:50] Something got flagged for some reason. You explain it to them, and they go, I see. We're good here.
Joe Carrigan: [00:16:53] Yep. Exactly.
Dave Bittner: [00:16:55] Coming up next, we have my interview with Rachel Tobac. Great to have her back on the show.
Dave Bittner: [00:17:00] But before we talk to her, a word from our sponsors at KnowBe4 - and now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course. But they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:17:55] And we are back. Joe, I had the pleasure of speaking once again with Rachel Tobac. She's from SocialProof Security, as you know. She is also, I believe, the three-time winner of the Social Engineering Capture the Flag at Defcon.
Joe Carrigan: [00:18:09] I believe she's a black badge holder.
Dave Bittner: [00:18:10] She is the reigning champion.
Joe Carrigan: [00:18:12] Yep.
Dave Bittner: [00:18:13] (Laughter) So someone who really knows her stuff. So it's a real treat to have her back on the show. Here's my conversation with Rachel Tobac.
Rachel Tobac: [00:18:20] I think last time we talked, we might have spoken a little bit about different pretexts, who social engineers pretend to be. And a big thing that we're seeing right now is that there's a huge uptick in reward-based pretexting. So what that means is, rather than saying in email something like, your package has been delayed, or your email has been locked, click here to reinstate access to your account - you know, something like that, that would be more of a fear-based pretext or a negative pretext - we're seeing a lot of really interesting positive pretexting coming through with phishing and vishing. Things like, you have new opportunities through your benefits at work. Or, hey, everybody at this company, you know, we all love this taco place down the street. Here is two free tacos for this Tuesday. Really interesting because it's not playing on a fear-based pretext that we see commonly, but it's really just reward-based.
Dave Bittner: [00:19:10] Has there been any techniques that you've seen that have fallen off the radar or fallen out of fashion, things that folks aren't using much anymore?
Rachel Tobac: [00:19:17] There's a lot of lazy attackers out there. Right? They just kind of want to spray everything out there and see who clicks. So you're still going to get your UPS tracking phishing emails. You're still going to get your lazy, you need to reinstate your access to your Capital One. That's just very relevant right now 'cause of the Capital One, (laughter)...
Dave Bittner: [00:19:33] (Laughter) Yeah.
Rachel Tobac: [00:19:33] ...The Capital One attack. Your Capital One card, something like that. But we are seeing some more creative pretexting. We're seeing a lot more spear-phishing, a lot more spear-vishing, as well. So people are actually taking the time to develop a strong pretext with a good background that you're going to fall for. And over time, the more politely paranoid you are, the more likely you are to report that, like a business email compromise attack. Those are very common, where, basically, you masquerade as the CEO or somebody in a high position of power, and you request something like, hey, we need 15 gift cards. Are you in the office today? They're for our clients - you know, something really typical like that.
Rachel Tobac: [00:20:08] And they're just going to spray that to people, hoping that people are going to say, of course, you know, you're the CEO. I want to get these to you. They're going to scratch off the back of, like, an Amazon or a Walgreens gift card, or iTunes gift card, and they're going to send that to you. And we actually have seen that the losses from those type of attacks have increased significantly, which either means that attackers are sending them and spraying them to more people, or people are falling for them more often. My guess is it's maybe a little bit of both. From 2017 to 2018, the FBI reported that there was a huge increase in these losses. So I think it was, like, $676 million, and it doubled to $1.3 billion in 2018.
Dave Bittner: [00:20:45] Wow. And there's really no way that law enforcement can keep up.
Rachel Tobac: [00:20:49] Absolutely. It's a huge challenge. It really comes down to creating that security-conscious culture at your company and making sure that people are likely to report that content.
Dave Bittner: [00:20:57] What are some of the top things that you recommend? When you're out speaking to organizations spreading the word about these things, what information do you have for them?
Rachel Tobac: [00:21:05] Well, the first thing that I always say is you have to have a combination of social engineering awareness, and you have to have your technical controls in place. You have to have both. You know, something like two-factor, Duo, Yubikeys. Those things are essential to make sure that you don't have account takeovers. And that's something that attackers are going to try for often. SMS two-factor is OK, but I always recommend that we try and move toward something like Duo, Google Authenticator, something a little bit more tokenized, like a Yubikey.
Rachel Tobac: [00:21:31] And then the next thing that I recommend is that people use what I like to call real-world two-factor, which basically just means that if somebody tries to call you or email you, you use the opposite method, a second factor, to confirm they are who they say they are. So let's say you email me. I give a call to you at the phone number that I already have on hand previously and just say, hey, just checking real quick to make sure that you sent me that email. It looked like something that I wasn't expecting. Or, hey, I just wanted to make sure that I can protect your account. Just making sure that email came from you. Something like that can really shut down those types of BEC, business email compromise emails, very, very quickly.
Dave Bittner: [00:22:09] And I guess imparting in your employees that it's OK to take those extra steps.
Rachel Tobac: [00:22:14] Yeah. Absolutely. I was just working with a law firm client about this, and they raised a really important question. They were saying, you know what? I have really, really important people that I work with on a daily basis. I can't just be constantly not, you know, thinking that they are who they say they are. Like, they're going to get upset with me. They're going to get frustrated with me. And I think that's a really important thing to think about. So instead of saying something like, you know what, I can't help you in this way, or shutting them down and saying, I have to do this, sorry, I can't help you like that, just saying something like, to make sure that I can protect your privacy, I'm going to give you a call back, something as simple as that.
Rachel Tobac: [00:22:49] You know, if you're working with a VIP client, they're going to say, they're thinking about protecting my privacy. Or, they're working to protect my account. And they're going to appreciate that, as opposed to saying something like, you know, I can't work with you like that, let me give you a call back. It's really just all about that phrasing. And once you have that script down, it feels more natural and helpful.
Dave Bittner: [00:23:06] So I know something that you are interested in is voting hacking and securing those systems. What sorts of things have you been working on there?
Rachel Tobac: [00:23:15] Yes. So last year, Harri Hursti at the Defcon Voting Village and his team taught me how to hack a voting machine, which I made a video for, and it got a lot of press. Which is really exciting to see, that people are starting to think about voting security. And what I did was I learned how to get admin access on an AccuVote TSX machine, which is used in 18 states. Eight of those are swing states, so things like Pennsylvania, Ohio, Florida.
Rachel Tobac: [00:23:38] And a lot of people say, OK, so you have admin access. What can you do? Admin access, if you are in the field, you basically know that you can do anything. You can change the ballot. You can update the tallies for the votes. You can basically disrupt or undermine our democracy. And so I've been doing a lot of research and reading a lot this past year to get ready for DEFCON and Voting Hacking Village, and I'm really excited. I've learned a lot from - one of the people that I follow is Matt Blaze. And some of the things that I've found from Matt Blaze is he's been doing a lot of research. He testified in front of Congress. And he basically found that there's a lot of different things we could do, but there's three things that he recommends for voting hacking, and that is paper ballots, risk-limiting audits and protecting the back-end systems.
Rachel Tobac: [00:24:20] And the things that I'm specifically focused on are more in terms of how to protect people in the voting system from falling for social engineering. And so it's less on the technical side, and it's more about, like, OK, someone's trying to disrupt or defame public officials, or they're trying to influence policy decisions or undermine our democracy. Like, what are all the ways that they could do that? Like, who would they target? And I've been doing a lot of research with teams about election services, ballot managers, county clerks. Like, how do the systems work and how would attackers try and target those systems?
Dave Bittner: [00:24:52] Examples of that as simple as folks sending out things on social media saying that, oh, the polls are going to close early today, or we got the results in; no need to come to the polls?
Rachel Tobac: [00:25:03] Absolutely. That's definitely one way to disrupt an election. And something that's on Twitter's mind - they have - it's, like, a new alert that shows that basically says, if there's content that they think is suspicious, trying to disrupt a vote, they slap an alert on top of it, and I think they actually take that content down pretty quickly. And then the other things that I have in mind are things like third-party IT support calling a county clerk or someone from the Board of Elections, like the clerk and recorder, and trying to get them to update their machines or download a malicious browser extension or something like that. And so that's something that I'm really passionate about, is making sure that those folks understand what their role is and how somebody might target them to disrupt the election.
Dave Bittner: [00:25:43] All right. Joe, what do you think?
Joe Carrigan: [00:25:44] I love hearing Rachel Tobac, anytime she talks. I'm a big fan of hers. I follow her on Twitter. You should, too. The voting hacking - I want to get right into that because I think that's probably the most important thing that is discussed in this interview for all of us. And yes, her point about being able to disassemble these electronic machines, this is a problem. If you are not concerned about these electronic voting machines, you really should be. One of our professors, Avi Rubin, has written a book called "Brave New Ballot" about these kind of machines, and they're absolutely, demonstrably not secure. The new system we now have in Maryland, actually, is a lot better. So in Maryland, what we have is, when you walk in, you get a paper ballot.
Dave Bittner: [00:26:22] Right.
Joe Carrigan: [00:26:22] And you mark that paper ballot clearly. So it's not like the Florida issue, where you have - you punch out chads or things. You have...
Dave Bittner: [00:26:28] (Laughter) Yeah, yeah.
Joe Carrigan: [00:26:28] You actually mark it clearly. They give you the pencil to mark it with. They give you the ballot. And then that ballot is tallied in a ballot box. There - on top of the ballot box, there is a reader that reads the ballot, and if the ballot is valid, it drops the ballot into the ballot box; if the ballot is invalid, it spits the ballot back out and says the voter didn't vote properly. It's great because you get the quick tally, so you can have your results fast, and the paper is preserved, and - this is important - everybody's ballots go into the same box. And that may not seem like it's important, but it is critically important to the process.
Dave Bittner: [00:27:05] So you don't lose a box of ballots or...
Joe Carrigan: [00:27:06] Right.
Dave Bittner: [00:27:07] ...Something like that. You can't be shuffling particular people to certain machines.
Joe Carrigan: [00:27:12] Exactly.
Dave Bittner: [00:27:13] Or their votes will end up in a certain box or anything like that. You got this...
Joe Carrigan: [00:27:16] And that box will get lost, right.
Dave Bittner: [00:27:17] Yeah, interesting. Yeah. What else from Rachel's interview?
Joe Carrigan: [00:27:20] I love that she's also concerned - back on - staying on elections, I love that she's concerned about the social engineering prospect of calling into, like, an elections board and saying, let's update the software on your computer. That terrifies me. As a freedom-loving American...
Dave Bittner: [00:27:33] (Laughter).
Joe Carrigan: [00:27:33] ...Who wants everybody's vote to count, I think that's absolutely a very astute observation on her part. Getting away from voting, going back to the new social engineering techniques, we're seeing these reward-based pretexts, where - you know, I'll tell you, here's another one that'll work on me - free tacos, right?
Dave Bittner: [00:27:50] (Laughter) Yeah.
Joe Carrigan: [00:27:52] What Rachel is saying here is that spear phishing - this is a more narrow phishing campaign.
Dave Bittner: [00:27:56] Right.
Joe Carrigan: [00:27:56] It may not exactly be spear phishing because, when you think spear phishing, you generally think going right after a certain individual.
Dave Bittner: [00:28:02] Yeah.
Joe Carrigan: [00:28:02] But it's certainly casting a much more narrow net, but with the hopes that that net will catch more people. I'm surprised that the gift card scam has increased so much that it doubled from 2017 to 2018. We're not talking about this enough, I don't think. Tell everybody you know. Nobody accepts valid forms of payment in gift cards.
Dave Bittner: [00:28:18] Well, it's good to see, too, that there's more awareness from the retailers.
Joe Carrigan: [00:28:22] Yeah.
Dave Bittner: [00:28:22] That they're educating the folks who are checking people out, ringing them up, saying, if someone comes through, here's some things you should ask them.
Joe Carrigan: [00:28:31] Right.
Dave Bittner: [00:28:31] Look out for them.
Joe Carrigan: [00:28:32] I really like what she calls real-world two-factor. That's a great term. You send me an email that says, hey, Joe, click on the link. I'm going to send you a text - this email from you? I'm going to send you a different means of communication, just like in our story today.
Dave Bittner: [00:28:46] All right. Well, again, thanks so much to Rachel Tobac for joining us. She is from SocialProof Security. And if you're heading out to DEFCON this year, be sure to stop by and say hello to her. I'm sure she would love to see you.
Dave Bittner: [00:28:57] And that is our show this week.
Dave Bittner: [00:28:59] We want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:29:14] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:22] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben, our editor is John Petrik, technical editor is Chris Russell, our staff writer is Tim Nodar, our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:40] And I'm Joe Carrigan.
Dave Bittner: [00:29:41] Thanks for listening.