The ultimate hacking tool.
Corin Imai: [00:00:00] We still have to want to protect our own data as individuals, but we still have to want to hold organizations that we hand our data to accountable.
Dave Bittner: [00:00:09] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:27] Hi, Dave.
Dave Bittner: [00:00:28] We've got some interesting stories to share this week. And later in the show, Carole Theriault returns with an interview with Corin Imai. She's a Senior Security Advisor at DomainTools. And she's going to tell us why phishing attacks remain so effective.
Dave Bittner: [00:00:40] But first, a word from our sponsors at KnowBe4. Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill - a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate, but you know what we mean. Stay with us, and in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training.
Dave Bittner: [00:01:20] And we are back. Joe, why don't you kick things off for us this week?
Joe Carrigan: [00:01:24] My story actually comes from Help Net Security. And Help Net Security published a good article on a report that came out of Proofpoint. And I wanted to open this up with a quote that comes from Kevin Epstein, who is the VP of threat operations for Proofpoint. "Cyber criminals are aggressively targeting people because sending fraudulent emails, stealing credentials and uploading malicious attachments to cloud applications is easier and far more profitable" - that's very important, profitable - "than creating an expensive and time-consuming exploit that has a high probability of failure." In other words, people are still the weakest link, and we're still being exploited, which is why we have this show.
Dave Bittner: [00:02:04] (Laughter) Yeah.
Joe Carrigan: [00:02:04] So I don't see this going away anytime soon. But this article talks about attacks on businesses and other organizations, and 99% of them still rely on some kind of human intervention, and that of course means that there is some kind of social engineering going on in there.
Dave Bittner: [00:02:18] Yeah.
Joe Carrigan: [00:02:19] And most of it is still phishing. So we spend a lot of time on this show talking about phishing, but the reason we do is because it's so prevalent, and it's so effective.
Dave Bittner: [00:02:28] Yeah, absolutely.
Joe Carrigan: [00:02:30] And there are some interesting stats in this article, and we'll put a link in the show notes. But it has a chart on the click rates for the 20 most successful phishing campaigns.
Dave Bittner: [00:02:40] All right.
Joe Carrigan: [00:02:40] All right.
Dave Bittner: [00:02:40] So before you read them off, I have not seen this chart.
Joe Carrigan: [00:02:43] All right.
Dave Bittner: [00:02:44] So let me guess. So what am I guessing here?
Joe Carrigan: [00:02:46] It is a...
Dave Bittner: [00:02:47] The - how often people click.
Joe Carrigan: [00:02:49] How often people click for a given campaign. Now, do you want some of the campaigns?
Dave Bittner: [00:02:53] Yeah, give me a...
Joe Carrigan: [00:02:54] OK.
Dave Bittner: [00:02:54] Just give me one example. I'll try to do my best.
Joe Carrigan: [00:02:56] So I'm going to eliminate the No. 1.
Dave Bittner: [00:02:59] OK.
Joe Carrigan: [00:02:59] We'll talk about No. 1 because I think it's an anomaly.
Dave Bittner: [00:03:01] OK.
Joe Carrigan: [00:03:02] It's called Brain Food.
Dave Bittner: [00:03:03] OK.
Joe Carrigan: [00:03:03] And it's also a botnet. But on the chart, the click rate is over 1.6 per message sent.
Dave Bittner: [00:03:08] OK.
Joe Carrigan: [00:03:09] So we'll eliminate that one.
Dave Bittner: [00:03:10] OK.
Joe Carrigan: [00:03:10] The next most popular one - you ready?
Dave Bittner: [00:03:12] Yeah.
Joe Carrigan: [00:03:13] ...Is Blackboard.
Dave Bittner: [00:03:14] Blackboard.
Joe Carrigan: [00:03:14] Blackboard phishing.
Dave Bittner: [00:03:16] OK.
Joe Carrigan: [00:03:16] Most effective, not popular.
Dave Bittner: [00:03:17] All right.
Joe Carrigan: [00:03:18] Effective. What do you think the rate of click is on this one?
Dave Bittner: [00:03:21] What is Blackboard?
Joe Carrigan: [00:03:22] Blackboard is an education platform. So we used it at Hopkins.
Dave Bittner: [00:03:26] Oh, OK.
Joe Carrigan: [00:03:26] And it's how teachers share information with their students. At Capitol Technology University, it's how they actually run all their distance education programs.
Dave Bittner: [00:03:34] I see. So I'm a student at someplace where they're teaching stuff, and they have online access to this.
Joe Carrigan: [00:03:39] Yep, Hopkins or Capitol.
Dave Bittner: [00:03:40] Lots of places use it.
Joe Carrigan: [00:03:41] Yep.
Dave Bittner: [00:03:41] So they'll send out something that pretends to be from this popular online service for educators.
Joe Carrigan: [00:03:47] Right.
Dave Bittner: [00:03:47] And how often do people fall for the bait?
Joe Carrigan: [00:03:50] Yep.
Dave Bittner: [00:03:52] Well, I'm going to say, based on what I know about advertising and marketing, which is about, I don't know - you're lucky if you get - I mean, it's phenomenally successful, I think, if you get, like, a 10% click-through. So I'm going to say 10%.
Joe Carrigan: [00:04:06] OK. This chart says that the Blackboard campaign gets more than 60% click-throughs. It gets 0.6 clicks for every email that's sent out.
Dave Bittner: [00:04:17] Get out.
Joe Carrigan: [00:04:17] That's what it says.
Dave Bittner: [00:04:18] Really?
Joe Carrigan: [00:04:19] Yeah.
Dave Bittner: [00:04:19] Wow.
Joe Carrigan: [00:04:20] Here's why I think that's the case. People don't usually view this as a threat factor - right? - because it's very specialized and targeted. You didn't even know what Blackboard was.
Dave Bittner: [00:04:29] No.
Joe Carrigan: [00:04:30] Yeah, I know what it is because I work in education. And actually, when I got my master's degree, I had to rely on Blackboard a lot.
Dave Bittner: [00:04:34] OK.
Joe Carrigan: [00:04:35] So I'm familiar with it. But students get these emails from these scammers saying, hey, log in to your Blackboard account. Of course, it's a credential harvesting thing.
Dave Bittner: [00:04:44] Right.
Joe Carrigan: [00:04:44] But the reason they fall for it and they click on it is because they get these emails frequently, right?
Dave Bittner: [00:04:49] Yeah. If you're a student, you're going to be getting stuff from Blackboard all the time.
Joe Carrigan: [00:04:52] Yeah. And if I...
Dave Bittner: [00:04:52] So it becomes a routine.
Joe Carrigan: [00:04:53] Right. And if I can impersonate your instructor and say, hey, the new things are up on Blackboard, here's a link to it, then I can easily see how these things would be so successful.
Dave Bittner: [00:05:03] Now, with something like Blackboard, how hard would it be for me to figure out who your instructor is?
Joe Carrigan: [00:05:08] That's a good question. I don't...
Dave Bittner: [00:05:09] I mean, just thinking about that.
Joe Carrigan: [00:05:10] Yeah, I'm just thinking about it.
Dave Bittner: [00:05:11] Is that publicly available?
Joe Carrigan: [00:05:12] It might be - from a student in the class that I know who's in it, right?
Dave Bittner: [00:05:15] Yeah. What else did they find here?
Joe Carrigan: [00:05:17] Some other really effective phishing campaigns that get the high click-through rates - Zoominfo.
Dave Bittner: [00:05:22] Oh, is that the conferencing...
Joe Carrigan: [00:05:24] Conference calling, yep.
Dave Bittner: [00:05:25] Conference calling, yep.
Joe Carrigan: [00:05:26] Here's one that kind of surprised me - AOL phishing.
Dave Bittner: [00:05:29] Really?
Joe Carrigan: [00:05:30] Yeah.
Dave Bittner: [00:05:31] You've been phished.
Joe Carrigan: [00:05:34] Right. OK. So there's another kind of scam in here - the Microsoft scam, right?
Dave Bittner: [00:05:38] Yeah.
Joe Carrigan: [00:05:38] Because Microsoft is now huge in businesses...
Dave Bittner: [00:05:42] Right.
Joe Carrigan: [00:05:42] ...With Office 365. So guess what percentage of these phishing campaigns are Microsoft's.
Dave Bittner: [00:05:48] What percentage are pretending to be Microsoft?
Joe Carrigan: [00:05:49] Correct.
Dave Bittner: [00:05:52] I don't know - half?
Joe Carrigan: [00:05:53] High - that's a little...
Dave Bittner: [00:05:54] That's a little high. OK, I went over. Darn.
Joe Carrigan: [00:05:56] It's a quarter. It's 1 in 4. One in 4 of these phishing campaigns is trying to impersonate Microsoft.
Dave Bittner: [00:06:01] Yeah, that makes sense.
Joe Carrigan: [00:06:02] Yeah, it does make some.
Dave Bittner: [00:06:04] OK, not too surprising.
Joe Carrigan: [00:06:06] So here's something that's interesting in this report. The top malware families over the past 18 months have consistently included banking Trojans, information-stealers and remote access tools and other nondestructive strains designed to remain there on the computer and continuously steal information. I would have expected ransomware to have been the most common threat vector here, right? But it's not; it's other types of things, like remote access tools. They're building botnets and collecting information, it looks like.
Dave Bittner: [00:06:34] Yeah, I guess if I can get your banking information without you knowing...
Joe Carrigan: [00:06:38] Right.
Dave Bittner: [00:06:38] ...There's a potential for a big jackpot.
Joe Carrigan: [00:06:41] Yep, absolutely.
Dave Bittner: [00:06:42] Yeah. Wow, that's interesting. All right. Well, we will definitely have a link in the show notes for that. My story this week - courtesy of the folks over at TechCrunch. This was written by Sarah Perez. And the article is titled "Dating App Maker Match Sued by FTC for Fraud." That's the Federal Trade Commission. And the FTC sued Match. They're the folks who do lots of dating sites like match.com. They do Tinder. They do OkCupid. They do Hinge.
Joe Carrigan: [00:07:10] Are all those Match products?
Dave Bittner: [00:07:12] They are all Match products. I think...
Joe Carrigan: [00:07:13] I had no idea.
Dave Bittner: [00:07:14] Well, I think they went on a bit of a buying spree at some point.
Joe Carrigan: [00:07:17] Ah, that makes sense.
Dave Bittner: [00:07:17] I think they were sort of top of the heap, and they went out and bought up a bunch of the other ones. So the FTC has come after them because they're saying that consumers aren't aware that 25% to 30% of Match registrations per day come from scammers. This is romance scams, phishing scams, fraudulent ads, extortion scams. They said during some months from 2013 to 2016, more than half of the communications taking place on Match were from accounts the company identified as fraudulent.
Joe Carrigan: [00:07:48] Really?
Dave Bittner: [00:07:49] OK, so that's bad enough.
Joe Carrigan: [00:07:52] That's really high, I would think.
Dave Bittner: [00:07:54] Yeah, but it gets worse.
Joe Carrigan: [00:07:55] Oh, boy. As these things often do.
Dave Bittner: [00:07:58] (Laughter) So - yeah. So what the FTC claims is that Match would send out alerts to users and say, hey, you got a message from somebody.
Joe Carrigan: [00:08:07] Right.
Dave Bittner: [00:08:08] But they would send that message out after they had already established that that somebody was fraudulent.
Joe Carrigan: [00:08:14] Really?
Dave Bittner: [00:08:14] Yeah. So the FTC is saying that Match was using these fraudulent accounts for their own profits.
Joe Carrigan: [00:08:21] To generate more traffic.
Dave Bittner: [00:08:22] To generate more traffic. But also, I think the way that some of these work is, like, you can sign up for a free account to sort of look around.
Joe Carrigan: [00:08:30] Right.
Dave Bittner: [00:08:30] But if you want to communicate with someone, then you have to pay.
Joe Carrigan: [00:08:33] Right.
Dave Bittner: [00:08:34] So if you start getting messages from people that say, I want to communicate with you, Joe, you handsome devil...
Joe Carrigan: [00:08:39] Ah, right.
Dave Bittner: [00:08:40] Then you're going to pull out your wallet, and you're going to pay and sign up for the service.
Joe Carrigan: [00:08:43] Right. When - after I've paid for the service, I'm going to see, oh, this account's been flagged as a spam account.
Dave Bittner: [00:08:48] Perhaps.
Joe Carrigan: [00:08:48] Maybe or maybe not.
Dave Bittner: [00:08:50] Well, that's what the FTC is trying to get at.
Joe Carrigan: [00:08:52] I see.
Dave Bittner: [00:08:53] They also said that Match is in violation of something called the Restore Online Shoppers' Confidence Act - ROSCA.
Joe Carrigan: [00:09:00] ROSCA.
Dave Bittner: [00:09:01] (Laughter) Which...
Joe Carrigan: [00:09:01] That's a great acronym there.
Dave Bittner: [00:09:03] Yeah. So what that is supposed to do is give customers a simple way to stop recurring charges.
Joe Carrigan: [00:09:09] OK.
Dave Bittner: [00:09:09] Because that's the way a lot of these online things get you, right?
Joe Carrigan: [00:09:12] Right, that's how they get you.
Dave Bittner: [00:09:13] They sign you up, and then you pay forever.
Joe Carrigan: [00:09:17] That's right.
Dave Bittner: [00:09:17] There's no way to unsubscribe.
Joe Carrigan: [00:09:18] It's like the gym (laughter).
Dave Bittner: [00:09:20] Yeah, it's like a gym membership. Right, absolutely. So what they're saying is that you had to go to something like six different pages to attempt to cancel your subscription. And even then, you weren't - wouldn't be sure that it had actually taken, that you'd actually done it.
Joe Carrigan: [00:09:34] Yeah, it sounds like it's easier just to cancel a credit card and get a new credit card (laughter).
Dave Bittner: [00:09:39] Right, exactly. Or you, yeah, use one of those temporary, burner card numbers.
Joe Carrigan: [00:09:43] Yeah, temporary credit card numbers.
Dave Bittner: [00:09:43] Yeah, yeah.
Joe Carrigan: [00:09:43] Those are great services if you can get one.
Dave Bittner: [00:09:45] So Match, of course, doesn't agree with any of this.
Joe Carrigan: [00:09:48] Of course.
Dave Bittner: [00:09:48] They say that they are fighting fraud, and they say that they handle 96% of fraudulent accounts within a day. So they're fighting back, and they're saying there's nothing to this. So we'll see where it goes, see how it plays its way out in court. But I suppose the reminder for our listeners is to be careful when you're using these sorts of things. Those messages that you get are likely to be from folks who may not exist.
Joe Carrigan: [00:10:13] Right.
Dave Bittner: [00:10:13] And it sounds like, according to the FTC anyway, they're convinced that some of these dating companies aren't necessarily on your side.
Joe Carrigan: [00:10:21] Right, yeah. Well, they're on the side of their own profits.
Dave Bittner: [00:10:23] Yeah.
Joe Carrigan: [00:10:23] That's where their corporate motivations lie.
Dave Bittner: [00:10:25] Right.
Joe Carrigan: [00:10:26] As well they should. I'm not saying that corporations are bad for profiting.
Dave Bittner: [00:10:30] No, but this seems...
Joe Carrigan: [00:10:30] That's what they're supposed to do.
Dave Bittner: [00:10:31] Yeah. This seems like a short-term gain, though, right? (Laughter).
Joe Carrigan: [00:10:33] Yeah, exactly. I agree with that 100%. You know, if I were running one of these things, I would be very interested in keeping my users safe and having a good reputation for doing that.
Dave Bittner: [00:10:43] That's right. So that is my story this week. Joe, it is time to move on to our Catch of the Day.
Joe Carrigan: [00:10:48] My favorite part of the show.
[00:10:49] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:10:53] Joe, our Catch of the Day comes to us courtesy of a listener over on Twitter. This letter comes straight from Buckingham Palace. It's from Mr. Edward Young. He is the private secretary to Her Majesty, the Queen Elizabeth II. It's labeled private and confidential, and it goes like this.
Dave Bittner: [00:11:09] (Reading) Dear Mr. Ridden, for the second time in the last 30 years, Her Majesty, the Queen Elizabeth II appeals to a certain number of people to save Great Britain's economy. As you know, the Brexit will happen quite quickly, and we have not reached a bilateral agreement with the European Union. To save and sustain the U.K.'s economy after Brexit, we must pay the European Union 19 billion pounds. We currently have more than 82% of money available, and we need to raise the rest until October 19, 2019. With indulgence, we appeal to you. If you can borrow the royal house with amounts between 450,000 and 2 million pounds, we will offer 30% interest for a period of three months and the possibility to become a member of the Royal Warrant Holders Association. By paying this amount to the European Union, we will be able to keep the economy and inflation exactly as it is for a minimum period of 10 years, and the future changes will not affect imports from EU countries.
Joe Carrigan: [00:12:05] (Laughter).
Dave Bittner: [00:12:06] (Reading) We want this letter to remain anonymous, as we do not wish the subject to go viral. This could affect the agreements we have in order to obtain the bilateral agreement. In order to be able to help us financially, please transfer the money to the bitcoin address that was attached to your letter. Once we receive the funds, we will send you another letter with the contract. The queen's warm good wishes to you all for your continuing success in the future. Yours sincerely, Edward Young, private secretary to Her Majesty the Queen, Elizabeth II.
Joe Carrigan: [00:12:37] I like how this letter is actually a physical letter that somebody got.
Dave Bittner: [00:12:40] Yeah, someone sent us - took a picture of this - this was delivered in the mail.
Joe Carrigan: [00:12:44] Right.
Dave Bittner: [00:12:45] Yeah.
Joe Carrigan: [00:12:45] And it's got a bitcoin address on it that you're supposed to send the money to.
Dave Bittner: [00:12:49] Right.
Joe Carrigan: [00:12:50] That's awesome.
Dave Bittner: [00:12:52] (Laughter) There's so much to love in this one.
Joe Carrigan: [00:12:54] Why wouldn't the crown want their money in real pounds?
Dave Bittner: [00:12:56] Well, you know - and the other thing, too - it's not like they have a lot of cash sitting around or any valuables, you know...
Joe Carrigan: [00:13:01] Right.
Dave Bittner: [00:13:03] ...Anything they could use as collateral to hold them over for a couple million pounds...
Joe Carrigan: [00:13:07] Right. I don't know.
Dave Bittner: [00:13:08] ...Vaults full of gold, diamonds.
Joe Carrigan: [00:13:10] Maybe those jewels are already encumbered with some other liens.
Dave Bittner: [00:13:13] It's possible.
Joe Carrigan: [00:13:14] I don't know.
Dave Bittner: [00:13:14] It's possible. It's up to us to bail them out.
Joe Carrigan: [00:13:16] I'm no expert in British finances.
Dave Bittner: [00:13:18] You know, I really wish I'd had this one when Graham was here.
Joe Carrigan: [00:13:20] Yeah, that would've been great.
Dave Bittner: [00:13:21] (Laughter).
Joe Carrigan: [00:13:23] Then he could've read it with a real accent.
Dave Bittner: [00:13:24] Well, you know, that's - what are you saying, Joe? Guys, you know, I am a...
Joe Carrigan: [00:13:28] I think your accent's great.
Dave Bittner: [00:13:29] I'm a master of dialects.
Joe Carrigan: [00:13:30] Yes.
Dave Bittner: [00:13:30] And that is our Catch of the Day. Coming up next - Carole Theriault returns. She's got an interview with Corin Imai. She's a senior security adviser at DomainTools. And she's going to explain why phishing attacks remain so effective.
Dave Bittner: [00:13:43] But first, a word from our sponsors at KnowBe4. And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing real-world proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly CyberHeist News. We read it, and we think you'll find it valuable, too. Sign up for CyberHeist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:14:49] And we are back. Joe, it's always great to have Carole Theriault return. She's got a really interesting interview this week. She speaks with Corin Imai. She is a Senior Security Advisor at DomainTools. And they're going to go over phishing attacks and why they remain so effective. Here's Carole Theriault.
Carole Theriault: [00:15:06] So, guys, I have a treat for you today. I'm speaking with Corin Imai.
Carole Theriault: [00:15:11] Is that how I say your name?
Corin Imai: [00:15:12] Yes.
Carole Theriault: [00:15:13] Perfect. I'm speaking with Corin Imai, senior security adviser at DomainTools. We hear all too often just how much malware is out there, from distributed denial-of-service attacks or ransomware, zero-day attacks. And I sometimes worry that we almost have information fatigue or information overload when it comes to these cyber nasties. So I wanted to speak with Corin on how she as a Senior Security Advisor at DomainTools avoids this feeling of there's just too much out there.
Corin Imai: [00:15:46] I don't think there is a way to avoid it. You know, I think that every day we consume a ton of information, whether it be from a research perspective or an investigative perspective. But I think in order to narrow that down, you have to look at trusted sources, so whether that be, you know, NCSC and when they issue alerts to, you know, stateside we use US-CERT. But those can be a little bit late to attack information. They have really quality information and non-biased information on an attack, but they aren't the latest breaking to see if your organization is a part of something that might be happening in real time.
Corin Imai: [00:16:21] So there are sources like KrebsOnSecurity. We also leverage MSSP Alert. I know that's a very odd one to hear about, but their publication comes out with some pretty, you know, late breaking stuff pretty quickly. We also look at Twitter. I know that that's one that the industry uses. We have our friendlies on there that we trust the information that they're giving and then, of course, we validate it. And then the old-school way of doing things, you know, looking to IRC and then, you know, the new wave of that, which is being on Wickr and Signal to make sure that you are talking to the right folks on the right channels.
Carole Theriault: [00:16:55] Do you think - just as an aside, isn't it nuts in the last decade, I think - you know, I used to have to just basically monitor email and maybe SMS. And now we all have about a dozen to hundreds of vectors of news coming in. Maybe I'm getting old (laughter).
Corin Imai: [00:17:12] No, definitely not. Yeah. No. We have so many different avenues of consuming information. And it is wildly overwhelming - but, yeah, just knowing where you can have trusted sources, and if you're new to the industry - right? - trying to build those and reaching out to the right folks. And I think what we're seeing in the industry is this new wave of folks wanting to help, right? I think maybe ten years ago or so we were a very bullish group of folks that wanted to kind of keep our community our community and not allow new folks in. And I think what we're realizing is that as we become more welcoming, we actually are welcoming some really stellar security researchers, as well as investigators and folks to the industry.
Carole Theriault: [00:17:53] Well, I'm very pleased about that because the reason I asked you on the show is because I saw that you had conducted some research. And in this research, you said that you considered phishing to be the, quote, "ultimate tool for hacking" - unquote. And I hadn't ever heard anyone position phishing like this before. So I wondered if you could unpack that concept for me a little. Why is phishing an amazing tool for the malicious agents lurking in the perhaps darker corners of the internet?
Corin Imai: [00:18:25] It has persisted over most of our careers in the industry, and it has become kind of the number one vector. I think it was Verizon in their deep Data Breach Investigations Report. So each year, Verizon puts out this report, and it's pretty comprehensive in terms of what they cover. This specific report - I think it was that they analyzed more than 4,100 security incidents of which, you know, 2,000 or more of those were actually confirmed breaches. So they were able to take kind of this in-depth look at attack vectors leading into kind of more of that myopic look at how that happens. And I think that each year, we see that phishing is the top threat actor. And for the confirmed breaches, I think it involved - more than 30% of those were from phishing. And then more than 70% were the cyber espionage piece of that. So it's going to continue to kind of be the big plug that we have in the industry to protect against phishing attacks.
Carole Theriault: [00:19:22] So as I understand phishing, it seems to be mostly about trying to get personal information. And maybe you can tell us why is my personal information so valuable to a bad agent? What do they get out of that? What can they do with my information, my private, personal information?
Corin Imai: [00:19:40] Yeah, absolutely. I think it depends on what their motivation is. So if they're looking to harvest data, it might just be able to collect and classify that data for later use. Or it might just be that they are essentially hoarding data for the potential to say that they have a significant amount of data. So we see, you know, nation states doing that a lot. Or if they're looking to leverage the specific data in nefarious things, they might be searching for key pieces like credentials to gain access to more systems or information.
Carole Theriault: [00:20:12] But is it ultimately about money? Is it to basically sell the information onwards or try to steal directly from the person whose information they've been able to get their hands on?
Corin Imai: [00:20:21] It can be a whole slew of motivating factors. I think, yes, money is definitely the number one motivation in terms of attacks and how we look at those. But I think even past that, we're seeing a lot of organizations be breached and the PII, you know, of the customers being exfiltrated over different avenues and that being just for the collection. We're not seeing it automatically used like we did a few years ago in terms of that data then being flipped and sold on the black market. We're seeing kind of this hold pattern where a breach happens, all of this data's exfiltrated and then there's no action of it or no action that we're seeing yet. So it just depends on what the motivating factor is. It depends on who those threat actors or those groups are and what their end goal is, which is very hard to predict.
Carole Theriault: [00:21:08] You know, sometimes I go to websites, and maybe I know that I'm only going to be there one time, and I give them bogus info or bogus PII info. God knows what they can get from the metadata that, you know, they might be collecting from me. But from, you know, from a point of view of putting in my name or an email address, I don't always put in the stuff that I use all the time - the addresses and, you know, my full name. So I'm imagining I'm not alone in that. And so this information that a bad actor can grab can't be always clean. How do they clean that data to make it useful?
Corin Imai: [00:21:42] It depends what they're looking for. So in a data exfiltration, they might just be looking for one specific person's records. They might just be looking for high-value target records. But they also might just be looking at the masses to be able to plug credentials or information in and get something back. So if we're talking about PII specifically - first name, last name, potentially address and an ID, all of those pieces - the value of that is to be able to go and register other accounts or do fraudulent things with that information. So it doesn't matter if it's true or false.
Corin Imai: [00:22:15] Eventually, what they'll be able to do is basically plug it in to a system that will spit all of these variations out and match them. It becomes a game, right? Most of this is for the fun of it, and it's fun to hunt, but it's also fun to see kind of these in the wild. Not that I condone bad behavior, but it is interesting to kind of see how different actors or groups are unpacking these massive datasets that they're exfiltrating - right? - because you are correct. A lot of folks are registering things not with their true first and last name. Or they're registering them with a bogus email account or those types of things. But what you'll start to see is they'll target organizations where you have to provide valid information. So we see this in a lot of the FSI or healthcare or those folks.
Carole Theriault: [00:23:06] Right. Because, obviously, if I have to fill in a tax return or if I'm going to the hospital or getting insurance or all those places, the information they will have on me will probably be up to date and accurate because, otherwise, I won't get the service I need. So are these sectors being increasingly targeted, do you think, because the data is so valuable?
Corin Imai: [00:23:28] Yeah, absolutely. We released some research in terms of HMRC and a phishing campaign that we were able to identify there. But, yeah, anything like tax records, anything from the healthcare sector or anything from the financial sector in terms of your credit or how that runs is going to be really high value because it does have to be validated. But it always is going to be a high-value target because the second they get a hold of that data, it is really hard, right? We're talking about, you know, having to lock down your - freeze your credit, things like putting on fraud alerts - right? - things that the majority of the population don't assume is the risk they're taking in sharing that PII.
Carole Theriault: [00:24:09] I rarely see it as the end user's fault, although they are the ones that pay the absolute biggest price if a third party or a company or, like, for example, the Equifax breach a few years ago, all that information getting hoovered out, you know, it's the individual that's hurt a lot by that because it's their Social Security number that's inflicted, as well as their home address, as well as their, you know, contact information.
Corin Imai: [00:24:33] Absolutely. I mean, we talk about this very often is where does the onus sit? Is that on the organization? Is that on the end user or consumer? Is that on the vendors in the industry to provide valuable and relatively well-priced tools that everyone has access to to make it a safer internet?
Corin Imai: [00:24:55] One of my former colleagues, Jon Pierce (ph), said to me once - and this was at the beginning of my career. He said, you know, you either participate in this world, or you don't. And that really stuck with me, and it has until now. But I think helping folks understand that is the job of vendors and is the job of any of these organizations that are consuming this PII, right? There's a large educational piece that we could be doing a better job with.
Carole Theriault: [00:25:19] You know, many of my friends and colleagues, when we talk about this issue - and I probably talk about it way too much, from their point of view (laughter) - but when I talk about this issue of PII and, you know, and privacy, they're like, Carole, come on. It's way too late now; they've got all our information. These hacks have happened. Our information is out there. So why should we worry about it now? You know, what's your response to that kind of attitude?
Corin Imai: [00:25:43] Unfortunately, yes. I am of the same wavelength that, yes, we probably have already succumbed to that. But I don't think that means that we stop, right? We still have to want to protect our own data as individuals, and we still have to want to hold organizations that we hand our data over to accountable.
Carole Theriault: [00:26:00] There's a lot of distrust these days in big organizations for very valid reasons. You know, everyone reads the headlines as to how we feel about the big internet giants that are out there and how they're handling our data. So thank you for doing what you do (laughter) and helping to educate us on how it works because we all want to be more mindful.
Corin Imai: [00:26:19] Wonderful. Yes.
Carole Theriault: [00:26:20] This was Corin Imai, senior security adviser at DomainTools. And of course, I'm Carole Theriault for "Hacking Humans."
Dave Bittner: [00:26:29] All right. Joe, what do you think?
Joe Carrigan: [00:26:30] Well, Dave, I want to say, I love it when my story on the show lines up with the interview so nicely.
Dave Bittner: [00:26:37] (Laughter) It's almost as if we planned it.
Joe Carrigan: [00:26:38] It is.
Dave Bittner: [00:26:38] And we did not.
Joe Carrigan: [00:26:39] Phishing is the ultimate tool for hacking.
Dave Bittner: [00:26:42] Yeah.
Joe Carrigan: [00:26:42] And it's persistent. And like I said earlier, it's just because it works. It's so effective. Money is the big motivator, overall. When I give a presentation on why people hack, I used to say, here's a list of reasons why people hack, and now what I say is - I used to say this list of reasons, but now I just say money, right? Because it's so profitable for these guys to do it. Well, I mean, not really incredibly profitable. I mean, there's more - in America, there are better ways to make money. But outside there might not be.
Dave Bittner: [00:27:08] Yeah.
Joe Carrigan: [00:27:08] Your data is valuable, no matter how innocuous you may think it is. Even if it's just a little piece of information, if these guys can automate the gathering of that information and then the organization of that information - which is relatively easy to do - then they can create a pretty valuable product that they can sell on the black market very quickly.
Dave Bittner: [00:27:26] Yeah, bundle it.
Joe Carrigan: [00:27:27] Right.
Dave Bittner: [00:27:28] And volume, volume, volume.
Joe Carrigan: [00:27:31] Volume - right. Like Spatula City (ph). You remember Collection 1? I think it was Troy Hunt that uncovered that or publicized it.
Dave Bittner: [00:27:37] Right.
Joe Carrigan: [00:27:37] But it was just a conglomeration of a huge number of previous breaches, and that had value. It was already known data, but the fact that somebody could have that much data in one place had value to other attackers. I like what Corin talks about here, that a lot of times it's used to create fraudulent accounts, right? So your information can be used to set up fraudulent accounts, and not just, like, bank accounts or credit card accounts, but, like, Facebook accounts, Twitter accounts.
Dave Bittner: [00:28:02] Pretending to be you.
Joe Carrigan: [00:28:03] Right. Those are a lot easier to set up with fake credentials than a bank account is and can be useful to these guys. I will say that Corin is right - some of this stuff is fun. And that's OK. I don't have a problem with that. And I think that the work that she's doing is good work and important work. The one thing I thought was interesting was, who is culpable for these data breaches? And I think that's something that needs to be looked at on a case-by-case basis.
Joe Carrigan: [00:28:24] If you are a user of, like, a healthcare portal, and your password to that healthcare portal is password, the vendor or your healthcare provider is not culpable (laughter) for the loss of your healthcare data, in my opinion. You did not pick a strong enough password. Now, if, however, that same portal has a vulnerability that allows somebody to circumvent the authentication and just get in the back end...
Dave Bittner: [00:28:47] Yeah.
Joe Carrigan: [00:28:47] ...And then they take your data, then the healthcare provider would be culpable, I think. I really think it depends on every single case, and you have to look at it individually.
Dave Bittner: [00:28:56] Yeah, it's interesting. Do you think there's any culpability to the folks for letting you use a weak password?
Joe Carrigan: [00:29:04] That's a good question.
Dave Bittner: [00:29:05] Yeah.
Joe Carrigan: [00:29:05] Maybe.
Dave Bittner: [00:29:05] (Laughter).
Joe Carrigan: [00:29:06] Maybe. But, you know, then we're like - you know, then we're at the same thing with the lawn mower. The reason we have that handle on our lawn mower is so we can't pick up the lawn mower and mow our hedges with it, you know.
Dave Bittner: [00:29:16] Yeah.
Joe Carrigan: [00:29:17] Because somebody did that and lost their fingers.
Dave Bittner: [00:29:19] Right.
Joe Carrigan: [00:29:19] You know.
Dave Bittner: [00:29:20] I don't know. I'm just thinking about a situation - like, I don't know if you've ever had to deal with an auto insurance company, where you get some damage to your car, and they'll come and they say, well, that quarter panel was previously scratched, and we're not going to fix anything that had previous damage.
Joe Carrigan: [00:29:34] Right.
Dave Bittner: [00:29:34] You know, those sorts of things.
Joe Carrigan: [00:29:35] Yes.
Dave Bittner: [00:29:35] And I could just see them saying, well, yes, we had a major breach, and we lost, you know, 100,000 people's data, but we went through and we found that your data was being protected by your weak password.
Joe Carrigan: [00:29:46] Oh, oh, OK.
Dave Bittner: [00:29:46] So everyone else we're going to compensate, but because you were using a weak password...
Joe Carrigan: [00:29:51] No, in that case, I wouldn't think that that would make the user culpable.
Dave Bittner: [00:29:54] Yeah.
Joe Carrigan: [00:29:54] I think the manner of breach is the important part.
Dave Bittner: [00:29:57] I see.
Joe Carrigan: [00:29:57] Circumventing the authentication and getting into the back end and dumping the database is a completely different attack than me going, Dave - username, Dave - password, password.
Dave Bittner: [00:30:07] Yeah. Will the insurance company pay me if someone breaks into my house when I left the front door open?
Joe Carrigan: [00:30:12] They actually will.
Dave Bittner: [00:30:12] (Laughter).
Joe Carrigan: [00:30:13] Because it's still a crime, right?
Dave Bittner: [00:30:16] Right.
Joe Carrigan: [00:30:16] I think it's actually still breaking and entering.
Dave Bittner: [00:30:18] Yeah, probably.
Joe Carrigan: [00:30:19] Or maybe it's just burglary. I mean, it's still burglary.
Dave Bittner: [00:30:22] Yeah, all right.
Joe Carrigan: [00:30:22] That much is certain. But I don't know if it's breaking and entering.
Dave Bittner: [00:30:24] And that is our podcast. We want to thank all of you for listening.
Dave Bittner: [00:30:26] And of course, we want to thank our sponsors, KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their CyberHeist News at knowbe4.com/news. Think of KnowBe4 for your security training.
Dave Bittner: [00:30:44] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:30:51] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:31:06] And I'm Joe Carrigan.
Dave Bittner: [00:31:07] Thanks for listening.