Hacking Humans 12.12.19
Ep 77 | 12.12.19

If you didn't ask for it don't install it.

Karl Sigler: [00:00:00] Whenever you have a lot of commerce going on, a lot of electronic transactions, credit card usage, it's bound to attract thieves. 

Dave Bittner: [00:00:07]  Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, the phishing schemes, the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:26]  Hi, Dave. 

Dave Bittner: [00:00:27]  We've got some good stories to share this week. And later in the show, my conversation with Karl Sigler from Trustwave. Karl's going to be discussing how consumers can stay safe during the holiday season. 

Dave Bittner: [00:00:37]  But first, a word from our sponsors at KnowBe4. Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill, a few hours of PowerPoint in the staff breakroom. Refreshments in the form of sugary doughnuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate, but you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training. 

Dave Bittner: [00:01:17]  And we are back. Joe, I'm going to start things off for us this week. 

Joe Carrigan: [00:01:20]  All right. 

Dave Bittner: [00:01:21]  We've got a story - this is from KrebsOnSecurity, Brian Krebs' security online publication. And this is particularly relevant, I think, as we're coming towards the holidays. People are going to be doing a lot of traveling. That means they're going to be buying a lot of gas. 

Joe Carrigan: [00:01:36]  Yep. 

Dave Bittner: [00:01:36]  And that means they're going to be - most people, I would hazard to say, probably pay for their gas with some kind of a credit card. And this is a story about an interesting hack of a gas pump that involved not just a skimmer inside the pump, which we've talked about, and we'll dig into some of those details here. 

Joe Carrigan: [00:01:53]  Right. 

Dave Bittner: [00:01:53]  But this is a modification to the pump itself, where someone has installed a hidden camera above the display for the pump. So let me try to describe this to you. Imagine you walk up. You're facing your standard gas pump. Here in the U.S., generally, the top-most thing on any pump is a display. 

Joe Carrigan: [00:02:10]  Right. 

Dave Bittner: [00:02:11]  And that displays the number of gallons that you've purchased, and it displays the price per gallon. And depending on the sophistication of the pump, it can - some of them even show you commercials while you're pumping your gas, which is... 

Joe Carrigan: [00:02:22]  Right, yeah. 

Dave Bittner: [00:02:22]  ...Annoying. 

Joe Carrigan: [00:02:25]  Irritating. 

Dave Bittner: [00:02:25]  (Laughter) But in this case, the scammers have actually constructed out of wood, but they painted the wood black, so it sort of blends in with the black frame of this gas pump. It's just a strip of wood that goes across the top lip of the pump sort of above the display and blends in quite nicely. 

Joe Carrigan: [00:02:43]  Yeah, there's a picture of it in the article, and you can't really tell. It just looks like part of the bezel of the gas pump, if you will. 

Dave Bittner: [00:02:48]  Yes, it is well camouflaged. If you weren't looking for it... 

Joe Carrigan: [00:02:51]  You wouldn't see it. 

Dave Bittner: [00:02:52]  ...You would not see it at all. But within this strip of wood is a pinhole camera. Now, that's part of the scam. 

Joe Carrigan: [00:02:59]  Right. 

Dave Bittner: [00:02:59]  Also in the pump - somehow, they got access to the pump. And I say somehow. Evidently, the keys to these gas pumps are easy to buy online. 

Joe Carrigan: [00:03:08]  Right. 

Dave Bittner: [00:03:09]  So - and I guess they - it's sort of one of those things where they have a master key that works for all the pumps. 

Joe Carrigan: [00:03:14]  Right. 

Dave Bittner: [00:03:14]  That's my understanding of it. 

Joe Carrigan: [00:03:16]  Yeah, it's a very common problem with a lot of keys, actually. 

Dave Bittner: [00:03:18]  Yeah. So inside the pump, they've installed a Bluetooth skimmer. So it sort of inserts itself between the card-reading hardware on the pump, and it makes it so that the bad guys can drive up to the pump with a Bluetooth device - so a mobile device, a laptop, whatever, something that has Bluetooth - log in to the pump and download all of the data that this skimmer has gathered up from the card reader. 

Joe Carrigan: [00:03:45]  Right. 

Dave Bittner: [00:03:45]  Then they combine that with the video footage from the pinhole camera of people entering their PINs. 

Joe Carrigan: [00:03:55]  Or here in the U.S., their zip codes. 

Dave Bittner: [00:03:55]  Oh, yeah, right. Their zip code is - yeah, that's interesting. Never thought about that, yeah. 

Joe Carrigan: [00:03:58]  Because one of the things about PCI compliance is - PCI means payment card industry. 

Dave Bittner: [00:04:03]  Yeah. 

Joe Carrigan: [00:04:03]  And you notice that a few years ago, many, many merchants started having chip readers in their - what would be called chip-and-PIN in the EU. 

Dave Bittner: [00:04:12]  Right. 

Joe Carrigan: [00:04:12]  But here, it's just a chip. It just verifies the card is present. However, gas stations have been given an exemption from that, and they have a couple more years to get their chip readers in because of the massive quantities of devices they need to replace. You think about a gas station. A gas station has not just one point-of-sale system, but every pump has its own point-of-sale system... 

Dave Bittner: [00:04:31]  Right. 

Joe Carrigan: [00:04:32]  ...Right? So the capital investment is big, but as a workaround, the way they verify that the card is yours is they ask you for the zip code of your billing address. But you have to enter that in on your keypad, and that's what this camera's capturing. And it could get your PIN. Now, that's much more dangerous - right? - because if you have a debit card and they get your debit card and your PIN, they can go to an ATM, put a fake debit card in and draw money actually directly out of your account. 

Dave Bittner: [00:04:58]  Yeah, and that's one of the points that Brian Krebs makes in this story - is that you're really better off in a situation like this buying your gas with a credit card... 

Joe Carrigan: [00:05:06]  Yes, yes. 

Dave Bittner: [00:05:07]  ...Rather than a debit card because there are many more protections here in the States when it comes to credit cards and being able to get your money back than with a debit card. 

Joe Carrigan: [00:05:15]  Right. And that's not your money when you're using a credit card. You're using somebody else's, like, Capital One or Wells Fargo's money. And then you can dispute it through fraud reporting. 

Dave Bittner: [00:05:23]  I'll also add that when I go to buy gas, I have taken to using the gas station's app. So for example, we have a lot of Exxon stations around here... 

Joe Carrigan: [00:05:33]  Right. 

Dave Bittner: [00:05:33]  ...So they're convenient for me. And Exxon has a really good app. You drive up to the station. You open the app. It uses your location information, and it says, are you at this gas station? And you say, yes, I am. And it says, which pump are you at? And you put in the pump number, and it says, how would you like to pay for this? And in my case, I say Apple Pay... 

Joe Carrigan: [00:05:52]  Right. 

Dave Bittner: [00:05:52]  ...Which is an additional layer of security... 

Joe Carrigan: [00:05:54]  Yep. 

Dave Bittner: [00:05:54]  ...Because it's a tokenized payment system. 

Joe Carrigan: [00:05:57]  Absolutely. 

Dave Bittner: [00:05:57]  Very, very secure. And it says, all right, authorizing that pump. So I don't do any interaction with the pump at all. 

Joe Carrigan: [00:06:06]  That's awesome. 

Dave Bittner: [00:06:06]  I don't put a card in. I don't - it all happens through my phone, so I feel as though that's a higher level of security than otherwise. Would you agree? 

Joe Carrigan: [00:06:15]  I would agree, yeah. 

Dave Bittner: [00:06:20]  Yeah. So - and it's free. And I suppose there are some rewards that I earn from doing that. I haven't really checked into that. It's one of those - there are rare cases where an app has exceeded my expectations in ease of use and increased security. So good job, Exxon (laughter). 

Joe Carrigan: [00:06:30]  Very good. 

Dave Bittner: [00:06:31]  Yeah, yeah. But I guess the other option here is to pay in cash. 

Joe Carrigan: [00:06:36]  Yeah. I would never use my debit card at a gas pump. I would only pay in cash if I didn't have a credit card with me. But I do have credit cards. So that's really your option. You can either use a credit card or pay with cash. I would never use a debit card. 

Dave Bittner: [00:06:48]  Yeah. I was speaking to a local police officer here who's one of the police officers who helps people with fraud. And he says that he never pays for gas with anything other than cash. 

Joe Carrigan: [00:06:58]  Yeah. 

Dave Bittner: [00:06:59]  He also said, if you can, use the pump closest to the convenience store, closest to the person monitoring the station. 

Joe Carrigan: [00:07:06]  Right, closest to the human that could see it. 

Dave Bittner: [00:07:08]  Yep. 

Joe Carrigan: [00:07:08]  One of the things that's interesting about this is the risk for the bad guys in this case only exists when they're installing the hardware. After that, the risk is over. If they don't get caught when they're installing the hardware, they're never going to get caught. They just drive up, act like they're getting gas and probably paying with a stolen card anyway... 

Dave Bittner: [00:07:25]  (Laughter). 

Joe Carrigan: [00:07:25]  ...And download all the data and leave. 

Dave Bittner: [00:07:27]  When the pumps convert to chips... 

Joe Carrigan: [00:07:29]  Right. 

Dave Bittner: [00:07:30]  ...Is that going to - I mean, is that going to... 

Joe Carrigan: [00:07:31]  That's going to put a dent in this, yeah. 

Dave Bittner: [00:07:32]  Yeah. 

Joe Carrigan: [00:07:33]  Yep. 

Dave Bittner: [00:07:33]  OK, I suspect it would. Yeah, in the meantime, check out those apps. 

Joe Carrigan: [00:07:37]  Yep. 

Dave Bittner: [00:07:38]  All right. Well, that's my story this week. Joe, what do you have for us? 

Joe Carrigan: [00:07:40]  Dave, my story comes from Diana Lopera from Trustwave's security team, SpiderLabs. 

Dave Bittner: [00:07:45]  Oh, OK. 

Joe Carrigan: [00:07:46]  I love these names for these security teams - SpiderLabs. 

Dave Bittner: [00:07:48]  Right. 

Joe Carrigan: [00:07:48]  Last week we had ACID, right? 

Dave Bittner: [00:07:49]  Right, right. 

Joe Carrigan: [00:07:50]  If I start a security company and have a lab, I'm just going to call it the Scary Team. 

Dave Bittner: [00:07:53]  Yeah, it's never the Teddy Bear Team or... 

Joe Carrigan: [00:07:55]  Right, yeah. 

Joe Carrigan: [00:07:58]  So SpiderLabs is warning about an email scam that's going around. It's coming out with two different subject lines, either, install latest Microsoft Windows update now, or, critical Microsoft Windows update, with exclamation points. 

Dave Bittner: [00:08:10]  OK, so you know it's important. 

Joe Carrigan: [00:08:12]  And the email contains only one line of text. It says, please install the latest critical update for Microsoft attached to this email, and it's got capitalization errors and everything. It's kind of obvious that it's a scam. But there is an attachment to the email, and it's a JPEG attachment, but it has the extension JPG. A JPEG is an image file. 

Dave Bittner: [00:08:31]  Right. 

Joe Carrigan: [00:08:32]  But it's not an image file. It's actually an executable, and it's very small, too. This is what's interesting about it, to me at least. It's only 28 kilobytes, which is a very small application. 

Dave Bittner: [00:08:41]  Yeah. 

Joe Carrigan: [00:08:41]  But when you open it, what it does is it goes out to GitHub and downloads an executable. Now, for our listeners who might not know what GitHub is, GitHub is a code management repository that you can go out and create an account on. And generally, developers will upload their files to GitHub so that they can keep their source code safe. But you can put any kind of file on GitHub, and accounts are free. And if an account is free, then all your repositories, your different ways of storing your data up there, are open to the public. So this malware team or actor is using GitHub as a distribution method for this other malware. It calls itself bitcoingenerator.exe. 

Dave Bittner: [00:09:20]  I wonder what it does. 

Joe Carrigan: [00:09:21]  It doesn't generate bitcoin. 

Dave Bittner: [00:09:22]  Oh, OK. 

Joe Carrigan: [00:09:23]  It's actually a variant of Cyborg ransomware. So it downloads the ransomware app from GitHub, and then that ransomware app starts running and encrypting all your files and leaves a ransom note for you for how to get your files back. 

Joe Carrigan: [00:09:35]  Couple things are going on here. One, I find it interesting that they named it bitcoingenerator.exe. It's like they're putting it on GitHub and going, you know, since we're going to be encrypting people's machines, why not try to get people who are maybe looking for a bitcoin miner and encrypt their machine as well? 

Dave Bittner: [00:09:54]  Oh. 

Joe Carrigan: [00:09:55]  I don't know. That might be a long shot. I don't know if they got anything from it. 

Dave Bittner: [00:09:59]  Yeah, so in this phishing expedition, through this use of this name, perhaps catching a few extra people in the net. 

Joe Carrigan: [00:10:05]  Yeah, maybe. 

Dave Bittner: [00:10:05]  Yeah. 

Joe Carrigan: [00:10:06]  Hopefully. Not a bad way to do it, right? 

Dave Bittner: [00:10:08]  Yeah. 

Joe Carrigan: [00:10:09]  If you can get a couple extra encryptions for free, why not do it? 

Dave Bittner: [00:10:12]  Right. 

Joe Carrigan: [00:10:13]  Here's a couple points I want to make. No. 1, Microsoft will never email you to tell you to install a critical update. They handle that through their OS. And this email campaign, this spam campaign, relies on the user's lack of knowledge of that fact. So maybe a user is not very technically savvy. They say, oh, Microsoft sent me an email. They want me to install this patch. I'm going to go ahead and do that. Microsoft will never send you an email to update your operating system. The operating system has that feature built in. All modern operating systems today have that feature built in. And it's - I can't think of one that doesn't, actually. So use that feature. In fact, if you're on Windows, you can just type in the little search bar, update, and it will tell you what your update status is and give you ways to update if you need to. 

Dave Bittner: [00:10:53]  OK. 

Joe Carrigan: [00:10:53]  And you should update. That's one of the basic cyber hygiene practices. Keep your operating system up to date. 

Dave Bittner: [00:10:59]  Right. 

Joe Carrigan: [00:10:59]  In the hacks where people actually go out and break into somebody's machine, 9 times out of 10 - actually, I would even say 95 times out of 100, it is with an old known exploit that could've been patched, right? 

Dave Bittner: [00:11:12]  Right. 

Joe Carrigan: [00:11:12]  Just update your operating system. Set it to automatic if you can. This is a very primitive campaign. Somebody went and set up a GitHub account, put some known malware out in the GitHub account, wrote a small .NET executable that they then spammed out to a bunch of people. But I'll bet that they got some people with this. 

Dave Bittner: [00:11:29]  Yeah, it's really lightweight. The thing that strikes me also is that I guess having a .JPEG extension on that file, that's not any guarantee that that's actually what that file is. 

Joe Carrigan: [00:11:42]  Yeah, that's right. That is an interesting feature of this malware. 

Dave Bittner: [00:11:45]  All right, well, something to look out for. So I guess the take-home here is twofold. Keep your operating system up to date... 

Joe Carrigan: [00:11:52]  Right. 

Dave Bittner: [00:11:52]  ...And only respond to requests to do that from the operating system itself. 

Joe Carrigan: [00:11:57]  Yes. You know, Brian Krebs, who is the author of the first article that we talked about today, has a few rules. And one of the rules is if you didn't ask for it, don't install it, right? So don't install a software that comes to you in an email that you didn't request. That's just another basic hygiene rule. And that's really, really good advice, especially here. But your advice is also paramount. 

Dave Bittner: [00:12:15]  Yeah. 

Joe Carrigan: [00:12:15]  That's not how this works (laughter). 

Dave Bittner: [00:12:17]  All right. Well, it's time to move on to our Catch of the Day. 

Dave Bittner: [00:12:24]  Our Catch of the Day comes from one of our listeners. He's a friend of the show. His name is Tim (ph), and he had a brief exchange with someone who is trying to scam him on LinkedIn, and I have the exchange here in front of us. Joe, I will play the part of the LinkedIn member, and you can play the part of Tim. And it goes like this. (Reading) Hey, how are you doing today? I'm Linda - never married, no kids. I'm looking for a serious relationship, a man who's ready to meet face-to-face, a man who's not too hurt and not too hard to get along with. I'm also open to anything. If you're interested in getting to know more about me, text me. 

Joe Carrigan: [00:13:01]  WTF? Did you hack this account, or did you create it yourself just for this romance scam? I mean, you're obviously a scammer - like, duh. Save yourself some time and hassle, and don't try to convince me otherwise. I work in infosec. This is transparently a scam. And then Tim goes on. So did you hack this account, or did you create it for your scam? 

Dave Bittner: [00:13:24]  LOL. Heck, you chickened up, then you must be one. Bye. 

Joe Carrigan: [00:13:28]  What the F are you talking about? That didn't even make sense. You're using a picture of a woman named Natasha Nice. You just copied her picture. Reverse image search is a thing. 

Dave Bittner: [00:13:38]  And so the exchange ends there. 

Joe Carrigan: [00:13:39]  It does. 

Dave Bittner: [00:13:39]  Let me provide a little bit of context here. So as part of this exchange - Tim tagged us on Twitter with this one. And, Tim, we appreciate that. He also tagged the woman whose images they stole, who is named Natasha Nice. And so I made the mistake of clicking on Natasha Nice's profile on Twitter, Joe. And... 

Joe Carrigan: [00:13:58]  Was it a mistake, Dave? 

Dave Bittner: [00:13:59]  Well, you know, it was kind of - it was a - well, let me just say she's a lovely woman. 

Joe Carrigan: [00:14:03]  Yes. 

Dave Bittner: [00:14:04]  She's particularly lovely when she's wearing no clothes, which is what I saw when I clicked through on Twitter... 

Joe Carrigan: [00:14:09]  So a happy accident. 

Dave Bittner: [00:14:11]  ...On my work computers. 

Joe Carrigan: [00:14:13]  Nice. 

Dave Bittner: [00:14:15]  So perhaps, Tim, in the future, a little bit of a heads-up would be nice to your good friends Joe and Dave here... 

Joe Carrigan: [00:14:20]  Yes (laughter). 

Dave Bittner: [00:14:20]  ...Who like our jobs and want to keep them. But - yeah. So, Tim, with a quick reverse image search, was able to find that, as is so often the case with these things, they were just stealing the image from someone else and... 

Joe Carrigan: [00:14:33]  Yeah. 

Dave Bittner: [00:14:33]  ...Just to scam. 

Joe Carrigan: [00:14:34]  People overlook this. But this actually does, in some way, victimize Miss Nice, you know? These people are misusing her image without her permission. 

Dave Bittner: [00:14:41]  Right. 

Joe Carrigan: [00:14:41]  I'm sure she didn't consent to this. 

Dave Bittner: [00:14:43]  I would imagine not. Yeah. 

Joe Carrigan: [00:14:44]  Right. 

Dave Bittner: [00:14:45]  All right, well, thanks to Tim for sending that in. That is our Catch of the Day. Coming up next, we've got my conversation with Karl Sigler. He's got some advice for folks to keep safe out there during this upcoming holiday season. 

Dave Bittner: [00:14:57]  But first, a word from our sponsors, KnowBe4. And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing, real-world, proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news. 

Dave Bittner: [00:16:03]  And we are back. Joe, I recently had the pleasure speaking with Karl Sigler. He is from security firm Trustwave. And we had a nice conversation about how people can protect themselves during the holiday season, some of the things that they need to look out for from the scammers out there. Here's my conversation with Karl Sigler. 

Karl Sigler: [00:16:21]  I think that these holidays are probably better than holidays past. I think that in general, people are a lot more security savvy year after year. But, you know, whenever you have a lot of commerce going on, a lot of electronic transactions, credit card usage, it's bound to attract thieves. 

Dave Bittner: [00:16:37]  So let's go through some of the things together. I mean, what's on your radar? What are some of the common ways that the thieves go after people? 

Karl Sigler: [00:16:44]  No. 1 is phishing attacks. So spam and phishing attacks - it allows them to throw a very wide net very quickly and easily with very little investment upfront. And in the end, they tend to get a really good payback on people opening attachments that they shouldn't be opening or clicking on things that they shouldn't click on. 

Dave Bittner: [00:17:01]  What about out and about with retail itself? People are going to be using a lot of credit cards, interacting with terminals and ATMs and even gas pumps. Are there things folks should be looking out for there? 

Karl Sigler: [00:17:13]  Oh, definitely. I mean, skimmers are still very, very popular among thieves. So if you're actually inserting your card into a device that isn't manned by a cashier or something like that - for instance, an ATM, like you say, a gas pump or something that is just sort of stand-alone - just take a look at it. See if it looks really new, if the machinery is a little bit shaky. Look for little pinholes around it. Those cameras can be very, very small these days. So skimming is still a huge threat. 

Karl Sigler: [00:17:40]  I think the biggest thing that I've seen that has helped prevent theft in just, you know, brick-and-mortar, out-and-about live shopping is the chip. EMV has provided a tremendous amount of security, security that a lot of other countries outside the U.S. have enjoyed. And this is probably only the second holiday season that we've had where EMV and chip cards are really prevalent in the U.S. So if you have it, use it. 

Dave Bittner: [00:18:07]  What about some of the electronic payment methods? I'm thinking of things like Apple Pay, and Android has their own version. Is that a good option? 

Karl Sigler: [00:18:14]  Absolutely. Apple Pay, Samsung Pay, Google Pay, all of those sort of mobile payment methods - they actually provide one-time tokens, in essence, for each individual transaction. So typically, when you're worried about skimmers or you're worried about POS malware - the point-of-sale malware that we've heard in the past that will grab your credit card number - all of that is made moot by either the chip or these tokenized payments because every single transaction is unique. So even if criminals do get information associated with that one purchase, they can't reuse that to purchase other things down the road. 

Dave Bittner: [00:18:49]  Now, what about some of the more personal attacks? It's a time of the year when there's a lot of getting together with family, but there's a lot of people who have trouble during the holidays. And I suppose dealing with things like loneliness and missing family members and so on, I mean, that could make them prime targets for some of these scammers who try to target them. 

Karl Sigler: [00:19:09]  Oh, absolutely. And that's generally what we see, is that criminals will prey on people that are vulnerable, whether it's emotionally, like you say, or vulnerable in other ways, like not having access to technology that can secure you. So, yeah, criminals prey upon the weak. We see a lot of crimes that are targeted at senior citizens and the elderly, the poor, and that just becomes more and more prevalent around the holiday season. 

Dave Bittner: [00:19:34]  What sort of things can we do to check in on our friends and relatives? I'm thinking of maybe those older people or just people who aren't as technically savvy. How can we check in on them and help make them safer? 

Karl Sigler: [00:19:46]  Definitely do exactly that - check in, give them a phone call, send them an email - and especially for those that you may not even be aware are in that type of vulnerable situation. Take close account of your neighbors. Knock on doors and just see if there's any need, anything that you can help out with. And generally, in this day and age, a lot of it is just about education, giving somebody another voice that they can bounce something off of. If I have a relative that maybe receives an email that is setting off some red flags for them, just having the ability to reach out to me to double-check to make sure that instinct is correct is something that's extremely useful. So expand your community, and don't wait for them to come to you; go to them instead. 

Dave Bittner: [00:20:27]  We hear a lot about folks who fall victim to these things. And a lot of times, they're embarrassed to tell anyone. They feel foolish for having fallen for some sort of scam. What's your take on that? Should those folks feel that way, or should we do a better job of protecting them as a community? 

Karl Sigler: [00:20:44]  Absolutely, we should be doing a better job. That type of victim blaming really only benefits the criminals. Anybody can be the victim of a crime at any point in time, no matter how savvy you are, no matter how strong you are, no matter how well-off you are. So just be empathetic and realize that, you know, it's not the victim's fault. Most times it is completely somebody that was taken advantage of in some way, shape or form. So use it as an educational moment and provide them the support they need. When we victim shame, we basically force victims to be quiet about the crimes that occur. And when that happens, nobody is educated about the prevalence of some of these crimes. And a lot of times, that victim blaming comes from a place of wanting to feel superior to that victim so you don't fall into that same category. Really, it just does a disservice to everybody involved. 

Dave Bittner: [00:21:34]  You know, we've been talking about things from the consumer side, but what about from the merchants, from the vendors? I mean, what sort of things should they be looking out for this time of year? 

Karl Sigler: [00:21:45]  They should be looking out, definitely, for scams that might be targeting their customers directly. So they want to make sure that if they're running an e-commerce shop, that that e-commerce shop is secure. We've seen a huge spike in e-commerce heart attacks, if you will. Magecart is really prevalent these days. That's a small, little malicious script that criminals are embedding into some e-commerce shops that will then strip your credit card information from that shop. And when you're shopping online, you don't have that benefit of the chip, right? You're just typing in your credit card number and the CVV code. And that is something that can be stolen. 

Karl Sigler: [00:22:18]  So merchants should be very, very aware of those types of crimes. They should make sure that their websites are patched, that their websites have been audited and they can't be leveraged against the company's own customers. 

Dave Bittner: [00:22:30]  What are some of the take-homes for you? I mean, is - sort of the broad advice that you have for folks as we head into this busy time. There's going to be a lot of money changing hands. What are some of the overarching themes here that folks can follow to help keep themselves safe? 

Karl Sigler: [00:22:45]  Just use common sense, I would say. I think that a lot of people don't trust their instincts, especially when there's new technology involved, like, let's say, your mobile payments - that's relatively new technology for a lot of people, and they might be a little bit sketched out about when to use it, where to use it. Just make sure that you're comfortable with what you're doing. If there's red flags that are being set off, listen to those red flags. Listen to those instincts. 

Karl Sigler: [00:23:07]  And things that we do throughout the rest of the year - if something seems too good to be true, it probably is too good to be true. You might not want to click on that, despite the fact that it sounds like it's an amazing sale. Be wary of emails that come into your inbox that you didn't ask for. Be aware of clicking on ads that might sound like they're providing the gift that you want to give for a really, really cheap price. You probably wouldn't click on those ads, you probably wouldn't open those emails any other time of the year. Don't be tempted just because you're looking for a good deal this year. 

Karl Sigler: [00:23:39]  Also, EMV chip cards have done a tremendous amount of securing brick-and-mortar transactions. We need to have that same awareness when it comes to online e-commerce transactions. So, you know, I love TLC's "Waterfalls." I always use this phrase around this time of year - stick to the rivers and lakes that you're used to. Stick to those e-commerce shops that you use throughout the rest of the year. If you've trusted them for sales in the past, they're probably trustworthy now as well. 

Karl Sigler: [00:24:03]  Probably, the only other tip I would add is - and we see this quite a bit - if you're going to be shopping outside - doing e-commerce shopping outside of your own home, if you're in a cafe, if you're in a coffee shop, something like that, that has public Wi-Fi, be especially careful in those situations. Any sort of public Wi-Fi should be considered sort of a public arena where any criminals could be hanging out and trying to access your transactions or intercept your transactions and process. So I recommend not doing shopping from public Wi-Fi, if possible. If you're trying to hide your shopping from maybe relatives or family by going to someplace that's a little bit more private for you, definitely use VPN software on the public Wi-Fi to better secure those connections. 

Dave Bittner: [00:24:51]  All right, Joe. What do you think? 

Joe Carrigan: [00:24:53]  I love it when the interview meshes so nicely with our stories. 

Dave Bittner: [00:24:58]  Yes. It's a happy accident, let me assure you. 

Joe Carrigan: [00:25:00]  Yes. 

Dave Bittner: [00:25:01]  No, I meant to do that. It's careful planning, yes. 

Joe Carrigan: [00:25:03]  One of the things that Karl pointed out was that these problems are asymmetric problems. It's very easy for people to commit these crimes, and it's very difficult for us to defend against it, you know? It's low cost, high benefit for them, and high cost, low - sometimes low benefit for us, right? That's what I mean when I say asymmetric. 

Dave Bittner: [00:25:21]  Yeah. 

Joe Carrigan: [00:25:21]  Mobile payment is a good way to protect yourself, using something like Apple Pay, Google Pay or Samsung Pay. 

Dave Bittner: [00:25:27]  Yeah. 

Joe Carrigan: [00:25:27]  I would advise sticking with one of the big names like Apple or Google before I went with some other third-party payment organization. There's also services like privacy.com out there as well for online shopping that create disposable credit cards. And I think JPMorgan has kind of a service like that as well, although I'm not sure of the details of JPMorgan's - how good it is. These actors do go after the vulnerable because they're easy targets. That's sad and unfortunate, but it is the truth. So check on the people you think are vulnerable; they're in your network. Take care of each other. 

Dave Bittner: [00:25:56]  Yeah. It reminds me, too, that, you know, over the holidays when we're getting together with family, those of us who may be a little more knowledgeable on this stuff, strike up that conversation. Remind people. Have a little informal lesson without being professorial. Share the information. 

Joe Carrigan: [00:26:13]  Yes, indeed, share the information. I like what Karl said about victim blaming only benefiting the criminals. It also is a force that suppresses the information. It makes people be quiet about it. 

Dave Bittner: [00:26:22]  Yeah. 

Joe Carrigan: [00:26:23]  I agree with that 100%. And we need to be able to talk openly about this. That's better than suppressing it. 

Dave Bittner: [00:26:28]  Yeah. 

Joe Carrigan: [00:26:28]  Magecart is a very interesting piece of malware. It's a very small, lightweight, malicious JavaScript thing. And if you want to know the technical details about it, Jack Rhysider has a great episode of the "Darknet Diaries" - I think it's Episode 52 - where he goes into depth about how Magecart works. It's fascinating. It's actually a very smartly designed piece of malware. 

Dave Bittner: [00:26:49]  And quite effective, right? 

Joe Carrigan: [00:26:50]  And very effective, remarkably effective. 

Dave Bittner: [00:26:52]  (Laughter) Yeah. 

Joe Carrigan: [00:26:52]  And I won't bore our listeners with it. If you really want to know about it, you should listen to Jack's podcast. 

Dave Bittner: [00:26:56]  Yeah. 

Joe Carrigan: [00:26:57]  When he says don't use public Wi-Fi without a VPN, that's a great piece of advice. But I would go one step further and say, just use mobile data. It's very inexpensive nowadays to have unlimited mobile data on your phone, and then your phone can become a hotspot if you have that capability on your phone. All the phones I've had, for the past three or four phones, have had this capability. 

Dave Bittner: [00:27:17]  Yeah. 

Joe Carrigan: [00:27:17]  And I just activated it last year when you and I were down at the KnowBe4 conference. I turned it on, and I haven't regretted it for a minute. It's great. Wherever I go, I have a hotspot. And even if I'm sitting in a Starbucks, I don't use the Starbucks Wi-Fi; I use my hotspot that's sitting next to me. 

Dave Bittner: [00:27:30]  Yeah. A little more secure. 

Joe Carrigan: [00:27:32]  It is a little - it's a lot more secure. 

Dave Bittner: [00:27:33]  Yeah. 

Joe Carrigan: [00:27:34]  I'll still run a VPN even on my mobile hotspot just because I don't want my cellphone provider seeing where I'm going, and also it does add another layer of security. 

Dave Bittner: [00:27:42]  Yeah. If you have that capability. Why not? 

Joe Carrigan: [00:27:44]  Yes, absolutely. Use it. 

Dave Bittner: [00:27:45]  All right. Well, thank you to Karl Sigler. He's from Trustwave. We appreciate him coming on our show this week. And, of course, we want to thank all of you for listening. 

Dave Bittner: [00:27:53]  And we want to thank our sponsor, KnowBe4. Their new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:28:19]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:28:31]  And I'm Joe Carrigan. 

Dave Bittner: [00:28:32]  Thanks for listening.