Andrew Brandt: [00:00:00] Really, IT and IT security in particular depends on - basically, everyone in the company is on the frontlines, and they need people to be their eyes and ears.
Dave Bittner: [00:00:10] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:28] Hi, Dave.
Dave Bittner: [00:00:29] We've got some good stories to share this week, and later in the show, Carole Theriault returns. She's going to be speaking with Andrew Brandt from Sophos about their 2020 trends report.
Dave Bittner: [00:00:38] But first, a word from our sponsors at KnowBe4. So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.
Dave Bittner: [00:01:11] And we are back. Joe, why don't you kick things off for us this week?
Joe Carrigan: [00:01:14] Dave, this week, I'm starting on a story from Brian Krebs from KrebsOnSecurity, and he has a very interesting story here today. In early December, there were some security experts at PhishLabs who detailed a very sophisticated phishing scheme targeting users of Office 365.
Dave Bittner: [00:01:32] OK.
Joe Carrigan: [00:01:33] The user would click on the link. They would actually go to the legitimate Microsoft login page, login.microsoftonline.com.
Dave Bittner: [00:01:40] Someone is phishing them, providing them with a link.
Joe Carrigan: [00:01:43] Right.
Dave Bittner: [00:01:43] And then the link takes them to an actual Microsoft login page.
Joe Carrigan: [00:01:46] That's right.
Dave Bittner: [00:01:47] OK.
Joe Carrigan: [00:01:47] But if you look at the link, it tells Microsoft to forward the authorization token from logging in, which is what you get in the cloud app. You get an authentication token. And it goes to a domain called officesuited.com. You log in, you provide your credentials, and you are redirected to another site that has malicious software on it.
Dave Bittner: [00:02:07] Let's pause for a second...
Joe Carrigan: [00:02:08] OK.
Dave Bittner: [00:02:08] ...Because I'm not clear. So buried within this link, there's the functionality, and the functionality exists within a link...
Joe Carrigan: [00:02:17] To redirect.
Dave Bittner: [00:02:17] ...To do the redirect, to tell it...
Joe Carrigan: [00:02:19] Right. Actually, it doesn't necessarily exist within the link, but there are some cloud services that will redirect. We've talked about the Google redirect service.
Dave Bittner: [00:02:28] Yeah.
Joe Carrigan: [00:02:28] If you looked at the link, it was actually a real link...
Dave Bittner: [00:02:31] Right.
Joe Carrigan: [00:02:31] ...To Google, but it would redirect you to another site. But this is doing more than that. This is actually taking you to the Microsoft login site. You're logging in with your credentials, and then it's forwarding those credentials on to the next site in the chain. Now, this is a legitimate feature of Microsoft's cloud services.
Dave Bittner: [00:02:48] OK.
Joe Carrigan: [00:02:48] Right? And we'll get to why that is as we get in the story.
Dave Bittner: [00:02:52] OK.
Joe Carrigan: [00:02:52] But once you get forwarded to the new domain, the user is presented with a prompt that says there's an app requesting permissions to - now, get a load of this, Dave - read your email, read your contacts, access your OneNote notebooks, access your files, read or write to your mailbox settings, sign you in, read your profile and maintain access to all of that data.
Dave Bittner: [00:03:16] It's the whole shooting match, Joe (laughter).
Joe Carrigan: [00:03:18] Right. Exactly. It's a lot of permissions.
Dave Bittner: [00:03:20] OK.
Joe Carrigan: [00:03:20] Now, this should be a red flag to anybody. When anything comes up and requests access to this much information, there should be red flags. Now, there may be legitimate reasons for an app to request these permissions, but at this point in time, you should be stopping and thinking. Whenever you see this - it doesn't matter what you're doing. If you're installing an Android app, if you're installing an app from the Apple Play Store, if you're doing any of this stuff, whenever you see something requesting these kind permissions, stop and think about it.
Dave Bittner: [00:03:44] OK.
Joe Carrigan: [00:03:45] Once the user grants these permissions to this malicious app, the attacker can maintain access to the account, and it doesn't matter if you change your password or if you even use two-factor authentication. All of that is irrelevant because you have given the app access to your account.
Dave Bittner: [00:04:01] OK, yeah. This is part of a feature, not necessarily a bug...
Joe Carrigan: [00:04:06] Right.
Dave Bittner: [00:04:06] ...Because - we used to use Office 365 here. And so there were some other services that I used...
Joe Carrigan: [00:04:12] Right.
Dave Bittner: [00:04:13] ...That used my Office 365 credentials...
Joe Carrigan: [00:04:15] Yes.
Dave Bittner: [00:04:16] ...To be able to do things like access my calendar. And so it was providing a good sort of cross-app functionality, and I guess that happens through this tokenization.
Joe Carrigan: [00:04:27] Right. It's a single sign-on solution, right?
Dave Bittner: [00:04:29] Yes. Yes.
Joe Carrigan: [00:04:30] So what's happening here is that PhishLabs thinks that somebody's credentials for signing their apps got stolen and that this malicious organization is now signing apps with stolen credentials.
Dave Bittner: [00:04:44] Oh, I see.
Joe Carrigan: [00:04:45] So the feature that you're talking about also is add-ins that are available with Office 365 and Outlook, and they can be written by third parties.
Dave Bittner: [00:04:54] OK.
Joe Carrigan: [00:04:55] So anybody can write one of these and become an add-in developer.
Dave Bittner: [00:04:58] Right.
Joe Carrigan: [00:04:58] Now, here's what's interesting. According to Michael Tyler from PhishLabs, by default, any user can apply add-ins to their Outlook application. Additionally, Microsoft allows Office 365 add-ins and apps to be installed via sideloading without going through the official store, thereby avoiding the review process. Now, what is sideloading? Sideloading is the practice of adding an app through some means other than the store, right?
Dave Bittner: [00:05:25] So just downloading it from who knows where...
Joe Carrigan: [00:05:27] Correct.
Dave Bittner: [00:05:27] ...Off the internet - could be anywhere.
Joe Carrigan: [00:05:29] Right.
Dave Bittner: [00:05:30] And you can install that app.
Joe Carrigan: [00:05:31] Yep. Apple...
Dave Bittner: [00:05:31] The way it all used to work...
Joe Carrigan: [00:05:33] Right.
Dave Bittner: [00:05:33] ...Before we had app stores (laughter).
Joe Carrigan: [00:05:36] Exactly - (laughter) - 100% correct.
Dave Bittner: [00:05:37] Right.
Joe Carrigan: [00:05:37] This is the legacy means.
Dave Bittner: [00:05:38] Yes, OK.
Joe Carrigan: [00:05:39] Now, on iOS, Apple doesn't allow this, right? I'm not an iOS user. You are.
Dave Bittner: [00:05:44] Yeah.
Joe Carrigan: [00:05:44] But you can't go out and get an app that isn't signed with a valid App Store certificate and put it on your phone in any way, shape or form unless you actually go through the process of jailbreaking your Apple phone, right?
Dave Bittner: [00:05:52] Correct, yep.
Joe Carrigan: [00:05:54] Google doesn't allow it by default, but you can actually allow third-party apps on your phone by enabling some developer options. It looks like Microsoft allows it by default on the cloud apps.
Dave Bittner: [00:06:04] OK.
Joe Carrigan: [00:06:05] Now, here's what's smart about this, another key feature. The app that PhishLabs tested was not visible in the add-in list for users. So once you installed the app or essentially gave it permissions, you as the user couldn't go in and uninstall it. You had to get an administrator to uninstall it for you.
Dave Bittner: [00:06:22] Wow.
Joe Carrigan: [00:06:22] So now it becomes an administrative headache. So imagine you're an organization with 10,000 people in, and a thousand of them go out and install this app. Now you as the administrator have to go out and do 1,000 uninstall operations (laughter). Maybe you can do it in bulk - just say, I want to get rid of this app from my domain. I don't know how that works. I'm not a Microsoft guy.
Dave Bittner: [00:06:42] Yeah.
Joe Carrigan: [00:06:42] But it becomes a problem for the administrator, not for the users.
Dave Bittner: [00:06:45] Well, but it's also not drawing attention to itself...
Joe Carrigan: [00:06:47] Right.
Dave Bittner: [00:06:47] ...Because the user doesn't see it there.
Joe Carrigan: [00:06:49] Right. Yeah, if the user were to go look for it, they'd say, I don't have this installed.
Dave Bittner: [00:06:52] Right.
Joe Carrigan: [00:06:53] Right. That's a good point.
Dave Bittner: [00:06:54] So what do we do?
Joe Carrigan: [00:06:55] Well, there are two fixes. The first one is that when Microsoft discovers these, they disable them...
Dave Bittner: [00:06:59] OK.
Joe Carrigan: [00:06:59] ...Right? - out there. And the second one is that an administrator of the victim domain actually goes and removes the app from the account. Microsoft is actually notifying people that they've been impacted 'cause Microsoft - because it's a cloud service, Microsoft can see that. And they're letting companies know, hey, you've got this malicious app installed for a bunch of your users.
Dave Bittner: [00:07:22] I see. So they can track based on, I guess, whose key was stolen. They can tie it into that.
Joe Carrigan: [00:07:24] Right. When they identify an app as malicious, they can see who has access to that app, who's installed the app and granted it permissions. I think for Microsoft, it's nothing more than a simple database query. Now, Microsoft says administrators can enable settings that block users from adding third-party apps. Microsoft calls this a drastic step - is the quote in the article, right? And they say they don't recommend it because it will impair the users' ability to be productive. Michael Tyler from PhishLab (ph) disagrees...
Dave Bittner: [00:07:50] (Laughter).
Joe Carrigan: [00:07:51] ...And I think Michael Tyler is right, so I'm on Michael Tyler's side of this.
Dave Bittner: [00:07:55] You're on team Tyler? (Laughter).
Joe Carrigan: [00:07:58] I'm on team Tyler. Disable the ability for users to install apps, or at the very least, just disable their ability to install third-party apps and make sure they can only install apps from the app store because those apps go through a review process.
Dave Bittner: [00:08:11] I wonder if they have the granularity so that if you want to install something like this, you need to get a second pair of eyes on it.
Joe Carrigan: [00:08:16] Yeah.
Dave Bittner: [00:08:16] You know, you need to get somebody from IT or somebody to check it out 'cause I could see people needing this functionality.
Joe Carrigan: [00:08:22] Right.
Dave Bittner: [00:08:23] I think in my own case, the functionality this sort of thing provided helped me do my job better...
Joe Carrigan: [00:08:27] Yep.
Dave Bittner: [00:08:28] ...So I would hate to lose that.
Joe Carrigan: [00:08:30] Yeah.
Dave Bittner: [00:08:30] But at the same time, if I had to go to, you know, the tech folks one time and say, hey, can you make sure this is legit? Well, it's not that big a deal.
Joe Carrigan: [00:08:37] Exactly. Yeah. And an organization like the CyberWire or CyberWire media - how many people do we have working here, Dave? It's not...
Dave Bittner: [00:08:43] Oh, a dozen or so.
Joe Carrigan: [00:08:44] Yeah, it's not a big organization.
Dave Bittner: [00:08:45] Yeah.
Joe Carrigan: [00:08:45] But how does that scale up to, you know, tens of thousands of people? That's really...
Dave Bittner: [00:08:49] Right. Yeah, it may not.
Joe Carrigan: [00:08:50] You know, when you start getting humans involved, it becomes costly in terms of time and money.
Dave Bittner: [00:08:54] Yeah, pesky humans.
Joe Carrigan: [00:08:55] Pesky humans.
Dave Bittner: [00:08:55] They ruin everything, Joe. (Laughter).
Joe Carrigan: [00:08:58] Right. This job would be great if it wasn't for the customers...
Dave Bittner: [00:09:06] (Laughter).
Joe Carrigan: [00:09:06] ...To quote Kevin Smith.
Dave Bittner: [00:09:06] Yeah (laughter).
Joe Carrigan: [00:09:07] Or actually, to paraphrase. That's not really a quote.
Dave Bittner: [00:09:07] So - all right. So this story is from Brian Krebs of KrebsOnSecurity. We'll have a link to that in the show notes - very interesting. My story this week actually came from a co-owner, and it's a version of a fairly common scam that we've seen. This is often referred to as the grandparents scam.
Joe Carrigan: [00:09:25] OK.
Dave Bittner: [00:09:26] There are some interesting things here. I'm going to go through - this is the letter that was provided to us by one of my co-workers. It says, my friend is a business owner at a local town. About 10 a.m., he received an emergency phone call from a good friend of his who lives in Pittsburgh. His friend in Pittsburgh related the following. He had been in a serious car accident and had a broken jaw and nose. Even though he did not drink, the police tested his blood alcohol, and it registered as being a drunk driver. He was in the prison wing of a hospital in Pittsburgh, charged with drunk driving.
Dave Bittner: [00:09:55] The driver of the other vehicle was seven months pregnant and was injured. Two witnesses said the other driver was at fault, and they were willing to testify. And this friend needed a lawyer to bail him out. If the attorney did not receive $8,500 by 1 p.m. that day, he was going to be transferred to the prison. And he was afraid of that. He begged his friend to wire $8,500 to the attorney's account immediately so that he would not go to prison.
Dave Bittner: [00:10:24] Now, there are some other details here. They say that it sounded like the friend. The voice inflections and the accent were correct. They had all sorts of details about the friend.
Joe Carrigan: [00:10:33] And this was a phone call?
Dave Bittner: [00:10:34] This was a phone call. It was a voice-to-voice kind of thing. And this friend - he spoke to his bank about wiring the money. He was convinced that this was his friend. They knew many personal details about both of the people involved in this - the friend and the person they were calling. But this person was smart. Before they sent the money, he did one more thing. He called his friend in Pittsburgh, and his friend answered the phone.
Joe Carrigan: [00:10:58] Right.
Dave Bittner: [00:10:58] His friend was home. (Laughter) His friend was not in the hospital. His friend was not in prison. His friend was at home, minding his own business.
Joe Carrigan: [00:11:05] Right.
Dave Bittner: [00:11:06] So the whole thing was fake. Now, here's where it starts to go a little funky for me. The phone call was a real person, but it was fake. Now, they're claiming here in their description that they were using some kind of artificial intelligence software that could do voice manipulation to change the voice in real time.
Joe Carrigan: [00:11:27] Right.
Dave Bittner: [00:11:27] I call foul on that.
Joe Carrigan: [00:11:28] Yeah. I'd like to know - in order to impersonate someone's voice, you need to train a model...
Dave Bittner: [00:11:33] Yeah.
Joe Carrigan: [00:11:34] ...On that person's voice. Did this person have enough public speech out there...
Dave Bittner: [00:11:38] Well...
Joe Carrigan: [00:11:38] ...To train a voice?
Dave Bittner: [00:11:39] ...So there's - part of that - they're saying that the victim - the person, you know, who's claiming was the person in prison - had received multiple calls where he talked to telemarketers. So they could record that person's voice, OK? Now, I checked with some folks who know about these sorts of things before we did today's show, and they basically said, yeah, that whole thing about AI - no - because it's not necessary. All you need to do is get someone who's a clever mimic...
Joe Carrigan: [00:12:06] Right.
Dave Bittner: [00:12:06] ...Who's capable of doing impersonation.
Joe Carrigan: [00:12:08] Right.
Dave Bittner: [00:12:08] The fact that it's over a phone connection, that takes away a whole lot of the fidelity of the phone call.
Joe Carrigan: [00:12:14] Additionally, if he's said that his nose and jaw are injured, he kind of has to talk like this the whole time.
Dave Bittner: [00:12:19] Yep, exactly. Exactly. Very good point. Very good point. So they adopt some sort of accent. They start peppering the person with common facts about, you know, hey, our mutual friend Joe...
Joe Carrigan: [00:12:30] Right.
Dave Bittner: [00:12:31] ...I tried to call him, and I couldn't get him, so I called you. You know, just - so you're building up this believability in their minds. So it's an interesting story. It's a fairly common scam, and I actually going to include a link to a story from Forbes from last year about this grandparents scam. Evidently, the thing about a broken nose is very common. The thing about being in jail is very common. So they're sort of turning up the heat that we have to get this money right away. You've just got just a few hours...
Joe Carrigan: [00:13:00] Right.
Dave Bittner: [00:13:01] ...Or bad things are going to happen to your...
Joe Carrigan: [00:13:02] Yeah, that's the artificial time horizon.
Dave Bittner: [00:13:04] Yep, absolutely. So I guess the important thing here is that I've seen more and more stories where folks are assigning this to artificial intelligence, that they're using voice manipulation. I think that's a myth that's sort of spinning out of control right now.
Joe Carrigan: [00:13:20] I think you might be right.
Dave Bittner: [00:13:22] I don't think the technology is there yet to make this sort of thing easy to do, to make it reliable. And I think just having someone be a good mimic and a good - it's that old thing - a cold reading, you know?
Joe Carrigan: [00:13:34] Right.
Dave Bittner: [00:13:35] Scammers used to use cold reading. It's a lot like that. I think you just have a good scammer, a skilled scammer. They're going to be able to convince you that they're who they want you to think they are.
Joe Carrigan: [00:13:44] Right.
Dave Bittner: [00:13:45] So - and again, I'll have a link about the grandparents scam in the show notes.
Joe Carrigan: [00:13:50] My favorite part is that the mark, for want of a better term, in this actually did what he should do. He made the phone call back to his friend...
Dave Bittner: [00:13:56] Right.
Joe Carrigan: [00:13:56] ...And found out that everything was fake - very simple thing to do, takes very little time and will save you, in this case, 8,500 bucks.
Dave Bittner: [00:14:04] Yeah, 'cause once that money's gone...
Joe Carrigan: [00:14:06] Yeah.
Dave Bittner: [00:14:07] ...You are not getting it back (laughter). All right, Joe. It's time to move on to our Catch of the Day.
0:14:11:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:14:15] Our Catch of the Day came to us from one of our listeners. This Catch of the Day is a letter that came from the Administrative Services Inspection Unit at Hartsfield-Jackson International Airport in Atlanta, Ga. And it goes like this.
Dave Bittner: [00:14:28] It says, dear owner, I am Mr. James Dee, head officer in charge - Administrative Service Inspection Unit United Nations Inspection Agency in Hartsfield-Jackson International Airport, Atlanta, Ga. During our investigation, I discovered an abandoned shipment through a diplomat, which was transferred from JF Kennedy Airport to our facility here in Atlanta. And when scanned, it revealed an undisclosed sum of money in two metal trunk boxes, weighing approximately 110 kilograms each. By my assessment, each of the boxes contains about $4 million or more. The consignment was abandoned because the content was not properly declared by the consignee as money. Rather, it was declared as personal effects, classified documents to either avoid diversion by the shipping agent or confiscation by the relevant authorities. The diplomat's inability to pay for non-inspection fees, among other things, are the reasons why the consignment is delayed and abandoned. As I did say, again, the diplomat abandoned it and ran away, most importantly because he gave a false declaration. He could not pay for the yellow tag. He could not secure a valid non-inspection document, et cetera. I am ready to assist you in any way I can for you to get back this package, provided you will also give me something out of it - financial gratification. You are to reconfirm your full name and address to us to start the process for the release and delivery. Please reply this email strictly at my email address, which is a Gmail address. Best regards, Mr. James Dee, head officer in charge - Administrative Services Inspection Unit.
Dave Bittner: [00:15:53] Joe?
Joe Carrigan: [00:15:54] Well, first off, let me see if I got this right. So a guy has two containers, each having $4 million in it.
Dave Bittner: [00:16:00] Yeah.
Joe Carrigan: [00:16:01] And then he also can't come up with the money for the fees. I don't understand this.
Dave Bittner: [00:16:05] (Laughter).
Joe Carrigan: [00:16:05] And then the diplomat just runs away.
Dave Bittner: [00:16:07] Yeah.
Joe Carrigan: [00:16:08] I don't think there are fees for - I don't know. This whole thing - I wonder if it worked.
Dave Bittner: [00:16:13] Well...
Joe Carrigan: [00:16:13] I wonder if anybody responded.
Dave Bittner: [00:16:15] What amazed me about this is that the name of this scam is the trunk box scam. So...
Joe Carrigan: [00:16:20] (Laughter) The trunk box scam.
Dave Bittner: [00:16:22] And the trunk box scam evidently goes back to the days of pirates.
Joe Carrigan: [00:16:26] Really?
Dave Bittner: [00:16:27] Yes, the trunk box scam...
Joe Carrigan: [00:16:28] Oh, this is good.
Dave Bittner: [00:16:29] ...Goes back to the age of pirates. So the fact that they use the name trunk boxes in this scam - that's a little on the nose, I think.
Joe Carrigan: [00:16:38] That's pretty funny.
Dave Bittner: [00:16:39] Yeah. Yeah. So hopefully, the person did not fall for it. You're not getting your $4 million. I imagine what would happen next is you're going to have to pay some fees to get the money. And you pay the fees, and the money never comes. And of course...
Joe Carrigan: [00:16:52] Right.
Dave Bittner: [00:16:52] ...That's that.
Joe Carrigan: [00:16:53] Yep.
Dave Bittner: [00:16:53] So - all right. Thanks to our listener for sending that in. That is our Catch of the Day. Coming up next, we've got Carole Theriault. She's speaking with Andrew Brandt from Sophos. They're going to go over their 2020 trends report.
Dave Bittner: [00:17:05] But first, a message from our sponsors, KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course. But they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:17:59] And we are back. Joe, it's always great to have Carole Theriault back on the show. This week, she has an interview with Andrew Brandt from Sophos. And they are talking about their 2020 trends report. Here's Carole Theriault.
Carole Theriault: [00:18:12] Now, guys, as you and some of our listeners know, Sophos is one of the companies where I actually sharpened my tech and cybersecurity nous, my knowledge. And it has recently issued its 2020 Sophos threat report. I've invited Andrew Brandt, a principal virus researcher at Sophos, to help us understand the latest findings and to chat about everything that's in the report. Thank you so much for joining me to talk about this, Andrew.
Andrew Brandt: [00:18:39] That's my pleasure, Carole. Thanks.
Carole Theriault: [00:18:41] Now, I should start with a little side note. So I'm particularly fond of this report because I actually was the originator of the first Sophos threat report way back when, probably a decade ago. At the time, only big tech firms like - firms like IBM issued these huge, serious reports - hundreds of pages - right? - really heavy infotech reports. I remember we tried to create one that was, like, a bit more accessible to the average user. And I think at time, our goal was to educate people on safe computing practices - like, really basic stuff. And we were trying to use research from the labs to try and do that. Now, I was wondering, hearing that, do you feel like the report has changed its strategy or its look or its feel from that description? Is that how you would describe it?
Andrew Brandt: [00:19:25] So my goal with the report is to, you know, highlight the great research that we've done across the security spectrum of products. The company is no longer just an antivirus company. And although I am a malware researcher, my role in SophosLabs has spanned across the company to try to find interesting stories. And so as we've been pulling together the topics that we put in this report, we did, you know, kind of reach out to different divisions within the company to get their take on what they felt were sort of the most important things that they saw over the course of the past year. You know, we talk about ransomware. We talk about mobile. We talk about the types of attacks that just are constantly washing up on the shores of everyone's firewalls that just kind of come from the internet. We talk about misconfigurations and other goof-ups that can lead to big breaches in cloud operations.
Carole Theriault: [00:20:24] I feel like you're teasing us. I think we should probably go into, like, the meat of it. What do you think were the biggest highlights?
Andrew Brandt: [00:20:31] Sure. I'll give you one big example, which is that we have a team of people that just work on a segment of the product that is particularly focused on blocking and stopping ransomware attacks, which are obviously, like, a pretty huge and scary problem for companies of all sizes. We don't see quite so many ransomware attacks that target individuals. We see that the criminals have realized that they can make a lot more money by targeting organizations that have the deep pockets to pay the ransom but may not have the technical expertise to recover themselves quickly enough to sort of restore business operations. And it becomes a strategic game for the ransomware operators, where they're trying to do just enough damage that they push people into the paying the ransom decision instead of just trying to fix it themselves by recovering from backups or, you know, what have you.
Andrew Brandt: [00:21:29] You can break out most ransomware behaviors into some small subsets of categories. Like, for example, there's ransomware that renames the files before it encrypts them. Why would that matter? Might matter because even if the ransomware is not able to do the encrypting, it still renders the files not double-clickable, right?
Carole Theriault: [00:21:52] Yeah.
Andrew Brandt: [00:21:52] So it might take away the file suffix that associates a Word document with Microsoft Word. And then all of a sudden, you know, even though it's not encrypted, you might be convinced to pay anyway.
Carole Theriault: [00:22:04] Oh, that's like a - such a cheap trick. You would really be annoyed by that, wouldn't you?
Andrew Brandt: [00:22:09] I think if I found out that it wasn't actually encrypted but they just renamed the files, yeah, I would be annoyed if I paid the ransom.
Carole Theriault: [00:22:16] (Laughter) Yeah, I know. But can you imagine going through all your files and figuring out what kind of file it was to be - actually be able to relabel it?
Andrew Brandt: [00:22:23] Oh, it's a nightmare. It's a nightmare.
Carole Theriault: [00:22:25] Yeah, yeah.
Andrew Brandt: [00:22:25] Now, I'm sure there are tools that can do that. But, boy, what a pain in the butt to do it on 10,000...
Carole Theriault: [00:22:29] Yep.
Andrew Brandt: [00:22:29] ...Machines across, you know, an enterprise.
Andrew Brandt: [00:22:33] We do a lot of work on mobile malware as well. One of the interesting things that we came across this year in the mobile space is that there are companies out there who have created sort of a unique business model where the effect is definitely undesirable. There's nothing potential about it. This is definitely unwanted software. But what they do is they offer free trials of simple tools, like a compass or a flashlight or photo filters, for your phone. You can download it and run the app for three days, and it doesn't charge you anything. But if you allow the app to remain on your phone and/or even if you remove the app but you don't tell the company that you've removed the app, they will charge upwards of $200 for a flashlight app.
Carole Theriault: [00:23:20] That's outrageous. That would be so upsetting.
Andrew Brandt: [00:23:22] It is. It's terrible. We've coined the term fleeceware for this type of app because it's not a potentially unwanted app. It's not adware that you can just get rid of. And it's not malware that's stealing information from you. You are intentionally installing this thing. It's just that their business model is centered around people not paying attention and not reading the fine print.
Carole Theriault: [00:23:42] Yeah. I mean, that's something I talk about a lot - is reading the fine print. And I once was on some BBC radio program talking about it, and the interviewer told me, who does that? And who does that? I said, honestly, I do now. I really do.
Andrew Brandt: [00:23:56] Yeah, it's terrible. And I'm the kind of person who reads those things, as well. I will actually read through an entire end-user license agreement. The problem that I have is that sometimes they're printed in a box where you can only see seven or eight words at a time, and you have to scroll for 10 minutes to be able to read the whole thing.
Andrew Brandt: [00:24:14] What people are having to deal with today is this sort of growing ecosystem of criminals coming up with interesting ways to circumvent the rules that Google has set up to prevent people from getting scammed on Google Play.
Carole Theriault: [00:24:28] Exactly. It's true. Yeah, fleeceware - I think your word is very apt. I really like it, actually. Especially, I'm particularly interested if you've seen any changes in how people are targeted, so perhaps phished or vished or anything like that.
Andrew Brandt: [00:24:43] Yeah. So one of the things that we talk about is this sort of relatively novel attack model, which has - it's become very quite vogue - automated active attacks, which is if you have a computer that someone on the outside of your organization might need to manage.
Andrew Brandt: [00:24:58] Say you've got something that helps control the air conditioning in your big office building and the company that manages your HVAC wants to be able to go in there and periodically check to make sure everything is working right. You know, legitimately, they may need to be able to log in to it periodically and update software or change settings, you know, if you call them because something's not working.
Andrew Brandt: [00:25:18] So those machines - they may sit there, you know, 24 hours a day, just waiting for someone to, you know, ring them up and log in. Well, if that machine is old, if it hasn't been managed, if - especially if it's owned by another company and you don't have the permissions to be able to do things like patches on it, these things become sort of ticking time bombs on your network, and they are, essentially, a back door to the network that's been left ajar. And people will take advantage of that to sneak in. And then once they gain a foothold on that machine, that machine's on the internal network. They will then use that to try to scan around and figure out what are the - sort of the most damaging things that they can do on the internal network - killing backups, turning off security features, disabling logging. And they spend a considerable amount of time poking around in the internal network, just manually trying to figure out how to make things as difficult as possible for anyone who would try to recover from a security incident.
Carole Theriault: [00:26:23] So from the findings that you found in the report, have you any advice for your average user and what things they can do?
Andrew Brandt: [00:26:30] Really, IT, and IT security, in particular, depends on, basically, everyone in the company is on the front lines. And they need people to be their eyes and ears. And if the employees feel that they're not being treated respectfully by the security folks, being told that, oh, that was a really dumb thing to do - anybody can be fooled by a phishing attack. Even I can be fooled. I have very nearly clicked malicious links, and I do this for a living. So if I can be fooled, anybody can be fooled. And so you should just be open to listening to people. And when they tell you something is going on that's not right, trust their instincts and at least take a look.
Carole Theriault: [00:27:10] Yeah. And if you're in IT, I dare say maybe go and read the threat report, right?
Andrew Brandt: [00:27:15] Absolutely. Well, we're going to encourage everyone to do that because, you know, the threat report is not just a bunch of speeds and feeds. It's a bunch of stories of bad things that have happened to good people and how you can basically avoid them by, you know, knowing what to look for.
Carole Theriault: [00:27:33] Andrew Brandt, thank you so much for making the time today. Andrew Brandt is a principal virus researcher with Sophos. This was Carole Theriault for "Hacking Humans."
Dave Bittner: [00:27:45] All right. Good stuff.
Joe Carrigan: [00:27:46] Yeah.
Dave Bittner: [00:27:46] Joe, what do you make of this?
Joe Carrigan: [00:27:48] I find it interesting. In the early part of the interview, Andrew talks about the problem that ransomware criminals have - right? - the economic problem that they have of finding the people who have enough money to pay the ransom but not enough technical sophistication to recover on their own.
Dave Bittner: [00:28:03] (Laughter) It's the Goldilocks problem.
Joe Carrigan: [00:28:04] It's - exactly, the Goldilocks - right. These people are just right.
Dave Bittner: [00:28:08] Yeah.
Joe Carrigan: [00:28:09] The trick of renaming files is a good one that he talks about, the ransomware going in and just renaming files, not really encrypting anything. But imagine that - trying to recover from that at scale.
Dave Bittner: [00:28:19] Yeah.
Joe Carrigan: [00:28:20] It may just be worth it to pay the ransom - right? - or to recover from backups. At that point in time, you've got - I mean, how many files do you interact with on a regular basis?
Dave Bittner: [00:28:28] Well, just think about all the - just the - think about the operating system files, you know?
Joe Carrigan: [00:28:32] Right.
Dave Bittner: [00:28:33] Yeah. I think that another good point is that something that doesn't get talked about very much is data integrity.
Joe Carrigan: [00:28:39] Yeah.
Dave Bittner: [00:28:40] What if someone doesn't just go in and encrypt your files, but they go in and they just change them a little bit.
Joe Carrigan: [00:28:45] Yup, yup.
Dave Bittner: [00:28:45] Go into a database and just start changing a few numbers here and there.
Joe Carrigan: [00:28:49] I've mentioned that before that...
Dave Bittner: [00:28:50] How do you know? Yeah.
Joe Carrigan: [00:28:51] ...That's something that Avi Rubin has speculated is going to be the next big thing is ransomware is just going to be, I change your data, and you need to give me the money to get it back.
Dave Bittner: [00:29:00] Yeah.
Joe Carrigan: [00:29:00] Fleeceware apps are terrible apps developed by horrible people.
Dave Bittner: [00:29:05] (Laughter).
Joe Carrigan: [00:29:06] But I like the term fleeceware apps. That's a good one. I'm going to go ahead and make that judgment call. I'm going out on a limb here, Dave.
Dave Bittner: [00:29:13] (Laughter) Yeah, yeah. Always the controversial opinion from you, Joe.
Joe Carrigan: [00:29:17] Right, yeah. Well, sometimes I do have controversial opinions, but I don't think this one is very controversial.
Dave Bittner: [00:29:21] Yeah. Isn't fleecewear what you order from, like, Lands' End...
Joe Carrigan: [00:29:24] Right, yeah. It's...
Dave Bittner: [00:29:25] ...When you want something comfortable for the wintertime?
Joe Carrigan: [00:29:26] My hoodie is fleecewear.
Dave Bittner: [00:29:27] (Laughter).
Joe Carrigan: [00:29:27] EULAs are notoriously difficult to read. And there has to be some way to make them easier. Now, I was reading someone's EULA. I can't remember who it was, but they actually had - above all the legalese, they had something called TLDR, which stands for too long, didn't read.
Dave Bittner: [00:29:43] Right.
Joe Carrigan: [00:29:44] It just said in plain English what the section below meant - pretty good.
Dave Bittner: [00:29:47] Yeah. Probably made a bunch of lawyers nervous, but so be it.
Joe Carrigan: [00:29:50] Right, right.
Joe Carrigan: [00:29:51] So be it, exactly. And there's Dave's controversial opinion today.
Dave Bittner: [00:29:54] That's why they get the big bucks, yeah.
Joe Carrigan: [00:29:56] The automated active attacks that he talks about - in the example that Andrew cites, going into an HVAC vendor's access point, you know, access method - whatever - that's exactly how Target got compromised.
Dave Bittner: [00:30:07] Yeah.
Joe Carrigan: [00:30:07] They didn't segment their network properly. The attackers found the entry point from an HVAC vendor. They jumped across the point of sale systems and just started harvesting credit cards. And they started harvesting credit cards at the holiday season. They were in there, like, in July, and they didn't start harvesting them right away. They waited until they knew Target was going to be very busy and could not afford to shut down.
Dave Bittner: [00:30:28] Biding their time.
Joe Carrigan: [00:30:30] And I think one of the most important points that Andrew says here is that everyone in the company is on the front lines of the security organization and that security operations people should not be condescending to users. That's counterproductive. I think that's sage advice.
Joe Carrigan: [00:30:44] I don't know how often this happens anymore. I mean, it used to happen frequently when I would talk with other people, but I don't know in the real world how much this happens anymore. I would like to think that it doesn't happen much - that everybody understands that we're all susceptible to these kinds of things. Everybody has some kind of trigger that's going to make them fall for some kind of phishing email or some scam.
Dave Bittner: [00:31:06] Yeah. I would say I think that's something that an organization needs to be mindful of.
Joe Carrigan: [00:31:11] Agreed.
Dave Bittner: [00:31:11] That if you have security ops people who look down their noses at the rest of the people in your organization, that's a change that needs to be made.
Joe Carrigan: [00:31:21] It is. It absolutely is a change to be made.
Dave Bittner: [00:31:21] That's going to come back and bite you in the butt.
Joe Carrigan: [00:31:23] That is a risk that you have, whether you know it or not.
Dave Bittner: [00:31:27] And train everybody up. Just make sure that...
Joe Carrigan: [00:31:29] Training - training's the answer.
Dave Bittner: [00:31:29] Yeah, yeah. All right. Well, again, always great to have Carole Theriault back on the show. We want to thank her. And, of course, we want to thank Andrew for taking the time to speak to us from Sophos. And we want to thank all of you for listening.
Dave Bittner: [00:31:43] We want to thank our sponsors, KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:32:06] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:32:19] And I'm Joe Carrigan.
Dave Bittner: [00:32:20] Thanks for listening.