I wouldn't want my computer to be disappointed.
Anna Collard: [00:00:00] A lot of the scams do come out of Nigeria. Interestingly enough, though, Nigeria is usually one of the countries that is the worst affected by cybercrime itself.
Dave Bittner: [00:00:09] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where, each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:28] Hi, Dave.
Dave Bittner: [00:00:29] Got some good stories to share this week. And later in the show, my conversation with Anna Collard. She's the founder of a security content publisher called Popcorn Training. They're a South African company, and they promote cybersecurity awareness using story-based techniques. Our conversation centers on the state of cybersecurity in Africa - really interesting stuff. But first, a word from our sponsors at KnowBe4.
Dave Bittner: [00:00:53] So how do you train people to recognize and resist social engineering? There are some things people think. Test them. And if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how about it? What do you think - carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.
Dave Bittner: [00:01:29] And we are back. Joe, I am going to kick things off this week with some good news.
Joe Carrigan: [00:01:34] OK.
Dave Bittner: [00:01:35] This is a story...
Joe Carrigan: [00:01:35] I'm like, finally (laughter).
Dave Bittner: [00:01:37] Yeah, I know - at last. This is a story from Ars Technica written by Timothy B. Lee. The title is "DOJ Sues U.S. Telecom Providers for Connecting Indian Robocall Scammers."
Joe Carrigan: [00:01:48] Aha - at last. This is good news.
Dave Bittner: [00:01:50] Yes, it is. So the U.S. Department of Justice has filed some lawsuits against a pair of telecommunications providers. Now - boy, this - getting into this story has really been an education for me...
Joe Carrigan: [00:02:04] Really?
Dave Bittner: [00:02:05] ...Because - well, I have wondered for a long time, as you and I have been covering these stories, how do these fraudsters get access to our phone system? And why don't the carriers shut it down?
Joe Carrigan: [00:02:17] Right.
Dave Bittner: [00:02:18] If you're out there making millions of calls, you figure AT&T is going to notice that...
Joe Carrigan: [00:02:23] Right.
Dave Bittner: [00:02:23] ...And turn off your switch.
Joe Carrigan: [00:02:25] Yep.
Dave Bittner: [00:02:25] So this story was just the excuse I needed to dig in and figure out why that's happening and how that's happening. But before we get to that, the story is they've shut down a couple of companies - or they're asking to shut down a couple of companies. One of them, a judge has already issued a restraining order against them. They say one of these companies, called TollFreeDeals...
Joe Carrigan: [00:02:46] Right.
Dave Bittner: [00:02:47] ...Over a 23-day period in May and June of last year, they connected 720 million calls to U.S. numbers.
Joe Carrigan: [00:02:54] OK. So this is a company that connects calls to U.S. numbers?
Dave Bittner: [00:02:57] Correct. So here's how it works...
Joe Carrigan: [00:02:59] So their customers are the scammers?
Dave Bittner: [00:03:01] Yes...
Joe Carrigan: [00:03:01] OK.
Dave Bittner: [00:03:01] ...Their customers are the scammers. And in this case, it was call centers out of India who, on their own, do not have access to the U.S. phone system.
Joe Carrigan: [00:03:09] I see.
Dave Bittner: [00:03:10] So what they do is they contract with a company like, allegedly, TollFreeDeals.
Joe Carrigan: [00:03:16] Right.
Dave Bittner: [00:03:16] And TollFreeDeals has access to our phone system. Now, how do you suppose a company like TollFreeDeals has access to our phone system, Joe?
Joe Carrigan: [00:03:25] They're here in the U.S....
Dave Bittner: [00:03:27] Right.
Joe Carrigan: [00:03:27] ...And they provide some kind of Voice over IP connection to India.
Dave Bittner: [00:03:30] That is correct.
Joe Carrigan: [00:03:31] OK.
Dave Bittner: [00:03:32] However, here's some of the things that I learned that were surprising to me. Both of these companies are run out of people's homes.
Joe Carrigan: [00:03:40] Really?
Dave Bittner: [00:03:41] Yes. (Laughter) They're run out of people's homes. So basically, with a few computers and a high-speed internet connection, you, too, can be a scam provider or provide the mechanism by which scammers can have access to our phone system.
Joe Carrigan: [00:03:56] Really? Now, hold on, Dave. Now, these guys aren't really providing scams...
Dave Bittner: [00:03:59] Nope.
Joe Carrigan: [00:03:59] ...They're just providing a service. Right?
Dave Bittner: [00:04:01] Correct.
Joe Carrigan: [00:04:01] Yeah.
Dave Bittner: [00:04:01] They are merely passing through.
Joe Carrigan: [00:04:03] Thinking about how I can rationalize this for my own gain.
Dave Bittner: [00:04:06] (Laughter) Well, that's what they were trying to do, as well.
Joe Carrigan: [00:04:08] Right.
Dave Bittner: [00:04:08] And the Department of Justice has had enough of it.
Joe Carrigan: [00:04:11] Oh, OK.
Dave Bittner: [00:04:11] So...
Joe Carrigan: [00:04:11] Then I won't do it (laughter).
Dave Bittner: [00:04:12] Yeah. And so these folks, they'd set up their service. They would market to these people overseas...
Joe Carrigan: [00:04:17] Right.
Dave Bittner: [00:04:18] ...And say, hey, you looking for somebody who's willing to look the other way?
Joe Carrigan: [00:04:21] Yeah.
Dave Bittner: [00:04:23] That's us. And that's what they would do. And I'll - we'll have a link to the full complaint from the DOJ on it. If you are interested in these sorts of things, this is a really interesting education on that. I'll just share a couple of things I learned here. One of the folks who's prosecuting this case - there's a quote here. He says, "in the course of this investigation, I learned that with little more than off-the-shelf Voice over IP technology, an autodialer and a business relationship with a gateway carrier, any individual or entity with a broadband internet connection can introduce unlimited number of robocalls into the U.S. telephone system from any location in the world." Think about that.
Joe Carrigan: [00:05:03] Yeah.
Dave Bittner: [00:05:04] (Laughter) Now, how does it work? This is the part that I did not understand. And this is the part I spent a good amount of time reading this DOJ complaint to get the answer to.
Joe Carrigan: [00:05:14] I am looking forward to this part of the podcast, Dave.
Dave Bittner: [00:05:16] So it turns out that there is a thing called least-cost routing. And this is an automatic routing system where - let's say I want to make a VoIP call - right...
Joe Carrigan: [00:05:28] Right.
Dave Bittner: [00:05:28] ...Voice over IP phone call. I reach out, and I put the word out using this automated system, the - I'm not going to get into the technical details - but the system by which these calls make their way through our system. Right? Basically, I put out the word. This is a lot like sending out a request to access a webpage.
Joe Carrigan: [00:05:46] So it's like - this is like the DNS request.
Dave Bittner: [00:05:59] Correct. I send out a request, and I say I would like to make this phone call. So that phone call gets sent out to a bunch of what are called Level 2 providers. And they basically bid on that. And they say, oh, OK. We - I can connect you to a Level 3 provider. And the Level 3 providers then bid on that. And then the Level 3 providers connect you to the Level 4 providers, which are the people like AT&T - the big names, the common carriers. So the common carriers are several layers down the road...
Joe Carrigan: [00:06:21] Right.
Dave Bittner: [00:06:21] ...From the person making the request. And because of that, it basically hides where the original source of the call is. And that's one of the reasons why it's hard for people like AT&T to put a stop to this - because they have to use something called a traceback, which is a process by which - it's exactly what it sounds like - they have to trace back the call through all the different providers and try to figure out where the original source was.
Joe Carrigan: [00:06:49] Right.
Dave Bittner: [00:06:50] And that is an expensive and time-consuming process. And in this case, the Justice Department found that it was worth it...
Joe Carrigan: [00:06:56] Right.
Dave Bittner: [00:06:57] ...Because they went after and they found these two providers who were...
Joe Carrigan: [00:07:01] And these are Level 2 providers, right?
Dave Bittner: [00:07:03] They're actually Level 1 providers.
Joe Carrigan: [00:07:04] The Level 1 providers, these are the gateways.
Dave Bittner: [00:07:06] Right. So the foreign callers...
Joe Carrigan: [00:07:07] Contract with Level 1.
Dave Bittner: [00:07:08] ...Contract with these folks that the DOJ's going after. They're Level 1. They go to Level 2. Level 3 goes to Level 3. Level 3 goes to Level 4. Level 4 connects them with your phone or mine. So there's a whole lot of stuff in between the request to make the call and the actual call happening.
Joe Carrigan: [00:07:25] The request to make the call activates the entire process, it sounds like...
Dave Bittner: [00:07:28] Correct.
Joe Carrigan: [00:07:28] ...Except for the getting to the final network that we're on.
Dave Bittner: [00:07:31] Yeah. And it's all automated.
Joe Carrigan: [00:07:33] Right.
Dave Bittner: [00:07:33] All automated. So the folks that the DOJ are going after, they had received countless complaints.
Joe Carrigan: [00:07:40] Yeah. Well, that's one of their biggest source of complaints, is these robocalls.
Dave Bittner: [00:07:43] Right, right.
Joe Carrigan: [00:07:44] They get, like, millions of complaints a year.
Dave Bittner: [00:07:46] Right. In other words, AT&T has gone all the way back to the Level 1 provider and said, hey, knock it off.
Joe Carrigan: [00:07:51] Right.
Dave Bittner: [00:07:52] And the Level 1 provider, they would say - oh, OK, we'll - we won't take calls from that number anymore. But of course, the bad guys overseas, they just change the number...
Joe Carrigan: [00:08:02] Right.
Dave Bittner: [00:08:02] ...Because changing a phone number in a VoIP situation is routine. There's...
Joe Carrigan: [00:08:05] Yeah.
Dave Bittner: [00:08:06] ...Nothing to it.
Joe Carrigan: [00:08:06] Right.
Dave Bittner: [00:08:07] So basically, it's gotten to the point where the DOJ are going after these folks, trying to shut them down. And it sounds like the scale of this, where you have a couple of providers sending hundreds of millions of calls...
Joe Carrigan: [00:08:20] Right.
Dave Bittner: [00:08:20] ...Over short periods of time - I don't know - I'm kind of hopeful that maybe they can do something about this.
Joe Carrigan: [00:08:26] Yeah. I don't know.
Dave Bittner: [00:08:27] What do you think?
Joe Carrigan: [00:08:28] Well, I'm not an expert in this phone system thing.
Dave Bittner: [00:08:29] Yeah.
Joe Carrigan: [00:08:29] But it seems like the simple thing to do is to regulate these Level 1 providers.
Dave Bittner: [00:08:34] Mmm hmm.
Joe Carrigan: [00:08:34] And that seems like where I would start.
Dave Bittner: [00:08:36] Yeah.
Joe Carrigan: [00:08:37] Maybe there's already regulation, and that's what the DOJ is trying to do here - is enforce that regulation. I'm not really familiar with all this stuff. I'm almost ashamed to admit it, Dave, but I would - I know a lot less than I'd like to about this.
Dave Bittner: [00:08:46] (Laughter) Well, you know...
Joe Carrigan: [00:08:48] 'Cause this is fascinating.
Dave Bittner: [00:08:49] Right. Well, maybe the word goes out to these folks that, hey, this is no longer a good business to be in.
Joe Carrigan: [00:08:54] Right.
Dave Bittner: [00:08:54] So if you are in this business, we're coming after you.
Joe Carrigan: [00:08:57] Right.
Dave Bittner: [00:08:58] So knock it off. Time to move on to something else - which is not to say that the bad guys aren't going to find another way into our system.
Joe Carrigan: [00:09:03] Well, it depends entirely upon what the penalties are here. Right?
Dave Bittner: [00:09:06] Yeah.
Joe Carrigan: [00:09:06] If the DOJ says, well, we're going to fine you $10,000 and you're going to shut down the business, then that corporation goes - OK, here's $10,000. Goodbye. We're going to shut down. But those people go and they fire up another corporation.
Dave Bittner: [00:09:16] Right.
Joe Carrigan: [00:09:17] Right? And they do it again until they get fined another $10,000. If the penalties are now you have to pay a million dollars and you're going to be going to jail for a couple of years...
Dave Bittner: [00:09:25] Right, right.
Joe Carrigan: [00:09:26] ...That's a different proposition.
Dave Bittner: [00:09:27] Yeah. Now, I don't see anything in this complaint about jail time. It seems like...
Joe Carrigan: [00:09:30] There probably isn't jail time for this.
Dave Bittner: [00:09:32] Right. It seems like what they're doing at this stage is trying to get them to knock it off.
Joe Carrigan: [00:09:36] Yeah.
Dave Bittner: [00:09:36] So...
Joe Carrigan: [00:09:37] This might be a civil complaint, actually.
Dave Bittner: [00:09:38] Yep. All right. Well, that is my story. It's an interesting one. We'll have links to both the story from Ars Technica and the DOJ complaint here if you want to check that out. I think it's an interesting read, but I'm into this sort of thing. So...
Joe Carrigan: [00:09:50] Yes.
Dave Bittner: [00:09:51] What do you have for us this week, Joe?
Joe Carrigan: [00:09:53] Dave, I got a good one. This one comes from Tatyana Sidorina at Kaspersky Labs. And she has a blog post there. Over at Kaspersky, they found a website claiming to be the site of a personal data protection fund created by the U.S. Trading Commission...
Dave Bittner: [00:10:08] All right.
Joe Carrigan: [00:10:09] ...Which does not exist.
Dave Bittner: [00:10:10] OK (laughter).
Joe Carrigan: [00:10:11] So that's the first good part of this - U.S. Trading Commission.
Dave Bittner: [00:10:14] OK.
Joe Carrigan: [00:10:14] It's a good looking site. Right? So if you go to this - we'll put a link in the show notes. But if you go read the article - the blog post, it's - the site looks like it could be a U.S. government site. It looks very similar to the Social Security Administration's website. But it doesn't purport to be that. It purports to be from the U.S. Trading Commission. And there is a large dollar amount on the right hand side. It's in the $4 billion range. And this is allegedly the amount of money that is set up in this fund to give out. And there's a banner at the top of the page that says, the fund awards compensations for leaked personal data. And it doesn't matter what citizen you're a country of, you can apply.
Dave Bittner: [00:10:50] OK.
Joe Carrigan: [00:10:51] So anybody can apply to get money from the U.S. government for leaked data. And of course, then the site offers to check to see if your data has ever been leaked. Right?
Dave Bittner: [00:11:01] (Laughter).
Joe Carrigan: [00:11:02] All you need to provide is this simple set of information - your last name, your first name, your phone number and your social media accounts.
Dave Bittner: [00:11:08] Oh.
Joe Carrigan: [00:11:09] Right? Red flag No. 1 - what does the government need with my social media accounts? What if I don't have social media accounts, all this other stuff? I mean, it's obviously just trying to gather the information about people. Now, Dave, before you get any big ideas, the site warns you that entering other people's information will result in a severe penalty.
Dave Bittner: [00:11:28] Oh, OK.
Joe Carrigan: [00:11:28] OK? So don't do that.
Dave Bittner: [00:11:30] All right.
Joe Carrigan: [00:11:30] Right? The website does, however, accept any information, including garbage. And the researchers at Kaspersky entered a citizen named Fghfgh Fghfgh, who I'm going to pronounce figfig figfig (ph).
Dave Bittner: [00:11:45] Right, OK.
Joe Carrigan: [00:11:46] Right.
Dave Bittner: [00:11:46] Just smashing on the keyboard.
Joe Carrigan: [00:11:47] Now, when they enter the information for Fghfgh Fghfgh, the site sits there and it ponders for a while. Right? It does, like, this little thing like, I'm connecting to the database; hold on. Have you ever seen this on a website?
Dave Bittner: [00:11:57] Oh, yeah.
Joe Carrigan: [00:11:59] That is BS, Dave. This - that is not how connecting to a database works. It is almost instantaneous. If you're looking something up and you have a properly configured database, that will happen within milliseconds.
Dave Bittner: [00:12:10] Right.
Joe Carrigan: [00:12:10] Right?
Dave Bittner: [00:12:11] But this is building up the excitement.
Joe Carrigan: [00:12:13] Yeah, this - exactly.
Dave Bittner: [00:12:13] I'm going to get some money.
Joe Carrigan: [00:12:14] This is a common technique. And they - and it's used by legitimate websites, too, to make you wait for the answer so that you think it's actually working on something. Well, look how much work they're putting into this. Oh, there must be guys in the back room tapping away on keyboards.
Dave Bittner: [00:12:26] Right.
Joe Carrigan: [00:12:27] No, you're looking at a - either a flash animation or a gif or something.
Dave Bittner: [00:12:31] I think about that thing from the old original "Star Trek," when they would ask the computer a question and you'd hear the sound of solenoids, like, working, working. Right? That's what's going on in the background.
Joe Carrigan: [00:12:42] Well, anyway, lo and behold, they found that this fictional character Fghfgh Fghfgh had indeed had their data leaked. Furthermore, it turned out that somebody had already used their photos, videos and contact information.
Dave Bittner: [00:12:54] Uh-oh.
Joe Carrigan: [00:12:54] So things are looking bad for Fghfgh Fghfgh. But he was entitled to a reward in excess of $2,500.
Dave Bittner: [00:13:00] Oh...
Joe Carrigan: [00:13:01] So...
Dave Bittner: [00:13:01] ...Happy ending.
Joe Carrigan: [00:13:02] Great. Send me a check, right?
Dave Bittner: [00:13:03] Uh-huh.
Joe Carrigan: [00:13:04] Not so fast. The fund can't send you a check without knowing your Social Security number - ahaha (ph). What if you don't live in the U.S. or you're not a citizen of the U.S....
Dave Bittner: [00:13:14] Right.
Joe Carrigan: [00:13:14] ...You don't have a Social Security number?
Dave Bittner: [00:13:16] You're out of luck.
Joe Carrigan: [00:13:16] Don't worry. There's a checkbox there that says, I apostrophe am don't have SSN.
Dave Bittner: [00:13:23] Uh-huh.
Joe Carrigan: [00:13:24] I don't know how to read that. It's really bad English.
Dave Bittner: [00:13:26] (Laughter) Sounds like something Popeye would say.
Joe Carrigan: [00:13:28] Right.
Dave Bittner: [00:13:28] Yeah.
Joe Carrigan: [00:13:29] And you can get a Social Security number for the low, low price of $9.
Dave Bittner: [00:13:34] What?
Joe Carrigan: [00:13:35] Nine bucks - you can buy a temporary Social Security number from this website, Dave.
Dave Bittner: [00:13:38] That's a bargain at twice the price.
Joe Carrigan: [00:13:39] Right. Of course, there is no such thing as a temporary Social Security number. The U.S. government does not offer temporary Social Security numbers. They are permanent markers, which is actually one of the problems with them. And this is just completely a scam.
Dave Bittner: [00:13:50] Yeah.
Joe Carrigan: [00:13:50] If you do try to complete this transaction without buying an SSN, it'll return an error. It'll say nope, you have to buy a temporary SSN. Even if you enter a valid Social Security number, it still says you need to buy a temporary one. Right? So then they're going to process a $9 payment, presumably, on this card.
Dave Bittner: [00:14:07] Right.
Joe Carrigan: [00:14:09] And that is probably to validate that the card is good right before they steal it and then go sell it to somebody else.
Dave Bittner: [00:14:16] (Laughter) Right. You're right.
Joe Carrigan: [00:14:16] That's my guess what the payoff is here.
Dave Bittner: [00:14:19] Yeah. So this notion that the U.S. Trading Commission is - somehow has this big pool of money to compensate people who've...
Joe Carrigan: [00:14:27] Right.
Dave Bittner: [00:14:28] Yeah.
Joe Carrigan: [00:14:29] They're using the old - hey, you have some money coming to you. I don't want to say it's like the Nigerian prince scam because it actually seems a lot more plausible than that.
Dave Bittner: [00:14:36] Yeah.
Joe Carrigan: [00:14:36] We've all had our data breached. Everybody's had their data breached.
Dave Bittner: [00:14:39] All right. Well, it is time to move on to our Catch of the Day.
[00:14:42] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:14:45] Our Catch of the Day comes from scammerinfo.com. There's a user there named Jerry Kan (ph), and he sent out this - well, I guess this is a Windows pop-up message - right, Joe?
Joe Carrigan: [00:14:55] It's a web browser pop-up message...
Dave Bittner: [00:14:58] OK.
Joe Carrigan: [00:14:58] ...From Microsoft Edge.
Dave Bittner: [00:14:59] I see. And it goes like this. (Reading) Windows Security, Microsoft Edge - the server partnerincrime.tech is asking for your username and password.
Joe Carrigan: [00:15:09] That doesn't sound suspicious at all, does it?
Dave Bittner: [00:15:10] No, partnerincrime.tech - totally legit. That server also reports suspicious movements detected at your IP address due to a destructive infection on your PC. Call toll free for help. Your information is at real risk. Due to a dangerous infection, a computer framework record is missing, debug malware errors and framework disappointments - framework disappointments, that's so sad.
Joe Carrigan: [00:15:33] (Laughter).
Dave Bittner: [00:15:33] I wouldn't want my computer to be disappointed.
Joe Carrigan: [00:15:34] No.
Dave Bittner: [00:15:35] Contact the computer experts on the toll-free hotline. Do not shut down or restart your computer. Otherwise, data loss and operating system failure may occur. Full data loss - full data loss. Contact the administrator department to solve the problem for free. Warning - your username and password will be sent using basic authentication on a connection that isn't secure. What?
Joe Carrigan: [00:15:58] OK. So...
Dave Bittner: [00:15:58] (Laughter).
Joe Carrigan: [00:15:58] ...This part here that says warning - the warning part is actually from Microsoft Edge, right?
Dave Bittner: [00:16:04] Oh (laughter).
Joe Carrigan: [00:16:06] So...
Dave Bittner: [00:16:06] So they got caught in their own - oh, all right. Go on. Explain please.
Joe Carrigan: [00:16:11] So this is a security window from Microsoft Edge - a dialog box that's popped up. And it's telling you the server partnerincrime.tech is asking for your username and password.
Dave Bittner: [00:16:19] Yeah.
Joe Carrigan: [00:16:20] And then there's just a text field that they can send along with that, which is the - you know, all the fear, uncertainty and doubt about your computer being hacked.
Dave Bittner: [00:16:27] Right.
Joe Carrigan: [00:16:27] And then after that, Edge is saying - warning, your username and password will be sent using basic authentication on a connection that isn't secure.
Dave Bittner: [00:16:35] Ah, I see.
Joe Carrigan: [00:16:35] So this is a mishmash of things going on here. I thought it was great.
Dave Bittner: [00:16:41] Yeah.
Joe Carrigan: [00:16:41] Partnersincrime.tech.
Dave Bittner: [00:16:43] Yeah, yeah. You know, you'd think if you're a bad guy...
Joe Carrigan: [00:16:46] Right (laughter).
Dave Bittner: [00:16:47] And you're out there naming - you're choosing your domain name, thinking - what would throw people off the trail? - I wouldn't think this would be it.
Joe Carrigan: [00:16:56] No.
Dave Bittner: [00:16:57] But I guess...
Joe Carrigan: [00:16:57] I'd be totallylegittechsupportservices...
Dave Bittner: [00:17:00] Yeah, absolutely.
Joe Carrigan: [00:17:01] ...Dot com.
Dave Bittner: [00:17:02] Right. Red Rubber Balls or something...
Joe Carrigan: [00:17:03] Right.
Dave Bittner: [00:17:04] ...You know, something completely random. I don't know (laughter).
Joe Carrigan: [00:17:07] Yeah. But this is not it. Partnersincrime - bad idea.
Dave Bittner: [00:17:09] Yeah. Yeah. All right. Well (laughter), that is our Catch of the Day. Coming up next, my interview with Anna Collard. She is the founder of a security content publisher called Popcorn Training. They focus on cybersecurity awareness in South Africa. But first, a word from our sponsors KnowBe4.
Dave Bittner: [00:17:30] Let's return to our sponsor KnowBe4's question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives at KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news - that's knowbe4.com/news.
Dave Bittner: [00:18:18] And we are back. Joe, I recently had the pleasure of speaking with Anna Collard. She comes to us from South Africa. Her company is called Popcorn Training, and they focus on cybersecurity awareness. Full disclosure - Popcorn Training was purchased by our sponsor KnowBe4. Actually, that's how we met Anna Collard - was when you and I were at the KnowBe4 conference...
Joe Carrigan: [00:18:39] Oh, yes.
Dave Bittner: [00:18:40] ...Last year, crossed paths with her and thought she'd make a good guest for the show. So here's my conversation with Anna Collard.
Anna Collard: [00:18:47] So Africa - at the moment, we'd be looking at about 1.3 billion people. And of those, about 40% are connected at the moment. That's - that number is going to double in the next two years. So we're seeing an explosion of people coming online, and because of the sort of - you know, the lack of infrastructure, a lot of those people that come online are using their smartphones or mobile devices because there's just not that infrastructure and will be first-time users. So you're talking about people who will use their mobile devices for, let's say, payments or mobile banking but that would have never been exposed to any sort of awareness or education when it comes to using online banking even on a computer or a laptop.
Anna Collard: [00:19:31] So it's a massive opportunity but, at the same time, a massive risk. It's like a ticking time bomb. You know, you have, like, all these people coming online. And again, another very specific African thing that's going on here is that - and I believe, like, sub-Saharan Africa is the region with the most payments done on mobile devices globally. So if you look at South Africa, for example, 90% of people use online banking. And, like, a large portion of those - including myself, by the way - we do it all by apps on your phone.
Anna Collard: [00:20:02] The other interesting thing that came out of the survey - and I've also seen it myself - is that, you know, email is sort of quite like a thing of the past a little bit. Like, if you want to get hold of someone in Kenya, you use WhatsApp. So 99% of people in Kenya use WhatsApp, and only - I think it's, like, 67% on email. And I know that, you know, we deal with a lot of partners and organizations. They - I can't get a hold of them on email, but I will get hold of them on WhatsApp.
Dave Bittner: [00:20:30] On this show, we talk a lot about scams, business email compromise, all those sorts of things. And it seems like a lot of that - the perception, anyway - is that a lot of that is coming out of Nigeria. Was there anything specific in your report that dealt with the situation in Nigeria?
Anna Collard: [00:20:47] It is true (laughter). A lot of the scams do come out of Nigeria. Interestingly enough, though, Nigeria is also one of the countries that is the worst affected by cybercrime itself. So, I mean, we only have numbers from 2017, so it's only going to be worse now. But then Nigeria lost about $650 million to cybercrime that's reported. You know, there's obviously way more that hasn't been reported. So they know that, you know, they sort of export the scams, but they also had the most opportunities.
Anna Collard: [00:21:16] So the government is - has luckily - Nigeria is one of the few countries that has put quite a lot of effort in place by introducing, you know, regulations and sort of law enforcement to curb cybercrime. And that's the other - you know, if you talk about Africa, why it is such a - it's - I always tell people, you know, cybercriminals love Africa. They're so attracted by it because, A, you have this sort of internet penetration that is above what, you know, cybercriminals would use as, like, a market entry.
Anna Collard: [00:21:46] I think they - soon as you have more than 20% penetration, it becomes an interesting market for them. You have the low level of sort of awareness and education. And then out of the 50-plus countries, we only have a handful that have introduced actual regulations to curb cybercrime. And a lot of that is obviously to do with governments having to fight bigger issues - you know, poverty and youth unemployment, et cetera. By the way, it's not just government. It's businesses as well. They haven't quite understood the urgency or the importance of fighting cybercrime.
Dave Bittner: [00:22:21] Where do you suppose that things are headed? I mean, we hear that Africa is going to continue to attract a lot of investment and will take more of its place on the global stage. Do you suppose that these nations will start to take notice of this, that they'll recognize that part of their place as global citizens is that they're going to have to put some regulations in place, things like that?
Anna Collard: [00:22:44] Definitely, and there are some positive stories, like Mauritius, for example. It's a tiny - you know, it's, like, an island country, but it's quite powerful in terms of the government's goals to become - like, they want to become a smart island. And they invest a lot of not just regulations and policies, but they actually invest in actual enforcement as well because that's - you know, that's always the second question. It's great to have a law and regulation in place. Like, South Africa's perfect in doing that. They have great policies in place, but it is very difficult to enforce them, or there's nobody around to physically enforce them. And with Mauritius, they're actually rated, I think, on a global scale within the top 10 countries in the world in terms of the proactivity and the embracement of fighting cybercrime.
Dave Bittner: [00:23:32] So what are some of the key take-homes from the report?
Anna Collard: [00:23:36] So the report has sort of confirmed that there is a definite need for more cybersecurity awareness. We had about 65% of people responding that they are concerned about cybercrime, and quite a large percentage of the respondents said they don't know what they should do about it. But what is most - I find personally, what is most interesting the results that this report showed was that you also get quite a large percentage of people that think they are sort of equipped or that they know what to do, but they actually don't.
Anna Collard: [00:24:05] So that's that whole concept of unconscious incompetence - you know, that quadrant where you kind of - you know what you don't know, but then you don't know you don't know. And that's a massive problem because you have people that think, well, everything's fine. And they aren't even aware of the problem itself or that they should educate themselves a bit more.
Anna Collard: [00:24:25] By the way - so the report - we had sort of a criteria that we would only interview or poll people that are currently employed. So those are professionals. We excluded people that are still in school or that are not employed. And already, that sort of gives - you know, that's, like, a possibly just the top of the crop kind of thing. But the people that responded, they said that about 60% felt the employers have done enough to, you know, raise awareness. But in the same token, 65% didn't know what a ransomware was. More than 50% had no idea what multi-factor authentication is or how you would use that.
Anna Collard: [00:25:03] And that's not just African problems. It's worldwide - right? - the rise in social engineering and phishing attacks and ransomware schemes. The need to put something as basic as two-factor authentication in place, especially if you do financial transaction on your mobile devices - it's so important. Yeah, and people just - you know, they think they know, but at the same time, when you ask those sort of qualifying questions, they didn't.
Anna Collard: [00:25:27] In summary, you know, it really is like a ticking time bomb unless we as, like, the industry are doing more to educate the end users because on the one hand side, you know, you have half a billion people that are coming online within the next two years. Most of them are first-time users. A lot of them are not even English-speaking, and a lot of the material out there is just available in English. So you have - you'd be dealing with a lack of awareness.
Anna Collard: [00:25:50] And then on the other hand, you've got them using mobile devices for financial purposes like banking and payments. Like, Africa's huge with cashless payments. And then you have - on the flipside, we've got sort of the increase in sophistication and phishing attacks, an increase in mobile malware attacks and a focus on Africa because it's such an attractive region for cybercriminals.
Dave Bittner: [00:26:14] All right. Joe, what do you think? Interesting, huh?
Joe Carrigan: [00:26:17] Very interesting. Forty percent of employed people online in Africa - and that number is going to double in short order.
Dave Bittner: [00:26:23] Yeah.
Joe Carrigan: [00:26:24] That does present a criminal goldmine opportunity.
Dave Bittner: [00:26:28] (Laughter).
Joe Carrigan: [00:26:29] I like the three factors that she points to for that - that it's got good and growing access - right? - it's got a lack of familiarity with the tech and there's little to no regulation.
Dave Bittner: [00:26:39] Yeah, and the other thing that stuck out to me was - is this idea that so little of the training out there or even just the information out there is available in anything but English, right? And I suppose you have things like Google Translate and all...
Joe Carrigan: [00:26:53] Right.
Dave Bittner: [00:26:53] ...That sort of thing. But I think it's easy for us here. The internet is - tends to be so centric to us and our needs, you know?
Joe Carrigan: [00:27:01] Right. Yeah.
Dave Bittner: [00:27:01] We don't even think about it.
Joe Carrigan: [00:27:02] Right.
Dave Bittner: [00:27:02] But if you're not...
Joe Carrigan: [00:27:03] Well, the internet was invented here in America.
Dave Bittner: [00:27:04] Yeah.
Joe Carrigan: [00:27:05] So...
Dave Bittner: [00:27:05] Yeah.
Joe Carrigan: [00:27:06] It's very interesting. I think, Dave, that this is a great opportunity in Africa. There is an opportunity here that needs to be seen, and that is to implement the security now. Now, the survey that Anna was talking about only surveyed employed people 40%, but overall, 13% of people in Africa have internet access. Now, that's low.
Dave Bittner: [00:27:24] Yeah.
Joe Carrigan: [00:27:24] Right? So if you look at it from an opportunity standpoint, now is the time for all these service providers, like the banking industry, any telecommunication industry, whatever - if you're offering a service to people in Africa, now is the time to implement things like multi-factor authentication...
Dave Bittner: [00:27:40] Yeah.
Joe Carrigan: [00:27:40] ...So that just becomes the norm...
Dave Bittner: [00:27:42] Yeah.
Joe Carrigan: [00:27:43] ...So that when people start using it, they learn how to use it with two-factor authentication.
Dave Bittner: [00:27:47] Yeah. Yeah, that's interesting. It reminds me of - I want to say a couple of decades ago, when the internet was really just spreading around the globe...
Joe Carrigan: [00:27:54] Right.
Dave Bittner: [00:27:54] ...That were some nations who were taking advantage of the fact that they didn't have to install copper infrastructure. They could go all wireless from the get-go...
Joe Carrigan: [00:28:02] Right. Yeah, that happened a lot in Asia.
Dave Bittner: [00:28:04] ...Save them a lot of money. Yeah.
Joe Carrigan: [00:28:05] Like, a lot of Korea is like that now.
Dave Bittner: [00:28:07] Yeah.
Joe Carrigan: [00:28:07] South Korea.
Dave Bittner: [00:28:08] Right, right. So you're not stuck with all that legacy stuff.
Joe Carrigan: [00:28:11] Right.
Dave Bittner: [00:28:11] Why not build in security from the get-go?
Joe Carrigan: [00:28:14] Correct.
Dave Bittner: [00:28:14] As people are learning, it's just a natural thing to them.
Joe Carrigan: [00:28:17] Yes, and that's exactly my point. I also found it interesting that Nigeria is a big victim of cybercrime as well. It makes sense.
Dave Bittner: [00:28:24] It does.
Joe Carrigan: [00:28:25] It also makes sense that Nigeria is kind of a continental leader in regulation of this kind of stuff as well.
Dave Bittner: [00:28:30] (Laughter) Yeah, I guess they have no choice. I mean...
Joe Carrigan: [00:28:33] Right. They have to be.
Dave Bittner: [00:28:33] Yeah, yeah, yeah.
Joe Carrigan: [00:28:34] You know, if they're going to be global players, they're going to have to solve that problem that is actually a blight on the rest of the world.
Dave Bittner: [00:28:40] Right. What's interesting about that to me is that you hear a lot about some of the bad actors in Russia.
Joe Carrigan: [00:28:47] Yeah.
Dave Bittner: [00:28:47] The government will turn a blind eye to them as long as they're not hitting Russians.
Joe Carrigan: [00:28:52] Russian targets, yeah.
Dave Bittner: [00:28:53] Right. So you hit overseas, and we won't come after you.
Joe Carrigan: [00:28:56] That's right.
Dave Bittner: [00:28:56] So that's interesting in contrast to what...
Joe Carrigan: [00:28:59] Yeah.
Dave Bittner: [00:28:59] ...Anna was describing here in Nigeria.
Joe Carrigan: [00:29:01] Yeah, Nigeria is not taking that stance. They're going after these guys.
Dave Bittner: [00:29:04] Yeah. By the way, the report that she references here, that is the 2019 KnowBe4 Africa Cybersecurity Awareness report. We'll have a link to that in the show notes. We want to thank Anna Collard for joining us, and of course, we want to thank all of you for listening. That is our show.
Dave Bittner: [00:29:20] We want to thank our sponsors KnowBe4. They are the social engineering experts and the pioneers of new school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:29:34] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:55] And I'm Joe Carrigan.
Dave Bittner: [00:29:56] Thanks for listening.