Christopher Hadnagy: [00:00:01] From attacking your grandma at home to corporate businesses with BEC scams, it's just nonstop. And these two vectors alone are billions of dollars a year.
Dave Bittner: [00:00:10] Hello, everyone. And welcome back to another episode of the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And there's no way I can do this all just by myself, so I'm joined by my co-host, Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:35] Hi, Dave.
Dave Bittner: [00:00:36] We've got some good stories to share this week. And later in the show, Christopher Hadnagy joins us. He's from Social-Engineer, LLC. He's got an update on the trends he's been tracking for social engineering.
Dave Bittner: [00:00:47] But before we get to all of that, a word from our sponsors, KnowBe4. So how do you train people to recognize and resist social engineering? Here are some things people think - test them, and if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how about it? What do you think - carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this podcast.
Dave Bittner: [00:01:27] And we are back. Joe, I have a weird one this week.
Joe Carrigan: [00:01:31] OK.
Dave Bittner: [00:01:31] (Laughter) This is very strange. One of our listeners reached out on Twitter. And he sent me a transcript of a voicemail message that he and one of his colleagues at work had received.
Joe Carrigan: [00:01:45] So both these guys independently received the email - or voicemail, right?
Dave Bittner: [00:01:48] Well, I think his colleague sent it on to him.
Joe Carrigan: [00:01:50] OK.
Dave Bittner: [00:01:51] Now, these guys work in IT, so they know what's going on, right?
Joe Carrigan: [00:01:54] Right.
Dave Bittner: [00:01:55] And I think we've all gotten dozens of these fake, phony voicemails that are trying to sell us one thing or another. And they're prerecorded.
Joe Carrigan: [00:02:04] Yep.
Dave Bittner: [00:02:04] And it's - you know, please call now from the - this is from the IRS. Call us now, or you will be in big trouble, right?
Joe Carrigan: [00:02:12] Right.
Dave Bittner: [00:02:12] It's that sort of thing.
Joe Carrigan: [00:02:13] Right.
Dave Bittner: [00:02:14] Well, it starts out that way. But then it takes a turn. So...
Joe Carrigan: [00:02:16] Does it?
Dave Bittner: [00:02:18] (Laughter) I'm just going to play it for you. Here's the voicemail message.
Computer-generated Voice: [00:02:21] Approved for the personal loan (unintelligible)...
Unidentified Person: [00:02:26] Excuse me. Hi there. I'm actually a scammer calling from India trying to steal your money. Usually, I'd like to try to make up a story like I'll pretend to be your bank threatening to shut off your debit card or maybe the IRS is going to arrest you or perhaps Microsoft wants to give you your money back or really any other bulls*** I can think of to try to get ahold of your bank account. What's that? You don't have any cash to give us? It's fine. We actually only take bitcoin or, in a pinch, iTunes gift cards. Whatever you do, though, don't bother calling this number back because we spoofed it trying to get you to answer the phone because you thought maybe somebody local was calling you. God, that trick is so 2009. Now, you might be thinking to yourself, hold up. This call actually sounds like a real person, though, not like those fake-sounding text-to-speech voices. Because I'm actually just a sad, dumb [expletive] with the moral backbone of a chocolate eclair. Anyway, sorry for the interruption. I'm going to go back to eating [expletive]. You have yourself a wonderful day.
Dave Bittner: [00:03:33] OK, then.
Joe Carrigan: [00:03:34] OK.
Dave Bittner: [00:03:35] (Laughter) I went back-and-forth with the person who sent this to us on Twitter. By the way, I am @Bittner on Twitter. Joe, what's your Twitter account?
Joe Carrigan: [00:03:41] I am @JTCarrigan.
Dave Bittner: [00:03:43] Right.
Joe Carrigan: [00:03:43] C-A-R-R-I-G-A-N.
Dave Bittner: [00:03:45] Shameless plug there for both of us.
Dave Bittner: [00:03:47] What could this possibly be? And the best - the conclusion we've come to is that someone hacked the hackers, someone hacked the scammers. And I think they inserted this message into the outgoing feed that these scammers send out without the scammers knowing it. So best I can guess is that somebody out there figured out how to get in there, replace the outgoing message that the scammers use, and they put this very colorful message in there. I'd say this is a little more colorful than probably was necessary.
Joe Carrigan: [00:04:20] Yes.
Dave Bittner: [00:04:20] (Laughter).
Joe Carrigan: [00:04:21] Yeah, I would agree with that.
Dave Bittner: [00:04:22] I mean, on the one hand, it still wastes people's time, money, resources, energy, whatever. On the other hand, it saves them from being scammed.
Joe Carrigan: [00:04:31] Yeah. It does...
Dave Bittner: [00:04:31] So...
Joe Carrigan: [00:04:32] ...Let them know that the call is a scam call. And it tells them, don't even bother calling back the number because we've spoofed it. Yeah, somebody's doing some good work here in kind of a crass and offensive way.
Dave Bittner: [00:04:41] (Laughter).
Joe Carrigan: [00:04:41] But this could have been done better. This is - technically, this is excellent. Execution - it could've been done better.
Dave Bittner: [00:04:48] Right, right. Perhaps a little nuance...
Joe Carrigan: [00:04:50] Right.
Dave Bittner: [00:04:50] ...A little better from the writing staff. But (laughter)...
Joe Carrigan: [00:04:53] Yeah, let me know. I'd be happy to help write the copy for this next time.
Dave Bittner: [00:04:56] But how interesting how the arms race goes on, right?
Joe Carrigan: [00:04:59] Yeah, yeah.
Dave Bittner: [00:04:59] The scammers go out. And someone, you know, goes and breaks into the scammer's system. And here we go, pingponging back-and-forth - very interesting. Well, thanks to our listener on Twitter who sent this to us. Joe, what do you have for us this week?
Joe Carrigan: [00:05:12] Dave, this week, I have a story from Lindsey O'Donnell at Threatpost. And she is talking about a new phishing campaign that was uncovered by Jan Kopriva. Jan put a post out on the Internet Storm Center. You frequently have Johannes Ullrich on.
Dave Bittner: [00:05:25] Right.
Joe Carrigan: [00:05:25] He runs the Internet Storm Center. It's part of SANS, which is a security training organization.
Dave Bittner: [00:05:31] Yep.
Joe Carrigan: [00:05:31] Actually, a top-rated security training organization.
Dave Bittner: [00:05:33] It's my second favorite daily cybersecurity podcast.
Joe Carrigan: [00:05:36] So the story is there's this phishing campaign that looks like a standard phishing campaign impersonating PayPal. It's not really PayPal, of course.
Dave Bittner: [00:05:44] Right.
Joe Carrigan: [00:05:44] But it starts with an email that says, we've limited access to your account because it was logged into from a new browser or a device. Of course, people are going to think, oh, no, what can I do, right? And, of course, there's actually a line - what do I need to do? - in the email.
Dave Bittner: [00:05:57] (Laughter) It's like they've anticipated your response.
Joe Carrigan: [00:05:59] That's right. And the user is instructed to click on a link that kind of looks like a button that says, secure and update my account now. This is not a link to PayPal, of course. And you should never click on links in emails. But it takes you to a Bitly link, right? Now, Bitly is a link shortening service.
Dave Bittner: [00:06:15] Right.
Joe Carrigan: [00:06:15] Every Bitly link will redirect you, but this one redirects you to an attacker-owned webpage that asks for a bunch of personal information. But it starts with just, log into PayPal, right? But it's not a PayPal login. You're not on PayPal at all.
Dave Bittner: [00:06:29] But it looks like PayPal?
Joe Carrigan: [00:06:30] It looks like it. So the first thing they do is they harvest your PayPal credentials, which is damaging.
Dave Bittner: [00:06:34] Yeah.
Joe Carrigan: [00:06:34] Right? So after you've entered your username and password for PayPal, you get a page that says, account locked, and then says, enter your billing information. And this page collects your name, address and telephone number. Now, if you enter that information, the next page asks you for your credit card details. And it says, enter the name on the card, the credit card number, the little code on the back, expiration date, all that stuff. If you enter that information, you get a pop-up window that says, what's your date of birth? What's your Social Security number? And what's your debit card PIN?
Dave Bittner: [00:07:05] Wow.
Joe Carrigan: [00:07:05] If you enter that information...
Dave Bittner: [00:07:06] (Laughter).
Joe Carrigan: [00:07:07] ...It then says...
Dave Bittner: [00:07:08] Pretty soon, they're going to be asking for tasteful nudes, like (laughter)...
Joe Carrigan: [00:07:08] Well, you laugh, but they are asking you to upload a - what they call a proof document. And they're looking for a picture of a credit card, a picture of a driver's license, a picture of a passport or some other government ID.
Dave Bittner: [00:07:24] Oh, wow.
Joe Carrigan: [00:07:24] So what Jan says is this just showcases that these attackers are going after all the information they can get. And here's a quote from him. It says, over the years, phishing authors seem to have learned that once they hook a fish, they should try to get all the information they can from them. This is a reason why many current campaigns don't stop after getting the usual credit card information but go further.
Dave Bittner: [00:07:46] Yeah. And, well, it strikes me, too, that these are in the online - the dark web forums...
Joe Carrigan: [00:07:50] Right.
Dave Bittner: [00:07:51] ...They refer to these as fullz...
Joe Carrigan: [00:07:53] Fullz, yeah.
Dave Bittner: [00:07:53] ...F-U-L-L-Z.
Joe Carrigan: [00:07:54] You're pretty much providing a full here...
Dave Bittner: [00:07:56] Yeah.
Joe Carrigan: [00:07:56] ...Of everything if you were to give them all the information they were looking for. It would be very difficult to recover from a mistake like this.
Dave Bittner: [00:08:03] Yeah.
Joe Carrigan: [00:08:04] Now, Lindsey O'Donnell, the author of the article from Threatpost, points out that there are some major red flags about this campaign. No. 1 is the sender's email is not a PayPal email, not even remotely a PayPal email. It's service with some numbers and then @ some dot-com domain. It doesn't resemble PayPal. She notes their strange use of exclamation points, right? Like, the very top says PayPal Notification Center!
Dave Bittner: [00:08:27] (Laughter).
Joe Carrigan: [00:08:27] Right? And then secure my account now is secure and update my account now! Both of these have a space before the exclamation point as well, which is something I noticed. And the phishing page is obviously not PayPal either. It's Eemou - two E's - eemou.com, which is not a PayPal site.
Dave Bittner: [00:08:46] Right.
Joe Carrigan: [00:08:46] Jan said he has reported the incident to PayPal. And PayPal says legitimate emails from PayPal will always come from paypal.com address. They will address customers by their first and last name because they have that information because they're required to by federal law.
Dave Bittner: [00:08:59] Right.
Joe Carrigan: [00:09:00] Emails will never ask for sensitive information like your bank account or your password. And emails will never contain an attachment. We'll put links to both Lindsey O'Donnell's article and Jan's post on the Internet Storm Center 'cause the Internet Storm Center post actually has pictures of this, which is really interesting to look at. PayPal also says something I always say, and that's never actually click on the link in the site. If you get an email from PayPal, just go to your browser and type in paypal.com. It's - what? - 10 characters. No problem. So that's a good idea; also enabling two-factor authentication on your PayPal account. If you did give them your username and password, that would prevent them from accessing your account. But if you give them all this information that they're asking for in this, you're pretty much hosed.
Dave Bittner: [00:09:39] Right. Well - and as always, we say, you know, share this information with your friends, family, loved ones, all that sort of thing.
Joe Carrigan: [00:09:45] Yeah, let everybody know.
Dave Bittner: [00:09:46] Education's one of the best ways we can be on alert. All right, well, that's an interesting one. Like you say, we'll have links to the story in our show notes. Joe, it is time to move on to our Catch of the Day.
0:09:57:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:10:00] Our Catch of the Day comes from Chris from C.U. Imagery. You can follow him on Twitter @CstarofDGF. And he sent us a series of screen-captured images from Facebook Messenger that he captured and was kind enough to send onto us. Joe, I will play the part here of the poor damsel in distress.
Joe Carrigan: [00:10:22] Right.
Dave Bittner: [00:10:23] And you can play the part of - I suppose it's Chris here...
Joe Carrigan: [00:10:26] It is Chris.
Dave Bittner: [00:10:27] ...Who's replying to her needs. Now, the poor damsel in distress here, she goes by the name Jessica. And she starts off. And she says, sorry - random. But do you have $10 you could send? Stuck for gas.
Joe Carrigan: [00:10:40] Sure. Where do I send it?
Dave Bittner: [00:10:41] Thank you so much. If you have any more, let me know because I'm far away. My Cash App is $pandaexpress12. You're a godsend. I owe you my life. I've been stuck here for two hours.
Joe Carrigan: [00:10:53] Oh, I only use PayPal. Do you have that?
Dave Bittner: [00:10:56] Yes. Here's my PayPal address. Thank you so much. Did you get it, Chris?
Joe Carrigan: [00:11:01] Making sure this is right. And then Chris sends an image of his PayPal payment that he's sending $20 to.
Dave Bittner: [00:11:07] Yeah, hon. Is there anything more you could send, my love? I will pay you back, I swear. I'm struggling bad, Chris. I'll even send some pics and videos.
Joe Carrigan: [00:11:15] Oh, you let me know what you had in mind. I got money.
Dave Bittner: [00:11:18] Can you do 350, LOL? Actually, 1K, LOL. I need a lot, but I would never ask you for that.
Joe Carrigan: [00:11:26] How's this? I'm feeling good today. Let me know if this is right. And then he has a picture where he's sending $2,500. And this is from an expired credit card. So they're never going to get the money.
Dave Bittner: [00:11:38] (Laughter) I'm far behind every bill. You're lying. I'm crying. Don't joke around like that, please. It's not funny. I'm having such a horrible time in my life. I'm waiting for a miracle.
Joe Carrigan: [00:11:49] Chris don't joke - sent. Let me know when you received it.
Dave Bittner: [00:11:52] Babe, it's email@example.com. I'm crying.
Joe Carrigan: [00:11:56] Wait.
Dave Bittner: [00:11:56] I'm shaking.
Joe Carrigan: [00:11:57] What?
Dave Bittner: [00:11:58] Yeah. You had it right the first time. It's why I was confused. You changed the name. If you're joking, please don't because I'm legit shaking and crying.
Joe Carrigan: [00:12:06] Oh, hold on. I think I can call PayPal. My bad. I was looking at your name. Nah, I got you. If that's not a real account, it won't go through. It'll just stay pending. And they can cancel it easy for me.
Dave Bittner: [00:12:17] OK, I'm still stuck here, and I am legit crying. Could you send me something? I'm going to find you and give you the biggest hug and kiss. You have no idea. Let me know if you're joking or not.
Joe Carrigan: [00:12:28] Oh, I like that.
Dave Bittner: [00:12:30] It's fine.
Joe Carrigan: [00:12:31] I'm not. Hold on, love.
Dave Bittner: [00:12:33] I'm used to people doing this. Been having such a depressed time in my life, praying for a miracle. And I got stuck on the side of the road just now. And you showing me a pic like that, I started shaking and crying because those people are nasty to me when I ask for help. And I used to be prideful, but not anymore. I just know. I'm just sitting here waiting.
Joe Carrigan: [00:12:52] Chris got you. Don't worry. I don't need the pic or anything, just want you to be safe and happy.
Dave Bittner: [00:12:57] I have more for you if this is really true. Just wait. I see I need your number and address. Here's my number.
Joe Carrigan: [00:13:03] Oh, a surprise visit. I'm not opposed to that. OK, let me stop getting distracted. And let me help you first.
Dave Bittner: [00:13:10] And then she sends what appears to be an address. And then she says, you there? What's going on? I'm still shaking. Let me know what to believe. I'm praying to God right now that this is actually for real and not a sick joke.
Joe Carrigan: [00:13:25] OK, I just have to ask, though, what is your real name? Like, I know this is a fake account and a scam. I just went along with it. You don't even have a Facebook. We're not friends. The house you sent was just purchased, so it's easy to pull up on Zillow. It's an elaborate plan, and you'll definitely get someone, unfortunately. But you won't get me. I was able to get your hopes up a little, thinking I was a moron. 'Twas a pleasure playing along, though. Gots to go.
Dave Bittner: [00:13:51] Oh, my God. I'm crying. I'm not a fake person. Why would you do this to me? Honestly - God, I am so stupid.
Joe Carrigan: [00:14:00] Still playing along?
Dave Bittner: [00:14:01] I thought this was my good karma for once.
Joe Carrigan: [00:14:04] Oh, it wasn't good karma - a good scam, though. And then he sends a tip of the hat emoji, the milady guy.
Dave Bittner: [00:14:11] (Laughter) Oh.
Joe Carrigan: [00:14:12] It says, tipping intensifies. This is a good one, Chris. I like this one a lot. It's really good.
Dave Bittner: [00:14:20] I was trying to do my best Blanche DuBois there from...
Joe Carrigan: [00:14:23] (Laughter) Blanche DuBois from "The Golden Girls"?
Dave Bittner: [00:14:25] Yes, exactly. That's what I had in mind as I was replying there. So I'm sure the audience recognized that right away, since we know I'm...
Joe Carrigan: [00:14:31] Yes, of course. You are the master of dialects.
Dave Bittner: [00:14:33] I am. It is true.
Joe Carrigan: [00:14:34] Yes.
Dave Bittner: [00:14:34] It is true. All right. Well, thank you, Chris, for sending that in. That is our Catch of the Day.
Dave Bittner: [00:14:39] Coming up next, we speak with Christopher Hadnagy from Social-Engineer, LLC. He returns with an update on some of the social engineering trends he's been tracking.
Dave Bittner: [00:14:48] But first, a message from our sponsors, KnowBe4. So let's return to our sponsor KnowBe4's question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. You can hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it. And we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:15:37] And we are back. Joe, it is always a pleasure when Christopher Hadnagy joins us.
Joe Carrigan: [00:15:41] It is, indeed. I like listening to Chris.
Dave Bittner: [00:15:43] Yeah, yeah.
Joe Carrigan: [00:15:44] He's got a lot of good things to say.
Dave Bittner: [00:15:45] Great guest. He's been with us before. His company is Social-Engineer, LLC. And he's got some other activities that he's involved with he's going to tell us about as well, as well as some updates on some of the social engineering trends he's been tracking. Here's my conversation with Christopher Hadnagy.
Christopher Hadnagy: [00:16:02] If we go back something like five years, we saw a lot more exploitation of software, exploitation of vulnerabilities and services that would be running on ports. And then we start to see this advent of software companies are really doing a better job. I'm not saying they're perfect, but we see a lot less OS vulnerabilities than we did in previous years. So the attackers don't go, well, hey, we lost. Let's give up. They start to use avenues that work more. And that is the human avenue, right?
Christopher Hadnagy: [00:16:29] So we saw - Verizon DBIR tells us every year that phishing is in, like, 80, 90-plus percent of all breaches. The vishing scams - that's voice phishing - just through the roof. I mean, from attacking your grandma at home to corporate businesses with BEC scams, it's just nonstop. And these two vectors alone are billions of dollars a year. So we're seeing more use of the human factor as opposed to software or hardware hacking as we were in the past.
Dave Bittner: [00:16:58] Are the folks who are out there trying to execute these schemes - are they growing more sophisticated in the ways they're coming at people?
Christopher Hadnagy: [00:17:07] Oh, so much. You know, we used to be able to say to folks, you know, if you see bad spelling and bad grammar in a phishing email, that's probably a good indicator that it may be a phishing attack. Now, you cannot say that anymore. They're using spell-check. And this is not even a joke. We found - on the dark web, we were doing some research. And we found a service on the dark web that offers spelling and grammar check for malicious phishers with a guaranteed increase in percentage of clicks or your money back - not even making that up. That's a crazy thing that we saw.
Dave Bittner: [00:17:38] (Laughter).
Christopher Hadnagy: [00:17:38] There are support services out there that are better than my, like, cellphone company in helping malicious phishers get more clicks.
Dave Bittner: [00:17:46] Now, in terms of the training, it seems to me that there's been a lot more awareness there, that businesses are starting to recognize that in terms of an investment in both time and money, that this is something that could pay off for them.
Christopher Hadnagy: [00:18:01] Yeah. I mean, so think of this. If you send out - let's just use, like, small numbers. You send out 10,000 emails. And let's say your success ratio is really low. Let's say it's, you know, 5%. So that means you got 500 people. That's it, you know? Out of 10,000, you got 500 people. Let's say it's even less. Let's say it's 1%. You got a hundred people. But those hundred people all give you credentials to their bank account or give you credentials to their Amazon account or their credit card or give you PII that's worth something on the dark web or give you financial data, like, actually give you money, that means out of just 10,000 people, they got a hundred people to transfer them money or give them something worth money. That is a huge win. Now, you're saying they're not sending 10,000 emails. They're sending a million. They're sending 100,000. They're sending 500,000 - whatever. This is a huge win for them. The cost of doing that, also, is so low that it doesn't really matter to them. So they can send 10,000 emails, 100,000 emails for pennies. And then if they get that 1% ratio, they still have a huge windfall.
Christopher Hadnagy: [00:19:07] And that goes the same for vishing. Setting up a vishing server now with VoIP and SIP technology - it costs almost nothing to do that. And if they get one person to believe they're the IRS and give them $5,000, that's a huge win. But we know that there's billions of dollars being done in that type of scam.
Dave Bittner: [00:19:24] It seems to me that the boldness that these people are using and the sophistication of the attacks - in other words, going after those big fish, building these sophisticated multistep, multilayer types of attempts to part people with their money - is my perception correct that things have headed in that direction to a certain degree? Or how much is that true? And how much are the folks out there still just shotgunning and aiming for everybody?
Christopher Hadnagy: [00:19:55] No, I think you're a hundred percent right. So we've been tracking this for the last three or four years. And the number of news stories coming in where people are impersonating law enforcement is just staggering. And that was something you rarely saw because everyone knows it's illegal, first of all. But, yeah, it's just so bold and brazen to make believe you're an FBI agent or you're a cop or you're the IRS or you're some kind of collector for the government. And we see that so much more today - that brazen attitude toward those type of things. And I think boldness is a huge factor in it. They're seeing massive amounts of win, lots of money in it, so let's take the risk and take the job more seriously. And they're putting a lot of effort into it.
Dave Bittner: [00:20:41] I'm curious about social engineering skills in your day-to-day business life, and then also using open source intelligence to try to go after folks who might be targeting children. Can you take us through each of those? What are those efforts about?
Christopher Hadnagy: [00:20:55] Sure. So about a decade ago, I came out with my first social engineering class. It was called Social Engineering for Penetration Testers. And it was very limited in my mind as a scope for usage to just people who were pen testers. Jumping forward about five years, I started to notice that over half the class weren't pen testers. And I started to ask them, like, why are you here? You know, why are you in this class particularly? And they would say, oh, my buddy took it. And he works for X company, and he's a penetration tester. But he said it was so amazing, I would learn something from it. So I'm taking it. It was a sales guy. And then I had, you know, psychologists and teachers and stay-at-home parents. And I was like - so eventually, I changed the name of the course to Advanced Practical Social Engineering. And what's occurred over the last, let's say, five or six years is maybe 50% or 60% of my public classes - so not the Black Hat ones where everyone's in the industry. But my public classes tend to be non-security-related folks that are just interested in learning these skills for everyday life.
Christopher Hadnagy: [00:21:55] So that sparked a thought. Maybe we should hold a conference where we get some of the greatest minds, people who I've personally learned from - people like Joe Navarro, who's, like, the body language king, you know, Ian Rowland, who, like, created the science behind understanding cold reading and how to use it, R. Paul Wilson, who was on "The Real Hustle" in the U.K., and he's, like, the greatest deception guy on the planet. And, you know, there's nine of them - and say, can we invite these people in to do two- to five-hour training sessions that any person can attend that's not geared towards pen testing? Now, if you're a pen tester, you'll learn great things. But if you're a stay-at-home parent, you'll learn great things. If you're a magician, you'll learn great things. And we designed it as what we call The Human Hacking Conference. So its whole concept is to teach just everyday people, regardless of what your role is, on how to use the very same skills that social engineers use, but to communicate more effectively, to get things that you want out of life, to be able to accomplish your goals.
Dave Bittner: [00:22:53] Now, how about your efforts to help protect children online?
Christopher Hadnagy: [00:22:56] That came about because of my corporate work. In my job, I had a couple pen tests where the first time this happened, really, is where this started - is I was working with an organization, and we found a guy who was using his corporate computer and phone to film child pornography and then trade it on the dark web. And that guy's in prison right now. And it was the first time in my life I ever thought, man, like, you know, these skills that I have - I never thought about using them that way. I mean, I'm just a hacker, right? I didn't think about any type of, like, saving people or anything like that. And that came after conversations and a couple more jobs where that happened, where I was talking to some friends and saying, do you think there's others in our industry that would want to join together, band together, join forces and maybe help law enforcement close some of these cases? And I was amazed at how many people were like, yes, I would help with that. I would love to help with that.
Christopher Hadnagy: [00:23:50] So I started the ILF, Innocent Lives Foundation, about two years ago - just a little over two years ago. We sent a message out, and now we have - I think it's something like 40 volunteers working with us, two full-time employees. Last year, we closed almost 90 cases. You know, just so much good has come of it. And we use - we don't hack. We don't do anything illegal. We keep it all aboveboard. We're not like Chris Hansen. You know, we're not out there, like, trying to entrap people with conversation. We are finding people who have already hurt children, who have already proven to be predators. And we are locating them off of the internet into the real world and then handing those identities over to law enforcement to be apprehended and put in jail.
Dave Bittner: [00:24:33] Can you describe to us what goes in to the work that you do from the ethical point of view? And I'm thinking about, you know, you're training people with these techniques and - but there must be - in your mind, you must think that I really want to guide towards people using these tools for good and not harm, but you only have so much control over that.
Christopher Hadnagy: [00:24:52] Yeah, and that's a good point. You know, I think it's like anybody who creates anything. A car manufacturer doesn't say, man, this is going to be the car that's great for hit-and-runs, you know? They create...
Dave Bittner: [00:25:03] Right.
Christopher Hadnagy: [00:25:03] ...Their cars with the hope that people will use them in the way they were intended. Someone buys that car and uses it for drug deals or murder, the intent was not that. So what I decided a long time ago was when I was thinking through that - 'cause that very thought process came up. And we were like, how are we going to manage this? All we can do is use this philosophy. So we came up with a mantra. And it's, leave them feeling better for having met you. So our brand of social engineering doesn't use the manipulative tactics. It doesn't use sex. It doesn't use flirtation or lust. It doesn't use extreme fear. So when we're teaching people how to use these skills, our end goal is always leave them feeling better for having met you. It's a harder way to do the job, especially when you're talking about corporate security, but, sir, the last 10 years, we've successfully been able to accomplish that goal. And then when we educate others with that kind of mindset, we're not teaching them the darkest arts, right? We're not teaching them all the things that maybe the bad guys truly do. We use those in our corporate world when we have to, but we're not training those. We're training the way that we use social engineering while leaving people feeling better for having met you.
Dave Bittner: [00:26:15] All right. Joe, what do you think there?
Joe Carrigan: [00:26:17] I always love listening to Chris...
Dave Bittner: [00:26:18] Yeah.
Joe Carrigan: [00:26:19] ...When he's on our show. It's always an interesting interview. First off, he starts off with a great point. Software has gotten a lot better, which is why these social engineering attacks increased. All of the major tech companies have stepped up their game if they didn't - haven't. There used to be - 15, 20 years ago, Microsoft really wasn't in the security game. But that's changed. Now they do security, and they do it very well. Apple has always had a history of doing security very well - Google, the same...
Dave Bittner: [00:26:43] Yeah.
Joe Carrigan: [00:26:44] ...Good security. But the human factors remain the same. And that's why we do this podcast. This podcast is the software updates for people.
Dave Bittner: [00:26:50] (Laughter).
Joe Carrigan: [00:26:51] I said that before.
Dave Bittner: [00:26:52] Right, right.
Joe Carrigan: [00:26:52] This is the inoculation you need to not fall victim to these kind of scams, because everybody has triggers, and everybody's going to fall victim to something at some point in time.
Dave Bittner: [00:27:01] Yeah.
Joe Carrigan: [00:27:01] It's going to happen. I found it interesting that - you know, I always talk about how I'm fascinated by the economics of hacking, right? But this is interesting to me. These phishers are using services to craft better emails. And these service providers are guaranteeing a higher click rate...
Dave Bittner: [00:27:17] Right.
Joe Carrigan: [00:27:18] ...Or your money back.
Dave Bittner: [00:27:19] Yeah.
Joe Carrigan: [00:27:19] I don't know how they guarantee that, but it's interesting that that's available on the darknet.
Dave Bittner: [00:27:23] Yeah, yeah. Where there's a demand...
Joe Carrigan: [00:27:26] Right.
Dave Bittner: [00:27:26] ...Someone's willing to fill that supply.
Joe Carrigan: [00:27:28] Yep. One of the points that Chris makes is that a 1% click rate for a phishing campaign - just a broad phishing campaign - is a huge success. That represents many thousands of emails of being successfully clicked on. And it also represents some other return on investment from that point as well. It is a numbers game, and that's all this phishing is. It's your - it's essentially the scamming equivalent of cold calling.
Dave Bittner: [00:27:50] Yeah, and direct mail - all those types...
Joe Carrigan: [00:27:51] Yeah.
Dave Bittner: [00:27:51] ...Of things. You don't - you expect a low percentage of returns. But at scale, those numbers can work.
Joe Carrigan: [00:27:57] Right, exactly. Impersonating law enforcement - this is being done more for a few reasons. One - Chris talks about this - it is illegal, but when you're in a foreign country, who cares? I'm going to impersonate American law enforcement from Nigeria or India or somewhere else, and chances are I'm never going to get caught. One of the reasons it works - imagine that tightness in your chest you get when you're getting pulled over, you know? It immediately is something that gets your attention. This is law enforcement. Oh, why is law enforcement looking at me?
Dave Bittner: [00:28:23] Right.
Joe Carrigan: [00:28:23] If law enforcement's looking at me, I am in trouble.
Dave Bittner: [00:28:26] What did I do? Yeah.
Joe Carrigan: [00:28:27] Right, exactly.
Dave Bittner: [00:28:27] How am I going to get out of this?
Joe Carrigan: [00:28:29] And they're going to do it more because if it does work, it's kind of like hitting a vein of gold when you're mining for gold. You just got to follow that vein all the way down into the Earth...
Dave Bittner: [00:28:39] Right.
Joe Carrigan: [00:28:39] ...Until you can get all the gold out of it. And that's what these guys have done. They found something that works with a higher rate of success, so they're doing it.
Dave Bittner: [00:28:45] Yeah.
Joe Carrigan: [00:28:46] When it stops working, they'll go on to something else that works better. It's just the way it's going to be. When Chris talks about the Innocent Lives Foundation, that's good work, but it's tough work to do. Everybody I've talked to who does this kind of work and articles I've read about people doing this kind of work, it's emotionally taxing...
Dave Bittner: [00:29:00] Yeah, yeah.
Joe Carrigan: [00:29:01] ...To do this kind of work. I like that they've closed 90 cases in two years. That's pretty impressive.
Dave Bittner: [00:29:05] Yeah.
Joe Carrigan: [00:29:05] It's an OSINT job. Chris makes clear that's what he's doing. He's going after people who have already been identified as predators. And he's - OSINT stands for open source intelligence.
Dave Bittner: [00:29:15] Right.
Joe Carrigan: [00:29:15] So basically, it's like all the information that somebody could find out about you by Googling your name and going to other sources of information that are just available for anybody to go to. Open source intelligence is very powerful. All the intelligence agencies around the world use it. There are people at all these intelligence agencies whose job is to read newspapers. That's what they do. And that is part of the open source intelligence collection. Now, there's all kinds of things you do in OSINT. But basically, if anybody has access to it, it's open source intelligence.
Dave Bittner: [00:29:44] Yeah, I've seen it described as like pieces of a puzzle.
Joe Carrigan: [00:29:46] Right.
Dave Bittner: [00:29:47] That one piece on its own may not mean much to you, but as you start to put them together, you can start to put together a picture of whatever it is you're hoping to understand.
Joe Carrigan: [00:29:55] You can see the information that lies behind all the data that's out there.
Dave Bittner: [00:29:58] Right. All right, well, our thanks to Christopher Hadnagy for joining us. Always a pleasure to have him on the show. So we appreciate him coming on. And, of course, we want to thank all of you for listening.
Dave Bittner: [00:30:08] And we want to thank our sponsors, KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:30:31] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:30:45] And I'm Joe Carrigan.
Dave Bittner: [00:30:45] Thanks for listening.