Apurva Kumar: [00:00:00] It's really about understanding, OK, well, this is a potential vector for somebody trying to get at me, and I should be wary of that every single time I get a link.
Dave Bittner: [00:00:09] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:29] Hi, Dave.
Dave Bittner: [00:00:29] We've got some good stories to share this week. And later in the show, Carole Theriault returns. She's got an interview with a couple of researchers from a firm called Lookout who analyzed a phishing scam with over 4,000 victims. But first, a word from our sponsors at KnowBe4.
Dave Bittner: [00:00:49] So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us and we'll have some insights from our sponsor KnowBe4 that put it into perspective.
Dave Bittner: [00:01:12] And we are back. Joe, I'm going to kick things off this week, and I'm going to start by asking you this - are you a fan of the TV show "The Walking Dead"?
Joe Carrigan: [00:01:22] No, Dave, I am not. I...
Dave Bittner: [00:01:24] Have you ever watched it?
Joe Carrigan: [00:01:25] I have watched it. I tried to like this show, but it is too much like every other zombie-themed thing out there, and I just don't like zombie anything. I just...
Dave Bittner: [00:01:34] (Laughter).
Joe Carrigan: [00:01:34] I think it's derivative. I think it's boring. I think it's nuts, you know?
Dave Bittner: [00:01:37] Yeah.
Joe Carrigan: [00:01:38] I just don't care for it.
Dave Bittner: [00:01:39] OK. Well, I watched it for the first few seasons. I thought it was interesting just about kind of what happens when society breaks down, which - yeah, I know, right?
Joe Carrigan: [00:01:50] How apropos.
Dave Bittner: [00:01:52] Yeah. Hopefully, it won't come to that, but I, too, lost interest in it. I thought it got repetitive. And it seemed like they kind of had the "Gilligan's Island" problem, which is that, you know, you can't - there is going to be no solution to this.
Joe Carrigan: [00:02:02] Why don't they just kill Gilligan?
Dave Bittner: [00:02:06] (Laughter) Yeah. Right. Well, yeah. Anyway, we can get into all the reasons why...
Joe Carrigan: [00:02:11] Right.
Dave Bittner: [00:02:11] ..."The Walking Dead" is implausible and who's - who keeps mowing all the lawns...
Joe Carrigan: [00:02:15] Right.
Dave Bittner: [00:02:15] ...On that show? But one of the actresses from that show, her name is Sabrina Gennarino. She had been supporting someone online who was doing a GoFundMe campaign and had claimed that he had cancer. It was a 30-year-old gentleman named Chris King, and he had attracted the attention of this actress. And she had used her notoriety - she had used her reach on social media and elsewhere to kind of back up this GoFundMe campaign, and they'd raised over $36,000.
Joe Carrigan: [00:02:50] Right.
Dave Bittner: [00:02:50] Well, as it turns out, the local police - this is the Lehigh Township Police - were tipped off about this gentleman, and they went to him and asked him what was going on. Did he really have cancer? And initially, he sent them to Temple University Hospital. He sent them to St. Luke's Hospital. He sent them to a dentist. He sent them to a pharmacy. Basically, he sent them all over town to track down medical records. And it turns out those medical records never existed because Mr. King never actually had cancer.
Dave Bittner: [00:03:25] Now, he claimed to the district attorney that what he was actually doing was raising money to help his fiance's father, who had died recently from a terminal illness. I suppose, in that case, they're helping the fiance's father's family. Took these folks for over $36,000 - so far, GoFundMe has paid back just about $1,500, and the folks from GoFundMe say they're working with law enforcement to try to get restitution, get the money back, basically, to all the donors. And, of course, this woman, this actress, Ms. Gennarino, she's left with egg on her face.
Joe Carrigan: [00:04:01] Yep. Absolutely.
Dave Bittner: [00:04:02] She thought she was doing the right thing, thought she was supporting someone. And turns out the whole thing - what the law enforcement has concluded and a judge has concluded is that this gentleman was scamming people.
Joe Carrigan: [00:04:12] Yeah.
Dave Bittner: [00:04:12] Now, the - his defense attorney claiming that he has some mental health issues, that he's had a rough life and so on.
Joe Carrigan: [00:04:20] Well, defense attorneys are going to do what defense attorneys do, aren't they?
Dave Bittner: [00:04:23] Yeah, yeah. Well, and even if all that is true, it doesn't justify scamming people out of $36,000 for a false claim that he has cancer.
Joe Carrigan: [00:04:33] Yeah. This guy kind of hit it big when he got Ms. Gennarino's attention - right? - because...
Dave Bittner: [00:04:37] Yeah.
Joe Carrigan: [00:04:38] She has fame and, like you said, the reach. And as soon as she starts saying, hey; let's help this poor guy out - and if 10,000 people see that and a thousand of them give the guy 10 bucks, there's 10 grand, right? I mean...
Dave Bittner: [00:04:50] Yeah.
Joe Carrigan: [00:04:50] It's a numbers game. My story has a similar numbers game thing in it. But, you know, this is how these things work. But oddly enough, I think that may have been what caused his downfall here. Because he got all this attention, he got the attention of somebody who knew who he was, and they said, this isn't right. And they notified law enforcement, it sounds like.
Dave Bittner: [00:05:10] Yeah. Yeah, and I think the - part of why I wanted to draw attention to this is that I've certainly noticed that here in the United States, we see more and more of these GoFundMe campaigns for people with health issues. For our listeners outside of the United States, it may be hard for you to believe that we have to go to our friends and family to pay for things like medical care, but that is the reality here these days. And so I know I've been contacted by, you know, friends of friends, and I have donated to some of these campaigns when I've had close friends have this sort of need. But there's been times when I've been skeptical, where I really have to take a close look before I consider one of these to make sure that it's a legitimate need, that it's actually someone I know or that the person who's recommending it to me knows well enough that I consider it to be legit.
Joe Carrigan: [00:06:02] Yeah. In fact, I'm thinking of one right now I know. I've never met the person who brought it up, but they brought it up on a podcast I listen to. And they were talking about one of their good friends. But I do have interactions with this person, and I gave 10 bucks because one of their friends had some cancer. And actually, they got an update. They've made a good recovery. Things are going well for the person. And I'd like to think that that was true, and in fact, I'm pretty sure I wasn't scammed out of 10 bucks. I'm pretty sure it went to good use. And, I mean, I'm almost certain of it.
Dave Bittner: [00:06:30] Yeah, yeah.
Joe Carrigan: [00:06:31] But that's because I have a relationship with the person who made the announcement.
Dave Bittner: [00:06:35] Yeah, yeah. And, you know, your heart goes out to the folks who made these donations in good faith because it may make them think twice about the next time that they want to...
Joe Carrigan: [00:06:48] Yeah.
Dave Bittner: [00:06:49] ...Be generous, and that...
Joe Carrigan: [00:06:50] Right.
Dave Bittner: [00:06:50] ...Could hurt the next person who legitimately needs it.
Joe Carrigan: [00:06:52] You and I have said this many times in this program, and that is that we would rather get scammed out of a couple bucks from time to time than leave a fellow human who needs help unassisted when we're able to provide that assistance.
Dave Bittner: [00:07:04] Right. Right.
Joe Carrigan: [00:07:06] So...
Dave Bittner: [00:07:06] All right. Well, it's an interesting story and certainly a cautionary tale. That is my story this week. Joe, what do you have for us?
Joe Carrigan: [00:07:14] Dave, I have a story from Brian Krebs. And there's going to be a link in the show notes, but this story - the headline is "U.S. Government Sites Give Bad Security Advice." And I never thought I'd see the day, Dave...
Dave Bittner: [00:07:26] (Laughter).
Joe Carrigan: [00:07:28] ...When we couldn't count on our government to give us good advice. But Brian says in this article that there are many U.S. government websites that now carry a message at the top of their homepage that's meant to help visitors distinguish between real sites and phishing sites. And the example he cites here is from the my2020census.gov. And up at the top of this page - I'm looking at it right now - it says, an official website of the United States government. And then after that, there's a little link that says, here's how you know. It has a little downward-facing arrow, and you click on this link. And I just clicked on it right now, and it says, the .gov means it's official. Right? So you're up there looking at dot G-O-V. The federal government websites often end in .gov or .mil. Before sharing information, make sure you're on a federal government site - and more on this later. We're going to talk about that in a bit. But the piece of information that's incorrect is it has another column that says, the site is secure. The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely. That is half correct and half false.
Dave Bittner: [00:08:44] OK.
Joe Carrigan: [00:08:44] It's wrong. HTTPS does not ensure in any way, shape or form that you are connecting to an official website, but it does ensure that your message is encrypted and transmitted securely. There are certificates called extended validation certificates which require a significant amount of vetting by the provider, but you have to really trust the certificate provider for that, and you may not know who's the provider of that certificate. So you're living here in ignorance. Basically, the wrong part here is you really don't have any way of knowing that you're connecting to the correct site except by entering the correct URL. And the statement here that this little lock - this is incorrect information, and it harkens back to the early '90s or late '90s, rather, where we would say, make sure you have the lock because that means you're secure. And all it really means is that the data that's transmitted to that site is transmitted in a way that's very difficult for people to intercept and read.
Dave Bittner: [00:09:41] Right.
Joe Carrigan: [00:09:41] That's all it means. And we've talked about this numerous times on this program, but we have to keep hammering on this misconception that HTTPS means the site is totally secure and that you're A-OK. We've got to kill this misconception.
Dave Bittner: [00:09:55] Yeah. Yeah.
Joe Carrigan: [00:09:55] It's not right.
Dave Bittner: [00:09:56] Well, what about the part here that wants you to be reassured because it's a .gov domain? How much do we put in that statement?
Joe Carrigan: [00:10:05] Well, that has gotten a little bit harder to register a fake .gov domain recently. So the .gov, top-level domain - that's what it's called. You'll hear it called TLD as well. That just stands for top-level domain. That is run by the U.S. General Services Administration, and they oversee the issuance of all .gov domains. And recently, they made it a little harder to get a .gov domain by requiring all applications to be notarized. Krebs says this is a small hurdle, but it is another hurdle that somebody has to go over. So I think it doesn't make it much more secure, but it does make it a little more secure. It makes it - now I have to go out and forge a notary stamp, which may not be hard to do, but...
Dave Bittner: [00:10:44] Yeah.
Joe Carrigan: [00:10:44] It is something else I have to do. So it is another hurdle for me to jump over. I've said many times I don't look at security as a binary field - either you're secure or you're not secure. I acknowledge there is no such thing as totally secure, right? There's the old XKCD cartoon that says, you know, I can spend thousands of dollars on supercomputing power to try to guess this guy's password, or I can just hit him with this $5 wrench until he tells me the password, right?
Dave Bittner: [00:11:11] Right.
Joe Carrigan: [00:11:11] So that's the way that, ultimately, any system is not secure no matter how good the cryptography is. If I'm willing to and capable of inducing physical harm to somebody, I can get the password. So nothing is totally secure. So on one end, there is the totally insecure, where information is just published, and on the other end, there's - you've got to beat me with a wrench to get my password. And this kind of moves it along that continuum towards the more secure end, but not much, I'll say.
Dave Bittner: [00:11:40] Yeah. All right. Well, it's good information. It is time to move on to our Catch of the Day.
[00:11:45] (SOUNDBITE OF FISHING LINE REELING IN)
Dave Bittner: [00:11:48] Our Catch of the Day this week comes from Twitter user David Yee. He is @thedave2006 - a name after my own heart. And this is a letter that claims to come from CIBC Bank, the First Caribbean Bank, Grand Cayman. And it goes like this.
Dave Bittner: [00:12:07] I am Mr. Eric Moore, the systems software engineer with the remittance department of CIBC, First Caribbean Bank, Grand Cayman Island, former senior project and programmer manager at Deutsche Bank, a trusted adviser for over 20 years. I came across your file diskette, which was marked X, and your release disk, painted red. I took time to study it and found out some top directors of this bank are interested in your money because it is a large amount. In fact, they have planned to frustrate all your good efforts so that they will be able to divert your fund.
Dave Bittner: [00:12:38] I carefully studied your release disk, and I found out the people you have been dealing with in the past are not telling you the truth. It is obvious that they all have personal interest in your money and have no plans of releasing the money to you. Their plan is to frustrate you with continuous upfront payments so that you will abandon your money, thereby giving them the chance to divert your money to themselves. The most painful part is that these people do not have the fear of God in them. I will help you get your fund, but you must work with me discreetly, as I cannot expose them because of the fact that they are top officials of this bank.
Dave Bittner: [00:13:11] All I need is for you to buy two special bank hard disks called the HD 212 GIG. Once you send me the money to buy this two new hard disks, I will buy them, and I will download your fund transfer coordinates into the two new hard disks, after which I was slot them into our remittance motherboard system and trigger the transfer to hit any bank account you provide.
Joe Carrigan: [00:13:32] This reads like a William R. Gibson (ph) novel. He's going to slot them. (Laughter)
Dave Bittner: [00:13:36] Once this is done, I will appreciate any amount of money you will give me for helping you. As soon as the fund is confirmed in your nominated bank account - and not before - I believe that you will surely reward me once your money is in your custody. Finally, do not reveal all I have told you to anyone because nobody is totally unaware of the plan by this directors of my bank to divert your fund. If you reveal what I told you to anyone, then you will have exposed my plan to help you and I cannot help you again.
Dave Bittner: [00:14:03] All I need from you is to buy the required two new special HDD 212 GIG bank hard disks. Once I hear from you, I will tell you how much it will cost to buy these required bank hard disks and how you will send the money for me to buy them. The money for the purchase of these required bank hard disks will be the only money you will ever have to send because once I buy the hard disks, I will use them for the bank to bank wire transfer of your fund. I cannot come back tomorrow and ask you for more money once you have sent the money for the hard disks because that would make me a scammer.
Dave Bittner: [00:14:34] By the time your fund is successfully transferred into your nominated bank account, then all the people planning to divert your fund will be exposed, and the devil will put them to shame, which will be a great victory for me as a Christian. I will send you a copy of my official ID card in my next email when I hear from you ASAP. Waiting for your immediate reply. Yours sincerely, Eric Moore, remittance department, First Caribbean Bank, Grand Cayman Island.
Joe Carrigan: [00:15:01] I love this one. This one is great because it has so many of the components, right? It starts off with I've been doing this for 20 years. Here's my resume. He goes back to Deutsche Bank, which, of course, he hasn't worked there. But it's interesting that he gives some employment history in this as well. He came across this diskette. This email was sent in 2020. So...
Dave Bittner: [00:15:22] (Laughter) Yeah, I don't know.
Joe Carrigan: [00:15:24] Who uses diskettes anymore?
Dave Bittner: [00:15:26] When's the last time you handled a diskette? I don't...
Joe Carrigan: [00:15:28] It was more than 20 years ago.
Dave Bittner: [00:15:30] (Laughter).
Joe Carrigan: [00:15:31] You know, I mean for legitimate reasons. I mean, I've come across them in cleaning out my office within the past five years. I think I have literally destroyed all of my existing diskettes. I don't have them anymore. He has the appeal to religion and Christianity here, fear of God and mentions the devil. That's great.
Joe Carrigan: [00:15:49] I love that he says here that I won't come back and ask you for more money because that would make me a scammer. Oh, that's what makes you a scammer, asking for more money - not asking to buy a couple of hard drives to do a wire transfer. But that's not how wire transfers work. Right? You don't need...
Dave Bittner: [00:16:06] I like that he doesn't say what the price of the hard disks is until he hears back.
Joe Carrigan: [00:16:12] Right. Oh, yeah. That's how he knows he has a live one.
Dave Bittner: [00:16:15] Yep.
Joe Carrigan: [00:16:16] If I said to you, Dave, these hard disks are going to cost $500, you're going to be like, this is a scam - you know? - and move on.
Dave Bittner: [00:16:22] Yeah. I wonder, too, about evoking the Grand Cayman Islands because I think in a lot of people's minds, that's probably - oh, that's a place where people hide money. So even...
Joe Carrigan: [00:16:30] It is, yeah.
Dave Bittner: [00:16:32] ...Maybe this is a big mistake, but I could benefit from it. Even if they have the wrong person, you know, I'll profit.
Joe Carrigan: [00:16:38] Yep, there's that vector as well. Interesting that this comes from a ProtonMail email account, which is pretty good. We should put a link in the show notes to this tweet because David Yee did a really good job of posting the entire thing.
Dave Bittner: [00:16:49] Yeah. All right. Well, that is our Catch of the Day.
Dave Bittner: [00:16:52] Coming up next, Carole Theriault is back. She has an interview with Apurva Kumar and Kristin Del Rosso. They're from Lookout, and they analyzed a phishing scam that reeled in over 4,000 victims. But first, a word from our sponsors KnowBe4.
Dave Bittner: [00:17:09] Now let's return to our sponsor's question about the attacker's advantage. Why do the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a failure rate of over 10%. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and maybe out of business. The last line of defense is your human firewall. You can test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:18:08] And we are back. Joe, it's always great to have Carole Theriault on the show. And recently, she spoke with Apurva Kumar and Kristin Del Rosso. They are from a security firm called Lookout. And they took a closer look at a phishing scam that was quite successful. Here's Carole Theriault's story.
Carole Theriault: [00:18:27] I have a great treat for you today. I met up with two researchers from Lookout, a mobile anti-malware company. Meet Apurva Kumar and Kristin Del Rosso. The three of us chatted about a mobile phishing campaign that they have researched. Not only did we have a really interesting conversation, but they share some seriously good tips that might help you avoid falling into a trap. But make your own mind up. So welcome, Apurva and Kristin. Both of you are security research engineers at Lookout. So what's that like?
Kristin Del Rosso: [00:19:05] I love it. It's, I think, one of the most fun jobs because we get to poke into what the newest mobile threats are and figure out, you know, who's being targeted, different, you know, interesting ways attackers are going after trying to compromise people's devices. And so it's always a new day at the office.
Carole Theriault: [00:19:19] This is so great to be speaking to both of you because I, personally, find it a little bit scary how powerful mobile phones are. I mean, they're literally mini supercomputers. And the things that people can do to bypass our natural security thoughts, like, oh, I have a password so everything's fine - I mean, it just feels much easier to get duped these days.
Kristin Del Rosso: [00:19:39] People are also naturally much more trusting because you have this device in your hand, in your pocket at all times, and you have personal connections through that device to your Instagram or your contacts, your pictures. And so you might be wary of odd emails or you know about malware for computers, but people tend to forget that your phones aren't this - always this safe little place that you can just look at and enjoy some pictures.
Carole Theriault: [00:20:00] Well, the topic we're talking about today is going to help people understand or think about it differently. So you both have done some research on a recent phishing campaign. And what made this one unusual or less usual is that it targets mobile or cellphone users. This is a banking phishing attack. So this is trying to dupe people like me, and they're trying to use my mobile phone to get to me, rather than using email. So what do they do? How does that work?
Apurva Kumar: [00:20:25] This particular attack is actually very typical of what we see on a regular basis, like, maybe two or three times a week. It's very easy to use and deploy by the attacker. That's what we really wanted to highlight in the story. If I was the attacker, I would buy this phishing kit, this set of HTML files online for $10 or $15 and put them up on a website, send out links to your victims, so en masse to everybody who you can find or bulk sets of phone numbers that you can find online. And then once the link is with a victim, the victim would click the link and end up on that site, enter in the information, and suddenly, all of your credentials have been compromised for your bank account.
Kristin Del Rosso: [00:21:08] And so say I'm a victim that Apurva is trying to - you know, she doesn't know me by name, but I just happen to receive one of these text messages pretending to be my bank or telling me to log in. It usually has an interesting lure in the message of, oh, reset your password or something like that. And so when I click on that link, the pages for this phishing campaign in particular, they were designed to look like it was meant to be displayed on a mobile phone. So it had additional hyperlinks for, you know, connecting to mobile applications or resetting certain mobile settings.
Kristin Del Rosso: [00:21:37] And so this is interesting because on a mobile device, the screens are often smaller. People tend to trust it more. You might not see that the URL at the top isn't that legitimate bank's URL. A lot of things that you would, on a desktop, look for in a phishing campaign, you wouldn't necessarily be as quick to observe on your phone, which is why this is also effective.
Carole Theriault: [00:21:54] That's where I think I have trouble with this, is that most people - maybe it's only in the U.K. or Europe. I don't know. But we use banking apps to get access to everything. So how does it bypass that?
Apurva Kumar: [00:22:03] Oh, absolutely. So that's exactly what it's banking on. It's hoping that you don't realize that the interface is not your banking app. So if you actually - this is what kind of tips us off that it is a mobile-focused attack because when we research it and open it up in our laptops, we actually see that it's not - it doesn't look right. It doesn't fit right. But if you open the same link on a phone, it looks very, very similar to what you would see the login page for your banking app. So if you weren't paying attention, which is normally what happens when you look at stuff on your mobile device, you would access the link or click on the link. And then, suddenly, it looks exactly like your banking app. So you think nothing's gone wrong, enter in your credentials, and away they go.
Carole Theriault: [00:22:45] I know, also, though, with apps, I'm presuming a lot of them are already pre-logged in or use your fingerprint to kind of get access to them. Is this more targeting people that are always logging in? I would suddenly go, oh, why am I not logged in? Or why do I have to go through the entire login process, as opposed just to the final step?
Kristin Del Rosso: [00:23:03] Like, for someone who is paying attention, that might be giving you pause. But I even know, personally, like, I use the same banking apps every day on my phone, and every now and then, they'll make me reenter my password manually because Face ID doesn't...
Carole Theriault: [00:23:14] Right.
Kristin Del Rosso: [00:23:14] You know, it will have a certain timeout period.
Carole Theriault: [00:23:16] Right.
Kristin Del Rosso: [00:23:16] But these phishing links, they don't - they're not trying to compromise the application itself. So when you click on it from the text message, it just takes you to your browser on your phone. And it's meant - it's not necessarily even trying to pretend to be the banking app interface but rather - you know, you can access your bank on the browser on your phone or in the application either way, and so this is just attempting to appear like the browser access to it.
Carole Theriault: [00:23:39] Now, how many banks were affected by this? They are sending this out, this mass SMS spam, to all these people. They're just hoping they get the right bank with the right number?
Apurva Kumar: [00:23:48] Absolutely. Yeah. So we found that this particular attack was actually North American focused. All of the banks targeted were really TD and Scotiabank and a couple of others in Canada, as well as one or two in the U.S.
Kristin Del Rosso: [00:24:02] The other thing to mention here, too, it's not like the actor in particular has maybe an agenda against one of these banks; they're just picking the most popular banks in that region. And it's kind of a spray campaign, you know.
Carole Theriault: [00:24:13] Yeah. So that means, basically, that we have to keep our wits about us as, you know, users of these apps and, you know, of online banking because it's obviously super convenient, right?
Apurva Kumar: [00:24:23] The education is absolutely paramount, especially in terms of the mobile field. You have to understand how your mobile works and how you react to it to be able to see what...
Carole Theriault: [00:24:33] I don't even know how my car works.
Apurva Kumar: [00:24:36] Yeah. And that's what makes these attacks so effective. It's really just user education. It's more than just that boring course that you have to do at work for safety protection or, like, security protection; it's really about understanding, OK, well, this is a potential vector for somebody trying to get at me, and I should be wary of that every single time I get a link.
Carole Theriault: [00:24:55] Yeah. And I think people are, you know, getting more and more aware of what can actually happen. So do you have any, like, quick takeaways?
Kristin Del Rosso: [00:25:02] Yeah, for sure. So one thing - if you get a link sent to you via text message from an unknown number, a lot of the - you know, very rarely do I think it's something valid, so definitely, probably don't click on those. But if you do get these short links that get sent around, where it doesn't show you the full URL, on your phone you can actually hold down your finger on that link until, like, at the bottom, something else will pop up and show you what the full URL is for it without you actually having to click on it.
Carole Theriault: [00:25:27] Ooh, I didn't know that.
Kristin Del Rosso: [00:25:28] Yeah, so that's one good thing you can do before you even click on it. Or the other thing is, say you do click on it. It takes you to the browser. Just go into the URL bar so you can read through what it is because they might try and make it say the bank's name dot com, but then they don't have that domain, obviously, because it's owned by the bank. So there will be some changes there. So you can make sure it doesn't - if it looks suspicious or not.
Carole Theriault: [00:25:48] Yeah, totally.
Apurva Kumar: [00:25:49] Never click on that link directly, either through email, SMS text, IM or however you get it. If your bank is trying to contact you, go to one of your bookmarks on your phone or your banking app and log in through there. Just never, ever try to think that the link will guide you to the right place because that's just the best way to stay almost completely safe.
Carole Theriault: [00:26:09] OK, I have a question for you. So let's say someone is in the situation where they just get that kind of creepy feeling that they think they might have maybe given their credentials to something that may not have been their bank. Would you recommend they change their password immediately and alert the bank, or are there any other steps they should take?
Kristin Del Rosso: [00:26:27] I would rechange my password. I - you know, three years ago, I - before I was even in the mobile security world, I got one of these messages about changing my iTunes password, and I clicked and rechanged it, and then I didn't see anything happening. And I was like, oh, that's odd. And so I went back to the text message, clicked the link again and then changed it again, and it didn't work.
Carole Theriault: [00:26:46] Yeah.
Kristin Del Rosso: [00:26:46] And then five minutes later, walking down the street, I was like, hmm, that definitely wasn't Apple.
Carole Theriault: [00:26:51] Yeah.
Kristin Del Rosso: [00:26:51] And so I logged in from my computer and changed it to, like, a whole new password and since then haven't had any compromises or anything. But definitely, if you think you might have given it away, I would say change your password.
Carole Theriault: [00:27:03] Yeah, because you have to pay attention to that icky feeling that sometimes you get when you do something a little bit (laughter) - you know, like...
Kristin Del Rosso: [00:27:09] The icky feeling is good, as long as it alerts you.
Carole Theriault: [00:27:11] Yeah.
Kristin Del Rosso: [00:27:11] And then this also brings in the other point of - just use a password manager because it'll save your life because if you do have to change your password or a different password for each site, password managers are great (laughter).
Carole Theriault: [00:27:21] You know what? You guys have convinced me; I'm buying a Faraday cage for my phone.
Carole Theriault: [00:27:26] Apurva and Kristin, thank you so much for making time to talk to us about this today. And folks out there, pay attention to the text message you get, and don't enter information willy-nilly. This was Carole Theriault for "Hacking Humans."
Dave Bittner: [00:27:40] All right, interesting stuff. Huh, Joe?
Joe Carrigan: [00:27:42] Dave, this is a really good interview. I liked it a lot. Let me see if I can suss some of this out. No. 1 - people do trust their devices. That is a great point. I think it was Kristin that made that point early on in the interview. You know, you have this with you all the time. You look at it. You play games on it. You communicate on it. This is...
Dave Bittner: [00:27:56] Right.
Joe Carrigan: [00:27:57] ...Probably the single most trusted computer that you will ever own, is your mobile device. Apurva does a really, really good job describing this kind of attack. And what's amazing is how easy and inexpensive it is to conduct one of these attacks. She says you can get the phishing kit for $15 and then find a list of phone numbers, and you can run with this and harvest banking credentials. That's it. There's nothing else to it.
Dave Bittner: [00:28:23] Yeah.
Joe Carrigan: [00:28:24] One of the reasons it does work - and we've talked about this in the show before - is because screen real estate is at a premium on mobile devices. But I think I have a solution, Dave.
Dave Bittner: [00:28:33] (Laughter).
Joe Carrigan: [00:28:33] We all need to get, like, really, really big cellphones, right?
Dave Bittner: [00:28:36] I see (laughter).
Joe Carrigan: [00:28:37] And, I mean, yes, we'll look ridiculous holding these things up to our face, you know, a 7- or 8-inch tablet. But that's the solution. I'm joking, of course. There's got to be a better solution than this.
Dave Bittner: [00:28:49] (Laughter) Well, but it is interesting that these scammers are willing to focus on mobile devices and disregard desktop machines.
Joe Carrigan: [00:28:57] Right.
Dave Bittner: [00:28:57] The value proposition is such that they know where they're going to be most effective.
Joe Carrigan: [00:29:02] Yeah. A lot of people use mobile devices as their sole computing device. My wife, for example, spends exponentially more time on her mobile device than she does on her laptop...
Dave Bittner: [00:29:12] Yeah.
Joe Carrigan: [00:29:12] ...And, in fact, to the point where I just started keeping her laptop in my office so it could run updates - right? - on a regular basis...
Joe Carrigan: [00:29:19] ...Because that's how infrequently she used it. There are statistics out there for how much more mobile is used overusing a desktop computer. Now, I'm kind of an old - I don't know - old guy on this. I really like the action and feel of a desktop computer. I'm really not even a big fan of laptops. I still like my desktop. So I do a lot more work on my desktop. I really don't like doing mobile banking on my phone. But with this coronavirus thing going on, I'm going to have to do some mobile banking. It's just going to have to be something I do. I don't like it, but I'm going to have to do it. This campaign is a very spray-and-pray campaign. Or maybe a better way to say it is spray and prey, with an E, right? Prey.
Dave Bittner: [00:30:00] (Laughter).
Joe Carrigan: [00:30:00] It's definitely a numbers game for these guys. And they can do it because it's so cheap. I mean, the kit costs $10 or $15. If that's my expense and I can get 4,000 people to give me their credentials, the return on that investment is enormous.
Dave Bittner: [00:30:14] Yeah.
Joe Carrigan: [00:30:16] Right? I can sell those credentials because chances are the people running this phishing campaign aren't the people that are going to steal your money out of your bank account. They're probably not equipped to do that. They probably have a buyer that they're going to sell that information to, and those people are going to go in and try to steal money out of your bank.
Dave Bittner: [00:30:30] Yeah. Interesting, too, that, again, with this numbers game, the odds are, I suppose, that I'm going to send you the wrong bank, you know. I'm going to send you the login page for the bank you don't use.
Joe Carrigan: [00:30:41] Right.
Dave Bittner: [00:30:42] But enough people are going to get the bank that they do use that it still pays off.
Joe Carrigan: [00:30:47] That's correct.
Dave Bittner: [00:30:48] Yeah.
Joe Carrigan: [00:30:48] That's absolutely correct. When it comes to protecting yourself against these kind of scams, the biggest and best advice that they both give is don't click the link. You know, we say that endlessly. I know that some people say that's not good advice; sometimes you have to click the link. I say you don't click the link. And if you get a message like this, you go to either the app or the webpage and log in manually.
Dave Bittner: [00:31:07] Well, and don't most banks these days - certainly, if you're doing business with one of the big banks, they're going to have an app, right?
Joe Carrigan: [00:31:14] Yeah.
Dave Bittner: [00:31:14] They're - chances are - you won't have to interface with them through the web on your mobile device.
Joe Carrigan: [00:31:19] Right. That's correct.
Dave Bittner: [00:31:20] Yeah.
Joe Carrigan: [00:31:20] So use the app. Yeah.
Dave Bittner: [00:31:21] Yeah. Yeah.
Joe Carrigan: [00:31:23] Open the app on your phone. Don't click the link because I know a lot of these links will actually try to open up the app on your phone. Like, if you click on a Reddit link, the first thing it asks you is, do you want to open the Reddit app? And I'm like, no, I don't want to open the Reddit app.
Dave Bittner: [00:31:34] (Laughter).
Joe Carrigan: [00:31:34] I don't have the Reddit app. I want to use the web, like the web, please. I don't need an app for every webpage I visit. That's not the intent of the web. But now I'm sounding like an angry old man who's yelling in the microphone.
Dave Bittner: [00:31:44] (Laughter).
Joe Carrigan: [00:31:45] Kristin did say to look at the browser bar, but if you don't know that you're looking at a webpage and you think you're looking at an app, if this webpage is designed to look just like your banking app, you may not even know that you're on a webpage, and the thought to check the address bar may never occur to you. Yeah, if you know you're on a webpage, check the address, but that may never be something that you even think about.
Dave Bittner: [00:32:10] Right. And it goes back to what you were saying about that - real estate being a premium.
Joe Carrigan: [00:32:13] The real estate problem.
Dave Bittner: [00:32:14] Yeah. Yeah.
Joe Carrigan: [00:32:15] Right. I really like Kristin's story about her iTunes experience, where somebody scams her out of her iTunes password, and she quickly changed the password. How it dawned on her as she was walking down the street and she goes, that probably wasn't Apple.
Dave Bittner: [00:32:26] (Laughter).
Joe Carrigan: [00:32:27] And I think that happens a lot - right? - that you do something and then you kind of think about it or, passively - or you're not really thinking about it, but subconsciously, you're processing it, and then all of a sudden, the light goes off and - ding - oh, I just gave away my password. So she very quickly changed her password and didn't have a problem with it. That's excellent. If you do get scammed by one of these things, immediately change your password and call your bank and let them know what happened, that you had this happen. Any suspicious activity, they want to keep an extra eye on your account, if they can.
Dave Bittner: [00:32:55] Well, and it also makes me wonder that if anybody who had multifactor authentication enabled with their bank...
Joe Carrigan: [00:33:02] Right.
Dave Bittner: [00:33:02] ...This scam wouldn't have been effective on them, right?
Joe Carrigan: [00:33:05] No, it would not have been effective. But multifactor authentication is - particularly hardware multifactor authentication is a little more difficult to do on a mobile device. I mean, actually, it's getting easier. The YubiKeys that I have now have a little near-field communication chip in them that will conduct themselves just as if it's plugged into the phone. But, you know, my devices are - my old device doesn't have that, my old YubiKey doesn't have that. It has the same level of security but just not the near-field communication. So I have to - actually have to plug it into my phone, and since my phone only has a USB-C input and output, I now have to plug an adapter into my phone and then plug the thing into the adapter. So there's a little bit of a hurdle for me there. But my second YubiKey does have the near-field communication part. So...
Dave Bittner: [00:33:45] Yeah. But I think, also, we're seeing more and more apps being enabled to use things like the phone itself as the second factor.
Joe Carrigan: [00:33:53] Yeah.
Dave Bittner: [00:33:53] So, you know, using - if you have an iOS device using Face ID or, you know, Google Authenticator or even just sort of clicking through, the phone lights up and says, hey, we got the security alert. Was this you?
Joe Carrigan: [00:34:05] Right.
Dave Bittner: [00:34:05] And the fact that you have the phone in your possession is the second factor.
Joe Carrigan: [00:34:09] Yep.
Dave Bittner: [00:34:09] So it seems like the - they're being successful at streamlining this over time, and that's a good thing. But I guess the bottom line here, the reminder, is certainly, for your banking, if you don't have some sort of multifactor authentication, please go do that right now.
Joe Carrigan: [00:34:25] Yes, absolutely.
Dave Bittner: [00:34:26] (Laughter).
Joe Carrigan: [00:34:26] That is the single best thing you can do to protect yourself, even against people who have stolen your login credentials. If you have multifactor authentication and someone steals your username and your password to your bank account, they are still not getting in. It's really going to protect you.
Dave Bittner: [00:34:39] Well, our thanks to Carole Theriault for bringing us another great interview, and thanks to Apurva Kumar and Kristin Del Rosso from Lookout for joining us. And of course, we want to thank all of you for listening.
Dave Bittner: [00:34:50] And we want to thank our sponsors KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:35:06] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:35:14] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:35:28] And I'm Joe Carrigan.
Dave Bittner: [00:35:28] Thanks for listening.