Hacking Humans 4.16.20
Ep 94 | 4.16.20

They're getting smart, but we're getting smarter.


Dustin Warren: [00:00:00] What organizations can do is just to be vigilant, educate their employees and just stay safe out there. 

Dave Bittner: [00:00:06]  Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:24]  Hi, Dave. 

Dave Bittner: [00:00:25]  We've got some good stories to share this week. And later in the show, my conversation with Dustin Warren. He's from a company called SpyCloud, and his team has been monitoring criminal forums during the COVID-19 pandemic. And he's here to share what they've been seeing. But before we get to all of that, a word from our sponsors at KnowBe4. 

Dave Bittner: [00:00:46]  Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill, a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says next slide. Well, OK, we exaggerate, but you know what we mean. Stay with us, and in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training. 

Dave Bittner: [00:01:22]  And we are back. Joe, before we jump into stories, we've got a little bit of feedback from one of our listeners, another listener who also happens to be named Joe. And we were commenting on an earlier episode. I think you and I were both sort of scratching our heads a little bit and wondering why eBay gift cards were something that the criminals were requesting. 

Joe Carrigan: [00:01:43]  Yes, that's right. Like, what am I going to do? Am I going to go on there and buy some auto parts or something? 

Dave Bittner: [00:01:49]  Right (laughter). This listener wrote in and said that you can buy gold on eBay, which... 

Joe Carrigan: [00:01:55]  Really. 

Dave Bittner: [00:01:55]  ...May be what they're doing. Yeah, and he included a link to some gold bullion. So I guess you can buy gold and just buy it now, and I suppose that's a pretty effective way to launder that money, turn it into gold. 

Joe Carrigan: [00:02:08]  Yeah. I suppose that is a good way to launder money 'cause once it becomes gold and a tangible asset, it doesn't really have any way of being traced. 

Dave Bittner: [00:02:15]  Right. 

Joe Carrigan: [00:02:16]  The only thing here is I don't know that I would buy gold from eBay. 

Dave Bittner: [00:02:20]  (Laughter). 

Joe Carrigan: [00:02:20]  You know, I just - I mean, how do they know they're not getting scammed out of the money they scam people out of, you know? It becomes a - one big scam circle. 

Dave Bittner: [00:02:28]  Right. It's gold-esque. 

Joe Carrigan: [00:02:30]  Right. 

Dave Bittner: [00:02:32]  (Laughter) Right. All right. Well, let's get to our stories this week. Again, thanks to our listener Joe for sending that in. It's an interesting insight there. Joe, why don't you kick things off for us? 

Joe Carrigan: [00:02:42]  This week, I have a story from the BBC, and we'll put a link in the show notes. It's, of course, a COVID-19 story, Dave, because we can't not talk about COVID-19 right now for some reason. 

Dave Bittner: [00:02:53]  Yeah. That's true. 

Joe Carrigan: [00:02:53]  This is about a cold-calling con man. Now, you're familiar with the term cold-calling. It's what you do in sales, just dial the numbers until you get someone to say, yeah, I'll talk to you for a little bit. And this is kind of the same thing. This guy was going around knocking on people's doors, and he repeatedly banged on this one woman's door, and this woman was 83 years old, and he claimed to be from health and safety and said she would be arrested if he did not let her in. And when the victim opened the door, this guy barges into her home saying he needs to check her property. 

Joe Carrigan: [00:03:22]  Now, here's part of the sick part of this. The victim has dementia, right? She's an older lady and was following the guidance to stay home amid the outbreak, particularly because older people are at greater risk for this - for this disease. The guy demands 220 pounds from the lady for some reason, but fortunately, he leaves empty-handed because the woman only has 20 pence of cash with her. So he didn't make any money off this, but this is kind of an example of how con artists are exploiting the current crisis. 

Joe Carrigan: [00:03:51]  There is a - an organization in the U.K. called the NTS, or the National Trading Standards that's a consumer protection body. And they said cases of this kind of doorstep crime and other scams are increasing right now, and they are being revised to steal from people who are left alone and vulnerable to the coronavirus restrictions. So the NTS says you should check on your family members and your neighbors that are vulnerable to this. And, you know, keep an appropriate distance, of course, but check on them. One of the other things they said is - I don't know how they calculate this statistic - is that only 5% of these scams are reported. And we've gone over this numerous times. A lot of times, people don't report scams because they are embarrassed of the fact that they got scammed. They may not even be aware of the fact that they got scammed. 

Dave Bittner: [00:04:37]  And, boy, I guess from the criminals' point of view, it makes sense. You can knock on someone's door and say you're, you know, you're from the government, you're here to help... 

Joe Carrigan: [00:04:46]  Right, yeah. 

Dave Bittner: [00:04:46]  ...Or you're doing some sort of mandatory inspection, which, you know, these days, we've got a lot of rules in place... 

Joe Carrigan: [00:04:54]  Yup. 

Dave Bittner: [00:04:54]  ...That we didn't have before. We're told to stay inside, and there are fines if you're, you know, somewhere you're not supposed to be. So all these emergency powers... 

Joe Carrigan: [00:05:02]  Fines and imprisoned for - here in Maryland, right? 

Dave Bittner: [00:05:06]  Yeah. 

Joe Carrigan: [00:05:06]  You can be imprisoned for up to a year if you're violating our quarantine emergency order stuff. 

Dave Bittner: [00:05:10]  Right. So you have all these emergency powers, which, I think, it makes them uncertain. And, of course, there's the fear factor, which is always what these bad guys look for. 

Joe Carrigan: [00:05:19]  Yeah. They're capitalizing on the fact that you don't want to mess with the government. 

Dave Bittner: [00:05:23]  Right. Right. 

Joe Carrigan: [00:05:24]  They had some other examples of scams that were going around as well. These are door-to-door scams, fake and dangerous hand sanitizers, face masks and swabbing kits being sold online and, of course, door to door. You know, there's nothing stopping somebody from making fake hand sanitizer out of some ingredients they have around the house - right? - and selling it... 

Dave Bittner: [00:05:41]  Right. 

Joe Carrigan: [00:05:41]  ...At exorbitant prices. And, of course, it probably won't work because it will probably not be strong enough to work. Collection supposedly for charities to help the vulnerable, but they're just actually straightforward theft. They're just saying, hey, help us help these people affected by the coronavirus, and then you give them the money and they just - poof - disappear. 

Dave Bittner: [00:05:59]  Right. 

Joe Carrigan: [00:05:59]  Gangs arriving unannounced to disinfect driveways. This seems to me like the driveway paving scam... 

Dave Bittner: [00:06:05]  Right. 

Joe Carrigan: [00:06:05]  ...That we get here in the States a lot. 

Dave Bittner: [00:06:06]  Right. 

Joe Carrigan: [00:06:06]  But now they're going with the disinfect your driveway scam. 


Dave Bittner: [00:06:10]  Well, the... 

Joe Carrigan: [00:06:10]  Your driveway doesn't need to be disinfected. 

Dave Bittner: [00:06:12]  The driveway paving scam is some folks will come and they'll say they're going to seal your driveway, which is something - if you have a driveway, is something that - you know, it's a regular maintenance thing. But I think what they do is, instead of actually sealing it, they just paint it. 

Joe Carrigan: [00:06:24]  Right. 

Dave Bittner: [00:06:25]  If they do anything, they paint it. They just paint it black, and they say it's sealed and, you know, away they go. 

Joe Carrigan: [00:06:31]  And off they go, right. 

Dave Bittner: [00:06:31]  Yeah. 

Joe Carrigan: [00:06:32]  These - offering to shop for housebound residents but just stealing the cash they're given. So they show up at somebody's house and say, hey, I'll go shopping for you. Tell me what you need. I'll charge you 20 pounds to do the shopping for you, plus what the groceries cost. So give me 120 quid, and I'll go get your groceries. And then - poof - they're gone. 

Dave Bittner: [00:06:49]  Right. 

Joe Carrigan: [00:06:49]  And no groceries, and your money's out. 

Dave Bittner: [00:06:50]  I guess the heartbreaking part is that we're in this situation where there's desperation all around, and so people are doing what they think they need to do to provide for themselves. And for the bad guys, that means they're extending these scams, maybe finding new ways to come at people. 

Joe Carrigan: [00:07:06]  You know, they're just taking advantage of an opportunity to probably reap more than they normally do. 

Dave Bittner: [00:07:10]  Yeah. All right. Well, I guess keep an eye out for it. As always, let your friends and relatives know... 

Joe Carrigan: [00:07:17]  Right. 

Dave Bittner: [00:07:17]  ...Particularly those folks who are in vulnerable groups. 

Joe Carrigan: [00:07:20]  Absolutely. 

Dave Bittner: [00:07:20]  Just have them be on the lookout for this sort of thing if someone comes to their door. I think it's fair to say no one's going to come to your door and demand in-house inspection. 

Joe Carrigan: [00:07:29]  Yeah, that is not part of the restrictions. The restrictions are, essentially, stay out of populated areas and stay at home. If you're staying at home, you're meeting the requirements. There's no restrictions when you're home, right? 

Dave Bittner: [00:07:38]  Yeah. 

Joe Carrigan: [00:07:38]  They're not going to come in and go, well, that's out of place; you need to pay this many dollars or pounds or whatever to settle up with the government. That's just not going to happen. But, you know, if someone shows up and they look like and act like they're from the government, who knows how people are going to react to that. I would imagine fearfully. 

Dave Bittner: [00:07:55]  Yeah. All right. Well, my story this week, I suppose it's sort of a good-news story, and shockingly, it has nothing to do with COVID-19 (laughter). 

Joe Carrigan: [00:08:04]  Ah, the only part of our show today that doesn't have anything to do with COVID-19. 

Dave Bittner: [00:08:07]  I saw recently - a couple of weeks ago, we might have even mentioned it here - that they were joking that these days every podcast is a COVID-19 podcast. 

Joe Carrigan: [00:08:17]  (Laughter) Yes. 

Dave Bittner: [00:08:17]  And I think there's something to that. This story comes from the Daily Voice, which is a Hackensack, N.J., publication. And this is about Western Union being required to pay $153 million in compensation to seniors who lost money in phone scams. 

Joe Carrigan: [00:08:36]  Really? 

Dave Bittner: [00:08:37]  That was my response when I saw this. 


Dave Bittner: [00:08:38]  Because - several things. Well, let me give you the details here. 

Joe Carrigan: [00:08:43]  All right. 

Dave Bittner: [00:08:43]  And then we can unpack it together. So this is coming from the U.S. Justice Department. They're working with a number of different federal organizations - folks like the postal inspectors, the Federal Trade Commission. And basically, what's happened here is that they've determined that Western Union was turning a blind eye to some of the money transfers that were taking place as part of these scams. And even worse, some of Western Union's employees were taking part in the scams. So... 

Joe Carrigan: [00:09:14]  Really? 

Dave Bittner: [00:09:15]  ...They were - in other words, they knew what was going on, and they were allowing it to happen, maybe, you know, getting tipped under the table - that sort of thing - to, again, turn a blind eye to this sort of thing. And the Justice Department came in and said, no, you can't do this. What's interesting to me, too, is that Western Union has acknowledged responsibility for its criminal conduct, which included violations of the Bank Secrecy Act and aiding and abetting wire fraud. What struck me about that - you know, typically, you see these sorts of things where you end up with a settlement with a big company like Western Union and, generally, they don't admit any wrongdoing. 

Joe Carrigan: [00:09:51]  Yes. 

Dave Bittner: [00:09:52]  You know, they'll say, well, we don't admit any wrongdoing, but here's some money, and we're going to settle and just to make this go away because we're good citizens of the community and so on. But, no, in this case, they said, yeah, yeah, yeah, we're - our bad. So very interesting. So they're going to be working to - they sent out notices to over 500,000 potential victims. There's actually a website. It's westernunionremission.com, where if you feel as though you may have fallen victim to something that - where the money went through Western Union, you can go check it out, and perhaps you'll get some of your money back. 

Joe Carrigan: [00:10:27]  I hope so. What's the amount they settled for? Is it a settlement or is it actually a trial? 

Dave Bittner: [00:10:32]  It seems like it's happening in several phases. This first phase is $153 million that's going out to over 100,000 people. But this article also says that, ultimately, Western Union is going to be paying nearly $600 million to compensate some of these fraud schemes. So... 

Joe Carrigan: [00:10:51]  That's a lot of money. That's more than half a billion dollars. 

Dave Bittner: [00:10:54]  It is a lot of money. There's not a whole lot of details here in this article about how that breakdown works. But, you know, I wonder, for the people themselves, is this going to end up working like a class-action suit, where you don't really end up - you know, maybe you get a couple bucks or (laughter)... 

Joe Carrigan: [00:11:09]  Right. Yeah, and lawyers... 

Dave Bittner: [00:11:10]  ...You know, you get a free Western Union money transfer or something like that. 

Joe Carrigan: [00:11:13]  Right. 

Dave Bittner: [00:11:13]  I don't know. Hopefully, these folks get made partially whole, if not getting all their money back. But I guess what really struck me is it seems like these are few and far between where anybody gets anything back... 

Joe Carrigan: [00:11:24]  Right. 

Dave Bittner: [00:11:24]  ...That the government comes after someone and successfully gets back a large amount of money like this. So that's good news. 

Joe Carrigan: [00:11:31]  I'm looking at the article right now, and I don't know that it's going to be one of those cases where the lawyers make off with most of the money because this is not a civil case; this is the Justice Department going after it. 

Dave Bittner: [00:11:41]  Yeah. 

Joe Carrigan: [00:11:41]  It sounds to me like a criminal case. 

Dave Bittner: [00:11:43]  Right. 

Joe Carrigan: [00:11:43]  There is admission of criminal wrongdoing. So I hope that these people get a lot more money back than they normally would from a civil case. 

Dave Bittner: [00:11:49]  Yeah. It's interesting. And I guess, again, the message to go out to our listeners to warn folks is, if anybody asks you to go transfer money, think twice about it. Ask a friend (laughter). 

Joe Carrigan: [00:11:59]  Yeah. Absolutely. Absolutely. 

Dave Bittner: [00:12:01]  And how heartbreaking, too, that perhaps some of the folks involved with this were sort of in on it, were working with the bad guys to, again, turn a blind eye to this. That's a real shame. 

Joe Carrigan: [00:12:10]  If you think about it, there's got to be - I mean, how many times in your life have you actually sent money via Western Union? 

Dave Bittner: [00:12:15]  I don't know that I ever have. 

Joe Carrigan: [00:12:17]  Right. 

Dave Bittner: [00:12:17]  Yeah. 

Joe Carrigan: [00:12:17]  And have you ever received money via Western Union? 

Dave Bittner: [00:12:20]  I don't know that I ever have (laughter). 

Joe Carrigan: [00:12:21]  So if you're a Western Union employee - right? - or somebody that works where Western Union money is sent and received and you keep seeing the same guy coming in every day and he's getting $200, $1,000 sent to him every day, that might be a red flag, right? 

Dave Bittner: [00:12:42]  Could be. 

Joe Carrigan: [00:12:42]  ...That you would maybe be obligated to report. I don't know how this works in Western Union policy or even in banking policy or law that says this. This might be a good question for Ben Yelin. Maybe he knows. 

Dave Bittner: [00:12:53]  Yeah. 

Joe Carrigan: [00:12:53]  If I was working in this, I'd be curious about why somebody was coming in every day to collect some amount of money from me via Western Union, and I would be asking questions about this. 

Dave Bittner: [00:13:02]  Well, and, you know, we've seen stories where the folks who run the cash registers at places like CVS, you know, your drugstores... 

Joe Carrigan: [00:13:09]  Right. 

Dave Bittner: [00:13:09]  ...The places where people are going to be buying gift cards, they've had training to be on the lookout for this sort of thing. 

Joe Carrigan: [00:13:15]  Correct. 

Dave Bittner: [00:13:15]  If someone - if an elderly person comes through and is buying a few hundred dollars' worth of iTunes gift cards, that raises a red flag. And they've trained the people at the cash register to - you know, of ways to kind of ask that person some questions to maybe hopefully set them off in the right direction. 

Joe Carrigan: [00:13:33]  Yeah. Right. 

Dave Bittner: [00:13:34]  So it is possible to do the right thing here. Train your employees to be on the right side of these things. 

Joe Carrigan: [00:13:41]  Yeah. Absolutely. We've talked about CVS as a good example of this before, that they are trained like that. And that's part of the corporate responsibility, I think, when you're dealing with this kind of thing. And I know the CVS by my house has a Western Union capability. In fact, I walked in there the other day and that Western Union capability has been automated, so now I don't even know that you need to interact with the CVS employee to send a MoneyGram. 

Dave Bittner: [00:14:03]  Interesting. 

Joe Carrigan: [00:14:04]  Yeah. 

Dave Bittner: [00:14:04]  Yeah. I mean, obviously, it's an important service, and lots of people make use of it for a lot of different ways and the vast majority of them legitimate. But I guess like anything, it can be abused. 

Joe Carrigan: [00:14:14]  Absolutely. 

Dave Bittner: [00:14:15]  All right, Joe. Well, those are our stories. It is time to move on to our Catch of the Day. 


Dave Bittner: [00:14:23]  Our Catch of the Day comes from Camilo R. A. Freedman on Twitter. He is @camilofreedman. And it reads like this. 

Dave Bittner: [00:14:32]  (Reading) Hello Sir/Madam, I am Mr. Frank C. Calmes, and I am requesting that I make you the executor to the wish of my late client, Mr. Myles Munroe, who died in a plane crash in Nassau, Bahamas, on the 9 of November 2014. Before his death, he was a known preacher. But before we proceed any further, I will want you to go and make your research on this issue. After that is done, then we can talk it over, and then I will give you my proposal. All I need is to be sure that you can handle this transaction very well and also take care of the huge amount of money involved and, most especially, if I can trust you with the whole amount to deliver the dying wish of my late client after a successful transfer of the said funds into your bank account. Please stay safe and indoors to avoid the spread of this deadly virus, COVID-19. Thanks, Mr. Frank C. Calmes. 

Joe Carrigan: [00:15:21]  Dave, what's interesting about this is, first off, the scammer's very concerned about your COVID-19. But what - he says go and research this before you contact me back. But there was a man who was a Bahamian evangelist named Myles Munroe who died in November of 2014. 

Dave Bittner: [00:15:38]  Really? 

Joe Carrigan: [00:15:39]  Yes. 

Dave Bittner: [00:15:40]  You did the research, Joe? 

Joe Carrigan: [00:15:42]  I did some research. 

Dave Bittner: [00:15:43]  (Laughter). 

Joe Carrigan: [00:15:44]  And he and his wife died during a plane crash during airport approach on November 9, 2019 (ph). So this has a link to an actual event that you may or may not know about. The guy went to Oral Roberts University, which is a Christian evangelist university. He's written tons of books. He's actually a very famous person, if you're in these kind of circles, I guess. I've never heard of this guy before. Have you? 

Dave Bittner: [00:16:07]  No. 

Joe Carrigan: [00:16:07]  Myles Munroe is a real person. 

Dave Bittner: [00:16:09]  Yeah. So if you do your research... 

Joe Carrigan: [00:16:12]  It comes up. 

Dave Bittner: [00:16:12]  ...You'll actually - this - oh, isn't that fascinating? 

Joe Carrigan: [00:16:15]  Yeah. 

Dave Bittner: [00:16:16]  So that lends a bit of credibility to it. 

Joe Carrigan: [00:16:18]  It does, yep. Absolutely. 

Dave Bittner: [00:16:20]  Well, and then also interesting, I mean, almost cut and pasted onto the end of this, about - to stay safe... 

Joe Carrigan: [00:16:26]  (Laughter) Right. 

Dave Bittner: [00:16:26]  ...During COVID-19. 

Joe Carrigan: [00:16:27]  From the deadly virus. 

Dave Bittner: [00:16:29]  Yeah. It also strikes me - I mean, the thing we've seen before - this person was a preacher, a religious person. 

Joe Carrigan: [00:16:35]  Yup, that's right. 

Dave Bittner: [00:16:36]  So presumably a person of good intent, a person of high moral character. 

Joe Carrigan: [00:16:40]  Yeah, so how could anything be wrong here, right? 

Dave Bittner: [00:16:41]  Right. Fascinating. All right. Well, that is our Catch of the Day. Coming up next, my conversation with Dustin Warren from SpyCloud. His team has been monitoring criminal forums during the COVID-19 pandemic. And he's going to join us to share the types of things that they've been seeing. 

Dave Bittner: [00:16:58]  But first, a word from our sponsors, KnowBe4. And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally. KnowBe4 delivers convincing, real-world, proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news. 

Dave Bittner: [00:18:02]  And we are back. Joe, I recently had the pleasure of speaking with Dustin Warren. He's from a company called SpyCloud. And among the many things that he and his team do, they monitor criminal forums. And, of course, the criminal forums have been hot with COVID-19 news. So he joins us and shares the types of things that they've been tracking online. Here's my conversation with Dustin Warren. 

Dustin Warren: [00:18:23]  Really, as soon as the news started coming out about COVID-19 here in the States, we started seeing a spike in COVID-19-themed malware and phishing lures. So we started seeing a spike in people, you know, using the COVID-19 theme to get people to click links and to download malware onto their machines that they otherwise probably would not have had if they were not searching for information related about COVID-19. 

Dave Bittner: [00:18:47]  Well, take us through some of the specifics here. What are some of the more prevalent ones that you're tracking? 

Dustin Warren: [00:18:52]  Everyone probably remembers the news of that AZORult stealer, fake COVID-19 map tracker application that came out. That was one of the first ones that was covered. Basically, it was like a fake map application that was tracking COVID-19 infection statistics across the world. And it was actually using a live feed for that data. But in the background, it was actually running AZORult, which is a family of malware used for stealing credentials from infected machines. So that was one thing that we saw. We actually found on a criminal forum that we track - we found an actor that was offering up sort of, like, that service for people to buy that - essentially, they could buy that service, and he would work with them to help them create their own phishing pretext related to COVID-19 and even would let them use, like, the fake COVID-19 map to deploy their malware. That was using Java to basically drop out malware onto the infected machine. And because it was using Java, that specific hit was considered multiplatform. So it would work on OSX, MacBooks and Windows machines. 

Dave Bittner: [00:19:58]  And so in terms of organizations protecting themselves against these sorts of things, what do you recommend? 

Dustin Warren: [00:20:05]  Well, really just to stay vigilant. And one of the things you can do to stay vigilant is to educate your employees about what's going on. You really need to say, like, hey, be very careful about the emails that you're getting, especially if they're COVID-19-themed. We should always be careful about the emails that we're getting, but, you know, we should have it in the back of our minds that attackers are using this crisis to their advantage right now. And a lot of folks out there are really concerned about this. And they're searching for information constantly. It's kind of hard not to - right? - because you want to know what's going on. What are the latest statistics? And because people are doing that, they're clicking all this new content. And if you look at the amount of new content that showed up online related to COVID-19, it's absolutely staggering, right? And so it's really hard to determine how much of that is legitimate versus how much of that is, you know, scams or criminals taking advantage of people seeking information. So just really to stay vigilant. 

Dave Bittner: [00:20:58]  Yeah. What sort of specific steps have you all been taking to protect your own customers? 

Dustin Warren: [00:21:04]  We've released a public service announcement blog post, really, where we're saying - we showed nine ways that attackers are capitalizing on COVID-19. And we cover some examples of how actors are using - you know, they're pretending to be government health agencies, things like that. They're creating fake mobile applications. So we really just show a lot of the different examples there of how criminals are capitalizing off of COVID-19-themed content. 

Dave Bittner: [00:21:31]  I suppose a lot of this has really been shifts in the bait itself - using existing types of malware but, you know, using COVID-19 as the hook. 

Dustin Warren: [00:21:42]  That's right. One of the other things that we're seeing that's really interesting is more and more people are ordering food from home now, obviously, because of all the restrictions. You know, restaurants can't have people in them, things like that. So more and more people are using these services to order food online. And then what we're seeing are criminals are starting to sort of take advantage of these - you know, the surge of these people signing up for these services. What'll happen is someone will sign up for some sort of grocery service, and they will reuse a previously compromised credential whenever they sign up for that service. And so what will happen is these criminals will check previously compromised credentials from past known breaches against that service and basically will find ways into those accounts. And what they'll do is they'll order food from those accounts for themselves and things like that. They're really finding a lot of really creative new ways to take advantage of this crisis. 

Dustin Warren: [00:22:34]  And, really, criminals can bank off of credential reuse, and that's one of the things that SpyCloud is really determined to put a dent in. We hope organizations really understand their exposure to credential reuse and what that could mean for them. But in this case, we're seeing criminals are using COVID-19 themes to, you know - or the fact that COVID-19 is this massive crisis right now - they're abusing that to sort of get into these various services that people might be using now. So more and more people are getting streaming services because they're spending more time at home, and so, you know, criminals are taking advantage of that opportunity. 

Dave Bittner: [00:23:12]  All right, Joe, what do you think? 

Joe Carrigan: [00:23:14]  Dave, imagine getting a COVID-19 email six months ago. You would ignore it, right? It would have absolutely no purpose. 

Dave Bittner: [00:23:21]  Right. 

Joe Carrigan: [00:23:22]  It would be meaningless. You would not have heard of COVID-19. You would not be worried about COVID-19. This is one of the things - we've been talking about this. Of course, today, it's pretty much all COVID all the time, except for your story today. You know, even the Catch of the Day has a mention of it. 

Dave Bittner: [00:23:35]  Right. 

Joe Carrigan: [00:23:36]  But it's a big lure, like Dustin says. When you hear the name Azrael, what do you think of? 

Dave Bittner: [00:23:41]  If I hear the name Azrael - I don't know - I guess I think of Ariel from "The Little Mermaid." 

Joe Carrigan: [00:23:45]  Oh. 

Dave Bittner: [00:23:45]  But that's just me (laughter). 

Joe Carrigan: [00:23:48]  Azrael was the name of Gargamel's cat in "The Smurfs." 

Dave Bittner: [00:23:50]  Oh, OK. 

Joe Carrigan: [00:23:52]  That was... 

Dave Bittner: [00:23:52]  Even better. 

Joe Carrigan: [00:23:53]  Yeah. That's what I remember. But you know what Azrael actually is? It's the angel of death from Islamic and Jewish lore... 

Dave Bittner: [00:24:00]  Oh, OK. 

Joe Carrigan: [00:24:02]  ...Which is - I find interesting. 

Dave Bittner: [00:24:03]  Yeah. 

Joe Carrigan: [00:24:04]  It's also a malware tool here that's been commoditized, so you can buy it online and distribute it to help you get what you want out of these different victims you're going to exploit. But it runs on Java, which is interesting. Now, Java - I don't want to get too technical, but Java is a language that allows you to write software that's write once, run anywhere. So I can run a Java program on a Mac. I can run a Java program on Windows or on Linux. Any operating system, just about, there are Java environments that will run this malware. 

Dave Bittner: [00:24:34]  Right. 

Joe Carrigan: [00:24:34]  So it's an attempt at optimization by these malware authors to make it easier to distribute this malware to more platforms. 

Dave Bittner: [00:24:43]  Yeah, make it easier on themselves (laughter). 

Joe Carrigan: [00:24:45]  Right, exactly. Yeah. 

Dave Bittner: [00:24:46]  Right, right. 

Joe Carrigan: [00:24:47]  Just like - you know, you think about it. Just like companies who want to have a program that they only have to write once, they only have to maintain one code base, so they use Java. The bad guys do the same thing, right? 

Dave Bittner: [00:24:57]  Yeah. Why not? Hey, yeah. Well, it's a business. Why not build in those efficiencies? 

Joe Carrigan: [00:25:01]  Right, absolutely. I appreciate Dustin and the team at SpyCloud with their public service and coming on this podcast and talking about this. I would advise you take a look at their blog. The blog entry's called "PSA: 9 Ways Attackers Are Capitalizing on COVID-19." A lot of these are relevant. Some of them are not so relevant. But a lot of them are. I like his targeting food delivery accounts via credential stuffing. That's a pretty important topic he talked about. 

Dave Bittner: [00:25:24]  Yeah. 

Joe Carrigan: [00:25:25]  And it's amazing to me that that still works. But people are signing up for these food delivery services. They've never signed up for them before, but they're using passwords that have already been compromised. So it's essentially like signing up without a password. If an attacker knows your email address and an old password that you used and you reuse that and they stuff that - those credentials into a webpage and get a hit, they're going to buy groceries on your dime and send them to themselves. 

Dave Bittner: [00:25:53]  Yeah, yeah. 

Joe Carrigan: [00:25:53]  That's just how this works. So don't reuse passwords. Use a password manager. And, of course, multifactor authentication is great here, but still, use a password manager. It's very important. 

Dave Bittner: [00:26:05]  (Laughter) Yes, yes. We should have T-shirts made, Joe, that say... 

Joe Carrigan: [00:26:09]  Yes, we should. 


Joe Carrigan: [00:26:12]  We absolutely should get T-shirts made. 

Dave Bittner: [00:26:13]  It'd say, use a password manager. Yeah. 

Joe Carrigan: [00:26:15]  Right. 

Dave Bittner: [00:26:15]  Yeah. 

Joe Carrigan: [00:26:15]  And then at conferences, instead of people walking up and saying, are you Dave, they'll say, you must be Joe, because that's what I've been saying for years... 

Dave Bittner: [00:26:22]  (Laughter). 

Joe Carrigan: [00:26:23]  ...And years and years and years. 

Dave Bittner: [00:26:24]  Right. 

Joe Carrigan: [00:26:25]  Use a password manager. Use a password manager. 

Dave Bittner: [00:26:26]  Right. It's Joe "Use A Password Manager" Carrigan... 

Joe Carrigan: [00:26:29]  Right. 

Dave Bittner: [00:26:29]  ...At your service. 

Joe Carrigan: [00:26:30]  (Laughter) Exactly. 

Dave Bittner: [00:26:31]  Yeah, yeah. All right. Well, again, thanks to Dustin Warren for joining us. And we want to thank all of you for listening. 

Dave Bittner: [00:26:38]  And, of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Seems like it's more important than ever these days, right? 

Joe Carrigan: [00:26:57]  Right. 

Dave Bittner: [00:26:57]  Want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:27:05]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:27:19]  I'm Joe Carrigan. 

Dave Bittner: [00:27:21]  Thanks for listening.