Dave Bittner: [00:00:00] Hey, everybody. Dave here with a quick request - if you could leave us a review on whatever platform it is you listen to the show, it'll help spread the word and grow our audience. So please take a few minutes and share why you think this podcast is a valuable part of your day. Thanks. Here's the show.
Kurtis Minder: [00:00:16] We're seeing a whole bunch of kits just like this around stealing the stimulus money that's going through the SBA and the banks.
Dave Bittner: [00:00:23] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where, each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:42] Hi, Dave.
Dave Bittner: [00:00:43] We've got some good stories to share this week. And later in the show, my interview with Kurtis Minder. He works with a company called GroupSense, and they've been commemorating the 20th anniversary of the dark web. So stick around for that. But first, a word from our sponsors at KnowBe4.
Joe Carrigan: [00:01:00] So how do you train people to recognize and resist social engineering? Here are some things people think - test them, and if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. How about it? What do you think - carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this podcast.
Dave Bittner: [00:01:37] And we are back. Joe, we got some follow-up from a listener, who wrote in and said, Dave and Joe, I've been enjoying your podcast for a long time, and you often talk about good password habits - not vaporous hygiene like SSO, MFA and password managers. Yet for all the time I've been listening, you never include biometrics on the list. Why is that not discussed? Surely, the technology's beyond the Silly Putty attack of old. Plus, wouldn't it yield a suitably long, unguessable random password while saving time and hassle when crossing security boundaries to different systems?
Dave Bittner: [00:02:09] It's a solution that's literally always on hand and can have an MFA alternative when wearing a bandage. We used to trust a signature but no longer. Then we had credit cards protected by a supplementary number on the back of the card. But we hand over all the information when requested to anybody and everybody for any reason. There is no security really anymore because people are dumb on the whole. So why isn't biometrics being championed? Is it because Jason Bourne can circumvent it using MacGyver's toenail clipping? And he has a little smiley there.
Joe Carrigan: [00:02:39] Right.
Dave Bittner: [00:02:40] What do you make of this, Joe? Is our listener onto something here?
Joe Carrigan: [00:02:44] I am not a fan of biometrics. And the biggest reason I'm not a fan of biometrics is because you can't change them. He talks about the Silly Putty attack, but that's not the only kind of attack there is against biometrics. A lot of these biometrics, like your fingerprint - it doesn't store your fingerprint. It stores some mathematical representation of your fingerprint. And if that gets breached, there's nothing you can do to change your fingerprint like a password.
Dave Bittner: [00:03:09] We've seen stories where people have had high-enough-resolution photographs where someone's, like, waving their hand or something, and they can go in close enough and pull a fingerprint.
Joe Carrigan: [00:03:20] Right, and they can reproduce a fingerprint. He talks about the Silly Putty attack, where we may be beyond that - I don't know. But we're certainly advancing in the field of 3D printing a lot, to the point where you can actually 3D print fingerprints. We saw a story about that a couple of years ago.
Dave Bittner: [00:03:35] Yeah. Actually, I spoke to some researchers over at Cisco Talos. It'll be running on an upcoming episode of "Research Saturday" about that very thing, about research they did with 3D printing and fingerprints. Spoiler alert - it works, but it's not easy (laughter).
Joe Carrigan: [00:03:49] Right. Well, exactly. It's not easy. I'm one to say that anything that moves us in a more secure direction is good. And right now, these fingerprints are not easy to reproduce. But that will become easier over time. And it doesn't matter how old you get - your fingerprints will always be the same; there's nothing you can do to change them. And that's really my biggest problem with all the biometrics is they're immutable.
Dave Bittner: [00:04:11] Yeah. Yeah. It's interesting to me, like - you know, I use face ID on my phone, which works great most of the times - having a little bit of trouble with masks lately. But in my mind, the biometric things for unlocking your phone - I think for most people, the benefit there is that people who weren't using any password before because it slowed them down...
Joe Carrigan: [00:04:35] Right.
Dave Bittner: [00:04:35] ...Now are using the biometrics because they're much faster and they give you pretty much instant access to your device. So in my mind, that's a good balance between increasing your security - maybe an imperfect increase of your security...
Joe Carrigan: [00:04:48] Right.
Dave Bittner: [00:04:48] ...Way better than nothing, right...
Joe Carrigan: [00:04:51] Yep.
Dave Bittner: [00:04:51] ...But easy to use. And when you want to get in your phone, easy to use and frictionless is the way to go.
Joe Carrigan: [00:04:56] Yep. Yep. And I use a fingerprint to access my phone, and I think it's fine for that use case. But when you start talking about moving across networks and going from one segment to the next, I'm less likely to be in favor of that. I mean, it's OK. It's fine. It adds another layer. But like I said, it's immutable. And for that reason alone, I think that we need a better solution.
Dave Bittner: [00:05:19] Yeah. All right. Well, thanks to our listener for sending in that question. It's a good one. Let's move on to our stories. I'll kick things off this week. My story comes from ZDNet, and this is titled "Network of Fake QR Code Generators Will Steal Your Bitcoin." Now, Joe, I don't - have you any direct experience with Bitcoin?
Joe Carrigan: [00:05:40] I have some bitcoin, small amount of bitcoin.
Dave Bittner: [00:05:43] Do you?
Joe Carrigan: [00:05:43] Yes.
Dave Bittner: [00:05:44] I do not.
Joe Carrigan: [00:05:45] Like, maybe - maybe it's worth, like, $15 right now.
Dave Bittner: [00:05:49] (Laughter) OK. So you're not quite lighting cigars with $100 bills off your Bitcoin investments.
Joe Carrigan: [00:05:55] No, I'm not.
Dave Bittner: [00:05:56] Well, it turns out that Bitcoin addresses are, by design, long (laughter).
Joe Carrigan: [00:06:02] Right.
Dave Bittner: [00:06:02] Right? Which makes them hard to use.
Joe Carrigan: [00:06:05] Yeah.
Dave Bittner: [00:06:05] So you know, you have to be careful. You have to - of course, you have to have them exactly right because there - we've had many stories about people losing their Bitcoin addresses or their passwords and the money's just gone, right?
Joe Carrigan: [00:06:18] Right. If you lose the keys to access your wallet, then that money will remain where it is on the blockchain forever.
Dave Bittner: [00:06:26] So there are some services out there who claim to be converting your Bitcoin address to a QR code. And a QR code is a little - that little scannable pattern that...
Joe Carrigan: [00:06:41] It's a barcode.
Dave Bittner: [00:06:42] It's a barcode, yeah. You're right, right, right...
Joe Carrigan: [00:06:44] It's a two-dimensional barcode.
Dave Bittner: [00:06:44] Yep. And I guess QR codes kind of had their rise and fall a couple years ago. Some organizations were trying to get them to catch on from a consumer point of view, you know, putting them on for advertisements and things like that. And it seems like they've sort of fallen off in popularity with that, but they still have their uses. And so one of them is that they're trying to make it easier for people to access their bitcoins by using these QR codes instead of having to keep track of this long bitcoin address.
Joe Carrigan: [00:07:14] Right.
Dave Bittner: [00:07:14] Well, turns out that there are people out there who have spun up websites that claim to do this, but instead of doing this, basically, they just take your bitcoin address and they go and take your money.
Joe Carrigan: [00:07:28] So they're pretending to offer a service that lets you access your bitcoin with your private keys. And instead, they're just taking the private keys because you have to provide the private key (laughter).
Dave Bittner: [00:07:39] (Laughter) Right. Exactly (laughter).
Joe Carrigan: [00:07:43] Yeah, this is - yeah. Here's the thing with cryptocurrency like Bitcoin and any other cryptocurrency that's out there, like ZCash or Monero or - you kind of have to know how they work, right? You have to know what's going on. And basically, in a nutshell, with Bitcoin in particular, the way it works is your Bitcoin address is your public key. And the fact that you possess the private keys proves that you are the owner of the public key for the network. Right? So if somebody gets your private keys - if somebody asks you for your private keys and you give it to them, you have given them literally your identity. That's what you've done.
Dave Bittner: [00:08:18] It's like giving them your username and password.
Joe Carrigan: [00:08:20] It is more than that. It's actually giving them the way to prove, irrefutably, who you are or who - that you are who you say you are. And it lets them just - they can - they then have access to any bitcoin that you have at that address or with that identity, and they can send it wherever they want. And once they send it, it's gone. You cannot get it back.
Dave Bittner: [00:08:42] I think it's interesting they've branded these scam services as Bitcoin transaction accelerators (laughter).
Joe Carrigan: [00:08:48] They're going to accelerate that transaction. I guarantee you that they're going to be some very fast transactions, Dave.
Dave Bittner: [00:08:55] (Laughter) Yeah. So far, they've scammed over $45,000 from folks.
Joe Carrigan: [00:09:00] OK. So that's actually a small amount of money that they've scammed. I would have anticipated this being a lot more. So I'm glad to see that it's only $45,000. I'm hoping that they're scamming that from a large group of people so that not anybody is being hurt in big ways here, people like me who have maybe $15 worth of bitcoin.
Dave Bittner: [00:09:17] As so many of these things do, targeting the unsophisticated user...
Joe Carrigan: [00:09:21] Absolutely.
Dave Bittner: [00:09:21] ...The casual, you know, Bitcoin person who doesn't really understand perhaps everything they should...
Joe Carrigan: [00:09:26] That is exactly the market they're going after.
Dave Bittner: [00:09:28] Yeah. Yeah.
Joe Carrigan: [00:09:28] It's because, you know, somebody who is steeped in the Bitcoin world, who understands what the blockchain is and how it works - and I'm not going to go into that 'cause we try not to be technical in the show - but they're going to look at this, and they go, why would I do that? That's just going to let you steal everything from me.
Dave Bittner: [00:09:42] Right.
Joe Carrigan: [00:09:42] But somebody else who says, oh, I got the bitcoin, and I'm going to be rich...
Dave Bittner: [00:09:45] Keeping track of these numbers is really a pain.
Joe Carrigan: [00:09:48] Right. Yeah. Keeping track of all these - let me have this guy keep track of my private keys. Yeah, that's a bad idea. And it's - and that's exactly who they're preying on, is the unsuspecting or the people who are just - who just are ignorant of how it works. It's not because they're stupid. It's just because they just don't understand how it works and they haven't invested the time to understand it. They may have invested time to understand some feature of it, but they haven't thoroughly gone into it and looked at it.
Dave Bittner: [00:10:14] Yeah. All right. Well, buyer beware. If you see ads or promotions for these QR code-generating sites, chances are they may be out to steal your bitcoins.
Joe Carrigan: [00:10:26] Absolutely.
Dave Bittner: [00:10:27] So be cautious of that.
Joe Carrigan: [00:10:28] Do not do that, and do your due diligence when you're looking at where you're going to keep your bitcoin. If you're going to keep it in an exchange or you're going to keep it in a wallet, if you're going to keep it in a software wallet or hardware wallet, learn what all that stuff means. Learn what it means. It's very important.
Dave Bittner: [00:10:43] All right. Well, that is my story this week. Joe, what do you have for us?
Joe Carrigan: [00:10:46] Dave, I want to - about four episodes ago - four or five episodes ago, I said I was going to - every - about once a month, do the old classic cons.
Dave Bittner: [00:10:53] Yeah.
Joe Carrigan: [00:10:53] So I've got two today that are interesting old cons. These have been around for years, decades, centuries, even.
Dave Bittner: [00:11:01] OK.
Joe Carrigan: [00:11:02] The first one is called the ring reward, and that's kind of hard to say. It's a tongue twister. So I'm just going to call it the ring scam - the found ring scam.
Dave Bittner: [00:11:10] OK.
Joe Carrigan: [00:11:10] So what happens is you're in a public place and a distressed woman asks you if you have found a ring. And she's looking around like she's looking for a ring. And she says she has lost one, and she's heartbroken. This ring was very important to her for some reason. Maybe it was an engagement ring. Maybe it was a ring that her grandmother gave her. Maybe it was some other - you know, some other valuable thing that - it doesn't have, you know, meaning to anybody else, but it has meaning to her, that kind of thing. And she gives you her contact information and a description of the ring.
Joe Carrigan: [00:11:41] And she says, whoever finds this ring, I'm going to give them a huge reward. And she will be specific about the amount of money, right? This ring is so important to me. If somebody finds it, I am going to give them a $500 reward.
Dave Bittner: [00:11:56] OK.
Joe Carrigan: [00:11:56] Because it means that much to me. The ring, it may not even be worth $500. I think it's worth - yeah, she'll come up with some story. It doesn't matter. But after she gives you the contact information, she disappears. And she - on the auspices, she's got to continue looking for the ring. Sometime later, another person will approach you, and they will say, hey, is this your ring? I found it, right? And they'll show you a ring that looks just like the one you were told about earlier by the woman looking for the ring, right? So inside your head, you're going, that woman is going to give me some money. She's lost the ring. Here's the ring right here. And what they're relying on here is for you to put this together.
Joe Carrigan: [00:12:35] You know, these are two different people. These are two separate events. You don't really realize these people are working in cahoots, but you go, well, I know whose ring it is. So if you give me the ring, I will give it to the person who owns it. The person, of course, will go, I'm not just going to give you the ring. How do I know? I mean - and they're hoping that you'll go, I'll give you some amount of money for the ring, right? Like, I'll give you 20 bucks, 30 bucks, 40 bucks, thinking that you're going to get 500 bucks from the woman who has lost the ring. So they're preying on two things here. They're preying on your greed and your good nature - right? - of...
Dave Bittner: [00:13:09] I see.
Joe Carrigan: [00:13:09] ...Returning the ring. Now, the ring is worthless, right? It doesn't have any value. And the contact information is bogus. So you give the second person some amount of money. He gives you a ring, and then he disappears. And now you're - now you've got a worthless ring, and they've got your money. And that's how it works. Now...
Dave Bittner: [00:13:31] One ring to scam them all.
Joe Carrigan: [00:13:33] Right. (Laughter) That's very good. I did a little bit of research on this, and I found there's an even simpler version of this. There is a website called Europe For Visitors that talks about the Paris Gold Ring Scam. And it's the same kind of scam, but it's simpler. It only involves one scammer. And this person will walk up to you, and they will say they found a ring and they'll ask if it's yours. And on this article on europeforvisitors.com, they have a picture of the ring, and it looks like a pretty real ring. I mean, the picture looks like it's a gold ring.
Dave Bittner: [00:14:07] Yeah. You know, it reminds me of the time - remember I shared the story of the time I got scammed by someone who was on the side of the road who claimed that their car had broken down and they were looking for help. And one of the things that they offered me was a ring.
Joe Carrigan: [00:14:20] Yeah.
Dave Bittner: [00:14:21] Hold on to this ring. I'll give you this ring as collateral, you know.
Joe Carrigan: [00:14:25] Right.
Dave Bittner: [00:14:26] And it was a very convincing looking goldan (ph) ring (laughter).
Joe Carrigan: [00:14:29] Right, goldan ring.
Dave Bittner: [00:14:31] Yeah, yeah.
Joe Carrigan: [00:14:31] So the story that this person tells in this article, the scammer then says - after you say, no, that's not my ring, they go, well, you want to buy it? In this story, the scammer goes, I'll sell it to you for 50 euros. And the woman that she was trying to scam goes, no, no, you found the ring. It's yours. It's your lucky day. And then she goes 20 euros, right? So it quickly drops. So this ring is worth a lot less than 20 euros, right? It's a cheap ring. In the article on Europe For Visitors, they said they got accosted by four different people who were running this scam while they were in Paris. So it's very common. I thought that was an interesting scam.
Dave Bittner: [00:15:08] Yeah, yeah, it is.
Joe Carrigan: [00:15:09] The next one that I found was the bank examiner scam. Here's how this one works. You're approached by someone somehow. They may give you a phone call. They may approach you in person. But they're claiming to be someone who's investigating a bank teller. And they may say that they're from the bank or they may say that they're with law enforcement and that they want to test the honesty of this bank teller. So they will ask you to go to the bank and withdraw some money. And then they'll say we need to examine the money when you get it out. So you go to the bank, you withdraw the money, and they say that they're trying to find out if this person is passing counterfeit bills.
Joe Carrigan: [00:15:43] So you go to the bank, you withdraw some money from your account, and then they meet you afterwards. And they may even have special instructions, like make sure you get everything in 20s - right? - because we think they're passing fake 20s or make sure you get it in hundreds. We think they're passing fake $100 bills. And then you hand them the money, and then they do one of two things in the stories I found. They will either give you an official-looking receipt and say you'll get your money back in a couple of days with a little bit more for you. Or they'll do some kind of sleight of hand trick and give you a bunch of fake bills back. So you go in, you say, give me $200 in 20s, and the teller gives you 10 $20 bills. And you go out to the scammer, and say, hey, give me 10 $20 bills. And they go, OK, let's take a look at it. And they look at it, and they hand you back what you think is your money, but it's not your money. It's counterfeit bills. And you go on your way, and they disappear, and they thank you very much for your service. That's basically how the scam works.
Joe Carrigan: [00:16:34] Now, there is another way the scam can start. And I found an account of this that is absolutely terrifying. They will approach you in the parking lot of a mall or at a store, and they'll look very official and they'll go, how did you pay for that? And if you say I paid cash, they'll go, yeah, we thought so. The money you passed was counterfeit and now you're in trouble for buying stuff with counterfeit money. And, of course, that is the fear of the government coming after you again. So this is somebody impersonating law enforcement, which, of course, is a crime. But, you know, laws don't stop people from committing crimes. They just provide us a way to punish people who do things, right?
Dave Bittner: [00:17:11] Yeah.
Joe Carrigan: [00:17:11] So once they say that, they're hoping that you go, well, I got this money from the bank this morning. And they go, the bank you say. That's interesting. Which bank was it? And you tell them which bank. And they go, yeah, OK. Now this is starting to add up, right? We need your help on this, and you're going to help us. And if you help us, then we won't prosecute you. And then they - the scam proceeds as normal, right? You're going off to the bank to get the - get some money out. They're going to switch the money out for you and give you back fake bills or just take it and go. It's unfortunate when this happens. But this reminds me a lot of an episode of "The Simpsons" from I think Season 5. But when Homer gets these college kids expelled from school, and they go out and they say, we'll be fine, Mr. Simpson, and Snake shows up and goes, wallet inspector...
Dave Bittner: [00:17:59] (Laughter).
Joe Carrigan: [00:17:59] They hand over their wallets.
Dave Bittner: [00:18:03] (Laughter) Right (laughter).
Joe Carrigan: [00:18:03] And Snake goes, I can't believe that worked.
Dave Bittner: [00:18:08] (Laughter).
Joe Carrigan: [00:18:08] But that's what this reminds me of. You know, it's not as simple as just walking up and going, wallet inspector. You're actually using the fear. Particularly when you're accusing somebody of passing counterfeit bills, the fear of prosecution, that is a very effective tool. We see that used as a hook in a lot of these scams where people start trying to scare you into compliance. And it's just a way to short circuit you into not thinking about it and behaving the way they want you to behave. So you got to be mindful of it.
Dave Bittner: [00:18:37] Yeah, absolutely. All right. Well, good classic ones that are still being used today.
Joe Carrigan: [00:18:41] Absolutely.
Dave Bittner: [00:18:42] Yeah. All right. Well, it's time to move on to our Catch of the Day.
[00:18:46] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:18:49] Our Catch of the Day comes from Twitter user Courtney Bane, who is @cbane0. And this is titled "Humanitarian Gesture," and it goes like this.
Dave Bittner: [00:19:00] (Reading) The world is facing an unprecedented challenge with communities and economies everywhere affected by the growing COVID-19 pandemic. The world is coming together for combat the COVID-19 pandemic. Governments, organizations and individuals from across industries and sectors are coming together to help respond to this global outbreak. The outpouring of global solidarity and support sparked by this shared challenge has been phenomenal. The World Health Organization, WHO, is leading and coordinating the global effort supporting countries to prevent, detect and respond to the pandemic. Everyone can now support directly the response coordinated by WHO. People and organizations who want to help fight the pandemic and support WHO and partners can now donate through the COVID Solidarity Response Fund for WHO at the secure bitcoin digital currency address below. You can also scan the barcode below to make your goodwill donation toward this global effort at finding an effective vaccine for the virus. Any amount donated is significant and will go a long way to save lives. Thank you for your donation.
Joe Carrigan: [00:20:02] (Laughter) Now, it's important to note that when Courtney shared this, he noted that something key is missing from this. Dave, if you were a bad guy and you were going to send out a bitcoin scam email, what is the one piece of information you'd make sure to include in your email?
Dave Bittner: [00:20:17] The bitcoin address.
Joe Carrigan: [00:20:18] The bitcoin address, which is conspicuously absent from this email that Courtney received.
Dave Bittner: [00:20:24] Oops.
Dave Bittner: [00:20:27] I just imagine the scammer going to bed and going, God, I feel like I forgot to do something today.
Joe Carrigan: [00:20:31] (Laughter).
Dave Bittner: [00:20:31] And I don't know what it is. There's this nagging feeling like there is something - I worked all day long, and I feel as though I just missed out on doing some - ah, well, I'm sure it'll come to me.
Joe Carrigan: [00:20:41] And then he wakes up in the morning and goes, all right, time to count the money, and there's nothing there.
Dave Bittner: [00:20:45] Right. Right.
Joe Carrigan: [00:20:49] So thank you, Courtney.
Dave Bittner: [00:20:51] Yeah. Well, interesting that it also refers to a barcode, which we were talking about earlier.
Joe Carrigan: [00:20:55] Right. Yeah. Well, there are - you know, you can turn your public key into a barcode just fine. That makes it easy for people to send you bitcoin. But what you don't want to do is turn your private keys over.
Dave Bittner: [00:21:04] Yeah. Yeah. All right. Well, thanks to Courtney Bane for sending that into us.
Joe Carrigan: [00:21:09] If you have something you think might be a good Catch of the Day, send it to us at firstname.lastname@example.org or hit us up on Twitter. I'm JT Carrigan @JTCarrigan and Dave is @bittner with two Ts.
Dave Bittner: [00:21:22] Yes. All right. Well, coming up next - my conversation with Kurtis Minder. He's with a company called GroupSense, and they've been commemorating the 20th anniversary of the dark web.
Dave Bittner: [00:21:33] But first, a message from our sponsors, KnowBe4. So let's return to our sponsor KnowBe4's question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture, and sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. You can hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:22:23] And we are back. Joe, I recently had the pleasure of speaking with Kurtis Minder. He is with a company called GroupSense, and they published some research commemorating the 20th anniversary of the dark web - so interesting conversation with Kurtis Minder about that. Here's my conversation.
Kurtis Minder: [00:22:40] The dark web and darknet are largely used interchangeably, you know, widely understood to have some illegal activity tied to them. But they're not just used for illegal purposes. There are legitimate uses. Mostly, we're talking about networks that either require some special connectivity, whether that's a software client or something like that, and have some anonymity tied to their use so that folks can kind of say and do what they like. The deep web also plays a role in this where there are components or networks that aren't necessarily as anonymous, but they require some paywall or authentication component to get inside them. And largely any content that's unindexed by a traditional search engine would be in this category as well.
Dave Bittner: [00:23:20] Now, you and your team recently marked the 20th anniversary of the dark web. Do you have any insights on the history, any idea who - where the term was originally coined?
Kurtis Minder: [00:23:29] I don't know about exactly when they started using the term. But I mean, the original sort of iteration of what we now define as the darknet was really started around 2000 with Freenet. And Freenet had a similar concept to what we now know as the Tor network or the darknet as we know it today, basically around anonymous communication. Back in the 2000s, because we didn't have things like bitcoin and blockchain, there weren't a lot of transactions that occurred because that component was somewhat traceable. But what really happened on Freenet was a lot of free speech communication and a fair amount of pornography and illegal pirated content was traded but not necessarily for money.
Dave Bittner: [00:24:07] Are there any common misperceptions that people have about the dark web?
Kurtis Minder: [00:24:10] I do a lot of talks, and one of the questions I get from folks who aren't in the space that we're in is, could I accidentally end up on the darknet or dark web? And you know, generally, the answer is no. That's not something that accidentally happens to someone. You have to deliberately download some software, install it, know how to correctly configure it and use it to get on the darknet. So I mean, that's one of the common misconceptions - that you could accidentally end up on the darknet.
Kurtis Minder: [00:24:34] Another misconception, which I mentioned earlier, is, you know, people think that it's entirely used for illegal activity. It's not. There are legitimate uses for it. And in fact, the original concept, as with many technologies, was a positive one. But they all sort of - it's an enabler for a lot of different activities, right?
Dave Bittner: [00:24:52] Where do you see things going? How do you see it evolving over time?
Kurtis Minder: [00:24:56] We track that pretty closely. The darknet economy that we know today - they're estimating something like the cybercrime economy is now $1 trillion, and a lot of that occurs in the darknet. There's something - at any given time, there's something around a few hundred darknet marketplaces. And these marketplaces look a lot like you and I would recognize as, like, eBay or Amazon, except they're occurring in these underground marketplaces.
Kurtis Minder: [00:25:19] We're seeing a lot of what I would call displacement, where a lot of the marketplaces are going to other mediums besides traditionally Tor. So we're seeing marketplaces pop up in other mediums like OpenBazaar is one. And they're doing transactions in communications tools like Telegram and Discord, which is - Discord really is for gamers, but there's a whole darknet sort of activity and economy inside Discord now. So we're seeing them sort of spread out their activity largely due to what they call exit scams that are occurring in the darknet as well as law enforcement's crackdown. Yeah. So we're seeing a lot of spreading out.
Dave Bittner: [00:25:53] Can you give us some insights on the work that you all do to be able to do the research that you do and track the activities going on there? How does that process work? What sort of tools do you have to use to be able to have that view inside?
Kurtis Minder: [00:26:07] Mostly we're in the intelligence business. And my belief is the intelligence business is largely a human operation. So we do have a pretty substantial research team. Their main mission is to understand the mechanics of these marketplaces and the activity and where it's moving to and why and basically where we need to be looking. And we couple that research with software that we built internally to basically monitor those communications and bring that data back where we can analyze it to see, hey, look, are these guys talking about something that's interesting to our customers? - whether that's stolen data - which often it is - leaked credentials, things like that.
Kurtis Minder: [00:26:40] So it's really a coupling - I like to say we bookend the technology with humans. There's humans on the front end that do sort of the research and make sure we're looking for the right things. There's technology in the middle that's doing the heavy lifting as far as getting the data someplace where we can make it useful to us. And then on the back end, we've got some more humans making sure that that data is meaningful to our clients and that they understand what they're looking at.
Dave Bittner: [00:27:02] The technology that enables the dark web, does that continue to grow in sophistication? I'm thinking of how, you know, encryption grows more complex, more powerful over time. Are these tools for anonymity, are they tracking along in a similar way?
Kurtis Minder: [00:27:17] Less so in the darknet tools and more in the point-to-point communications side. So when you're looking at tools like Signal and stuff like that for point-to-point communications, those certainly are making huge technological leaps on anonymity and encryption and privacy. Other than relative feature updates, the Tor network is basically similar to the way it was when it was invented in the 2000s.
Kurtis Minder: [00:27:40] One of the things that we've seen occur in the economy is sort of a dumbing down or simplification of the exploitation of enterprises and/or governments. And what basically the threat actors are doing en masse is creating sort of fraud kits or malware kits. The net effect to the cybersecurity community is it's lessening the necessary sophistication of the threat actor. They can buy these tools and just implement them with a how-to guide and pull out the data or pull out the capital.
Kurtis Minder: [00:28:09] In fact, we're seeing a whole bunch of kits just like this around stealing the stimulus money that's going through the SBA and the banks, where there's just kits that you can buy with the stolen PII coupled with the right forms and a how-to guide on how to get that money without having to pay it back. And so the dumbing down of the sophistication means more and more people who all they really need is a Tor browser and a bitcoin wallet can go in and buy a kit and defraud the government based on this how-to guide. And so that's what we're seeing a lot of lately.
Dave Bittner: [00:28:36] All right. Joe, what do you think? Interesting talk, huh?
Joe Carrigan: [00:28:39] Good talk. Very interesting interview. One of the first things he says kind of strikes at one of my little pet peeves, I guess, is that I have not seen any standardization on what terms like dark web, deep web, hidden services - what any of these terms mean. Or darknet, deep net - who knows? When we say these things, some people may mean one thing, and some people may mean another. But it's - so it's important to kind of clarify it.
Joe Carrigan: [00:29:02] But then there are other things that people refer to as the darknets, right? It may be like a VPN, like the one that you use at work, could technically be a darknet because nobody else can see the traffic that's going across your network from your home network to your business network. And it's dark. Or there may just be computers sitting out there on the internet that don't have any indexed content on them but provide services for people who know what those services are, right?
Dave Bittner: [00:29:30] Yeah.
Joe Carrigan: [00:29:30] A lot of business-to-business services can happen this way. And some people refer to that as the darknet. And then, of course, there's the deep web and - which is paywalled stuff. The terminology gets very confusing, but it's interesting nonetheless.
Dave Bittner: [00:29:44] Yeah. I think there's a tendency for people to refer to anything that tries to keep hidden and has - of a criminal nature, that's sort of been put under the popular umbrella of the dark web.
Joe Carrigan: [00:29:56] Right, right.
Dave Bittner: [00:29:56] Whereas the people who are actually working in this space are more specific about what they mean when they say dark web or deep web and those sorts of things. They have more specific meanings. But it seems like dark web has become a catch-all for the notion of these sorts of things.
Joe Carrigan: [00:30:12] Yeah. And to your point, there is a lot of criminal activity that occurs on networks like the Tor network. And Kurtis pointed out that that activity is actually moving not just in Tor but also on these other peer-to-peer services like Telegram and WhatsApp. And encryption provides a great tool for criminal activity. But we can't really focus on the criminal activity here because these also have - and Kurtis said this as well - these also have legitimate purposes. Getting around censorship - we in America think that's a very legitimate use of these kinds of technologies, right? We're in favor of that. No, you will not accidentally find yourself on the dark web. That's a good point. If you're...
Dave Bittner: [00:30:52] You're not going to stumble, take a wrong turn and find yourself in a bad neighborhood.
Joe Carrigan: [00:30:56] Right. Yeah. That will not happen, particularly if you're talking about the Tor network. That requires you to go out and get some very specific software, and you can start exploring the dark web. I don't recommend it. But be careful when you do that because, like I said, there is a lot of criminal activity that happens on the web. And some of it's pretty gross. I find it interesting that he says the cybercrime economy is estimated to be a $1 trillion economy now. I would like to know where he got that number because I will start quoting that in my talks because that is a very big number. A $1 trillion economy - that is a large percentage of the gross world product, which is the sum of all the gross domestic products on the planet. Right? In 2014, that number was $77 trillion. And Kurtis is saying that the cybercrime economy is $1 trillion. That's more than 1% of the global economy is being made in the black markets here. That's amazing to me.
Dave Bittner: [00:31:51] I'm pondering whether that's even plausible or not. Part of me is saying it could be. And part of me wonders if it's even possible.
Joe Carrigan: [00:31:58] Yeah. I don't know. I'd like to see where he got the number. I would love to see that. He talks about exit scams. These are pretty good scams that are easy to pull off on the dark web. So here's how this works. Let's say I want to buy something from somebody on the darknet. So we have a bitcoin. We each have bitcoin wallets. Well, how do I know that I'm going to send bitcoin to somebody and they're actually going to send me a product? So there's a third party that can be involved that's called an escrow, right? So what an escrow agent does is he has a bitcoin wallet or a cryptocurrency wallet of some kind, and he acts as a middleman and he takes a small fee. So he receives your bitcoin. He tells the seller that he has received your bitcoin and that he's holding it until the seller sends you the product. Once you have confirmed you received the product, he sends the seller most of the bitcoin and keeps a small percentage for himself.
Joe Carrigan: [00:32:49] So over time, these guys build up a lot of trust. And over time, they start accumulating a large amount of cryptocurrency. And then at some point in time, they realize, hey, there's a big payout here, and they just disappear, and they take all the cryptocurrency with them. So it's - and there's nothing you can do to track them down because they've been completely anonymous the entire time, just like you and the seller have been. So you're hosed.
Dave Bittner: [00:33:14] Yeah. Well, it's certainly interesting that the dark web has been around for 20 years.
Joe Carrigan: [00:33:21] Yeah, 20 years...
Dave Bittner: [00:33:21] Time flies, huh (laughter).
Joe Carrigan: [00:33:21] Yeah. It started as Freenet, and now there's Tor and other networks that are coming up. They're all built over top of the internet. You know, you don't need a special physical connection. They all still run on the internet, and the same technologies that underpin the internet are underpinning these darknets or the dark web.
Dave Bittner: [00:33:38] Well, I think it's - also just shows that wherever there's a demand for something, there will be a market. You know, those two things go together.
Joe Carrigan: [00:33:45] Absolutely. Oh, there's one more point I wanted to talk about. Kurtis talked about these attacks are becoming essentially commodities, and that's bad because it really lowers the barrier of entry to the field. But I think there is an upside if you're paying attention to this. Because it's being simplified and commoditized, if you will, then you can go out and you can find these things and recognize them very, very quickly. I think this is a problem that's solvable. I don't think - that's my conjecture is that this is not a difficult problem to overcome. We just have to do it right.
Dave Bittner: [00:34:17] All right. Well, interesting insight. And, of course, we want to thank Kurtis Minder for joining us. And we want to thank all of you for listening. That is our show.
Dave Bittner: [00:34:25] And we want to thank our sponsors, KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:34:41] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:34:49] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:35:03] And I'm Joe Carrigan.
Dave Bittner: [00:35:04] Thanks for listening.