Hacking Humans 5.7.20
Ep 97 | 5.7.20

Exploiting our distractions.

Transcript

Dave Baggett: [00:00:04] This isn't one or two guys out there sending a fake COVID (ph) mail. You know, this is a large-scale operation by a lot of actors. 

Dave Bittner: [00:00:12]  Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:32]  Hi, Dave. 

Dave Bittner: [00:00:33]  We've got some good stories to share this week and, later in the show, my interview with Dave Baggett. He is the CEO and founder of Inky, and we're going to be discussing fake stimulus payment phishing scams that they've recently uncovered. But before we get to any of that, a word from our sponsor, KnowBe4. 

Dave Bittner: [00:00:53]  So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor KnowBe4 that put it into perspective. 

Dave Bittner: [00:01:16]  And we are back. Joe, I'm going to kick things off for us this week. 

Joe Carrigan: [00:01:20]  OK. 

Dave Bittner: [00:01:21]  This is an article from BuzzFeed News, and it's titled "Disinformation for Hire: How a New Breed of PR Firms is Selling Lies Online," written by Craig Silverman, Jane Lytvynenko and William Kung, who are all BuzzFeed reporters. And BuzzFeed did this story in partnership with The Reporter, which is a Taiwanese investigative news site. 

Dave Bittner: [00:01:44]  This article focuses around a gentleman whose name is Peng Kuan Chin, and he runs a - to call it a PR firm, I guess that's being generous (laughter). In fact, the whole thing in this article calling them PR firms - I mean, these are disinformation organizations. So you will hire this company, I guess in the same way you would hire a PR firm, to promote the good things that you're doing, to get you mentions in the media, to get articles written, to basically up the awareness people have for your company or your efforts or whatever. These days, there is a growing market for companies who do that, but they call them black PR companies because they're basically out there spreading lies and misinformation. 

Dave Bittner: [00:02:32]  Several things in this article stood out to me. There's a quote from Mr. Peng. He says, customers have money. I don't care what they buy. There's now a worldwide industry of PR and marketing firms ready to deploy fake accounts, false narratives and pseudo-news websites for the right price. 

Joe Carrigan: [00:02:50]  That sounds ethical. 

Dave Bittner: [00:02:52]  (Laughter) Well, that's - and that's the whole thing here to me - that it's not ethical. 

Joe Carrigan: [00:02:57]  No, it's not. When you started this story, I was like, well, how is this really different from a PR firm, right? 

Dave Bittner: [00:03:02]  Yeah. 

Joe Carrigan: [00:03:02]  You know, I mean, you're going to try to boost your image. You're going to try to, you know, spin yourself in the best light. That's what these PR firms do... 

Dave Bittner: [00:03:09]  Sure. 

Joe Carrigan: [00:03:09]  ...Legitimate ones. But yeah. No, you're right. This is not. I'm going to set up a bunch of fake websites, fake news websites, fake Twitter accounts, fake social media accounts and use that to boost somebody's image by spreading lies or, rather, even if you're being more gentle about it, you know, more favorable information. But I'm sure in this case, it's mostly lies. Yeah, you're manipulating the global consciousness, I guess. 

Dave Bittner: [00:03:34]  Yeah. And I know it's naive to think that this sort of thing hasn't been happening at high levels forever. Nation-states run disinformation campaigns. 

Joe Carrigan: [00:03:43]  That's absolutely true. A lot of what we have going on now is only in your face because the internet makes it so accessible. But this kind of stuff has been going on for centuries. 

Dave Bittner: [00:03:53]  Yeah. A couple other things that stood out to me - they mentioned an organization, an Israeli firm called The Archimedes Group. And they say that they created a network of hundreds of Facebook pages, accounts and groups around the world, boasting on its website that it would, quote, "use every tool and take every advantage available in order to change reality according to our client's wishes." Let's put that right out there. 

[00:04:15]  (LAUGHTER) 

Joe Carrigan: [00:04:16]  That's absolutely Orwellian - change reality. 

Dave Bittner: [00:04:20]  Yeah. 

Joe Carrigan: [00:04:20]  Yikes. 

Dave Bittner: [00:04:21]  Well, and here we are. In this era of fake news, you have organizations that are happy to go out there and generate the fake news for you. Another pull quote here from this article - they're talking to one of the people who sell these services, and he says, the aim is to get an emotional reaction from a person. If they read a comment, even if they understand that it was written by a bot, it could have affected them emotionally. And it becomes more difficult for them to control themselves. 

Joe Carrigan: [00:04:48]  And that is the crux of... 

Dave Bittner: [00:04:53]  (Laughter). 

Joe Carrigan: [00:04:53]  ...Everything I've been saying. Thank you. Thank you, evil mad scientist. Thank you for saying that because that's what I - that is exactly the point of my argument. And that's why I say social media is not an environment conducive to political discussions. It isn't, and it is not because of exactly this. That is a great quote. 

Dave Bittner: [00:05:15]  Yeah. Evidently, a sort of epicenter of this is in the Philippines. A lot of companies there have specialized in this, and they - this article talks about how even legitimate PR companies have felt the pressure of having to offer these services - these... 

Joe Carrigan: [00:05:30]  Yeah. 

Dave Bittner: [00:05:30]  ...Types of services because they're in demand and they're so profitable. 

Joe Carrigan: [00:05:34]  It's a market. It's a market force, Dave. Look at it this way. You're a PR firm, and you're watching your business walk over to somebody who's less ethical than you. That puts a huge economic pressure on you to lower your ethical standards. 

Dave Bittner: [00:05:47]  Yeah. And, of course, you know, the legitimate PR industry is mortified by this, and... 

Joe Carrigan: [00:05:53]  Right. 

Dave Bittner: [00:05:54]  They - you know, they don't want this stain on their reputation. They have their own problems without having to deal with these folks even calling themselves PR professionals. So of course they have codes of conduct that are completely against this sort of thing. You know, I have to say, in my own personal experience, you know, I get - oh, gosh - probably dozens of pitches from PR companies every day of people who want their clients' stories on the CyberWire or on this show or any of the stuff we do. And the vast majority of them are legit operations. They're - they have everyone's best interest in mind - ours, their clients' - and they go about it the right way. At the same time, you know, we get offers almost every day - someone out there who wants to, you know, tell me how I can increase the number of downloads of my podcast or... 

Joe Carrigan: [00:06:44]  Yeah. 

Dave Bittner: [00:06:44]  ...You know, get - provide paid articles or let us put a link on your website, and we'll pay you for it; pay you to write an article about our client, that sort of thing. So there are a lot of different degrees of this sort of thing. But to be out there so boldly and just saying, this is what we're doing. 

Dave Bittner: [00:06:59]  I wonder, too - you know, they say that this is happening in the Philippines primarily. If you were to set up shop doing this in the United States, could someone come after you for fraud? 

Joe Carrigan: [00:07:10]  I don't know. I think it would be a big First Amendment case. This would be a question you should ask Ben. 

Dave Bittner: [00:07:14]  Yeah (laughter). 

Joe Carrigan: [00:07:16]  This would be a good story... 

Dave Bittner: [00:07:18]  Little broadcast crossover there, right? (Laughter). 

Joe Carrigan: [00:07:19]  Right. Do this story on "Caveat" as well. That's an excellent question. I don't know the answer to it. 

Dave Bittner: [00:07:25]  Yeah. Well... 

Joe Carrigan: [00:07:26]  You'd have a First Amendment defense. 

Dave Bittner: [00:07:28]  Right, right. And what about political speech? Because again, obviously, you know, there's no shortage of campaign spin and people muckraking about candidates. And you know, that's a tale as old as time. 

Joe Carrigan: [00:07:40]  Right. And Facebook has even gone so far as to say they're not going to vet any political party or any political candidates' ads. They're just going to run them for fear of running afoul of First Amendment violations and censoring people. 

Dave Bittner: [00:07:51]  Right. 

Joe Carrigan: [00:07:52]  I don't know. I don't think that's a wrong attitude. I think that's actually the right thing to do if you're going to run political ads. What I would prefer Facebook do is do what Twitter has done and said we're not doing political ads. 

Dave Bittner: [00:08:02]  Yeah. 

Joe Carrigan: [00:08:02]  I think that's a better solution. I certainly don't want Facebook being the arbiter of political discussion... 

Dave Bittner: [00:08:08]  Yeah. 

Joe Carrigan: [00:08:09]  ...And saying that you can say this but you can't say that. 

Dave Bittner: [00:08:11]  In this article, they speak to someone from Facebook - one of the security people. And he says, the reason we do that is making it very clear that it's not going to be a profitable business model on our platform. He's talking about removing Pages and so forth and banning employees - banning these folks from their platform. He says, you build a business around this, we will remove you. But Mr. Peng, who runs this company, he says it's easy to evade Facebook's controls and that demand for his services remains strong. 

Joe Carrigan: [00:08:41]  Yeah. It's very easy to evade Facebook's controls because the worst-case scenario is I have to go set up a new email account. And even then, sometimes Facebook will require an extended validation and require that you get a phone number. Well, I can go out and buy a burner phone to set that up for a very small amount of money. 

Joe Carrigan: [00:08:58]  It does add - you know, it does make building these large networks kind of expensive, but you can't ban a cellphone number forever because let's say a malicious actor uses it, then next time it gets assigned to a legitimate person who wants to set up a Facebook account. You can't ban them 'cause their phone number was previously used in a malicious campaign like this. 

Dave Bittner: [00:09:19]  Right, right. 

Joe Carrigan: [00:09:19]  It's kind of difficult to stop and very easy to get around, yeah. 

Dave Bittner: [00:09:22]  Yeah, yeah. Well, it's an interesting look behind the curtain here. And as always, we'll have a link to the article in the show notes. It's an interesting read, so do check it out. That's what I have this week. Joe, what do you have for us? 

Joe Carrigan: [00:09:34]  Dave, I have a story from Check Point Research. It's an article written by Matan Ben David. And they are talking about a threat actor that's been dubbed the Florentine Banker group. And they're actually writing about something that their incident response team was called out to. And it documents a business email compromise incident very, very well so you can see how this works. And this Florentine Banker group executed this plan with precision on this. The first step they performed was they did the reconnaissance, which is the first step in any hacking or attacking or malicious acting, whatever you're going to call it. You have to know what you're going to go after. Right? 

Joe Carrigan: [00:10:11]  So they did their reconnaissance, and they found three large firms that were U.K. firms and Israeli-based finance firms. They knew that these firms were handling and transferring large sums of money, that new partners and third-party providers were added on a weekly basis and that these firms all used Office 365 as their email provider throughout the organization. So they know what they're going after. They know they're going into Office 365 to get money out of these firms. 

Joe Carrigan: [00:10:40]  So the first thing they do, as in 95% of all of these attacks now, the first kinetic action is a - and by kinetic I mean the first interaction. So the first action is actually the recon, but that doesn't impact anybody in the company. The first kinetic action is the first thing where they go after somebody in the company. And the first thing they did is they spear phished two people. And one of them provided their Office 365 credentials and they were in. 

Dave Bittner: [00:11:08]  Wow. 

Joe Carrigan: [00:11:09]  So they continued these phishing attacks, persisting for weeks using alternating methods. Right? Different - they were varying up their attack strategies, and they occasionally added new individuals to the list of targets. And then the attackers had a lot of access into the company which let them do the next portion of their strategy, which was observe. They saw the different channels used by the victims to conduct money transfers. Right? They saw how that happened, what the business process was. They understood the victim's relationship with third parties and clients such as lawyers, accountants and other banks, and they understood the key roles of people in the company - in all three of these companies. 

Dave Bittner: [00:11:47]  So really doing their homework. 

Joe Carrigan: [00:11:49]  Right. They haven't done anything other than just listen so far. And this group can spend months doing this listening part. And this is one campaign that this group is running. 

Joe Carrigan: [00:12:00]  So the next thing they did was they began to do this control and isolate. And the attackers would isolate the victims by creating malicious mailbox rules to divert emails that were germane to the campaign to a folder that the people would not normally check out. Now, you use Outlook - right? - or you have used Outlook. 

Dave Bittner: [00:12:19]  I have in the past, yeah. 

Joe Carrigan: [00:12:20]  So there is a folder on - in your Outlook by default called RSS Feeds. I have never looked in this folder... 

Dave Bittner: [00:12:27]  (Laughter). 

Joe Carrigan: [00:12:27]  ...Never. 

Dave Bittner: [00:12:28]  Well, maybe you should (laughter). 

Joe Carrigan: [00:12:30]  Right. Well - actually, since this article, I have looked in it. And there is one email that was sent from me back in 2014 to one of my co-workers. I don't even know what it's - I can't even remember what it's referencing. There's nothing - but that's where they sent these emails that were interesting. They didn't delete them. They moved them to a different folder in the person's Outlook mailbox. The next thing they did was they set up look-alike domains. Right? Now, we've talked about this a lot. But what these guys did was they just added S's at the end of the domain to make it look like a plural. And that's a really good attack on these domains because when you're looking at it, your brain might not register that this is plural when it shouldn't be. Right? You just see the words in the URL. And making a noun plural is a very subtle way to create a look-alike domain. So... 

Dave Bittner: [00:13:14]  Right. Your brain's not going to flag that as being a misspelling necessarily. 

Joe Carrigan: [00:13:18]  Right, exactly. So one of the things that you can do to counteract this is if you run a company, go out and register all the plurals of your domain. Right? That would help you. I hesitate to say that this is a thing you should do, but I think in this case, it's definitely worth it. But you can't go out and register every single look-alike domain. These guys are going to find a way around it. Right? 

Dave Bittner: [00:13:37]  Yeah, yeah. 

Joe Carrigan: [00:13:38]  Once the setup of the domain was complete, the attackers start sending emails from the look-alike domains to create new conversations or to continue an existing one. And what that did was it deceived the targets into believing that they were now conversing with the people inside their partner companies, but they were actually talking to the attackers. And they had no idea. They weren't even sending the email to their partner organizations; they were sending it directly to their attackers. 

Joe Carrigan: [00:14:02]  And then, that's when they start asking for money. And they'd do one of two things - they would either intercept an existing transaction and inject, quote-unquote, "new banking information" - right? - but it was actually fraudulent banking information. Or they would straight up ask for a new wire transfer. And they already knew how this worked because they'd done all this research. Once they initiated or changed the banking transfer, they would monitor that process to make sure that that transfer went through. And they would use these compromised emails to assure the bank that things were right or make any changes that needed to be made. And the results of this were that 14 bankers transferred over 1.1 million pounds from these three companies of which the Check Point incident response team was able to claw back about half. So the bad guys made off with about 600,000 pounds. Or in U.S. dollars, that's about three-quarters of a million dollars. 

Dave Bittner: [00:14:53]  Wow. 

Joe Carrigan: [00:14:54]  And this is one campaign that they executed probably for a couple of months. Now, the article goes into some more analysis. Check the article out. The article is really, really good. I gave a pretty in-depth coverage here, but it does have more information in it. It has, like, where they think these guys were operating out of. It's interesting that they're really only going after English-speaking organizations. 

Dave Bittner: [00:15:15]  Yeah. 

Joe Carrigan: [00:15:16]  And they said one of the key things was that because one of these companies was Israeli, some of the emails were sent in Hebrew and some of those emails contained actionable items that these guys didn't act on, so they don't think that they know Hebrew. 

Dave Bittner: [00:15:30]  Oh, interesting, interesting. 

Joe Carrigan: [00:15:32]  Yeah. 

Dave Bittner: [00:15:32]  What always strikes me about these is, at first glance, you think, wow, this is a big investment in time and resources to do this sort of thing. But then you see what the potential payoff is, and... 

Joe Carrigan: [00:15:43]  Right. 

Dave Bittner: [00:15:43]  ...It's worth it. 

Joe Carrigan: [00:15:45]  Yeah. I mean, these guys made off with three-quarters of a million dollars in probably three or four months. There may be three or four of them doing the work. They don't need really advanced technical skills because they're not really breaking into somebody's organization. They're not penetrating a firewall. They're going into an Office 365 environment and compromising people's credentials. The two-factor authentication really would have helped with this. 

Dave Bittner: [00:16:09]  Yeah, that was my next question. How do we prevent this? Yeah. 

Joe Carrigan: [00:16:12]  If you have two-factor authentication, it's a lot harder for these guys to conduct this kind of an operation. 

Dave Bittner: [00:16:16]  To get into your email account. 

Joe Carrigan: [00:16:17]  To get into your email account, right... 

Dave Bittner: [00:16:19]  Yeah. 

Joe Carrigan: [00:16:19]  ...Because that's the first step. They have to get into your email account. Once they've set up the look-alike domain, there's nothing you can do at that point in time. 

Dave Bittner: [00:16:26]  (Laughter) You're toast. 

Joe Carrigan: [00:16:27]  Yeah, you're toast. The key is to keep them out in the first place. There's a couple of things that could have gone on here. People could have had a business process for when somebody changed the banking requirements for a money transfer to go ahead and make a phone call to the other person and say, are you changing these requirements for this money transfer? 

Dave Bittner: [00:16:45]  Right. 

Joe Carrigan: [00:16:45]  Or when somebody is asking for a new transfer to go ahead and make a phone call to ask - to talk about it, you know, to essentially put multifactor authentication on the conversation with a phone call. I would just call it multichannel communication. 

Dave Bittner: [00:16:59]  Yeah. Wow. All right. Well, that's a good one. And it really does take you through step-by-step. Interesting article. 

Joe Carrigan: [00:17:04]  Yeah, it's a really good article. Go check it out. We'll put a link in the show notes. 

Dave Bittner: [00:17:07]  Well, it is time to move on to our Catch of the Day. 

[00:17:10]  (SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: [00:17:13]  Our Catch of the Day comes from a friend of the show, superlistener Chad Fackler (ph). Joe, you want to take this one? 

Joe Carrigan: [00:17:19]  Yeah. Chad writes, I wanted to share this fish with you guys. I received this email. And at first glance, it appears to be from a bank with whom I have a credit card, so it looks pretty legit. The email has branding on it from this bank. And it's a bank - I actually have a credit card with this bank as well. But the from address is from .rr.com. Dave, I'm no good at reading these broken English things. Can you go ahead and do this? 

Dave Bittner: [00:17:42]  I will do my best. 

[00:17:43]  (LAUGHTER) 

Joe Carrigan: [00:17:44]  OK. 

Dave Bittner: [00:17:44]  It says, (reading) dear online customer, due to the recent upgrade in our banking online banking database, we advise you to please sign in to visit and update your bank account information immediately. If this process is not completed within 24 hours, certain limitations may be placed on your account. Click the bank secure URL below to complete your account update. Click the link and update your information. Thank you for banking with A - and then there's the name of the bank. 

Joe Carrigan: [00:18:10]  Right. 

Dave Bittner: [00:18:11]  Sincerely, bank customer care. Almost every word in this sentence is capitalized. 

Joe Carrigan: [00:18:16]  Yeah. And the entire email, it's just all capitalized. 

Dave Bittner: [00:18:17]  (Laughter) It's very strange. 

Joe Carrigan: [00:18:19]  Now, Chad gives us a little bit of analysis on this. And good for Chad for this. But he says what's interesting is if you hover over any part of this, the whole thing is a link. 

Dave Bittner: [00:18:28]  The entire image. 

Joe Carrigan: [00:18:29]  It's an image that has a link to this malicious website, and he sent along the actual URL, and it's no longer active. I checked it out, and it's gone. But he says, either way, thank you guys for keeping me paranoid enough that I always look three times at any email. 

Dave Bittner: [00:18:43]  Well, what's interesting about that, the notion that this whole thing is a link, that it's an image, is that within that image is the normal HTML link that you would see, you know, some text that's underlined that indicates that it's a link. 

Joe Carrigan: [00:18:58]  Right. This is where you click. 

Dave Bittner: [00:18:59]  Right. And that has the legitimate name of the bank. It looks like the actual URL of the bank. It may be the actual URL of the bank. But if you click there, because it's all just an image, you're not going there. And - yeah, so it's an interesting little bit of trickiness. 

Joe Carrigan: [00:19:17]  Yes. 

Dave Bittner: [00:19:18]  Yeah. Our thanks to super listener Chad for sending that into us. Coming up next, my interview with Dave Baggett. He is the CEO and founder of Inky. And we're going to be talking about some fake stimulus payment phishing scams that they've been tracking. 

Dave Bittner: [00:19:31]  We'll be right back after a word from our sponsors. Now let's return to our sponsor's question about the attacker's advantage. Why do the experts think this is so? It's not like a military operation where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a failure rate of over 10%. That sounds pretty good. Who wouldn't want to bat nearly 900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and may be out of business. The last line of defense is your human firewall. You can test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest. 

Dave Bittner: [00:20:36]  And we're back. Joe, I recently had the pleasure of speaking with Dave Baggett. He is the CEO and founder of a company called Inky. And he and his team have been tracking a phishing scam that centered around the stimulus payments that here in the U.S. we've been receiving and certainly around the world. Various governments have been sending out stimulus payments. This one is going after folks here in the states. Here's my conversation with Dave Baggett. 

Dave Baggett: [00:21:03]  We've seen at Inky a huge rise of phishing generally. So since the COVID pandemic has befallen the world, we've seen a massive uptick of just phishing in general. And then we've also seen phishing scams that specifically target COVID-19 coronavirus. And we can presume that the reason there's a big uptick in phishing broadly is because the attackers know everybody's working from home. And, for example, if you're in an office and you get a request from your colleague that seems odd, like send me all the payroll information or something, you walk next door and ask them, you know, is this legit? Now you can't do that. So what I've been recommending people do is you can't walk next door. So if you get an email that seems suspicious, confirm it outside of email by phone or by Slack or some other communication channel. 

Dave Baggett: [00:21:56]  So where we are is the attackers really are beyond evil, and they're exploiting this pandemic to fool more people just with general purpose generic phishing but also with COVID-19-themed phishing. For example, we'll see emails that purport to be from an end user's company saying someone in your company died of COVID-19. You know, get the information here. So it's just completely shameless. 

Dave Bittner: [00:22:22]  Wow. Now here in the U.S., there are checks being sent out to a lot of people - physical checks being sent out with the stimulus program. And also some people are getting them directly deposited into their bank accounts. How are the bad guys coming after that program? 

Dave Baggett: [00:22:38]  We saw recently an email that looks quite legit claiming to be from the Federal Reserve System. And it's essentially directing end users to a website where they can get financial assistance. And what's remarkable about this - and it really is, it is probably the most remarkable phishing scam that I've personally seen - is that the site that this scam leads to is just absolutely perfect. It's beautifully designed. It looks completely professional. It's got a big American flag in the upper left corner. It has a big coronavirus picture, and it's all top-quality web design. And there's a call to action. You know, get your economic impact payment now. 

Dave Baggett: [00:23:21]  And what's devastating about this is when you click through there, it prompts you for a dropdown of your bank. So you can pick, you know, Wells Fargo or Bank of America, and then you're given a log-in box that, again, looks completely legitimate with exactly perfect branding for the bank. And you're supposed to fill in your credentials and, of course, you're then giving your credentials to the attackers. So it's just incredibly sophisticated. And I'm imagining it's able to fool a lot of people. They've even registered a domain - economicimpactpayment.site (ph), you know, which not exactly like what you'd expect the government to have. You might expect something irs.gov there, but it's plausible, I think, to a lot of recipients. So, again, they're directly exploiting the end user's concern about coronavirus, need for information about the payment program to lure them into what looks like a legitimate government site. And of course, it's just completely fake. 

Dave Bittner: [00:24:22]  How much of a component to all this is the fact that - you know, I think so many people are running a little bit ragged emotionally these days. We're probably not at our sharpest. 

Dave Baggett: [00:24:32]  Oh, exactly, exactly. And we're going through our email in a more harried way. You know, again, you have to give the attackers some credit here. They actually understand psychology well, so they know, as I said, that people aren't able to confirm suspicious requests as easily as they were pre everyone working from home. They know everybody's probably, like you said, not at the top of their game, not necessarily focused on every risk. They're focused on a primary risk of their health and the health of their friends and family and co-workers. And, of course, they probably also have stuff going on in the background, like their dogs barking or their kids are asking them where's lunch. And I think they're just exploiting the fact that people are distracted right now. 

Dave Bittner: [00:25:17]  So what are your recommendations? How can people best protect themselves given these circumstances? 

Dave Baggett: [00:25:23]  Well, obviously, you want to have, as a company, mail protection in place. Obviously, we offer phishing protection. There are other solutions that purport to. So if you can put in some extra layer of phishing protection, I think that's a good thing. Training your users with phishing awareness training is a good thing, not because users can actually be trained to find all the phish. That's basically impossible. But it does create the awareness among your users that email is not very trustworthy. And in fact, you can't really rely on the purported identity of any sender of any email. So I like to say, you know, put in automated mail protection like Inky. Put in phishing awareness training to train a healthy paranoia of email. And then beyond that, you know, educate your users on two-factor authentication when it comes to logging into things. But also I like to say use two-factor authentication when it comes to verifying the identity of an email sender. 

Dave Baggett: [00:26:18]  So, again, normally in a workplace, if I get an email from my CFO that says, hey, send me all this payroll info, I can go next door and ask the CFO, hey, did you really ask me for that? That's weird. Now I can't do that. So in the current work-from-home environment, it's important to maintain that second communication channel. So verify the identity of a sender of an email via another communication channel - phone or Slack or Teams or something besides email, so you've got that double verification of the identity of the sender. And you can rely on that because otherwise you just can't trust the identity of a sender, even if the mail looks really legit. So another example is brand forgeries. I mean, we use computer vision models to identify brand forgeries. But I can tell you these are hard for humans to identify. And some of them look really good. 

Dave Baggett: [00:27:08]  For example, you might get an email that says, you know, we're United Airlines, and we're going to refund your ticket. It's not United Airlines at all. But I can tell you it could be a perfectly branded designed real-looking email that appears to be from United. And so the other thing I tell people - and this is more relevant for consumers - if you've got a mail that you think is from a brand, don't click on any link in that email. Instead, go to your browser, type the brand name into your search engine and go into the brand's site that way because that way you've got another independent verification that you're really talking to United Airlines or Amazon or whoever, which you don't have if you rely on a link in the mail. 

Dave Bittner: [00:27:45]  Yeah. I almost wonder as you were describing, you know, that inability to go to the office next door and talk to your co-worker about something unusual, I wonder if this work-from-home situation provides a good excuse or a good cover for slowing things down a little bit, for taking that extra step, for not having to run at the pace that I think often gives the advantage to the attackers. 

Dave Baggett: [00:28:10]  I think that's absolutely right. I mean, I wonder - it's interesting because I think if you watch the news every day and you look at economic reports, you've got people broadly worried about productivity taking a big hit because of work from home. I actually wonder if we'll see that because from my own experience and my experience talking to colleagues and folks at other companies, if anything, people are working more from home. It kind of reminds me of - I used to do a lot of trips to Europe. And if you spend a week in Europe but you're an East Coast company executive, what ends up happening is you get up at the normal time in Europe, you know, which is 4 a.m. East Coast time, but then you work through the end of the East Coast day, so you end up working more hours. I almost wonder if we're seeing that kind of effect with work from home, you know, where sort of the days blur into each other. Weekends don't matter anymore, so you work on the weekend. So I kind of wonder actually whether, you know, in fact it's - people are working harder and actually therefore are more vulnerable to scams than they would have been otherwise. And in fact, they should make themselves intentionally slow down to your point. 

Dave Bittner: [00:29:14]  And I suppose as is the way of these things when it comes to these scammers, when we come out the other side of this thing, they'll just move on to the next thing that works. 

Dave Baggett: [00:29:23]  Exactly. And we see this - we see attackers using specific tactics, some of which are kind of, you know, technically interesting. You know, they'll hide text in the mail using various CSS and HTML tricks. But we also see a theme of the attackers always exploit whatever is topical. So we also caught a phish that was pretending to be from Donald Trump. And as ridiculous as you might think that someone would believe Donald Trump actually emailed them, I'm guessing a lot of people fall for this kind of thing. 

Dave Baggett: [00:29:53]  So the topical content is a go-to for phishers, and whatever it is in six months, they'll be using it. You can be absolutely sure. Another example that recurs year in and year out, by the way, is holiday shopping. You know, the attackers know everyone's buying stuff online for holiday shopping. And so they'll send out a bunch of fake Amazon or Target mails that tell you, yeah, you won a gift card. Go in here, and get your $50 gift card. And it's, again, credential-harvesting. They're trying to get your Amazon login account. So, again, topical news - exploiting something that everyone's thinking or worrying about to phish people. 

Dave Baggett: [00:30:30]  I think one interesting stat is, in addition to seeing a vast uptick in the rate and volume of phishing generally, we've seen by now at least 25 different unique COVID-19-themed scams. So this isn't one or two guys out there sending a fake COVID mail. You know, this is a large-scale operation by a lot of actors. And we've seen, again, two dozen templates, and you can think of these templates as evil mail merge. You know, the attacker designs some template, and then like Mad Libs, they fill in the victim's name, the victim's CEO's name, the victim's company name and logo and generate these things. And it's - and my point of bringing this up is it's not a one-off thing. This is now a widespread effect where attackers are making a concerted effort to scam people with these COVID scams, and they're sophisticated. 

Dave Bittner: [00:31:22]  All right. Joe, what do you think? 

Joe Carrigan: [00:31:24]  Interesting interview - I liked it a lot. It's going to be tough talking about this because his name is also Dave, so... 

Dave Bittner: [00:31:30]  (Laughter) Right - too many Daves (ph). 

Joe Carrigan: [00:31:33]  Too many Daves - right. I was talking with a friend last night about something Dave said. And it does take me longer to get things done at home, and one of the reasons is I just can't get up and go ask somebody something. And I actually said this to somebody last night. This impacts us from the perspective of scams as well. You can't just go ask your boss if they wanted you to send them that information. You actually have to use another method like Slack or, in my case, Zoom. But you do need to still apply that same two-factor model that I was talking about earlier to verify the sender of an email - right? - especially when it comes to sending out pertinent information or money transfers. If you just make that part of your business process as a company, that will return dividends in not getting scammed. 

Dave Bittner: [00:32:20]  Yeah. 

Joe Carrigan: [00:32:20]  Just make that something that - when somebody asks for something pertinent, you should expect a phone call back. 

Dave Bittner: [00:32:25]  Right. 

Joe Carrigan: [00:32:26]  And if you don't get the phone call back, then maybe that's something that - somebody's violated a process, and you have a discussion with that person. You made a good point, Mr. Bittner. 

Dave Bittner: [00:32:34]  (Laughter). 

Joe Carrigan: [00:32:36]  Use the fact that you are working from home as an opportunity to take the time to do things right, and then maybe this will carry over into when things kind of return to normal. I think that's a great idea. 

Dave Bittner: [00:32:47]  Thank you. 

Joe Carrigan: [00:32:48]  Someone died is a huge hook. Wouldn't you agree? 

Dave Bittner: [00:32:52]  Yeah. 

Joe Carrigan: [00:32:52]  Someone in your company has passed away from COVID-19. That would make me open an email. 

Dave Bittner: [00:32:57]  Right. Yes. Absolutely. 

Joe Carrigan: [00:32:58]  Somebody in your neighborhood has passed away. Actually, I was - last week I was on a phone call with the attorney general of Maryland, and he cited this exact example of somebody getting an email that says, someone in your neighborhood has died from COVID-19. And then that's the hook to open this up. This is not at all uncommon. And something that Dave Baggett said here is that these guys have absolutely no moral problem with sending these kinds of things out. 

Dave Bittner: [00:33:24]  Right. 

Joe Carrigan: [00:33:24]  They're despicable people. 

Dave Bittner: [00:33:25]  (Laughter) Yes. 

Joe Carrigan: [00:33:27]  And despicable people have no problem exploiting your most base emotions. I love the term that Dave used in this - evil mail merge, right? That's pretty clever. But you have to understand what this is. This is the attackers making their lives easier with templates and process automation, right? These things make everybody's life easier, right? Like, we use mail merge. Well, actually, I don't use it, but I know people that use it for marketing or for communication with customers. Now, it's like a hammer. Any tool can be used for evil, right? 

Dave Bittner: [00:33:57]  Right. Right. 

Joe Carrigan: [00:33:57]  I can build a house with it, or I can tear a house down. And that's what they're doing - is they're using the same tools that businesses use to effectively whack people in the head with it. One of the things is these guys do understand psychology. They understand psychology better than they understand the technology that they're using, and that is a huge thing that everybody needs to understand. And it doesn't matter if it's COVID-19. Whatever the next crisis is, these guys are going to move on and exploit that. There's always going to be something that these guys are using. Dave said that people believe that President Trump emailed them, and he was surprised by that. I am not surprised by that. 

Dave Bittner: [00:34:34]  (Laughter). 

Joe Carrigan: [00:34:34]  People believe that Warren Buffett and Bill Gates email them and they're going to send them piles of money. 

Dave Bittner: [00:34:38]  Sure. 

Joe Carrigan: [00:34:39]  Why would you not believe that Donald Trump would email you? 

Dave Bittner: [00:34:42]  Yeah. 

Joe Carrigan: [00:34:42]  I mean, it actually makes sense that that happens. 

Dave Bittner: [00:34:45]  Yeah. 

Joe Carrigan: [00:34:46]  I like the interview, though. It's a good interview, and I really like what Dave had to say. 

Dave Bittner: [00:34:49]  Yeah. Well, again, thanks to Dave Baggett from Inky for joining us and sharing that information with us. 

Dave Bittner: [00:34:57]  That is our show. We want to thank all of you for listening, and, of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:35:23]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:35:37]  And I'm Joe Carrigan. 

Dave Bittner: [00:35:38]  Thanks for listening.