Hacking Humans 5.21.20
Ep 99 | 5.21.20

How scammers fill the gap.

Transcript

Neill Feather: [00:00:04] One stat I've seen recently is about two-thirds of breaches that involved small businesses are caused by an employee or contractor's negligence. 

Dave Bittner: [00:00:13]  Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:31]  Hi, Dave. 

Dave Bittner: [00:00:32]  We've got some good stories to share this week. And later in the show, my interview with Neill Feather from SiteLock. He joins us to explain how scammers fill the gap when popular retail items are sold out. 

Dave Bittner: [00:00:45]  So how do you train people to recognize and resist social engineering? Here are some things people think - test them, and if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's dufus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how about it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this podcast. 

Dave Bittner: [00:01:21]  All right. So we've got some good stories this week. But before we get to that, Joe, you've got some follow-up for us. 

Joe Carrigan: [00:01:26]  I do. I do. Listener Robert hit me up on Twitter. He said, first of all, I wanted to say I'm a big fan of "Hacking Humans." And I listen every week. Thank you for the valuable information you share. I would like to raise a red flag about Dave Baggett, last week's guest - actually, I guess it was two weeks ago - saying to verify the identity of a user through Teams or Slack - I don't think this is correct. To verify through Teams seems a dangerous option to me. If the Office 365 account was compromised, they'd have access to Mail and Teams. The risk with Slack would be dependent on trusting that they have a unique password or hadn't conducted a password reset. I'm far too cynical these days. Therefore, I'd verify with the good, old-fashioned phone call. And Robert makes a very good point. By the way, he also says P.S., he agrees with me on my barriers to entry to the cybersecurity industry. So I want to tout that again. 

0:02:14:(LAUGHTER) 

Joe Carrigan: [00:02:14]  But... 

Dave Bittner: [00:02:16]  Well, let's back up here, though. 

Joe Carrigan: [00:02:17]  Yes. 

Dave Bittner: [00:02:18]  So give us the backstory of what Robert is taking issue with. 

Joe Carrigan: [00:02:21]  So what they were saying was that we need to put two-factor authentication on our conversations by following up with the person who says something in a certain context, right? Like, if somebody says, hey, here's some new banking details in an email, you don't just say, OK, I'll enter those new banking details. You verify that information somehow. And Dave mentioned using Teams. Well, if you're using Office 365, and someone has conducted a business email compromise campaign and has compromised someone's Office 365 account, they have not only compromised their email, but they've also compromised their Teams account. 

Dave Bittner: [00:02:56]  Oh, I see. 

Joe Carrigan: [00:02:57]  So if I send a message back to somebody via Teams, and the attacker's listening, the attacker can just go, yeah, that was me. Go ahead and do it. Now, you think you've conducted the two-factor authentication on this conversation, you know, this human two-factor thing. But you haven't. You've just talked to the attacker twice. What Robert says is a very good point. And what Robert talked about is also a very good way to defend yourself on this - just pick up the phone and make a phone call. 

Dave Bittner: [00:03:22]  Right. 

Joe Carrigan: [00:03:22]  That is something that requires a telephone conversation or face-to-face conversation. 

Dave Bittner: [00:03:26]  Right. So make sure that whatever you're using as a second factor is actually a separate platform than the... 

Joe Carrigan: [00:03:32]  Right. 

Dave Bittner: [00:03:33]  ...One you're using initially. 

Joe Carrigan: [00:03:34]  Right. And he also says... 

Dave Bittner: [00:03:35]  That makes sense. 

Joe Carrigan: [00:03:36]  ...If you're using Slack, which is not in the Microsoft domain, what if that person uses their Microsoft email for a password reset. And I'm going to control that email. Remember, we had somebody on who said that email is the key. If I can compromise your email that you have all your password reset emails going to, if I can compromise that account, I own you. That's it. 

Dave Bittner: [00:03:54]  Right. And no matter what, make sure you have two-factor on your email account. 

Joe Carrigan: [00:03:58]  Right. Absolutely. 

Dave Bittner: [00:03:59]  I mean, it's - that is probably the keys to the kingdom for so many things. 

Joe Carrigan: [00:04:03]  Absolutely. 

Dave Bittner: [00:04:04]  Yeah. All right, well, let's move on to our stories. Thanks to Robert for sending that in. We do appreciate it. We'd love to hear from you also. Please send in your comments, and we will address them on the air. Joe, my story this week is actually an email that I got, and I have to say it drove me to distraction and sent me down a little bit of a rabbit hole. 

Joe Carrigan: [00:04:26]  Really? 

Dave Bittner: [00:04:27]  So - (laughter) yes. And, well, let me just describe it to you. So I'm sitting here at work. I'm going through my emails, minding my own business. And this email comes up. And it says it's from Disney Account Member Services. And it says new sign-in to your account. It says, hello, Dave. Your account was just used to sign into Disney, a part of the Walt Disney Family of Companies. And it says source - Chrome, location Novi Sad, Serbia. If this looks familiar, then you can ignore this message. If you believe that someone else may have access to your account, then you should use the button below to change your password and... 

0:05:05:(LAUGHTER) 

Dave Bittner: [00:05:05]  ...Secure your account. And there's a button there, and it says change password. Now I have to say that this email is very well constructed graphically. There's the logo from the Walt Disney Company. 

Joe Carrigan: [00:05:16]  Right. 

Dave Bittner: [00:05:17]  There are logos with many of the Walt Disney Company's affiliated companies, companies like ESPN and ABC and Marvel. 

Dave Bittner: [00:05:23]  And, you know, Disney owns just about everything these days (laughter). 

Joe Carrigan: [00:05:26]  Now, I'll tell you, Dave, I am also a customer of Disney with this. And I sign in with the same account to not only Disney+ or whatever the Disney service is but also to ESPN - the ESPN service - and to my Marvel subscriptions. So when it says here in the first sentence - it looks a little awkward. It says your account was just used to sign into - and it just has Disney. I don't know. That would raise a red flag for me. 

Dave Bittner: [00:05:55]  Yeah. Well, so I just want to share my thought process through here of how I unpacked this because, hopefully, it'll be useful to some of our listeners. So the first thing I did was I wondered, is this a fake phishing account. 

Joe Carrigan: [00:06:08]  Yeah. 

Dave Bittner: [00:06:08]  You know, we here at the CyberWire - we subscribe to a service that occasionally sends us fake phishing messages. And I'm pretty good at spotting them. And in fact, I have figured out that if I go look at the source code for the message, there is a tell in there. And I can always - (laughter) if I'm suspicious... 

Joe Carrigan: [00:06:26]  (Laughter). 

Dave Bittner: [00:06:26]  ...I can go look, and I can see where it came from. And I know a-ha, it's one of these fake things. I have not yet written a filter to automatically send those into a folder. But it's on my to-do list. 

0:06:35:(LAUGHTER) 

Joe Carrigan: [00:06:38]  And thus you defeat the purpose of the training. 

Dave Bittner: [00:06:41]  Well, exactly. But, you know, you're not going to outsmart me, training company. So... 

0:06:46:(LAUGHTER) 

Dave Bittner: [00:06:46]  So I looked at that. And I look for the usual tell, and it's not there. 

Joe Carrigan: [00:06:49]  OK. 

Dave Bittner: [00:06:49]  So my second thought was, OK, well, maybe this phishing training company has just upped their game and (laughter)... 

Joe Carrigan: [00:06:55]  Yep. 

Dave Bittner: [00:06:56]  Right? Right? But then I noticed that this email was not actually addressed to my CyberWire account. It was addressed to one of my personal accounts, a previous email address that I have used for over 25 years, right (laughter)? 

Joe Carrigan: [00:07:11]  Right. 

Dave Bittner: [00:07:11]  This is one of my original email addresses that has so much stuff associated with it. 

Joe Carrigan: [00:07:17]  Yeah. 

Dave Bittner: [00:07:18]  All right. So what do I do next? Well, of course, the last thing in the world I'm going to do is click on that button... 

Joe Carrigan: [00:07:22]  Right. 

Dave Bittner: [00:07:22]  ...That says change password, right? Now, I did hover over it, and it had what looked like a plausible domain that it would go to. It was something like go.disney.com. You know, Disney does own the go... 

Joe Carrigan: [00:07:36]  Yep. 

Dave Bittner: [00:07:36]  You know, that's a brand that Disney uses, has used in the past. Yeah, it's part of their... 

Joe Carrigan: [00:07:41]  Part of ABC. 

Dave Bittner: [00:07:42]  Part of their network. Yeah, exactly. So the next thing I did was I did just a plain old Google search for Disney account password reset scam. And that took me to a page on Reddit which had a ton of listings from this and similar emails to it. And the frustrating part about this was about - it was about 50/50 split between people saying, yeah, totally a scam - don't click the link - and other people saying, no, this is legit. This is from Disney, and here's why. So this wasn't particularly helpful to me (laughter). 

Joe Carrigan: [00:08:16]  Right. 

Dave Bittner: [00:08:17]  Right? 

Joe Carrigan: [00:08:18]  Right. 

Dave Bittner: [00:08:18]  And so here I am. I'm spending a good amount of time on this email that - who knows what the actual verdict is on it, OK? 

Joe Carrigan: [00:08:25]  Right. 

Dave Bittner: [00:08:26]  So in the end, I did not click on the link to change my password. I have not done that yet. 

Joe Carrigan: [00:08:33]  OK. 

Dave Bittner: [00:08:34]  And I probably won't. I suspect that this is a legitimate email from Disney, but part of my risk equation here is, what account is this? Because this is not something that I'm actively engaged with. My guess is that this is the result of a credential-stuffing account because I know there are credentials associated with this email address from long ago before I saw the light and learned the ways of the world. I was one of those people who reused passwords many, many places. 

Joe Carrigan: [00:09:07]  I was, too. 

Dave Bittner: [00:09:08]  And so I know that some of the passwords that I reused are out there in some of the large data breaches. 

Joe Carrigan: [00:09:15]  Yep. 

Dave Bittner: [00:09:16]  And I suspect that's what this is the result of. I think this is a zombie account for something I did with Disney who knows how long ago. And so the question in my mind - what I still haven't settled on is, am I better off leaving this zombie account be? There's no payment information in there. There's certainly no up-to-date payment information in there. If I had ever purchased something, it would have been with a long-ago-expired credit card, right? 

Joe Carrigan: [00:09:42]  Right. 

Dave Bittner: [00:09:43]  Or is it worth the risk of going through and trying to get to the bottom of this? Now, I did go in and looked at just Disney and try - saw, could I sign in with something? You know, and that basically - I didn't really get very far with that, either. So... 

Joe Carrigan: [00:09:59]  So are you still in control of the email account? 

Dave Bittner: [00:10:01]  I am, yes. 

Joe Carrigan: [00:10:02]  Okay then what you should do is go through their forgot password workflow. 

Dave Bittner: [00:10:06]  Right. 

Joe Carrigan: [00:10:06]  And then with that - 'cause this is not the email account that you use to sign up your Disney+ account, is it. 

Dave Bittner: [00:10:12]  No, my Disney+ account is actually through my wife's email address. 

Joe Carrigan: [00:10:16]  OK. 

Dave Bittner: [00:10:16]  So I have nothing to do with that. 

Joe Carrigan: [00:10:18]  Right. So... 

Dave Bittner: [00:10:18]  So that I feel insulated with. 

Joe Carrigan: [00:10:20]  OK. So what you should do is - what I think has happened here is somebody has signed up for a free trial of Disney+ using your email account as a way of getting their free trial, so they can watch Disney for however long. And then when that's up, they move on to another free trial. So I think that might be what this is. But then you can go in, and you can close the account out. This has happened to me with Netflix before. Somebody signed up - almost the exact same situation. Netflix in my house is set up through my wife's email account. I got an email that says, hey, your Netflix account has been signed into, or your password is changed. I'm like, I don't have a Netflix account. So I went in, and I shut the account down. That made sure - I actually just took it over and gave it a new password so that nobody else could ever abuse my email address to do that. And I only did that out of spite, right? 

0:11:07:(LAUGHTER) 

Joe Carrigan: [00:11:07]  Because I'm like, how dare you do this to me? 

Dave Bittner: [00:11:08]  You, Joe (laughter)? 

Joe Carrigan: [00:11:11]  Do you know who I am? I have a podcast with Dave Bittner. 

Dave Bittner: [00:11:14]  (Laughter). 

Joe Carrigan: [00:11:14]  So it's perfectly fine to probably ignore this, you know, let Disney deal with it on their own and let them, you know, give away their free two weeks to somebody, I think. 

Dave Bittner: [00:11:23]  Yeah, that's probably what I'm going to end up doing here. But I guess the reason that I wanted to share this was just to highlight how this stuff is hard. 

Joe Carrigan: [00:11:32]  Yeah (laughter), it is. 

Dave Bittner: [00:11:32]  And I took - I mean, I spent not an insignificant amount of time on this reverse engineering the email, looking at all of, you know, the source headers and everything, trying to figure out, where did this come from? - weighing the pluses and minuses of what could possibly be going on here. And, you know, it's not like I'm not up on this stuff, right? 

0:11:52:(LAUGHTER) 

Dave Bittner: [00:11:52]  So... 

Joe Carrigan: [00:11:53]  One might even call you an expert, Dave. 

Dave Bittner: [00:11:55]  Well, perhaps. I don't know. That might be going a bit too far. But I would say my knowledge of this area is probably above average. 

Joe Carrigan: [00:12:02]  Yep. 

Dave Bittner: [00:12:02]  And so the ambiguity here, the uncertainty, there's not necessarily a totally clear path of how to handle something like this. And I guess that's part of life. But I figure it may be be good to share with our listeners so maybe they get some insights from it as well. 

Joe Carrigan: [00:12:19]  Yeah. I agree. 

Dave Bittner: [00:12:20]  All right. Well, it's not a very satisfying ending (laughter). 

Joe Carrigan: [00:12:24]  No, it's not. 

Dave Bittner: [00:12:25]  So let's move on to your story, Joe. What do you have for us? 

Joe Carrigan: [00:12:28]  All right, Dave. This week, my story comes from a Twitter follower, Storm Shadow at @stormshadow1371. And he sent me this back in April, but thanks to Twitter's terrible interface for when you have a message request because I wasn't following him, I got a little tiny blue thing, so I didn't see it until yesterday. 

Dave Bittner: [00:12:44]  (Laughter). 

Joe Carrigan: [00:12:45]  But - so I'm a little bit behind on this. But he's on a lead to a thing that's going around right now called the blessing loom or the cash app money wheel. Have you ever heard of this, Dave? 

Dave Bittner: [00:12:56]  No, not specifically. No. 

Joe Carrigan: [00:12:57]  OK. So here's how it works. Someone will publish on some social media account - Instagram, Facebook, Twitter, whatever - generally not Twitter. It's a picture of concentric geometric shapes. And in the center is a purple circle with one person's name on it. Outside of that, there's a pink square with two people's name on it. And outside of that is a green octagon with four people's names in it. And then outside of that is a blue octagon with eight spaces for names. And these spaces sell for some amount of money, these eight spaces on the outside, let's say a hundred bucks, which is a very common amount I found on this. Everyone who buys one of these spaces pays the person at the center of the wheel or at the center of the loom. They're $100. So when all the outside spaces are sold, the person in the center has received 800 bucks. And then the loom splits into two new looms, and everybody moves closer to the center. Does this sound familiar to you, Dave? 

Dave Bittner: [00:13:52]  (Laughter) Well, I am reminded of a different kind of shape that schemes are named after. 

Joe Carrigan: [00:13:57]  Yes, precisely. This is a pyramid scheme. That is what this is. It is totally illegal in the United States and many other countries. Actually, running one of these is a felony, and promoting it can actually be a misdemeanor in many states. OK. It's actually a repackage of an old pyramid scheme called the airplane game. Now, the airplane game was presented in a way that looked more like a pyramid. So anybody who looked at it would say, OK, that's a pyramid scheme. 

Dave Bittner: [00:14:23]  Right. 

Joe Carrigan: [00:14:24]  But it had the same thing. You were - at the top, you were the pilot and everybody paid the pilot. Below the pilot, you had two co-pilots. Below the co-pilot, you had four crew members. And below the crew members, you had eight passengers. And all the passengers paid the pilot to ride. And when the flight was filled up, the two co-pilots would become pilots and it moved on and on, right? 

Dave Bittner: [00:14:42]  And I remember these things being like chain letters back in the day. In the pre-internet days, they would move, you know, much more slowly, but they did happen. I have a recollection of these sorts of things, my parents interacting or, you know, friends trying to get them to get in on these sorts of things when I was a kid. 

Joe Carrigan: [00:14:59]  Yes, absolutely. It was very popular in the '80s. But the blessing loom looks like an attempt to get rid of the pyramid look of the scam because it doesn't really look like a pyramid. It looks like a circle, right? But it actually... 

Dave Bittner: [00:15:12]  (Laughter) A gentle, innocent, harmless circle, right? 

Joe Carrigan: [00:15:15]  Right. 

Dave Bittner: [00:15:15]  No pointy edges (laughter). 

Joe Carrigan: [00:15:17]  It actually looks very much like a pyramid from the top, right? Like, if you're standing over directly the Pyramid of Giza, it looks like that, OK? So that's your perspective. These scams are taking place on apps like Cash App. And unlike, say, PayPal, on Cash App, if you send somebody money, it's pretty much gone, right? It's a quick way to move money around. A couple of things - this is happening on social media, so it spreads very quickly, right? And there is nothing that stops me from just starting one of these things, right? I could just put it out on social media and say, everybody give me 800 bucks or give me a hundred bucks and then I'd disappear. There's nothing that stops me from doing that other than my high moral character and the threat of felony charges. 

Dave Bittner: [00:15:58]  (Laughter). 

Joe Carrigan: [00:16:00]  So I don't do it, but anybody could. It's not really all that hard. And it is a scam. I did a little looking around Facebook, and I was absolutely amazed. First off, I did some looking around Twitter as well, and everybody on Twitter was just deriding this thing as a scam. There was nobody that says, hey, you can actually make money with this. Everyone on Twitter was very bitter about this. But that kind of fits the personality of Twitter, right? 

Dave Bittner: [00:16:20]  Yeah, yeah. 

Joe Carrigan: [00:16:21]  But I found some posts on Facebook. I found one person who put a post up, and listen to this post, Dave. All right. I'm back again with the blessing loom. This time, it's big boys only stimulus check edition - $1,200 gets me $8,200. Scared money don't make no money. Hit my inbox for the Cash App. 

Dave Bittner: [00:16:42]  Wow. 

Joe Carrigan: [00:16:42]  So this guy is looking to scam people out of their stimulus checks. 

Dave Bittner: [00:16:47]  Wow. 

Joe Carrigan: [00:16:47]  Their $1,200 stimulus checks. 

Dave Bittner: [00:16:50]  Help me and everybody else understand. What is the breaking point of this? Because is this one of those things where eventually, like many of these multi-level things, eventually you just run out of friends? 

Joe Carrigan: [00:17:01]  Yes, absolutely. The breaking point of this happens very quickly because this has already been going on for a number of years. This is not new. There is no guarantee that when you actually fill up a loom, as it is, that you actually move up in the next step. To me, it just reeks of total scam. I don't know that there is a - what you're calling a breaking point. Like, in most pyramid schemes, pyramid schemes collapse when they can't find people to come into the bottom of the pyramid, and the majority of people lose their money in the pyramid scheme. That's why they're illegal. But I don't even know that this is actually a pyramid scheme. This is - I think this is just straight up scam. I mean, it's just send me a hundred bucks and then eventually you'll get 800 bucks. I don't think - here's another one. Looking for a team-oriented group? Look no further. This is from a group. This is a Facebook group that exists on - this is from a group, a Facebook group that is solely for the purpose of running these things. Our group has boards that level up from $1 to $8, $2 to $16, $5 to $40 and $25 to $200. So they're actually going after smaller pots of money. And then they promise strong reinvesters, which is not at all what this is. And here's a really despicable person. This person says I have $25 boards to cash out at $130, also $100 boards that cash out at $550. So this person's not even giving the people all the money that they should be getting in the scam. Right? They're taking a cut. 

Dave Bittner: [00:18:23]  Right. Yeah. Well, I mean, you know, it takes effort to organize these things, Joe. You know. 

Joe Carrigan: [00:18:28]  Right, right. Yeah. Nobody works for free. Right, Dave? 

Dave Bittner: [00:18:31]  I mean, come on. Got to wet your beak, right? 

Joe Carrigan: [00:18:33]  Yeah, exactly. If you see this out there, it's a scam and it's illegal to participate in it in the United States. There are very few countries in the world where it isn't illegal. If you're listening to me, probably illegal in your country. 

Dave Bittner: [00:18:47]  (Laughter) Yeah. And just be warned. And as always, spread the word to your friends and family that it's not worth it. You're probably going to lose your money. But also, you could get in legal trouble as well. 

Joe Carrigan: [00:18:56]  Yeah, absolutely. I made a couple phone calls about this last night. So... 

Dave Bittner: [00:18:59]  Really? 

Joe Carrigan: [00:18:59]  Yeah, I did. 

Dave Bittner: [00:19:01]  What - to your friends and family to get in on this deal - this money-making deal? 

Joe Carrigan: [00:19:04]  No. No, Dave. Like I said, Dave - strong moral character and a fear of felony charges. No. 

0:19:10:(LAUGHTER) 

Dave Bittner: [00:19:10]  OK. All right. 

Joe Carrigan: [00:19:11]  More the fear of felony charges. 

Dave Bittner: [00:19:14]  OK. Very good, very good. 

Dave Bittner: [00:19:16]  All right. Well, those are our stories this week. It's time to move on to our Catch of the Day. 

0:19:21:(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: [00:19:24]  Joe, why don't you share the details of our Catch of the Day this week? 

Joe Carrigan: [00:19:27]  OK. Our Catch of the Day comes from Twitter user Spencer Medby (ph). And his tweets starts off, LOL - very funny. If you're going to try to scam someone, at least do it properly - fake email address and the lack of a signature, blank after a sincerely. It's not going to trick me. So Spence is not falling for this. 

Dave Bittner: [00:19:45]  All right. Well, I'll go ahead and read this. So this is an email that has a logo at the top from YouTube, and this has the YouTube logo. And next to that it says certified, so of course... 

Joe Carrigan: [00:19:55]  It's certified, Dave. 

Dave Bittner: [00:19:56]  ...You know it's legit. Right. It says, hi, creator - we've checked your content. Your channel is now eligible for the verification badge - and it has a checkmark next to it. Prepare your channel. This form will help you with your request. If you need help, please reply to this message and we will contact you within 24 hours. This invitation expires in 20 days. Sincerely - and then there's a block, like this big old square, a big rectangle and then a bunch of question marks. 

Joe Carrigan: [00:20:23]  I think the rectangle's from Spence. 

Dave Bittner: [00:20:25]  Oh, he blocked it out? 

Joe Carrigan: [00:20:25]  Right. Yeah, he blocked it out. And he blocked out the email address, too. So... 

Dave Bittner: [00:20:28]  I see. I see. All right. 

Joe Carrigan: [00:20:29]  It just says sincerely. 

Dave Bittner: [00:20:31]  Yeah, sincerely - period. Right. 

Joe Carrigan: [00:20:33]  That's it. Sincerely - period. Nothing after that. 

Dave Bittner: [00:20:36]  The email address is from just some site that generates email addresses. I mean, there's nothing related to YouTube here at all. It's from mailjet.com. 

Joe Carrigan: [00:20:46]  So Dave, YouTube does have a verification badge that goes on channels. You have to apply for it, and your channel has to have over 100,000 subscribers. 

Dave Bittner: [00:20:54]  Hmm. OK. All right. Well... 

Joe Carrigan: [00:20:56]  And I just looked this up. And it says here - Google is very helpful - it says, it looks like your channel isn't eligible yet... 

0:21:01:(LAUGHTER) 

Joe Carrigan: [00:21:03]  ...because I'm signed into my - I don't have any subscribers, Dave. 

Dave Bittner: [00:21:06]  Yeah. Well, you know, maybe if you get more people to sign up for your your blessing loom, then you know, you'll get a little more popular there. Right? 

Joe Carrigan: [00:21:15]  That's right. 

Dave Bittner: [00:21:17]  All right. Well, that is our Catch of the Day. And of course, we want to thank everybody who sends those in. We do appreciate it, and we always enjoy sharing those with you. 

Dave Bittner: [00:21:26]  So let's return to our sponsor KnowBe4's question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. You can hear more of Stu's perspectives in KnowBe4's weekly CyberheistNews. We read it, and we think you'll find it valuable, too. Sign up for CyberheistNews at knowbe4.com/news. That's knowbe4.com/news. 

Dave Bittner: [00:22:12]  Joe, I recently had the pleasure of speaking with Neill Feather. He is chief innovation officer and co-founder at SiteLock. And we spoke about how some of these scammers out there are filling the void when folks are out there in this time of the pandemic and it's hard to get your hands on some retail items. I suppose toilet paper is probably top of mind - anyway, here in the United States. The scammers are taking advantage of that and trying to fill that gap for their own purposes. Here's my conversation with Neill Feather. 

Neill Feather: [00:22:45]  Broadly speaking, I would say that folks are looking to take advantage of, you know, the current situation with the coronavirus in a variety of ways. And one of those things that's happening is that there's a lot of supply chain issues and shortages that we're seeing in various areas. And so one thing that's popping up is we see these cybercriminals setting up, you know, scams that attempt to trick people into believing that they can get in-demand goods like toilet paper or hand sanitizer or something like that and utilizing that kind of as bait to trick people into giving over sensitive information like credit card information or, you know, other types of passwords or credentials that they can use for other attacks or for financial gain. 

Dave Bittner: [00:23:33]  So the scenario here would be like, say, for example, I'm looking to buy some some hand sanitizer on Amazon, and I find that they're all out. Where would I go next? 

Neill Feather: [00:23:45]  A lot of people would go search for it. And what people will do is try to rank for certain search terms and then utilize those links until the search engines catch up with them to potentially offer a product that, you know, they're not really selling just for the sake of it. I think the other thing that a lot of people are seeing is an increase in phishing attempts where these cybercriminals are reaching out via email to consumers with the intent of offering a product or service that's in demand and, you know, in that way extracting sensitive information from a consumer. 

Dave Bittner: [00:24:23]  And so ultimately, would I be going to a website that looked like a legitimate site, but it actually wasn't? 

Neill Feather: [00:24:29]  Yes, so many phishing attacks will happen that way - right? - where, you know, in a business setting, they may set up a site to look like a Windows site and get you to log in there. But in this case, they may set up a phishing site to look like, you know, a online merchant that would offer a product like this, maybe even one that you trust, like a grocery store or other kind of chain outlet that you might know. And, you know, a lot of times, what they'll even do is go one step further and utilize otherwise innocent websites to set up these pages and these, you know, stores so that they're leveraging the website's reputation in order to, you know, trick users into giving over this information. So a lot of times, they've gone ahead and compromised a website, and they put their own content in a hidden area of the website that they then would link to via email. And for you as a person receiving that email, you would never know that any of that happened, you would just land on a website site that looks OK and, you know, maybe has a fine-looking, you know, domain name, a lock at the top and everything else that you'd expect. But, you know, the people behind the scenes are looking to steal information from you. 

Dave Bittner: [00:25:43]  Oh, that's fascinating. So I could end up on a site that I trust, that I've perhaps done business with before. And the bad guys have created their own pages on that site and even a place for me to check out and enter my purchasing information. 

Neill Feather: [00:25:58]  That can definitely happen. And, you know, at a minimum they would set up a site that looks like that. You know, one thing that we see sometimes with our small-business customers is their email lists will get compromised at the same time that their websites do. And so, you know, these two things kind of happen at once where you're getting an email from a site you trust, and you're also getting - you know, seeing the website set up, you know, that you would trust. And that does happen from time to time, where, you know, these types of identity compromises or financial compromises can occur. 

Dave Bittner: [00:26:28]  Well, help us understand here - how can we protect ourselves against these sort of things? What's the best way to come at it? 

Neill Feather: [00:26:34]  One thing, you know, that we recommend is really kind of, especially in the case of phishing, making sure that you really review the email that you're getting because a lot of times, it will come from - it looks like it's coming from Amazon or PayPal or something like that. But, you know, in reality, it's coming from a nefarious actor. And they're able to do some techniques to make it look like it's coming from there. But if you look deeper at the email, a lot of times, you can spot things that are inconsistent. The other thing we would encourage people to always do is look at - if you do click a link, make sure it's taking you where you expect to go because even though you may expect it to take you to PayPal, you know, it may actually take you to a website that has nothing to do with that. And that's how a lot of these phishing attempts actually happen. The other thing I would say to folks is if you're in doubt, don't click the link. Just go to the website directly where you think you want to go. And, you know, that way, you take out a lot of the risk in kind of unsolicited links and things that, you know, are intended to trick you. 

Dave Bittner: [00:27:37]  What about it coming at it from the other direction? If I'm a small business person and I'm making my products available online, what sort of steps should I be taking to make sure that the bad guys aren't taking advantage of me from that side? 

Neill Feather: [00:27:51]  One thing I think - you know, especially in this current time, so much is happening online. And so it's even more important to protect that online presence. There are a lot of great tools out there. Obviously, we offer some. But, you know, you should definitely be scanning your website for any evidence of a compromise or malware on a daily basis at a minimum. You also want to be able to, you know, quickly get rid of those issues and, you know, really be more proactive now than ever about your website and its security by, you know, making sure that, you know, you are identifying any weak points in your website or vulnerabilities and cleaning those up as quickly as possible and really looking to block any threats that come to the website. You know, so I think there are tools out there that can be quite affordable for small businesses. And, you know, I think that there's a lot - like I say, now more than ever, the website has become the primary means of commerce for a lot of small businesses. And so you've really got to be proactive in protecting that. 

Dave Bittner: [00:28:52]  Can you give us a little bit of insight as to what goes on behind the scenes with some of these tools? I know that's something you offer. And there are a lot of them out there. But what are they doing? Are they scanning for changes? What sort of thing is going on behind the scenes? 

Neill Feather: [00:29:08]  Yeah. So in our particular case, what we're looking for is any evidence that a malicious act has taken place. So we're looking for specific patterns in the code of the website. We're looking for specific behaviors of the website that might indicate that something has happened there. And then, you know, many tools, ours included, will actually, you know, clean up these issues for you, you know, in some cases in real time so that you don't stop or some of the negative impacts that we mentioned before of a compromise. So, you know, there's a lot of technical work going on behind the scenes through machine learning and other techniques to identify unusual behaviors and to identify malicious attempts that will, you know, help website owners who aren't necessarily technical experts or security experts really protect their online presence while they focus on growing their business. 

Dave Bittner: [00:30:01]  Where do you think we stand these days? Are we gaining ground on this? Or are the bad guys running away with things? What's the state of things right now? 

Neill Feather: [00:30:10]  Well, look - I think, you know, one thing that this current crisis really proves to us is that there's no shortage of creativity in the cybercrime market. And there's - wherever there's a financial incentive for people to attempt these types of cybercrimes, they're going to get creative as they can. So, you know, from our standpoint, as a provider of security services and products, you know, we are always looking for, you know, new attempts and new attacks out there. I'd love to say that we have a 100% solution. I think with the amount of creativity and the amount of changes and the millions of new variants that are happening every day, there's, unfortunately, no 100% solution out there. 

Neill Feather: [00:30:49]  What is useful, though, is trying to attack it from as many different avenues as possible - so protecting your digital assets, protecting your employees and, you know, making sure that you are - staying as far ahead of the curve as you can, as a business owner, will help mitigate that risk. I would just advocate for folks to be careful out there and make sure that they're educating themselves. You know, one of the things that I think gets missed sometimes is how frequently, for a small business, employees are at the center of breaches. One stat I've seen recently is about two-thirds of breaches that involve small businesses were caused by an employee or a contractor's negligence. So making sure that your employees are up to speed and trained is just a really important thing that's often overlooked because there's so much else going on. 

Dave Bittner: [00:31:36]  All right. Joe, what do you think? 

Joe Carrigan: [00:31:37]  Dave, I want to talk about toilet paper for a second. 

Dave Bittner: [00:31:40]  (Laughter) Oh, goody. 

Joe Carrigan: [00:31:42]  I have been trying to buy toilet paper, been having a very difficult time doing it. But I think I know where the toilet paper's going. 

Dave Bittner: [00:31:48]  Oh? 

Joe Carrigan: [00:31:48]  Because I have a friend who works in building maintenance. 

Dave Bittner: [00:31:51]  Yeah. 

Joe Carrigan: [00:31:51]  And he was telling me that they have 36,000 rolls of toilet paper for their building. 

Dave Bittner: [00:31:56]  Huh. 

Joe Carrigan: [00:31:57]  Because their businesses are shut down, right? 

Dave Bittner: [00:31:59]  Right. 

Joe Carrigan: [00:32:00]  So all the industrial toilet paper, you know, the corporate toilet paper, is going into these corporate facilities, and all of the retail toilet paper is leaving the stores. 

Dave Bittner: [00:32:10]  Yeah. 

Joe Carrigan: [00:32:10]  Because people are not at their office. 

Dave Bittner: [00:32:13]  Their habits have shifted, if you will (laughter). 

Joe Carrigan: [00:32:15]  Their habits have shifted, and the market's not yet adapted to it, and I don't know that the market should adapt to it. 

Dave Bittner: [00:32:19]  Yeah (laughter). 

Joe Carrigan: [00:32:19]  I don't know. That's just an interesting aside, I think. You know, I like to think of myself as the big brain who figures things out, right? 

Dave Bittner: [00:32:25]  Uh-huh. Uh-huh (laughter). 

Joe Carrigan: [00:32:26]  But anyway, one of the problems with the internet is that, generally, we have no idea who's on the other end of the connection. And this has been a problem - it's one of the first things I ingrained in my kids. I say, you do not know who you're talking to on the other end of the conversation. When you send an email to somebody, you think you're talking to somebody else. You know, of course, we always worry about the internet predators when we have kids, right? That's one of the biggest fears we all have, and it's a justified fear... 

Dave Bittner: [00:32:52]  Sure. 

Joe Carrigan: [00:32:53]  ...From some of the reading I've seen on the subject. But, you know, we know who Amazon is, right? 

Dave Bittner: [00:32:58]  Right. Yeah. 

Joe Carrigan: [00:32:58]  But we, generally, don't know who a new merchant might be. Like, if you see Joe's Website and I'm selling, you know, commodities right now, you don't really know who I am. You don't really know who you can trust. And you never really know who's on the other end of some chat interface, especially if it's a new person that comes to you out of the blue. Again, Neill talks about the little lock at the top that doesn't mean that you're secure. It doesn't mean you're talking to who you think you're talking to. All it means is that somebody can't intercept the traffic and decrypt it. 

Dave Bittner: [00:33:27]  Right. 

Joe Carrigan: [00:33:27]  So we've got to get beyond that lock at the top and thinking that means secure. And I think - you know, I hope we're moving around that. But you really have to be talking to the right person, and you have to validate that you're talking to the right person, which is kind of difficult to do. Inspecting the phishing email - Neill talks about paying attention to the phishing email. But that may or may not work, right? These phishers are getting better and better all the time. And much like your story today, I say never click the link - just never click the link. Just go to the website that you're being told to go to and use a link or type in the URL manually. Or optionally, you can use a Google search, but be sure you're not clicking on any ads once - when you use a Google search, right? Because that can also come back to bite you. 

Joe Carrigan: [00:34:11]  There is no shortage of creativity among these cybercriminals, and the reason is that they have the flexibility to be creative because they exist without restrictions on their creativity. I could very well say, you know what? I could scam people out using a Blessing Loom. But no, I have that limitation on myself (laughter) because there's laws against it. 

Dave Bittner: [00:34:32]  (Laughter). 

Joe Carrigan: [00:34:33]  But scammers don't don't have that problem, right? Scammers go, I don't care about the laws against it; I'm going to scam people out of $800. 

Joe Carrigan: [00:34:39]  And finally, he says that two-thirds of breaches were caused by negligence. I understand what he means when he says negligence. I would use the term mistake. I would say an error. I don't really think people are being negligent or stupid when they fall for these things; I think they're being targeted and victimized by malicious actors. Yeah, it's up to us to be diligent and everything, but you got to remember, people are trying to do their jobs. Their top-of-mind is, I've got to get this done by the end of the day. And we have to change the cultures of these companies, of all - every company. I have to get this done by the end of the day and be secure while doing it. 

Dave Bittner: [00:35:12]  Yeah. Yeah, absolutely. No, it's a good point. Well, our thanks to Neill Feather for joining us. He is from the company SiteLock. And we do appreciate him taking the time. We want to thank all of you for listening to our show. 

Dave Bittner: [00:35:27]  And of course, we want to thank our sponsors KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishingtest. Think of KnowBe4 for your security training. 

Dave Bittner: [00:35:43]  Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:35:51]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:36:04]  And I'm Joe Carrigan. 

Dave Bittner: [00:36:06]  Thanks for listening.