The Microsoft Threat Intelligence Podcast 6.17.26
Ep 71 | 6.17.26

Hot Cybercrime Summer: Smishing, Supply Chains, and SleuthCon

Transcript

Sherrod DeGrippo: Welcome to "The Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cyber crime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. It is getting hot out there. And we are in what Microsoft is calling hot cyber crime summer right now. Every week it seems like there is another ecosystem revelation, a supply chain compromise, a criminal marketplace, or more fraud operations scaling up. What I'm interested in is that these really aren't isolated incidents anymore. They're systems. They're economies. It's entire operational models. So today on "The Microsoft Threat Intelligence Podcast" I'm talking to two researchers that are presenting at SleuthCon in Arlington on June 5. Their work really captures two different sides of the modern cyber crime landscape and I would like to welcome to "The Microsoft Threat Intelligence Podcast" Aurora Johnson from SpyCloud. Aurora works on security research partnerships for SpyCloud Labs and previously worked at CISA. Her upcoming SleuthCon talk is titled "Smish and Chips: a Crash Course in Chinese Smishing, Carding, and Fraud." Aurora, thank you for joining us.

Aurora Johnson: Yeah. Thanks for having me.

Sherrod DeGrippo: Great title, by the way. I love it.

Aurora Johnson: Thanks.

Sherrod DeGrippo: Also joining us is Amitai Cohen from Wiz. Amitai leads the attack vector intel team at Wiz and focuses on emerging threats to cloud infrastructure and CI/CD environments. His talk is called "Angel Dust in the Cloud: Team PCP Shows the Vulnerability of CI/CD Systems." And they will be at SleuthCon on June 5 so you can see their entire presentation while we're there. So this is a little bit of an episode about cyber crime, what we're going to see at SleuthCon. Aurora, I'll start with you. Myself and the rest of the CFP board at SleuthCon really found that your abstract framing the Chinese language fraud ecosystems was not like a collection of scams or a collection of fraud. It really was like this well developed complex ecosystem. So my question to you is we are western defenders for the most part. What do we misunderstand about this space? What do we need to know here?

Aurora Johnson: Yeah. So I think this ecosystem really came on a lot of our radar a few years ago, maybe like 2023 time frame when there was a lot of smishing text messages that were about fake missing packages and fake toll road violations. Those were the two biggest lures.

Sherrod DeGrippo: I got -- I got the toll road ones.

Aurora Johnson: Definitely. Yeah. I feel like everyone got them, and they were all localized which was kind of cool, I guess. Innovative. I think that has gotten like more people in the west I guess interested in this Chinese language fraud and scam ecosystem, but there's a very well developed ecosystem. It's somewhat related to the pig butchering ecosystem in Southeast Asia as well. But then there's also a lot of Chinese language individuals that are just focused on phishing domestic people in China and then also have expanded out into phishing mostly credit card information for people overseas outside of China. So our talk really gets into basically how that missing USPS package text message gets sent to your grandma's phone and all the infrastructure behind that. And then what happens next to actually monetize her credit card information and turn it into money.

Sherrod DeGrippo: So tell me. Let's keep following that attack chain a little bit further. You get this text message. I've gotten them. A lot of people have gotten them. The text message says, you know, you didn't pay a toll or you owe some kind of money to a government agency. It's usually like traffic or sometimes there's like a court fee that you didn't pay or permit fee or something. What happens next in that attack chain?

Aurora Johnson: So they have interesting cash out mechanisms a lot of times that take advantage of NFC relay features in mobile phones. So essentially they'll often load your credit card information into a digital wallet sometimes with 3D payment stuff that will actually also get the two factor code in order to like load it into the wallet. And then they have interesting ways of using tap to pay to kind of turn that into goods that are worth money and money in general. So they'll have partnerships with point of sale owners all around the world where they can relay the card information to phones anywhere they want and those phones can then be tapped in order to do transactions where they're coordinating with the owner of that terminal. They also will often send out mules and buy like luxury goods, expensive electronics, and gift cards which they can then sell for cash. There was actually a case in Tennessee, I want to say, where they caught 11 Chinese people that were just going around to like gas stations tapping these NFC relayed like card payments to purchase gift cards. And the actual -- the person that's operating the phishing panel is often located far away from the person that's tapping on the terminal. And they have these like mobile apps. So I think there's like three or four of them right now where you can send and relay the basically the tap payment so it can go to anyone's phone anywhere that is on the other side of that and then they can purchase gift cards, purchase an iPhone, whatever they want.

Sherrod DeGrippo: So this sounds really operationalized which we've been seeing more and more with the crime actor groups. How many people would you suspect are in this ring? Because it sounds like a crime ring basically.

Aurora Johnson: Oh. I mean there are lots of crime rings. I would say it's like a well developed ecosystem or even like a crime subculture. And you have I think there was like a lot of talk about the B1 guarantee. That's basically like it's almost like a cyber crime forum with a complicated escrow process, but all through a series of interrelated Telegram groups. And now that B1 has kind of gone away there's all these other guarantee groups that people have moved to. So basically what we're seeing is coordination between different vendors and like service providers in the ecosystem to all bring that chain together. So you have a different person creating the phishing panel, actually operating the phishing panel, sending out the SMS, RCS, or iMessage messages in bulk. Those are all like often three separate groups of people. Then you also have like cash out money mule groups as well and then you have different people developing those like NFC cash out apps. And sometimes you also have people that coordinate with a ring of point of sale terminal owners in different countries. So it's a really well developed ecosystem. And then you also have people that sort of run the guarantee groups as well. So they each have their own set of administrators and like a fairly complicated and transparent escrow process which we don't get into this as much in the SleuthCon talk, but also makes it interesting to track the payments that are going into the centralized wallets within the guarantee ecosystem because a lot of it's operating just through like cryptocurrency transactions to a centralized wallet.

Sherrod DeGrippo: And so help me understand. You said that this is China. It seems China based. Are these Chinese nationals in other countries? Are these -- is it actually originating from mainland China? What's the China nexus here?

Aurora Johnson: Yes. So it's like Chinese language actors often operating in mainland China, but also close to China in like Southeast Asian countries. So you obviously have the big scam center operators in Southeast Asia, but you also I think have a lot more minor actors that are operating there. You have people in mainland China. And then also one development that I think is interesting is previously for the fake ecommerce site phishing kits and panels those were -- used to only be available like in Chinese. But now you're seeing more and more kits have like an English button. So you don't have to rely on like the in browser translator because they are trying to offer them to a more internationalized audience because they're so successful and it's becoming so popular. So the Chinese language smishing ecosystem is actually I think permeating even outside of Chinese language threat actors as well.

Sherrod DeGrippo: So it sounds to me like the maturity level of these communities to operate is really high. This sounds really highly operationalized.

Aurora Johnson: Yeah. Definitely. I think you saw kind of a move away from the credit card focused phishing kind of in more western and Russian language ecosystems. So it's all really focused now on man in the middle logins to single sign on portals and web mail portals. That's what a lot of -- where a lot of the kits are going, I think. And they're trying to bypass like MFA and get persistent logins to these like SSO portals. But what you see in the Chinese language ecosystem is they found actually a significantly renewed success phishing for credit card information. And they did that because of the use of bulk smishing also with RCS and iMessage which are encrypted messaging protocols directly to people's phones. And then also the use of these sort of novel cash out methods with the NFC payment information. So I think it was kind of dead over here and then now it's had renewed success because of this specific Chinese language subculture that's focused on smishing.

Sherrod DeGrippo: So it sounds like there's a platform element to being able to provide all of these different crime tools and transfers. So it's like infrastructure messaging, phishing kit developers, people who do the cash out, people who do the money movement, and then like the operator of the marketplace.

Aurora Johnson: Yeah. There's a lot of service providers. There's like all these - I think we at SpyCloud like to call it cyber crime enablement services.

Sherrod DeGrippo: Okay.

Aurora Johnson: So the ecosystem of tools and services that all go into the actual fraud or crime that's happening which a lot of times is complex. And then there's also like some of the services are sort of in a gray area. So, for example, you see people operating bulk SMS like messaging services seeming to advertise as like a legitimate business that offers them for marketing purposes to other businesses. But they're advertising them in essentially crime groups. So I think they know what most people are using the bulk SMS messaging services for. But technically it's kind of a gray area service provider.

Sherrod DeGrippo: I guess that's something in the crime landscape that is an interesting kind of question or like an interesting way to frame it. It's like if your customers are only using your product for crime are you a criminal? And, you know, I would dare to say yes, but different countries have different legalities around that.

Aurora Johnson: Yeah. For legitimate research purposes only [inaudible 00:11:35].

Sherrod DeGrippo: Right. Yes. For entertainment purposes only. Don't use this for bad stuff. Amitai, your talk hits another theme I think the industry is really dealing with right now which is CI/CD environments as the attack surface. There's so much to unpack here about just that, but what do you think defenders have underestimated? What do they not know when it comes to CI/CD pipelines?

Amitai Cohen: So the main thing I think that Team PCP which is the main topic of our talk they're paying more attention to than defenders are, at least over the past few months, is mainly configuration and vulnerabilities in the workflows. So you have basically all the sorts of automations that people can set up in GitHub which are super useful. I mean I use them. Everybody uses them. They've become kind of the standard. You know, they're free and people don't know how to configure them properly. So what happens is that they add all these actions that are trying to make their lives easier. For example, you know, they want -- they get a bunch of pull requests from all sorts of anonymous contributors that want to take part in their open source project. And they have a bot and the bot's job is to review those pull requests and, you know, add a few comments. You know, check for code issues. And the problem is that that is in and of itself an area where you are basically trusting content that shouldn't be trusted. And if those bots also have access to interesting secrets or if they have permissions in your cloud environment or if they have permissions to publish, you know, new versions of your software then attackers are going to basically be able to steal those. And I think over the past few months actors like Team PCP have been proving that this is definitely possible. And AI is making it super easy for them.

Sherrod DeGrippo: So first thing I want to know is are you talking to developers and what is their temperature and read on how dangerous this stuff is? Are the developers clued in or are they still just naive?

Amitai Cohen: So I think as of let's say six months ago I think many people were very naive about this. They kind of just assumed that it was working. They assumed that this is how you're supposed to do things. But then a bunch of open source tooling came along that made exploiting this stuff super easy and then actors like Team PCP realized, "Okay. We can use this to make money." You know, there's a monetization opportunity here, especially if we're going to use this to basically chain a bunch of different supply chain attacks like a triple/quadruple supply chain attack against a big enterprise company that can pay out. But I think over the past few months the positive I guess effect of Team PCP's activity and the fact that they're so prolific and the fact that they're so outspoken, as I guess young hip cyber criminals are, is that they've raised awareness. So I think if you ask people now I think a lot of developers are quite aware of the risk.

Sherrod DeGrippo: I talk to developers a lot. Since coming to Microsoft that is a new world for me. I have never been around so many software developers in my life. And, you know, obviously it's a spectrum of understanding, but I think we're starting to pull them into the security world in ways that we've always told them they needed to be, but they never had to be. They were never forced. And I think now seeing just threat actors shredding through open source projects, getting into the supply chain like machines, I think a lot of these maintainers, the contributors, the developers, they may not fully be security people yet, but they are begging for help.

Amitai Cohen: I mean you can see it even in the platforms themselves. Like you can see the response that GitHub and NPM and [inaudible 00:15:38] and a bunch of the other registries, you know, over the past few months they've basically I guess revamped their road map to add a bunch of security features to compensate for what's going on. And they've made a lot of things that were already available enabled by default in some cases. Still not enough in my opinion. Like if I was manning those ships I think I would be a lot more opinionated about making, you know, the default's more secure. But it's definitely moving in the right direction.

Sherrod DeGrippo: Aurora, I see you. I want to get a comment from Aurora here because this is something I'm sure you're dealing with and seeing too. So what's your perspective on that? Because you're shaking your head and I'm like uh oh. What does she got on this?

Aurora Johnson: No. I just agree wholeheartedly. I mean I think it also kind of shows the entire software ecosystems reliance on open source because people are freaking out so much about this. It's like well there was like one guy developing this on his personal computer and so I think it's --

Amitai Cohen: In Utah. In Utah.

Aurora Johnson: You're right. So like if he gets popped and it produced a supply chain attack that affects all these major companies maybe that is an issue too. Maybe that's a choke point. So I think that Team PCP was smart to take advantage of it, but also I think it's exposing dependencies that we have just like in the software development system.

Sherrod DeGrippo: Yeah. Some of these stories that I've heard -- and it's funny that there's multiple ones of them now just in the past couple of months where it is either an individual maintainer or a very small group of maintainers and one of them gets social engineered and they're just like, "Here's a commitment." Great. Happy to have the help. In a lot of ways I feel bad because these are small projects maintained by one person or a really small group of people on their off time. You know, these aren't billionaires maintaining our open source foundations. These are people working regular jobs, you know, and then they get the offer for help and it's kind of too good to pass up sometimes I think, especially when these threat actors are doing social engineering for months and months and months to get ingratiated into those communities. Amitai, tell me about Team PCP. What can we say about that threat actor group?

Amitai Cohen: So Team PCP I have to say I'm not like an expert on cyber crime internals I guess. You know, my focus is on what -- everything until the monetization step and more on the technical side. But I can say that, as far as I'm aware, they are an English speaking threat actor. They kind of came on the scene around December 2025. Their initial MO was very different than what they're doing now. They were like scanning cloud environments, exploiting like React2Shell and all sorts of other like one-days to basically steal credentials. It's possible that that was like, you know, their like they were a startup and that was their initial idea and then they decided to pivot when they realized it wasn't working in their favor. And then around March they suddenly started to do the GitHub Actions exploitation thing and I have been waking up every morning since then wondering what the next package they'll attack will be. You know, wondering what my colleagues overseas were working on overnight and what sort of blog post I'll have to be writing when I wake up. And they've been doing this really well. The main thing that they've been doing well is I mean I actually counted a few days ago when we were working on the presentation they've already breached like over 500 packages and I think around like 100 of those exist in at least like 5% of like enterprise organizations based on our data. And that's not even counting like the transitive dependencies. So like you might have a package that many other packages depend on. Right? And those have other users. So they're very, very good at playing this like this really, really, really multidimensional supply chain thing. And again it's way too easy for them. They're doing way too well relative to how new they are and how easy AI is making it for them. And AI should be making it easier for us. Right? Like that's the promise.

Sherrod DeGrippo: That's what they told us. Right. So what you're saying is that Team PCP as well as the other supply chain focused, software supply chain focused, threat actors have a beautifully rich attack surface in terms of options that they can go after. And they're doing it and they're doing it operationally and they're really focusing where they can have the most impact. It reminds me of kind of the golden age of Silicon Valley software development when people would talk about, "Oh, you write spaghetti code." And I feel like we're in a time of like spaghetti dependencies where everything is like weirdly smashed together in terms of what it depends on and there's a lot of like recursive dependencies and foundational dependencies and forks and as someone who's not a software developer it's hard for me to like understand and track all of that stuff. So help me understand what developers need to do if they want to, for example, not get hit with a Team PCP situation.

Amitai Cohen: So that's like the really important question here, and I don't know if I should be happy or sad about this, but the answer is actually quite simple. And it's just hard to implement because again like a lot of the -- a lot of the solutions here are available. They're just not enabled by default. And organizations might even know about them, but they just choose not to implement them because they're hard, because they create friction for developers. Just to give you an example -- and I think part of this is even like we should be blamed for this as a security community which is Team PCP is basically relying on the fact that everybody is constantly updating their software to the latest version. Now why are they doing that?

Sherrod DeGrippo: Turn updates on. Auto update. Auto update.

Amitai Cohen: Yep. And part of that is, you know, the feature aspect. Like I want to have all the latest features. But the other is the security aspect. Like we've taught organizations, you know, you need to be on the latest version if you don't want to get hit by the next RC. Right? And they're taking advantage of that. So one thing which we've been telling people to do is something called pinning dependencies which basically means instead of having your developers always pull the latest version when they're building software have them pull a specific version that you know to be safe, that you've tested. And now once in a while, only when you need to, should you update to the latest version. And even then, you know, one of the pieces of advice that's been going around that we're a big supporter of is something that's been called cooldowns where you basically live like you have a time machine and you live in the past and you never download anything unless it's like more than a week old. Like you let your dependencies age like wine and, you know, you live retro, I guess.

Aurora Johnson: Don't patch too early. Don't patch too late. Right in the middle. Goldilocks patching.

Sherrod DeGrippo: And that's a new complexity layer that we're adding for security teams that they need to think about now which I think the return that you will get on creating some of that guardrail is pretty significant when you're dealing with a library or a package that is massively dependent upon across multiple projects that you're using in your environment. Something else I wanted to ask about before we move on is what was in your view -- what was the role of automation in the ability to amplify and make this more painful?

Amitai Cohen: Yeah. That's a really good point. So in our talk we basically talk about what the attack surface here actually is. So it can basically be divided into two parts. One I think is the more familiar part which is endpoint devices. Like you have developers working on laptops. They're running, let's say, VS Code. They have extensions. Those extensions auto update. They're building software. They're running software. They're doing pip install and npm install and then they're pulling all these things in and if they get lucky then they'll get Team PCP's latest present for them. But that's sort of the more traditional side and that isn't necessarily where most of the problem is because I guess developers have to sleep so that's only like half the day where Team PCP actually has an opportunity to target you. The thing is you have CI/CD systems. You have basically what's called -- what's known as runners which are basically virtual machines that are constantly running CI/CD workflows like the bot that I mentioned before. That's basically building software all the time. You know, a developer pushes some -- a new feature and then the software gets rebuilt and then another version gets pushed out. This is mostly common in organizations that have like SaaS products where they're basically -- there isn't like a version every week. It's like a version every few minutes or a version every hour. And those machines are always on and they're constantly pulling the latest versions and that's another thing that Team PCP can take advantage of. So yeah. The automation plays a very big part here and like our data has shown that a lot of these packages, you know, they get pushed. Someone immediately notices because everybody's monitoring this stuff and checking for malware and reporting it and taking it down. It could be in the air for like an hour and if the package is popular enough it could still spread to like 10% of the users because of that automation which is nuts when you think about it. Like they get millions of downloads so even if you're in the air for an hour you're going to get a lot of downloads because it's like a big numbers game.

Sherrod DeGrippo: I think for the last couple years we have all been talking about the fragility of the software supply chain and that's been the past few years. We've been talking about SBOMs and how to know what you're dependent upon and all this stuff. But I think we are really in a scary time for the supply chain. This is like we're at war.

Amitai Cohen: It feels like it. Yes.

Sherrod DeGrippo: It's under attack. Yeah. It really does. And I feel like the threat landscape always is evolving. Right? We've seen all kinds of different eras. We've seen like the browser [inaudible 00:26:06] era. We've seen the rootkit era, the exploit kit era, the drive by download era, social engineering smeared on top of all of these. But now it really does feel like we are in an era where the software supply chain in my opinion if I were to qualify where we are I would say the software supply chain is under attack more than ever at higher velocity and network devices. Network devices are just the nexus of brutality right now. I see threat actors just wanting to be on that hardware. So we've got some work to do, people. So let me ask you both. Looking at these two presentations which I'm super excited about, Aurora, I'll ask you first and then, Amitai, I'll get your point of view as well. Have we crossed a threshold even more to where cyber crime is operating just straight up like a mature business?

Aurora Johnson: Oh definitely. I would say so. I mean there are complicated business relationships, at least in the Chinese language cyber crime ecosystem, and we also see that in other cyber crime language group ecosystems where it's they have their own supply chain. They have vendors and they have customers essentially if you're operating in this cyber crime ecosystem. You are a small business owner.

Sherrod DeGrippo: Amitai, what are we looking at in terms of the operational maturity of the crime landscape?

Amitai Cohen: So I can't speak to the monetization, but I will say that it does feel like we've entered sort of like an industrial revolution where, you know, you have, I guess, robots on the ground that are doing like the threshing of the fields and they're doing it way more efficiently than the farmers were using their hands and their tools. I think a good example of this is, you know, when we talk about one thing that a lot of these actors that are targeting supply chains have been doing is using a worm where basically there's no human in the loop. Like you steal the credentials and you immediately publish another malicious version to some legitimate popular package. And, you know, Team PCP and actors like them just, you know, they sit back and they watch this going on and they watch the credentials start flowing in. And then, you know, they can work with all their partners to start thinking how they can monetize this and, you know, what data they want to sell off, what data they want to keep to themselves, what other big supply chain attacks they want to facilitate using the credentials that they've stolen. Like I imagine them like this dragon that's sitting on this capitalist hill of NPM, GitHub, AWS, Azure, GitHub secrets and just waiting for the right opportunity to make their money. So yeah. Definitely feels like a business to me.

Sherrod DeGrippo: Amitai, was that a "Lord of the Rings" reference?

Amitai Cohen: Yes. Of course it was. That was a small, yeah, Benedict Cumberbatch doing his thing. I want him to voice them in the movie if possible.

Sherrod DeGrippo: I think that that would be fantastic.

Amitai Cohen: Is he a listener? Does he listen?

Sherrod DeGrippo: Yeah. Benedict Cumberbatch is a big listener to "The Microsoft Threat Intelligence Podcast." He writes in emails all the time and I'm like, "Benny, chill." No. I love that because I reference Smaug quite a bit as well at work. Like because I saw this chart of highest net worth of fictional characters and he is considered the richest fictional character ever because he's a dragon obsessed with collecting gold. So that's a really good analogy. I love that. Aurora, any comment on what we're seeing there?

Aurora Johnson: My favorite Team PCP detail is that they were prepending malicious commits with the string "every boy we build is a wormy boy." I just wanted to mention that because you mentioned the worming.

Sherrod DeGrippo: Every boy we build is a wormy boy. And I take the work very seriously, but at the same time I don't always take myself real seriously. I take the landscape seriously. I take protecting, you know, the global digital ecosystem really seriously. But when you're up against -- when you're up against some people with some interesting absurdist senses of humor it can be pretty amusing, especially in crime. I think that's one of the reasons that I'm so interested in the crime landscape is that these threat actors they just they don't have an incentive to stealth. They don't have an incentive to not really, really being caught. When you're dealing with nation sponsored threat when they're doing espionage or they're trying to get access for disruption they cannot get caught. The op sec is much higher and it's on purpose and it's intentional and, man, the crime landscape. They just do not care.

Amitai Cohen: They're on Twitter talking to security researchers, you know. You know, if you try to connect to their C2 address to explore it you're hit with a redirect to YouTube to some song that they choose because they want -- you know, they want to control what you listen to. They're having fun.

Aurora Johnson: I think one thing in the Chinese cyber crime space is a lot of them have -- a lot of the like persona influencer actors will have profile pictures that are like American cartoon characters. So there's like I've seen like a SpongeBob. I guess technically Japanese, but there's like a Squirtle actor that's really big in the Chinese cyber crime like phishing communities. So I just I think that's like a fun aspect of them as well. If you want to track Chinese cyber criminals you need like Tether on TRON, USDT cryptocurrency. You need a cartoon character profile picture. And you need to get on Telegram. That's the starter pack.

Sherrod DeGrippo: So what's interesting to me about that is that it kind of speaks to the digital cultural vernacular. Like we all speak this language whether we're on the defender's side or on the threat actor's side. We're kind of all the same age. We're kind of all raised on WiFi. We're kind of all like of the same culture in a way even if we're from different countries, even when we speak different languages. We all know what Squirtle is.

Aurora Johnson: We all know what Squirtle is.

Sherrod DeGrippo: You know, the truly unifying -- what is he? Pokemon.

Amitai Cohen: Our cyber heritage.

Sherrod DeGrippo: Yeah. It is.

Aurora Johnson: We're all in the Squirtle squad.

Sherrod DeGrippo: We're in the Squirtle squad and we all kind of have that same language. We all kind of speak that same language and it's kind of weird. So, Amitai, let me ask you. In your abstract you say that this was likely AI or LLM assisted malware creation. Tell me what are the indicators that are giving you that?

Amitai Cohen: So there are a few things. One is sort of more classic signals like a lot of common -- like over-commenting their code. That's one thing. But beyond that they do a lot of iteration like really, really fast. Like you can see a malicious payload in one package and then a few hours later it's completely different and it's also clear that they're learning from their mistakes. And they're reading our blogs. What happens is they have a bug. Someone realizes they have a bug, blogs about it. And then a few hours later they fix the bug. I think they're moving very, very fast, and it kind of feels like they're using AI both for exploitation just because it's really easy to find the vulnerabilities that they're exploiting with AI, and they're also using AI for development.

Sherrod DeGrippo: I think that's the new way forward. Right? Is that when a tool is available and it can accelerate, it can provide scale, it can make things go faster, better, etcetera, everybody's going to use it whether you're a defender or threat actor. It doesn't matter. Like if you have access to tooling that makes your life easier you're going to do it. Aurora, have you seen any AI impact around fraud operations?

Aurora Johnson: Yeah. So I think there was a researcher last year that talked about one of the most popular Chinese phishing kits which is called Magic Cat. Some people also call it Darcula because the coder of the phishing kit went by Darcula. But they were bragging about using AI to very quickly allow their users to make custom new kind of phishing pages. So they could do any brand skin, create that, and create like a custom phishing page out of it that required you to put in your credit card information or your login information extremely quickly using AI tooling. So I think that's like an interesting way that they're using it. It also allows them, I think, to better get over language barriers which is part of the reason you see such success with individuals operating in China and Southeast Asia phishing people in the United States, because they're using large language models to help them get over language translation barriers.

Sherrod DeGrippo: So I'm really excited about seeing these talks at SleuthCon. Aurora, I know you've been to SleuthCon before. Right? Have you been before?

Aurora Johnson: Yeah. And I went to the first one which was BrunchCon.

Sherrod DeGrippo: That's right.

Aurora Johnson: Name.

Sherrod DeGrippo: I did the keynote for that one. That was the one where John Hultquist messaged me like six months before and said, "Hey, do you know any cyber crime people?" I was like, "John, that's like all I do, man." Yeah. So SleuthCon was originally called BrunchCon because it was the morning after CyberWarCon when kind of everyone was done talking nation sponsored and wanted to have a little crime time fun.

Aurora Johnson: To have fun. Yeah.

Sherrod DeGrippo: To have some fun.

Aurora Johnson: Because it's more fun.

Sherrod DeGrippo: It is more fun. Amitai, have you been to SleuthCon before?

Amitai Cohen: Yeah. I was also at BrunchCon.

Sherrod DeGrippo: Okay. You were at BrunchCon too.

Amitai Cohen: I remember your keynote and it's one of my favorite talks ever I think.

Sherrod DeGrippo: Oh thanks. It was definitely mostly about poking fun at John Hultquist which is one of my favorite pastimes. Aurora, give us one reason that listeners should keep an eye on SleuthCon.

Aurora Johnson: I guess I'll appeal to people that don't think they like crime, but I think that the linkages between cyber crime and cyber espionage are much closer than some of the espionage people like to admit. I think they're intrinsically interrelated.

Sherrod DeGrippo: Oh. That's such a good answer. Amitai, why should people come to SleuthCon and check it out?

Amitai Cohen: So I think criminals have different interests and that makes them operate differently and cyber crime also affects way more people.

Sherrod DeGrippo: Yeah. It's big. And I think just kind of what I was saying earlier. Our nation sponsored threat actors, nation state actors, oh they really don't want to get caught. That is a big part of the tradecraft is staying under the radar, maintaining access, things like that. But these cyber crime actors because the world is available to them in any direction they want to go they are wild. They just really bring a lot of creativity, a lot of innovation, a lot of new ideas. And that creativity and innovation will make its way to nation sponsored because when it works in the tradecraft that's what they care about. If it works right, they want to take it. So I encourage everyone to check out SleuthCon and keep an eye on that. I want to give a huge thanks to Aurora Johnson and Amitai Cohen for joining us. We will be at SleuthCon on June 5. So if you are attending make sure to check out their talks. We will put links in the show notes so you can see any video and bios of these two fantastic speakers. I think we're really seeing that cyber crime is going from this kind of opportunistic here and there thing to much more structured, adaptive, and hitting things like the software supply chain and a variety of different currency and payment networks. So, Aurora, Amitai, thank you so much for joining me.

Aurora Johnson: Thank you for having me.

Amitai Cohen: Really happy to be here.

Sherrod DeGrippo: Thanks for listening to "The Microsoft Threat Intelligence Podcast." Be sure to follow us wherever you get your favorite podcasts. Thanks for listening to "The Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out. Msthreatintelpodcast.com for more. And subscribe on your favorite podcast app.