CyberWire Daily - A cyber carol.
Episode Date: December 27, 2024
Please enjoy this encore episode of Only Malware in the Building. Welcome in! You’ve entered Only Malware in the Building. Grab your eggnog and don your coziest holiday sweater as we sleuth our way through cyber mysteries with a festive twist! Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive Upper West Side, Selena is joined by N2K Networks’ Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, our cyber ghosts delve into the past, present, and future of some of the season’s most pressing threats: two-factor authentication (2FA), social engineering scams, and the return to consumer-targeted attacks. Together, Rick, Dave, and Selena deliver a ghostly—but insightful—message about the state of cybersecurity, past, present, and future. Can their advice save your holiday season from digital disaster? Tune in and find out. May your holidays be merry, bright, and free of cyber fright!
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code n2k. And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, … that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface,
making apps and IPs invisible, eliminating lateral movement,
connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context, … organization with Zscaler, Zero Trust, and AI. Learn more at zscaler.com slash security.
In the cold, mysterious corners of the cyber world,
where digital ghosts haunt and malicious spirits lurk,
three brave souls gather around the proverbial fireplace,
ready to unwrap the secrets of malware.
Tonight, meet our merry malware mavens.
The wise yet weary
Rick, the malware ghost
that breaches past. The sharp
and cunning Selena, the phantom
of threats yet to come.
And the ever cheerful, ever curious
Dave, our ghost of
malware present.
Let's see what ghastly gifts the
cyberspecters have left under our tree
tonight.
Ooh, I spy a nasty ransomware
attack. These have been lurking around
for centuries.
And here's a holiday treat for us
all. A shiny new malware
scheme wrapped in a bow.
So snuggle up tight,
brave listeners, as Rick,
Selena, and Dave guide you through the malware stories that haunt, the ones that chill, and maybe even a few that thrill.
Because remember, the ghosts of malware never truly sleep.
Ho, ho, ho, ho! Merry Christmas!
Merry Christmas!
Welcome to the Cyber Carol, where every download could be your digital undoing.
Now, who's ready for a little holiday haunt?
Our journey begins with the ghostly trio of malware experts, each one bringing tales from different realms of cyber lore.
First, let me introduce to you Rick,
the malware ghost that breaches past. Yes, indeed. I've seen it all from the very,
very first viruses to the earlier ransomware that held us hostage. Think of me as the ghost that remembers where it all began. And I'm here to remind you why history has a habit
of repeating itself. Next, guiding us through the haunted here
and now, please welcome Dave, the ghost of malware presence. I'm your guy for all the latest and
greatest in malware, coming straight out of today's naughty list. From phishing schemes to malware with
festive new twists, I've got everything happening right now in this chilling little stocking.
And last,
hailing from the unknown reaches
of what may be, we have
Selena, the phantom of
threats yet to come.
The future's a dark, winding code
riddled with exploits, zero days,
and malware we've yet to imagine.
I'm the ghost with a
glimpse of what's lurking ahead,
so tread lightly lest you find yourself in my shadow. All right, with a nod towards the Charles Dickens classic
that we're trying to emulate here, A Christmas Carol,
I am the ghost of Christmas past, your past, Dave.
And these are the shadows of multi-factor authentication.
Okay, and this is what they are.
And what they are, don't blame me.
Okay, and if you remember back in the old days,
Fernando Corbató invented passwords in the early 1960s.
And ever since then, we've been trying to figure out
how to make that better.
We haven't fixed it yet, but we've been working on it
with two-factor authentication.
So let me summarize, okay, how they work,
and then we can talk about how secure they are.
First up is SMS verification.
If you're an internet troll like me, the ghost of Christmas past,
and I want to log in to audible.com,
the website sends a text message with a one-time code for me to use.
I enter the code into the audible.com website to gain access to my account. So that's kind of the first two-factor authentication scheme. The next is email verification, very similar to SMS,
except the message is sent via email and not as a text message. The next is authenticator soft tokens
like Google Authenticator,
ID.me, Blizzard's Battle.net,
which I use every day,
and LastPass.
So authenticators use
an Internet Engineering Task Force algorithm
to generate one-time codes.
I want to log into my Google G Suite account.
G Suite asks me for a one-time code.
I open the Google Authenticator application
on my smartphone and look up the listing for Google. So I have several listings to choose from,
like LastPass or others. The algorithm is standard, so Google's Authenticator can be used to log into
other companies' apps like Microsoft or Amazon. And I noticed that for each listing, there is a
countdown, like for every 30 seconds, the Google Authenticator app generates a different code to use.
So I try to remember the six-digit code and enter it into the Google login screen before the timer winds down.
The next method is push authentication.
We get this kind of thing from Google, Apple, and others.
It's not SMS verification because they don't use codes.
When I get summoned by my mother-in-law to fix some tech issue with her iPad,
I might need to log into my Gmail account to retrieve some information.
Google doesn't recognize the mother-in-law's iPad that I'm trying to use as a registered device and pushes a notification to me via the Google application on my iPhone.
I open the Google application,
push a button that says,
yes, I am indeed the ghost of Christmas past,
and that's all it takes.
It's way harder to explain than it is to do,
but in the end, I get to access my Gmail account on my mother-in-law's iPad.
Apple's version is similar,
but it's not tied to an application.
It uses the operating system.
So there's one more shadow
in the two-factor authentication space that you may all have heard of.
It's called passkey, and it uses the asymmetric key model made famous by Whitfield Diffie and Martin Hellman back in the 1970s.
Apps or websites store your unique public key.
Your private key is only stored on your device, and your device authenticates your identity.
The two keys combine to grant your access to your account.
Usually, the software on the device that generates the passkeys uses a biometric authentication tool,
such as Face ID or Touch ID, to authenticate your identity.
Passkeys also sync across devices, making them really easy to use.
And the last one on the list is universal second factor authentication. It's
kind of an open standard that uses the universal serial bus or near field communication devices.
So I want to log into LastPass password manager to access corporate accounts. I enter my user ID
and password and then LastPass asks me to insert my physical authentication USB key into the laptop. In this case, my Yubico YubiKey.
I touch the button on the outside of the physical key and LastPass grants access.
And the way this works is that the USB creates a public-private key pair for each website like LastPass.
The user's browser verifies those keys and allows me to gain access.
So those are the things at our disposal. I've gone up from very old stuff, everybody, from the original user ID password pair back in the 1960s to kind of
where we are today. Let me ask the ghost of Christmas present, did I get all that right?
Well, it seems to me like you did. And what I wonder is, is the username and password combination, is that the ghost of security past?
And then multi-factor authentication is the ghost of security present.
And passkeys is the ghost of security future.
I really think it is.
I think passkeys are the future for most of the things we need to do on the internet.
If you have to be really secure, like if you're a spy or if you're protecting corporate secrets,
you should be using the hard token for your most important secrets, right?
But for everything else, I think passkey is going to be the thing.
Selena, what do you think?
Absolutely.
And unfortunately, though, I think there are many
people that are still living in the past, right? I mean, I think that MFA everywhere is...
Which is where I live, which I'm okay with.
Your words, not mine, Rick. Your words, not mine.
Rick is haunting the computers of everyone that doesn't use MFA. Yeah, I mean, it's interesting
because everything has gotten a lot easier, right?
I feel like back in the day,
it used to be this when everyone was adding a second factor
to their login and password
and typically using SMS authentication,
it was like, oh my goodness,
yet another thing that I'm going to have to remember to do,
yet another box that I'm going to have to click.
But I think we've seen a shift in human behavior where it's a little bit more accepted now where it's like, oh, okay, I know that I have to do this. It's still a bit of a pain.
But with the, like you were mentioning, Rick, like with the YubiKey and a physical key,
that you just, it's something that you have. It's so easy to incorporate into your
wake up in the morning and you log in and you touch something and you're all ready to go. So I think being more secure is also a little bit more streamlined in many ways.
Well, you say that, but you know, and I love the hard token authentication method,
but I'm going to lose that device. Okay. As a ghost of Christmas past, there's no way I'm
going to keep track of that thing for the rest of my life. So that's the one downside.
That's why they send you two.
So you put one on your keychain,
and then you put one somewhere in your home
where later you can't remember where in your home you put it.
Exactly.
Do you live in my house, Dave?
That's exactly how that works.
Yeah, and you know what?
I mostly agree that things have gotten easier,
but I have to say, as much as I love hardware keys
and the security and simplicity that they provide,
if I'm sitting on my couch and I try to log into something
and it demands my hardware key
and I have to get off of my couch
and walk over into the kitchen where I keep my keys,
like the drawer, the junk drawer where I plop my keys when I get home. I am PO'd about that.
Yeah, that's not getting done that day. Okay. That's what that means.
I mean, and I just, I keep, when I have to do that, I try to tamp down the frustration by saying,
this is for security.
This is for security.
This is good.
This is a good thing.
But boy, it just, because it's a roadblock, right?
It just stops you from doing what you want to do.
It's friction.
Are you waiting for the future of biometrics everywhere, Dave?
Where if you're sitting on the couch, you can just look at your phone and it'll say, yep, this is Dave.
I'd say we're most of the way there
because I love like Face ID on my iPhone
and I love Touch ID before that.
And I think they were very effective
and overall very secure.
And I think passkeys are going to be
the next step with that.
I'm curious that it seems to me that passkeys are a little slow out of the gate, like people are still figuring it out.
It's so true. I mean, we say, yeah, it's way easier. But it's one thing for a bunch of security
nerds to talk about how passkey is easier to use. But I was mentioning my mother-in-law,
who's 85, by the way,
and slings the iPad like she's a warrior ninja somewhere.
Right, right.
But explaining how passkey works to her,
okay, we're not there yet.
It's too hard for the normal average citizen
to use those kinds of things.
Yeah, I agree.
I have to admit,
every time I use my YubiKey,
in my head, I don't know why,
I don't know what this does about me,
but I feel like it's, you know,
taking like a drop of blood
from my fingers.
It's like, you must sacrifice.
Little woodland animals.
We could use that for our Halloween episode, Selena.
I know.
But I don't know why that's in my head every time
I touch it. I'm like, what is this taking
from me?
You're looking a little pale. You've been logging into
a bunch of accounts this morning, Selena?
You should sit down and drink some water
or juice. That's right. Here's some orange juice and a
cookie.
I do think reducing friction as
much as possible is really the only way that we are going to be secure and get people to embrace these technologies and use them as mandatory.
Because, Dave, I've definitely been there, too, where it's like, you know, I don't want to go downstairs to buy this online.
Right.
So I'm just not going to do it.
I don't really need it.
Right.
So it's really interesting.
But I do think that we have come a long way in trying to make things a little bit easier.
I know, for example, Google has implemented some ways of reducing friction in their products and helping people basically say,
this is mandatory.
We're going to explain to you why
you need this and why you want this. And we're going to walk you through the steps to get it.
And hopefully it just becomes second nature. Because I mean, look, we can learn to pick up
a phone and do TikTok dances and figure out how to splice videos together immediately as soon as
we pick a phone up. You can do that.
Speak for yourself.
All I'm saying is the ghost of Christmas past,
we invented passwords in the 1960s.
Now 60 years have gone by before we've even
started to make it slightly easier
to log into things. So we have a ways
to go.
And Christmas past, the ghost of
Christmas past, you have seen
the evolution of all of these tools
in large part because the threat actors
who are really the ghosts of the future
keep creating new
ways to figure out how to bypass
these things, right? I mean, obviously
username and password, that wasn't enough.
Then you move to MFA. Now you have
SMS theft,
right? Like spoofing SMS, trying to get those text codes.
And then you have things like MFA phish kits. So there's like attacker-in-the-middle phish kits
that are attempting to steal those cookies and use the tokens, replay them to log into
compromised inboxes. So I think that there's an evolution to in large part driving the broader adoption and
the different ways that we have to be creative with this stuff. And ultimately, like, I think
a lot of times people are like, oh, well, no one can impersonate your fingerprint. No one can
impersonate your, you know, eyeball or something. But I suspect that there is a creative ghost of
Christmas future out there that will be able to do such a thing once that's normalized.
Those pesky bad guys, even for the push authentication,
which I really like, they do this really low ball attack sequence
where they just feed you more and more options to hit the button
so much that it annoys you so much that you just push the button to make
it go away, thus authorizing the bad guy to get into your system. So it's so low tech that it
works, right? It just kills me. It's a DDoSing by being profoundly annoying.
Yeah.
So I think we've covered the Ghost of Christmas past with the multi-factor authentication.
Any last thoughts from anybody?
Well, it seems like, as you pointed out,
it's been 60 years.
So the gap between the invention of passwords
and multi-factor authentication was probably 40 years?
40, yeah.
Right?
So then we've had multi-factor for 20.
Is it going to take 10 to get passkeys fully engaged?
That is some high-order math, Dave, that I can't do.
Thank you very much.
Is it accelerating?
I don't think it's accelerating, no.
I think it will take that at least a decade
to get that to be normal for everybody to use.
And who knows what might show up on the horizon
as we are working through that.
So do you think that we have to mandate
shutting off the old stuff before the new stuff can take hold?
So many people just cry and scream about stuff like that, right?
And so I think it's an interesting idea, but I don't think anybody would do it.
Well, I'm also in the camp of SMS is still better than nothing.
So if you, I mean, I know a lot of people want to make it, oh, well, you can't use SMS as MFA.
Well, for many people, that is the easiest and most applicable way for them to have multi-factor authentication.
And for most people, that's good enough.
I agree. It's better than a user ID and password.
So why not?
Okay, so why not?
And it's easy.
Yeah, there's no catch-all easy solution,
although it would be nice if in the future there really was one
and everything had MFA by default.
Regardless of what you choose, you have to choose something.
But what if the big players, if we got, let's say, Google, Apple, Facebook,
who else?
Who's the other big one?
Microsoft.
Microsoft.
If we got those big players to all say,
okay, everybody, January 1st, 2027,
we are going to transfer everything.
We are going to migrate you to passkeys.
And you have a year beforehand where we're going to try to show you how to do it. And we're going to make it as easy as possible. But
this is happening. We have all decided. What if CISA said, you know, we want everyone to do this?
What if, dare I say, it was regulated. Oh. Are you sure this is not the Halloween episode
where we're supposed to be afraid of everything?
Dun, dun, dun.
Well, there have been strides in that.
Microsoft, during the pandemic years,
made big pushes for their user base
on their Windows clients
to get away from user ID and password to log in.
And so, but they didn't get rid of the old way.
They just put the new way up front.
So maybe that's the way it is, you know, make it easier that way.
I also have to say, and speaking of password innovation,
Apple via iOS and the Apple ecosystem has their own password manager now.
So with the most recent updates,
you can use Apple's built-in password manager.
They make it super easy to save and store
and access passwords,
setting up MFA, things like that.
So I do think that the organizations
of big technology companies,
consumer in terms of Apple and enterprise
in terms of Google and Microsoft
have really pushed in that direction. But to your point, Dave, I think, frankly, I don't think
there's really going to be any significant movement on a lot of the things that we would
like to see across the security landscape unless there is some sort of consequence for not doing so
beyond just paying cyber criminals when your enterprise is hacked.
So it should be interesting to see.
But yeah, for any Apple users,
if you don't have the password manager
or explaining to your family and friends
that you should use one,
there's at least a way to make that really easy now.
Well, as the ghost of Christmas past,
let me put an end to this discussion.
It feels like multi-factor authentication,
the community still has one foot deeply in the past.
So that's appropriate for me.
So I think we should call that a quits
for this particular topic.
Stay tuned.
There's more to come after the break.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
All right.
Well, I want to talk about social engineering, and I have created for you all a social engineering carol. Are you ready?
I'm ready.
Ready.
All right. Sit back and enjoy. It goes like this. Click was careless to begin with.
No one doubted it.
Careless with his passwords, with his emails,
with the relentless training reminders from IT he swept aside with a shrug.
Ebenezer Click was indifferent to cybersecurity,
right up until the night the spirits came calling
to show him the vulnerabilities of the past, present,
and the chilling risks of a future unsecured.
One foggy December evening, as he's working late,
Ebenezer is visited by a series of phantoms, ghosts of social engineering to be exact.
Each spirit arrives to teach him a lesson on the costly dangers of his negligence and the profound consequences of overlooking cybersecurity.
The first ghost, a wizened figure draped in a familiar nostalgic glow, appears and takes Ebenezer on a journey through past social engineering attacks.
Look, Ebenezer at the lessons from the past, the ghost beckons,
showing him infamous breaches like the 2014 Sony hack.
In this case, just a few unguarded emails from employees
allowed hackers to infiltrate and exploit weaknesses within the entire company.
Backdoors were found, sensitive information was leaked, and reputations were tarnished.
The spirit then takes Ebenezer to a simpler time, his very own early days at the company, when he received training on password protection and phishing.
Yet he recalls that he dismissed it,
even using the same password across platforms.
This lack of caution, the ghost points out,
has put him at risk ever since,
illustrating how old habits linger,
silently eroding his defenses.
Next comes the ghost of social engineering present,
a sharp-eyed phantom who peers over Ebenezer's shoulder at his computer.
Ebenezer, let us look at the present, the ghost says,
showing him the stark reality of today's cyber landscape.
In a blink, Ebenezer watches himself in real time, clicking on a suspicious link in a fake LinkedIn invitation.
The screen shows his profile, personal details, and even confidential work contacts copied and shared.
Without a second thought, you let an attacker into your life and into your company, the ghost says,
waving its hand to reveal an avalanche of phishing messages sent out using Ebenezer's contact list.
With each click by a
colleague, the attacker gains a foothold in the company network, positioning malware to extract
information and map out the organization. The ghost also takes him to the world of his online
presence. Posts about work and conference locations, information about his family, and even a selfie he took at his desk with passwords visible on sticky notes.
All of these details fuel the attacker's arsenal.
Social media, Ebenezer, is like handing your keys to a stranger, warns the ghost.
Finally, a hooded figure, the ghost of social engineering future,
shows him what lies ahead if he continues down this path of neglect.
Ebenezer is shown a devastating scenario where his failure to heed warnings leads to a full-blown data breach.
Critical company secrets are leaked and customers' trust crumbles.
He sees the news headlines, the frantic calls, and the massive financial loss.
His own name appears in the headlines marked by scandal and negligence.
Ebenezer Click, cause of largest data breach in Christmas Carol history.
Desperate to save his company's reputation, he struggles to recover.
But the damage to the company's name and its customer base is irreversible.
Is this truly my fate?
He pleads with the ghost, who says nothing but points toward his inbox,
where he has countless unread security updates and ignored training sessions. When Ebenezer wakes, he's struck by the realization that he's been granted a second chance.
With newfound resolve, Ebenezer rushes to his office window,
throws it open, and calls out to a passing intern below.
What day is it? He shouts, excitement in his voice.
Why, it's Cybersecurity Awareness Day, sir.
The intern replies, puzzled.
Then there's still time, Ebenezer exclaims, grinning. Time to secure every last device, every password, every soul here.
He rushes back inside, and from that day on, he's a changed man.
One who's vigilant, wise, and as ready to protect his company as he is to help others understand the importance of cybersecurity.
Ebenezer Click, once careless,
now leads with awareness and purpose,
embodying the spirit of a new kind of holiday cheer,
a world of workspaces more secure,
employees more aware,
and systems more resilient,
today and every day that follows.
Wow.
Nicely done, sir.
Okay, that is nicely done.
Incredible, Carol.
Thank you. Thank you.
Thank you very much.
As we were preparing for this show,
I went over and looked at the original Christmas Carol,
and it's a novella by Dickens.
It's very short, and Dave, you managed to hit the nuances of that by making it a very compelling and short Christmas Carol.
So nicely done, sir.
Well, thank you.
I did my best.
I did my best.
By the way, while we're on the topic here,
do each of us have our favorite telling
of the Christmas carol?
Is there one that stands out to you?
Oh, it was fun going through them this morning
as we were preparing for the show.
I will defer.
Okay, what do you like, Selena?
My favorite is The Muppet Christmas Carol.
Oh, yeah.
Yeah.
My favorite.
My favorite.
I think it's my favorite as well.
The fact that,
oh, what's the actor's name
in that one?
Rick, help me out here.
Michael Caine.
Michael Caine.
Yes, thank you.
The fact that Michael Caine
plays it completely straight
as if he is cast with
Shakespearean actors.
Yeah.
Yeah.
Totally makes it.
I'll say a close second for me is the one with Mr. Magoo.
I don't know if you have ever seen that one.
Of course I have.
Rick maybe?
Yeah.
Probably not for Selena.
Selena probably doesn't even know who Magoo is, right?
That's how old that cartoon is.
I can't say I do.
Well, there's no shame.
But the Mr. Magoo Christmas Carol
used to be in heavy rotation when I was a child.
And parts of it were frightening.
The ghost of Christmas future,
the hooded figure with the bony hand
pointing at the gravestone is quite chilling.
I will say that my second choice is the Disney version.
And I thought that they did amazingly well at casting all the Disney characters in those various roles.
Like the Ghost of Christmas Past is Jiminy Cricket, right?
And which is perfect.
It's just perfect, right?
So, that would be my second choice.
But Muppets.
We've talked about this before.
Most of those shows, the Muppet shows where they do classics,
my favorite is Treasure Island, okay?
With Tim Curry, he plays it straight, too, okay?
And that's the way that makes those shows great.
I just recently rewatched Muppet Treasure Island, actually,
after we talked about it last time.
It's so good.
It still holds up.
It's fantastic.
I really want the Muppets to do a Rocky Horror Picture Show.
Oh, man.
That would be great.
Wouldn't that be amazing?
I mean, it'll never happen, but that's one I would love to see.
Time-warping Muppets. Can you imagine? Yes. Yes. Animal in the back. I could see it now.
All right. So that's social engineering. Selena, what do you have for us?
So I like thinking about both of these topics, past, present, future.
They kind of all play a little bit into what I was thinking about recently. In the past, we saw a lot of targeting of consumers, right?
Home users, everyone had their photos that could be ransomwared.
We were all using various chat apps.
People had their home computers
versus their work computers.
And the threat actors were targeting individuals.
Everything going all the way back to the AIDS Trojan,
to pop-ups and adware and your favorite websites,
exploit kits.
And then we saw the rise of targeted big game hunting within the enterprise.
And so threat actors realize, you know, I could get a lot more money going after businesses than the individuals.
We're seeing the return to threat actors targeting people at home, on their phones, in their places where they are not conducting work.
Oftentimes those overlap, certainly, and can be threats within the enterprise. But things like pig butchering, for example, romance-based crypto scams where someone will lure them in a long con, which is kind of the evolution of romance scamming anyways.
But the payouts can be really big and cost people their entire life savings. So it's not paying $250
to get a ransomware key, but rather potentially $250,000 into a fake crypto investment.
So we've always had confidence scammers. I mean,
there are certainly plenty in the days of Charles Dickens going around in their boxes selling snake
oil, trying to get people to buy into things that didn't exist. And now what we see are the same
confidence-based scammers trying to get people to make decisions to do bad things. And in many ways,
it is coming back to the individual. And I think this plays a little bit with the MFA,
plays a little bit with the social engineering, but it's very much going and focusing on identity
rather than potentially product or service. And so I think we might see that more often.
Well, as the Ghost of Christmas Past, I remember those early days when bad guys were attacking the individuals, right? And what it exposed back in those days was the elaborate business process that cyber criminals had. I mean, just imagine what you were talking about, Selena, where some bad guy calls grandma
and says if you want your pictures of your kids and your cats back pay us a bitcoin right but
the back end of that was there were English speakers and business processes that could walk grandma through a Bitcoin transaction.
Because I don't know if I still,
I don't know if I could do that today right now
without having to spend some time, right?
So in a second language,
explain to grandma how to get a Bitcoin
so they could pay for the ransom, right?
So it exposed how organized
the back-end business process was of cyber criminals.
And we still see that.
And if anything, it's gotten better.
It's gotten bigger.
It's gotten more profitable.
And it's building criminal ecosystems that function pretty much as businesses.
And I think we're seeing the sort of pig butcher scammers,
they're having these same businesses.
They're working in groups
and trying to prey on people and their emotions and their individuality to try and get them to
do things. And I think that whether it's trying to get into an enterprise or trying to get
personal bank information, you have to be creative and targeted and kind of
using social engineering, using that identity that you might get from MFA Bypass and to target,
you know, specific individuals. And it's, I don't know, I think it's very interesting because
people, we've gone from not trusting the internet at all to trusting it and believing it and
believing everything you read to back, oh wait, we have to not trust it again.
You know, I remember about five years ago or so, and I'm probably off by a year either way,
but at the end of the year, lots of people want to talk about predictions for the
coming year, right? When I'm talking, interviewing people about what do they think is coming next?
And I remember there was pretty much consensus, and this was back in the days, the early days
of ransomware, where it was about locking up grandma's computer for 50 bucks, right? And there was consensus that in the coming year,
we were going to see ransomware fade away,
and the real action was going to be crypto mining.
Because crypto mining was kind of a victimless crime,
because you could crypto mine on somebody's machine while they were asleep,
and they probably wouldn't notice.
So you could just have these botnets of crypto miners
and that would be the way to make money.
And of course, the opposite happened, right?
The ransomware folks, they went in for big money.
They shifted from the home user to the whales
and going after corporations and millions of dollars.
So to me, it's an interesting thing to look at the past
and try to predict the future,
how here was something that a lot of people thought
it was going to go one way,
and it went exactly the opposite way of what everybody thought.
Well, and also what's interesting is, okay, if you're thinking from a threat actor perspective,
I'm doing all this crime, I'm targeting these home users, I'm getting a little bit of a payout,
but I will get more if I target the enterprises. But then you have law enforcement being like, oh, hold on a second. That's a lot of money that you're stealing.
And that is disrupting critical infrastructure. That is disrupting finance. That is making huge
waves. Wait, wait, wait a second. We have to go after them now. So threat actors.
I didn't understand that until you just said this.
I was saying,
what made them go back
to the individual?
Because the money
is where the big corporate gigs, right?
But you're saying
because they focus
law enforcement on them,
they need to go
where they're not being
paid attention to.
Is that what you're saying
the cause is?
I think that might be
playing a role
because we had this year
major law enforcement disruptions to malware ecosystems, from ransomware strains to the loaders and the botnets that were enabling this sort of big game hunting.
And it's interesting because since then, at least from a cybercrime perspective, the landscape has been fairly quiet.
We're all wondering what happens next.
And then you see the evolution of things like a lot more targeted type of threats, lower volume, very specific.
You have threat actors that are now calling people or sending phone numbers to get them to interact with them, to download something, to specifically text them on their phone, offering them a job, offering them a romance scam. So it's not necessarily...
So not as much money, but a safer way to operate, is what you're saying?
I mean, I think that could potentially be playing a role,
maybe not hitting quite as big to try and not make such a big impact. So yeah,
there might be a change in calculus a little bit with all the heat paid to
some of the most successful cybercrime.
You know, I've wondered sometimes when I'm alone.
Dangerous pastime, I know.
Well, my thoughts get the better of me.
And I wonder if there are white hat or gray hat hackers out there who quietly think about in their retirement years, will they adopt what I refer to as a nuisance ransomware?
Right. Just a low-level sort of thing where, you know what, this retirement account isn't paying off what I thought it would.
And so I'm going to send out nuisance ransomware.
Yeah, retirement job.
It's a hobby.
Right.
Keep your hand in.
You're just reaching out to people and saying,
okay, look, I locked up your system, 10 bucks.
10 bucks and I'll unlock it.
Right?
And so if you do that to enough people,
because the other part of that, speaking about the safety part,
I mean, the folks I talk to on Hacking Humans, if you go to your local law enforcement and say, somebody cheated me out of $50 through a social engineering thing, they're just going to be like, and?
Yeah.
There's a threshold.
It's like $10,000 or something like that.
Right.
Exactly. So, you know, I just wonder, is there a return?
As you say, Selena, is there a return to nuisance level, low threshold, but still profitable ransomware?
And what's the equilibrium?
Especially for a retiree.
Right.
What's the equilibrium?
Like, where do we hit where society says we can live with this?
Can I just pause before you answer that, Selena?
Because I think that's the first time I've heard it mentioned anywhere that we are considering hackers to be considering retirement for themselves.
Right?
It's the first, right?
We've never talked about that before.
Well, that's true.
I mean, so think about it.
The first generation are at retirement age now, and that's never happened before.
That's never happened.
Yeah.
So what are they going to do?
Breaking news.
If they're not collecting a government paycheck in their retirement age, then they have to find something else.
Yeah.
You know, I'm not sure. This, again, is just Selena having a hot take. But I am seeing that the rise of pig butchering
with the evolution and expansion of a lot of social engineering techniques and these scams
and fraud that are a little bit, you know, less profitable, but still kind of following some of the techniques that we're seeing.
I think that's definitely a possibility.
And I do think that right now, all different threat actors across the cyber criminal spectrum,
especially those who are a lot more sophisticated, are seeing the impacts of law enforcement disruption and wondering,
what do I do now?
And how can I either fly under the radar or should I just be out the game entirely?
Should I call it quits?
Stay on my yacht in the Black Sea, you know,
drinking vodka and enjoying the sunshine. We'll be right back.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Well, gang, I have to be moving along here.
I am actually getting a little hungry, and I have fixed myself a festive and delicious dip
for the Christmas holiday,
a cranberry jalapeno cream cheese dip.
That's right, cranberry and jalapeno.
It's red and green for the holidays.
It's a perfect mix of sweet, tart, spicy, and creamy, and it works with all the holiday flavors. So I'm going to run off and enjoy that.
And you're sharing that with the crowd, right, Dave? Or am I wrong about that?
No, I'm not sharing that with anybody. It's mine.
I am going to a white elephant party and will be wrapping up all of my presents
as something cyber related.
So maybe I will pack up some Yubikeys
and put them in various stockings.
I'll bet you're popular at parties.
Here comes Selena with her two-factor authentication.
All right, just smile.
Just smile and nod. Smile and nod.
How about you, Rick?
What are your holiday plans?
My holiday plans are to sit in front of my big fireplace
thinking about the past and not doing a damn thing.
That's what I'm going to do.
I think we can all get behind that.
The perfect plan.
Absolutely.
And that's Only Malware in the Building, brought to you by N2K Cyber Wire.
In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths,
we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind.
We'd love to know what you think of this podcast. Your feedback ensures we deliver
the insights that keep you ahead in the ever-evolving world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
This episode was produced by Liz Stokes.
Mixing and sound design by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilby is our publisher.
I'm Dave Bittner.
And I'm Rick Howard.
And I'm Selena Larson. Thanks for listening.