CyberWire Daily - Encore: Separating fools from money. [Hacking Humans]
Episode Date: December 25, 2020
Dave shares a story of airport penetration testing with a high degree of yuck factor. Joe explores research on protecting passwords from social engineering. The catch of the day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's security staff writer Lily Hay Newman on her article tracking Nigerian email scammers. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Transcript
Some people who do email scamming and get rich off of email scamming are really vocal about that in Nigeria and take pride in it and show off their wealth.
And there's kind of a sense that if people are dumb enough to get tricked, then they don't deserve to have their money.
And the scammers sort of outwitted them and outsmarted them and deserve to have it.
Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast,
where each week we look behind the social engineering scams, phishing schemes and
criminal exploits that are making headlines and taking a heavy toll on organizations around the
world. I'm Dave Bittner from the CyberWire. And joining me, as always, is Joe Carrigan from the
Johns Hopkins University Information Security Institute.
Hello, Joe.
Hi, Dave.
As always, we've got some good stories to share, and later in the show, we'll have my interview with Lily Hay Newman from Wired.
She's discussing her recent article on Nigerian scammers.
But before we get to that, a quick word from our sponsors, our friends at KnowBe4.
Step right up and take a chance. Yes, you there. Give it a try and win one for your little friend
there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they A,
my late husband wished to share his oil fortune with you, or B, please read important message from HR, or C,
a delivery attempt was made, or D, take me to your leader. Stay with us and we'll have the answer
later, and it will come to you courtesy of our sponsors at KnowBe4, the security awareness
experts who enable your employees to make smarter security decisions.
And we're back.
Joe, we've got some fun stories today.
Yes, we do.
Let me get started with this one.
This is an actual true story from a friend of mine,
actually a former professor of mine from college.
He was hired to test the security of various physical systems, let's call them.
This was not long after 9-11.
You think back, there was an era of heightened security all around.
And one of the places he was hired to test was airport security.
So here's what they did.
They hired someone who had significant physical disabilities.
And this was someone who was in a really high tech wheelchair.
Right. Right. So imagine Stephen Hawking, that sort of thing. He's got a respirator on the back of the thing. This person has a lot of tubes hooked up to him. He's a very thin,
you know, sort of frail looking person because of the situation that put him in that wheelchair.
So they hire that person, buy him a plane ticket and send him through the line.
But they gave him a little something extra to take with him to test the security.
Strapped to the side of his wheelchair, they put a colostomy bag filled with chocolate milk.
Okay.
And just to make sure there wasn't any confusion as to what they were up to,
they put a hand grenade in the bag full of milk. It was inert, right? It was inert indeed, yes. So they put an inert hand grenade.
So something that's going to create a big, you know... Something that should be obvious at what it is, right? That's right. That's right. There's not a lot of nuance to the metallic signature
that this thing will have in this colostomy bag.
And they have the bag, you know, sort of hosed up to him and lots of tubes and there's lots of tubes and beeping things and so forth.
But this is part of it.
So they put this person in line and they have someone else with him, a nurse, a handler, someone who's very friendly to sort of interact with the security people and help get him through the line.
So imagine this situation.
You've got someone here who is unable to be disentangled from his metallic wheelchair.
That's the story that they spun up here,
because if they disconnect him from all of the things that he's connected to,
he will not survive.
So they send him through the line.
And then just for good measure,
they put several people who were also on this team behind him in line to kind of put the heat on with the security people.
Right.
So they've got people saying, come on, I got a plane to catch.
You know, why are you taking all the time with this guy?
You know, I'm going to be late to my plane.
So these people are hired, you know, part of the game to be jerks.
Right.
To try to move things along.
So they send him through and the folks, the security folks do their scanning and everything.
And sure enough, what do you know?
The hand grenade got through.
Sure.
No problem at all.
Sure.
So let's walk through this.
There's a bunch of different social engineering techniques that were going on here.
Yes.
I will say this, though.
The crew of people behind them yelling at them may be part of the test, maybe not part
of the social engineering organization, because I believe that they're trying to emulate actual
angry passengers. Yeah. Well, I think the social engineering component of that is you're trying to
put more pressure on people whose job it is to test these things. That's right. You want to get
them to hurry it along. Right. The bigger part of this social engineering piece is that here's a frail guy who has already been through a lot of stuff.
Let's not hassle this guy anymore.
Right.
And we need to.
What are the odds that this person is up to no good?
Right.
So you've got that coming into play.
So there's social engineering there of saying, you know, well, you know, this person probably is not going to cause any trouble.
So let's give him a cursory check.
He has this
wonderful person with him, this nurse. What are the odds that we have a problem here?
Right.
But of course, the test was to see how easy it could be to get something through here. And this
is the kind of thing where if some bad guys wanted to get something onto a plane, well,
this worked.
Who's going to want to touch a colostomy bag?
Right.
You know?
Right. So you're dealing with a yuck factor. Right. Exactly. So you've got sympathies,
right? People have a natural, they don't want to put this person through any further indignities.
Yep. You've got the yuck factor, like you're talking about, and then you've got the pressure
factor behind you of people yelling at you. And all that makes for something that pushes
essentially a weapon through the security process. Right. And made it through without a hitch. Right. So an interesting lesson
there, you know, a little different from some of our cyber stories, but certainly an interesting
exercise of lots of combined social engineering techniques. Yep. And these folks were successful.
I would consider that a physical penetration test. Yep, absolutely. All right. So what do
you got for us this week? So I have something on one of my favorite topics, Dave, and that's passwords and breaking them.
Okay.
And it seems that the norm is that password use and password choosing, I guess you could say,
is risky and lazy at best.
Right. We reuse passwords, period.
Right. We're reusing passwords or we're slightly modifying a password and then reusing that.
Right.
So some researchers at Virginia Tech
have published a paper back in March of this year called The Next Domino to Fall,
an empirical analysis of user passwords across online services. And they document their password
analysis. And what they did was Virginia Tech researchers showed that more than 16 million password pairs can be cracked with just 10
guesses. So if I know who you are, and by password pair, they mean username and password.
Right.
So if I know your username, like let's say in a breach that's happened, I get your email address.
Well, chances are you will use that email address across multiple sites.
Sure.
So if I see the same email address and I know that you reuse passwords or I think that you reuse passwords and you do reuse passwords or you slightly modify them and then reuse them, then I can guess your password in less than 10 guesses.
That's what these researchers are saying. Wow. What stood out for me in the paper, one of the points that stood out for me was they collected 497 million passwords that were hashed and they were just hashed. They weren't salted.
They were just plain hashes, but they broke 460 million of them in a week.
Wow. That's 92% of half a billion passwords they cracked in a week. Okay. So that alone
speaks volumes to the problem, right? The study was demonstrating the social engineering that's
involved in understanding that people reuse their passwords or just slightly modify them.
Virginia Tech then provided the data set anonymized to Dashlane. And Dashlane researchers
noticed the prevalence of something called password walking, which is the practice of using
letter and number combinations that are next to each other on the keyboard.
So, you know, you think of 1, 2, 3, 4, 5, 6 or Q, W, E, R, T, Y.
Right, QWERTY, yeah.
Right. You don't really think of 1, Q, A, Z, X, S, W, 2. Because if you look at that as a password string, you're going to say, hey, that looks kind of normal. But if you look at a QWERTY
keyboard and just go down the first column and back up the second column, there's your password.
I see.
Right? And Dashlane noticed a prevalence of that as well.
Interesting.
Also, lots of people use brand names as well as the names of cultural and musical icons
in the report. So like Pokemon and Metallica and Star Wars were in there.
These are remarkably easy to guess. They fall very quickly just to a basic dictionary attack
because the word Metallica is going to be in every single password dictionary. Some passwords were obviously created out of frustration.
They noticed the use of some profanity in these things.
Of course, naughty words and phrases.
Exactly. The research noted that it's difficult for people to remember
passwords for each of their 150 plus online accounts and then plus their business accounts
and everything. And the solution that most people arrive at is they're just going to reuse or modify passwords.
And that's an untenable situation.
Right, right.
For example, I can see, you know, someone decides that they want to use the word hedgehog as their password.
Right.
And then they'll use hedgehog Facebook to log into Facebook, hedgehog Twitter to log into Twitter, and hedgehog Bank of America to log into Bank of America.
Well, those are all going to get cracked probably in under 10 guesses.
Well, and if I get one of them, it doesn't take a rocket scientist to figure out what
the pattern might be for other login places, right?
Yeah.
If I break your Twitter password and find out that it's Hedgehog Twitter, then I'm going
to guess.
The first guess for Facebook is Hedgehog Facebook.
Right.
Right. So this harkens back to one of my points of evangelism that I say over and over and over again, and that is use a password manager. And use a password manager and set all of your passwords
to random 20-character passwords at a minimum. And I've gone over this before, and I say this
at every talk I give, you don't just
go in with the monumental task of going in and changing all your passwords, you just start using
a password manager. And over time, as you start logging into sites, you look and see if it's in
your password manager. If it isn't in your password manager, you add it to your password
manager and you change the password the next time you log in. Right. Just start modifying it as you use it. And this will have the effect of the websites that you use most frequently, which are
probably the most important to you, will get changed first. And the websites that are least
important to you that you don't use that often will get changed later down the road. So it
automatically prioritizes this for you. And in effect, it'll bulletproof you from these sorts of
social engineering attacks. Well, it'll bulletproof you from the social engineering attacks. That's right. They won't
be able to use that because you'll be just using some random set of characters, numbers, letters,
and uppercase, lowercase, all that. But you're still going to be vulnerable to a brute force
attack. But it's still going to be very, very hard to randomly guess a 20-character password,
even with an MD5 hash, which is a very
fast and very weak hash for password security. So I guess you sort of shifted to that scenario
we joke about, where if you and I are being chased by a bear, I don't have to outrun the bear,
I just have to outrun you. Right. So if the bad guys will go after the weak passwords first,
presumably. That's right. They'll pick off the little weak, sick ones. Right. Exactly.
All right, Joe, it's a good one. Protect yourself from those social engineering attacks.
Password managers, random long strings.
Yep.
All right, Joe, it's time for our catch of the day.
This week's catch of the day comes from friend of the show, Graham Cluley.
He had something he put up on Twitter. He said,
Sheesh, my dumb email filter shoved this email
from JP Morgan in my spam folder. Imagine if I hadn't spotted it, I could have missed out on
millions. I'm going to read the email here. I was really tempted to read Graham's part with a
British accent because, of course, Graham is, and he loves it when I do that. But I resist. So
here's the letter. Dear Sir or Madam, I am the operational manager in account management section
in charge of credit and foreign bills of J.P. Morgan Chase Bank here in USA. I helped a customer
purchase security bonds worth $6,500,000 in the capital market. The customer dies in an accident
in testate with no one to succeed his estate. Been the one that handled his financial affair for
the last eight years, the private firm where the funds is presently lodged after I liquidated the
security bonds from the various investment is simply waiting for me to present the next of kin.
I am prepared to place you in a position to instruct the bank to release the deposit to you.
Please use my private email account to contact me if the proposal is of interest to you.
Regards, Mr. David Kent, JPMorgan Chase Bank, USA, borough of New York City.
Graham, you're going to be rich.
What are you going to do with all that money, Graham?
I hope he shares it with his friends here in the USA.
So pretty straightforward.
I mean, pretty, pretty obvious.
I mean, this is about as classic.
I don't have a copy of this.
How do they spell intestate?
I-N space T-E-S-T-A-T-E.
Because I thought they might have spelled it as more than one word because it is one word.
Ah, okay.
Meaning without a will.
Ah, all right.
Yeah.
So, you know, about as straightforward as a Nigerian email scam is without actually talking about a Nigerian prince.
Right.
It's coming from a very reputable source, JPMorgan Chase, right?
That's right.
You've heard of JPMorgan Chase.
Absolutely.
You've never heard of some guy in Nigeria who claims to be a prince.
And if anybody was going to have $6.5 million sitting in the bank.
They'd keep it at JPMorgan Chase.
It would be JPMorgan Chase, right?
So all the, yeah, I mean, legitimacy here.
You can see how someone could possibly fall for this.
But the English is so broken.
Yeah.
It's obviously not somebody from New York.
And as Graham pointed out, this got automatically routed to a spam filter. So
bravo to whatever email service he's using that they recognized it and routed it there. So,
all right, that is our catch of the day. All right, coming up next, we'll have my interview
with Lily Hay Newman from Wired. But first, a message from our friends at KnowBe4.
And what about the biggest, tastiest piece of fish bait out there?
If you said, A, my late husband wished to share his oil fortune with you,
you've just swallowed a Nigerian prince scam.
But most people don't.
If you chose door B, please read important message from HR.
Well, you're getting warmer, but that one was only number 10 on the list.
But pat yourself on the back if you picked C, a delivery attempt was made.
That one, according to the experts at KnowBe4,
was the number one come-on for spam email in the first quarter of 2018.
What's that? You picked D, take me to your leader?
No, sorry, that's what space aliens say.
But it's unlikely you'll need that one unless you're doing
The Day the Earth Stood Still at a local dinner theater.
If you want to stay on top of phishing's twists and turns,
the new school security awareness training from our sponsors at KnowBe4 can help.
That's K-N-O-W-B-E, the number four, dot com, slash phishtest.
Joe, earlier this week, I had the opportunity to speak with Lily Hay Newman. She's the security
staff writer at Wired, and she recently authored a story for them, and it was titled,
Nigerian Email Scammers Are More Effective Than Ever. Here's my conversation with Lily Hay Newman.
I think for a lot of us who've been at this for a while, who've been around throughout the years from the beginnings of email, the Nigerian Prince scam was probably one of the first
scams that we may have seen, certainly related to email. Can you take us through
the history and evolution of these scams coming from Nigeria? They are very classic and kind of
embedded in popular culture, mainstream thought, I feel. People reference the Nigerian prince scam
kind of all the time, just casually. Basically, the scams are very consistent and they noticeably have not evolved
that much. They definitely have in some ways and some of the techniques are improved or changed or
updated. But what's most impressive about them, I find, is that they're really based off of very
simple confidence man hustle that dates back even farther than email,
truly the classic schemes that are sort of feeding on urgency, feeding on compelling story,
a simple story, not too many details, and just going after a big population,
and you only need a few people to get tricked.
So all of it is very classic, very sort of elegant, simple premise.
Obviously, the Nigerian prince scam itself, which now I think most people would be wise to that specific one because it is so well known,
is a foreign royal, or, you know, someone who claims to have some sort of like royal mystique or status in their community or their country, reaches out and says,
hey, you know, I'm trying to move a lot of money out of my country, if you'll pay to help me do a
wire transfer, you know, you'll give me some money so that I can then
move a lot of money.
That would really help me because I'm in a bad situation or something like that.
And so it's just that simple idea of it's sort of a celebrity or someone important asking
you for help and you don't have to do very much.
Maybe it doesn't raise alarms that
it would be sort of all your money or something like that. It's just sort of a good amount of
money, and you really want to help and you really want to do something quickly, and then you're
going to have the promise of all this money back. So all the scams kind of work that way. They just
don't necessarily use that hook of like a foreign royal person or
important person, but they're all just operating on this premise of sort of give a little, get a
lot. And one of the things you pointed out in your story was how they're targeting small businesses.
Right. So I would say that that's the biggest change in the past few years. This concept of business email compromise
has really grown.
And there's always been, businesses have money.
People have always been trying to steal the money.
So again, it's not that much of a technological innovation
or something.
It's just that these types of scams,
the scammers realized, oh, we can do a lot of the same stuff
and just sort of tailor it to business
and it'll be effective there too and the money could be even greater. And one of the smartest
things they do is they'll tailor emails to appear to be a real vendor or someone that a business
really could conceivably contract with and just send a
professional looking invoice. They figure out, try to map out who in an organization
is the right person to send this email to, or they'll send five of them or something,
trying to find the people who handle financials within the company. And again, an invoice that
looks pretty legit and is asking for the company
to pay a reasonable amount of money, like this person would approve every day. Yeah,
it's the same urgency of, well, this is what I'm supposed to do. I pay bills all the time.
And if we don't pay the bill, the company gets in trouble. So of course, I would pay the bill.
But instead, you're actually wiring money into the scammers hands.
Yeah. One of the interesting points you made in the article was that these folks aren't
technically sophisticated, but they have a tremendous amount of patience.
Yeah, there's a lot of patience. There's a lot of faith in the hustle, basically,
that if they work hard enough on refining it, and if they cast a wide enough net that they will get
some people to pay out, that they will trick some people.
So there's really sort of a maturity to the concept that there's a lot of restraint and just sort of it'll work.
Let's just keep doing what we're doing.
the scammers is that many of them come out of these Nigerian sort of crime syndicates, sometimes called confraternities, that are sort of mafia-like gangs. There's a whole cultural
growth out of these groups. There's a whole lifestyle that's part of it. Some people who do email scamming and get rich off of email scamming are really vocal about that in Nigeria and take pride in it and show off their wealth.
And there's kind of a sense that if people are dumb enough to get tricked, then they don't deserve to have their money.
And the scammers sort of outwitted them and outsmarted them and deserve to have it.
Yeah, so there's just this whole community element, cultural element.
And that has allowed the infrastructure for the scamming to kind of build up all over the world.
Because it starts with these sort of insular groups in Nigeria.
But then as people live their lives
and emigrate around the world, the scams kind of move with them and they're recruiting money mules,
they're recruiting people in all different places to carry out different parts of the schemes.
So it's really built up this sort of international infrastructure of how the scamming works. And then
it's just coming from everywhere and coming from all sides.
And though most of the easy ones are going to get blocked by your spam filter and stuff,
the fact that it's spread out all over the world does make it difficult for email providers
to keep up with the blocking because it's just coming from everywhere and the emails
look really legit.
And why Nigeria? Has the Nigerian government turned a blind eye to these folks?
I think that is part of it. As the international law enforcement community has attempted to respond
to this, there have been issues at times getting the Nigerian government to cooperate
with apprehending suspects themselves or allowing extradition.
But there is traction to maybe kind of turn the tides on this. I just reported this week on an
announcement from the Department of Justice that they had completed an international operation to arrest 74 scammers, some in Nigeria,
some in the US, and a few in other countries. And they're sort of doing a lot of international
collaboration and trying to gain steam on doing this. And in that case, there was cooperation within Nigeria. So it's getting there. But for
many, many years, this has just been unchecked and there weren't a lot of consequences and just
free money. What are the recommendations for people to protect themselves against this? Is
it a matter of technical solutions or does training come into play? I think for businesses, some of
the things that are helpful are requiring two people at least to sign off on big transactions
over a certain amount. That's sort of, I mean, probably in practice, businesses doing tons of
transactions every day and paying tons of bills,
it probably does add some friction into the system. But when you have a second person look
at something, they might immediately say something's weird about this, or they might
be the person who says, we don't contract with that person. We don't contract with that company.
I don't know what this is. So getting a second check is always helpful. And that's also in a less codified way.
That's a great tip for individuals when you're feeling caught up in something and you're
feeling the urgency.
It may feel like there's no time and you have to act right then, but you really can take
a few seconds and message a friend or call someone and say, what do you think of this?
Do you think I should do this?
And just getting that gut check, sometimes just verbalizing it to someone else, you hear yourself
and you think, oh, wait, no, this is a scam. Right. Yeah. How many times do all of us look
back and say, what was I thinking? Right. Exactly. So, yeah, maybe it's kind of embarrassing,
but it's definitely worth it versus having your money taken. So things like that are
really helpful. There's a lot of controls they can implement in their email to make it a little
more obvious when something might be fishy. Another way that the scammers will try to initiate
something is to send emails that pretend to come from a higher up in the company, like an executive or somebody's
boss. And generally, they're using email addresses or email domains that look like the company
email address, but they're actually a little bit different in some way because the scammer doesn't
actually control the real email. What you can do in that case is businesses can implement controls
on their email so that any address that isn't from internal within the company just gets a little flag that it's not internal.
And most of the time when you're emailing with a vendor or something, you know that they're not part of the company.
So that is fine, and you just ignore it.
But if something's flagged and it looks like it's from your boss, that can tip you off, you know, that maybe something's weird there. But it gets tough because if they can, if a scammer or a
phisher can compromise a real email address, like if they can guess a password or something, or
someone used a reused password that was exposed in a leak, and it's online or something like that,
sometimes they could be sending the emails from a legitimate address, and that protection wouldn't apply. So it gets really hairy, but there are steps people can take to at least help and kind of minimize the risk as much as possible.
All right. Interesting stuff, huh?
I thought that was a great interview.
One of my takeaways from this is that these guys in Nigeria seem to live by the adage or principle, rather, never hesitate to separate a fool from his money.
Right. And that that's perfectly fine.
Right.
You asked him for the money. He sent it to you.
It's an interesting, I guess, moral construct.
It is.
It's not my moral failing for taking the money from you, it's your failing for being gullible enough to give it to me.
Right. And I kind of disagree with that. Sure. I kind of disagree.
Yeah. Yeah. But, you know, they do have a different moral construct, it seems.
Yeah, absolutely. I also really liked her advice of talking it over with somebody.
She called it a gut check. I think that's great. When you start saying something that you're
thinking and it sounds stupid, and this happens to me a lot, right? Like I'll be talking to someone
and I'll be saying something. I'll go, wait a minute. This is just a terrible idea, right?
And it doesn't have to be with anything like this. It can be like with our plans for the day.
It can be something as simple as that. And just the fact of dumping that out of your mouth and saying it to somebody can
let you know by hearing yourself say something that just lets you know that this is a profoundly
bad idea. Right, right. All right. Well, that is our podcast. Thanks for listening. And a final
word about KnowBe4 who sponsored our show. They've got new school security awareness training, and their platform is user-friendly and intuitive. It scales from 50 to 500,000 users and was built for busy IT pros
that have 16 other fires to put out. Try their free phishing test at knowbe4.com/phishtest.
That's K-N-O-W-B-E, the number four, dot com, slash phishtest.
Thanks to the Johns Hopkins University Information Security Institute for their participation.
You can learn more at isi.jhu.edu.
The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Thanks for listening.