Reply All - #97 What Kind Of Idiot Gets Phished?
Episode Date: May 18, 2017. This week, Phia wonders what kind of person falls for phishing attacks. Is it only insanely gullible luddites, or can smart, tech savvy people get phished, too? To find out, she conducts an experiment... on her poor, unsuspecting coworkers. Follow Daniel Boteanu on Twitter.
Transcript
From Gimlet, this is Reply All.
I'm Phia Bennin.
So for the last couple of weeks, I've been wondering nonstop about the same question.
The question is about this kind of hack, phishing.
I've always had the impression that phishing is something I shouldn't worry about.
Because nobody really falls for it.
And even here at work, in March, we were trying to figure out how Alex Blumberg's Uber account got hacked.
And when Alex Goldman even suggested the possibility
that he might have gotten phished,
Blumberg got genuinely annoyed.
Do you know what phishing is?
Yes.
Did that happen?
No.
You seem so mad.
I can't imagine giving my password
to somebody who wrote to me over email.
Blumberg felt about it the way I did.
Phishing is for dummies.
But then, a month later,
news came out that the president of France,
his campaign got phished.
Like some of his staffers ended up handing over
their personal passwords.
And actually, I started to notice that a lot of the hacks that I'm reading about recently,
they start with phishing. John Podesta, that was phishing. The Sony hack by North Korea, that was
phishing. And it got me wondering, what kind of person gets phished? Is it just insanely gullible people?
Or could it happen to the smartest people I know? People like Alex Blumberg. So I called up
this guy I know, he's a computer hacking expert, and I asked him, like, how hard would it be to rig up a test to phish Alex?
He said, that'd be no problem.
And I thought, huh, in that case, like, maybe we should try it on everyone at Reply All.
He said, sure.
So he sent every member of the Reply All team some kind of phishing test.
And a couple days later, I asked Alex.
Alex Goldman, PJ Vogt, and Alex Blumberg to meet me in the studio.
Should I have my mic like?
And they had no idea what it was about.
Okay.
So you know how I have been pretty obsessed with like how we could get hacked?
Yeah.
And I spent a few weeks just looking into a bunch of different theories of what,
how somebody could hack into a computer, into a Gmail account.
And one of the theories that came up that we didn't really spend any time on is phishing.
Yeah, because when it came up, people got offended.
I was offended.
I associate phishing with like a clumsy attempt to get you to reveal your password that I
feel like I wouldn't fall for.
Well, so after you got offended, I got really curious.
And I ended up talking to this one guy.
He's a digital forensics investigator.
Daniel Boteanu.
Daniel Boteanu.
I remember him.
Now good friend of the show.
Real charmer.
Total charmer.
So.
don't be mad at me.
Uh-huh.
But I asked Daniel if he would try a phishing test
on the staff of Reply All
and on Alex Blumberg.
All right.
Oh, damn.
Oh, that is so devious.
I'm so mad at you if I clicked on it.
So, oh, I'll just add one detail,
which is before I did any of this,
I went to president of Gimlet Media,
Matt Lieber, and said,
is it okay if I ask this man to do this thing?
And he said yes?
Matt Lieber said yes.
He pointed out that without permission,
somebody could be phishing us also.
Usually, like, I go to Matt for my nos
and Alex for my yeses.
I'm surprised you got a yes out of Matt.
The suspense is killing.
I got to say,
Matt Lieber actually,
said during the whole Uber thing that he suspected that Alex had been tricked by a phishing
campaign.
Oh, this is a little personal for him.
Yeah, he has a very low estimation of you, apparently.
He was like, not every relationship has to be a PJ and Alex.
Well, so, okay, so Daniel started his test on a Monday morning, and by 6 p.m., the same day,
he had control of somebody's email.
Alex is slowly opening his laptop.
Well, so, okay, so before we started, I had no idea how Daniel was going to be able to do this.
But watching him work just opened my eyes to all these different things phishing was capable of.
And the first thing that I saw is that Daniel can impersonate anybody.
And he said, actually, for this test to test like my coworkers, he was going to impersonate me.
Oh.
So to start with, let me tell you what happened to our executive producer, Tim,
because Tim was editing this piece,
he was the one person on staff
who knew that this phishing test
was going to be going on
and he didn't know what was going to happen,
but it just made him incredibly paranoid.
So for the last week and a half,
he's been sending me slack messages
like almost every day being like,
I was just phished.
You just attempted to phish me.
I'm catching you.
He's phishing himself.
Yeah.
So Monday morning,
Tim slacked me
and was like,
what's the audio you're emailing me about?
And I have no clue what he's talking about.
But I see him in the kitchen, so I grab my phone, hit record, and meet him there.
At which point, it's clear he's just realized what's going on.
What?
What?
I just sent you audio.
Yeah.
Should we go into the stairwell?
Yes.
Okay.
Yeah.
Yeah.
You don't know about the email you just sent me?
No.
So I just got an email.
Uh-huh.
That was, it had an audio file.
It was sent to me, Alex and Sruthi.
So I click on it and it says,
Gmail, you know, one password to rule them all, whatever.
And it asked me for my password.
So I said, fuck this.
And I wrote back, can you slack me the audio?
Uh-huh.
Because I don't want to.
I'm already signed into Gmail.
Yeah.
So I could tell that it's a phishing attempt, or some smartass
is actually emailing me.
Uh-huh.
What's messed up about it is that like somebody on the other end is emailing me right now,
pretending to be you.
Yeah.
It sure fucking looks like you.
Really?
And I clicked on the thing and it says like...
He shows me the email and it's crazy because it completely looks like it's coming from me.
Like it looks like it's coming from phia at gimletmedia.com.
But obviously I didn't send it.
Yeah, look it.
There it is.
Hey guys.
Ah, phia at gimletrnedia. That's so funny. R plus N looks like an M.
Okay, now I really want to fuck with this person.
Let me explain how this works.
Daniel had bought a domain.
He bought the domain gimletrnedia.com.
And he was sending the emails from there.
But gimletrnedia looks exactly like gimletmedia.
Wow.
Damn.
And after all of that, Tim and I were walking back to our desks and he was like,
So what's the audio you were trying to send me?
He's like a mouse trying to get cheese out of a trap.
Okay, so here's the second thing I learned.
You don't even need to fall for the scam for Daniel to learn a ton about you.
Okay.
So, for instance, PJ, you received this email that looked like an invoice coming from a consultant.
And when you clicked on the link in the invoice, it took you to a page that looked like a Google login page and asked for your username and password. You didn't put anything in, but over in Toronto, the hacker, Daniel,
he was still watching you interact with that fake page. Here's Daniel. My records show that he
clicked on it from an iPhone. Probably saw that it was something suspicious, clicked on it a second
time from an iPhone, and then I have records showing that the same link is open two more times
from Mac computers, but two different computers. So I'm guessing PJ saw that,
something was going on and he started digging a bit deeper and trying to find out what happened
or what's happening with this email. And I'm suspecting that after PJ maybe sent an email
internally saying, hey, guys, this is what I got. Just be careful. Don't click on this email.
Wow. He could tell that. It's so funny. It's like knocking on the door of somebody's house.
Like even if they don't answer like a light turned on, it turned up like he can figure stuff out.
Right. Yeah. Like I opened it. I opened the email, thought it was real.
And then, like, I figured out what it was.
And I was really curious.
Like, I was like, oh, I wonder if I can learn anything.
So I was, like, trying to, like, examine the package to figure out what was going on.
And the moment that I was, like, definitively realized it was fake was that in the signature of the email, there's a phone number.
And I Googled the phone number.
And the phone number didn't go to, like, the made-up company that they were doing.
And I posted in Gimlet Slack saying, hey,
everybody, watch out.
Someone's trying to, it seems like someone's targeting Gimlet in particular.
Right.
And the reason Daniel thought you had done that is because he'd sent the same email to a bunch of members of the team.
And after you looked at it for the fourth time, nobody else clicked on it.
And that's okay for Daniel because he can try like all different methods of phishing the team and he can try it a bunch of different times.
So since you're sounding alarm bells, he probably won't include you in the next phishing attempt.
So, Alex, what did you get?
I have no idea.
I am on tenterhooks.
I do not recall this at all.
So you didn't figure out that anything was going on.
So you got an email that was just like Tim's,
but I was in the room when you got it.
And you turned to me and you were like,
what is this?
Why do I have to listen to this?
Did I open it?
You did not open it.
Congratulations.
That is definitely not because I was smart enough to recognize
it was a phishing scam.
I feel like had you not been in the room, this would have worked.
I know.
And Daniel said the same thing.
He was like, if I was trying this phishing attempt in earnest, I would have tried to
impersonate somebody who I thought wasn't going to be in the office that day.
Right.
Okay.
So now for the third thing I learned, which is my favorite thing I learned, even when you
try to protect yourself, like when you set up two-step verification, you're still not safe.
So this happened towards the end of the day.
at this point, nobody on the reply-all team had fallen for it.
I was a bit disappointed at first when I saw that, oh, it didn't work.
Maybe we did this.
All of the emails came at the same time.
We should have changed some things.
But then we got the big tuna.
So the big tuna.
I think we all know who that is.
So it worked on me, but I want to claim.
Just skipping over.
Oh, yeah.
Wait, you brushed right past that.
No, because I went, so I got the email.
What did yours say?
Mine says, hold on, mine says...
Who's it from?
Is it from Fia?
And it says, it says Uber Update.
Hey, Alex, was wondering if we're giving away too much of your personal information,
the Uber Update tape with Troy.
Will you listen and let me know what you think, not kosher, question mark?
And so...
And so it was just...
And then there's like this little thing, there's a little Uber update.
And it's coming from phia at what I now realize is gimletrnedia.com,
which is really amazing.
Like you don't, you don't notice that.
I know that that's what it is,
and it still looks like,
Gimlet Media. It's crazy.
So then, but so I didn't open it
because I was like, I don't have time.
Again, it might have worked anyway.
And then I was like up on the third floor.
You were in a meeting with.
Sruthi.
And I saw you guys.
And I went over and I, like, motioned
if I could come in.
You were in one of those glass conference rooms.
And I was like, hey, I got your email.
What's that about?
And then you looked so confused and mad
and I thought you were like having
and I was like
oh I'm just being an asshole
I just bumbled into the meeting
like I'm the CEO
I was like don't worry
don't worry I'll listen
and so then I left
and then I had this whole narrative
I was like was that would I have done that
is this like abuse of power
and I was like no, I wave people in sometimes too
it's okay so there was all this guilt
that was like sort of driving me
to like complete the task
of listening to this audio
and so then I went down there
and then I clicked on it to listen to it,
and then it's like it impersonates a Google Drive,
so then you have to go and put in your password
and stuff like that, which I did,
because I was like, I got to help,
I got to listen to the thing for Fia.
But if I don't know, yeah.
You're not only put in your password,
you put in your two-factor authentication code.
Yeah, yeah, yeah.
Yeah, so Daniel would fully be able to get into your email account.
Yeah, so how does that work?
So what did he do?
He was like, what was I putting my actual two-factor authentication code into?
What you put it into is his own little page that then forwarded it.
Yeah, so that's on a server.
And when you put in your username and your password on his page, he just immediately forwarded that to a real Gmail login.
And from there, because he put in your username and password, a two-factor code was texted to you.
And when you then put that again into his fake page,
he immediately put that into the real Gmail login page
and he was completely into your Gmail.
And the server he was using was actually based in New York.
So if you check where you've recently signed into Gmail,
it'll show a New York-based location,
which is what Daniel says they would really do
if it was a targeted fishing attempt.
That's hell of sophisticated.
It's a really interesting thing. I do feel like if I hadn't, if you, you basically said you sent the email.
I know. You did, though. You came in and I said, I don't know. And you said, I don't know, but you were like...
And you said, I didn't look at it. You don't really remember. I'll go back and check.
Right. Because I was like trying to help you out and get back to you in time.
I know. I know. Thank you. After, after rudely interrupting your meeting. It was rude.
Sorry. I don't know. Yeah. No, I mean, it feels like, obviously, like,
Yes, if you have your entire company conspiring to phish you, yes, they can trick you into clicking on something.
I don't think that proves anything.
If they know every little bit of context around your life, I think that you are being too cavalier about this.
You can be tricked.
Do you feel any differently about how offensive an idea it was that you might have gotten phished?
Yeah.
No, I mean, yes, I do.
But I'm, I feel like this will unfairly, you know, sort of solidify a narrative about me that I'm not happy about.
If you hadn't said the thing about how Matt thought that I was phished,
I would have taken this whole conversation very differently.
But yes, for the purposes of everybody out there, you too can be phished.
Yeah.
Okay.
We've kept you more time than we should.
All right.
Thanks, Alex.
I left the studio feeling like my experiment had totally failed.
I'd convinced myself that phishing was real and pervasive, but I hadn't convinced Alex at all.
All I'd done is like made him feel sucker punched.
So I decided the only reasonable thing I could do now was to expand the experiment.
The results of that after the break.
Okay.
Seriously, why are you all here?
Does everybody have a microphone in front of them?
I do.
Yep.
Okay, so the last time we were all in a room together.
Yes.
We talked about this phishing test that I had.
Yeah.
Instigated.
Yeah, which I got really salty about, which I'm embarrassed about now.
You are?
Yeah.
I think I overreacted.
I felt like I left that room feeling so guilty and just like bad about it.
No, it was just, it was no, it wasn't you, it was me.
Well.
But you did, you, you, underneath the saltiness, you were making an argument, which was that you felt like.
Because what we were trying to say, or like, I thought it was going to fit into a false narrative about me.
And rather than it being about whether fishing worked, it was about.
You felt like it was saying that you, Alex Blumberg, are like a bumbling.
Like, if everyone else is like yes on this, you're like a no somehow.
Exactly.
Well, it seemed like you agreed on an intellectual level that, like, yes, anybody is capable of getting phished, but on an emotional level, like, this didn't really demonstrate that.
Right.
Wait, are you telling me that I've been phished again?
This is what about?
God.
No, no, no, no, no.
You're probably here to murder me.
No.
To murder my ego.
No, it was just after we talked in the studio the other day, we were as a team, like, trying to figure out, like, how could we do something that, like, actually at, like, an emotional and an intellectual level felt like people get phished and without it feeling like a murky test.
Uh-huh.
So, like, and proof that, like, it's not just Magoos who get phished.
Like, smart people get phished, too.
Okay.
And so it was like, is there somebody that Alex thinks is really smart that we could try the phishing test on?
And then it would feel, and we could do it, like, very purely.
And then, like, that would sort of make you feel better.
Help me feel better by helping somebody else to feel bad.
Yeah, I've learned no lessons.
Tell more lies to more people.
Well, yes.
Right.
So it was like, should we try to phish like Ira Glass?
So your old boss?
Yes.
Or maybe your old colleague, David Kestenbaum, or your brother-in-law, who's like super, super smart.
But we couldn't actually get permission to phish Ira or David.
And it turns out that your brother-in-law doesn't really use Gmail, which we needed for this phishing test.
So then we were like, maybe we've been thinking about this all wrong.
We do know somebody that Alex thinks is smart.
And that person also is maybe the source of part of why this feels so bad for Alex.
So you look so confused right now.
Wait, did you guys phish Matt Lieber?
So I thought it might be interesting.
So, yeah.
So we thought, what if we tried it on Matt Lieber?
Yeah.
But this time I wanted it to be very pure.
So I was like, Daniel, do not tell me like, I'm not going to be informed about anything that you're trying to do.
Don't help me cook this up with you.
Right.
Just try to phish Matt Lieber.
Got it.
So.
Very exciting.
So when was this?
So this was Monday.
Okay.
So Monday.
And it's now Friday.
And it's now Friday.
Okay.
So on Monday, Daniel sent Matt the phishing test.
And literally 41 seconds later,
Matt had fallen for it, he was phished.
Wow.
So, obviously, I wanted to tell him what had happened,
and I grabbed him, brought him into the studio.
I think this is the first time I've been in a studio.
But before I could tell him he'd been phished,
I had to tell him that you'd been phished.
And as soon as I told him that, he actually just started, like, crowing about it.
He fell for it?
Yeah.
No.
He fell? He got phished?
Yes.
Amazing.
So you, he, you, okay, so you successfully, um,
Um, phished Alex, your boss.
Yes.
Okay.
Wow.
Yeah.
Ooh.
So when we started this whole project, did you think that Alex, like, did you think that he was likely to fall for it?
Yes.
Why?
Um, uh, how do I say this without being like, oh, he's a totally credulous dolt?
In general, he's a, you know,
he's a very, he's a, he always assumes the best in people.
Mm-hmm.
And he's generally like a very empathetic person.
That's one of his superpowers.
And so I don't think he's like looking out for people who are trying to screw him.
Uh-huh.
I'm the more like skeptical person when it comes to other people's motives.
Yeah.
Okay.
But I just want, I don't want to come off like I'm being a jerk about Alex because obviously Alex is like a great journalist.
which requires him to be skeptical.
And the truth is the fact that he was phished tells you that this could happen to anyone who is targeted.
Right.
So I think the same thing you think.
I think like everybody needs to be like crazy paranoid all the time and it is possible to phish anybody if you're targeting it.
But Alex felt like it was like not a clean test and therefore he like doesn't feel like anything's been proven.
I'm, of course, terrified that you're going to be like, we also phished you and we did so successfully, did you?
Well, have you received anything weird from anyone?
I don't know.
Like, anything like today, maybe?
Oh, my God.
Did you phish me?
Oh, my God.
Now this is like we're in a David Mamet movie.
I feel so, I'm...
This is like the worst experiment I've ever done.
So earlier today, you got an email from Alex Goldman.
Uh-huh.
At...
Oh, my God.
Fucking Goldman.
That was weird because of the way the file was attached.
Uh-huh.
The weird thing about it was because I kept having the two-factor authentication thing.
Oh, my God.
This is just, this is humiliating.
Because I've sat here in judgment of Alex.
No, but you actually like this confirm, does this confirm for you that it could happen to anyone?
Yeah, it could happen to anyone if you're an idiot like me.
God, he's so, this Daniel.
We should, we need to hire this Daniel guy.
He has such good insight into what would tweak people.
Uh-huh.
Because he sent me an email saying, as though it were from Alex Goldman, saying one of our producers found this document posted online, which reveals Gimlet's salary levels.
Is this something that you think should be public?
And I was like, I was like, oh, my God.
Because if everyone's salaries got out, it would be like a nightmare, right?
So I click on it.
It's a PDF.
And in order to view the PDF, I have to log into my Gimlet account.
Yeah, yeah, your email.
Which I do.
I put in my username and password, which now I need to change.
That's why I want to talk to you.
And then I did the two-factor authentication.
I responded to Alex and I cc'd Katie Christians
and our director of people ops
who is the person who would know what the answer
like why is this out here
and she said I can't see the file
and when I went back to download it again
I had to do the two factor again
and I'm like that doesn't make sense
I just did the two factor authentication
why would I have to do it for a second time
but of course I was like in the middle of a bunch of things
and I was just like whatever it's Google I trust Google
Yeah.
And I put it in.
I feel like such a jerk now.
I feel like a jerk because I was saying like, oh, Alex Blumberg, what an old person who doesn't know how to, like, protect himself in the real world or online because he doesn't have me.
Mr. Savvy, like Mr. Savvy skeptic who were like, terrible.
Wow, this was a real comeuppance.
So that's what happened to Matt.
God.
I feel terrible now because I feel better.
Then, like, one of my goals actually happened.
Yes, I do feel better.
You do?
Because I do, like, I do feel like Matt is the way more suspicious one.
And if I had to choose, like, which of us is harder to fish, I would have chosen Matt, for sure.
Here's the one thing that comforts me a little bit.
I never phished anyone that I assured I wasn't going to phish.
And that is a small comfort, but it is a comfort.
That is wild that that helps you sleep at night.
It does.
It is really.
So I want to say now, I promise to never phish anyone in this room again.
Just in this room?
Yeah.
Reply All is hosted by PJ Vogt and me, Alex Goldman.
Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti.
Production assistance from Sharina Ong.
We're edited by Tim Howard and Jorge Just.
We're mixed by Rick Kwan.
Special thanks to Kashmir Hill, Emily Kennedy,
and a huge thank you to our phisher, Daniel Boteanu.
Our theme song is by the Mysterious Breakmaster Cylinder,
and our ad music is by Build Buildings.
Matt Lieber is Bubble Tea.
Applications are open to be Reply All's fall intern.
The deadline for applications is 9 a.m. on May 29th,
and you can find out more on our website,
replyall.com.
And you can find more episodes of the show on Apple Podcasts, Spotify, or wherever you get your podcasts.
Thanks for listening. We'll see you next week.
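Added example, not part of the episode or of any Gimlet code: the sender check that would have caught the trick Daniel used, where gimletrnedia.com passes for gimletmedia.com because "rn" renders like "m" in most fonts. It goes slightly beyond the episode by folding in a few other sequences that are visually confusable in the same way. The trusted domain, the sample From headers, and every function name here are assumptions constructed for the illustration.

```python
"""Flag lookalike sender domains in From headers.

Added example (not from the Reply All episode). The trusted-domain set and the
sample headers below are constructed for this illustration.
"""
from email.utils import parseaddr

# Assumption: the only domain we treat as our own.
TRUSTED_DOMAINS = {"gimletmedia.com"}

# Multi-character sequences that look like one letter in proportional fonts.
# "rn" -> "m" is the substitution described in the episode; the rest are
# common siblings. Listed longest-first so they are applied before any
# single-character mapping below.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Single characters routinely swapped for a letter they resemble.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "5": "s"}


def skeleton(domain: str) -> str:
    """Collapse a domain to a visual 'skeleton' so lookalikes compare equal.

    skeleton("gimletrnedia.com") == skeleton("gimletmedia.com")
    """
    s = domain.lower().strip().rstrip(".")
    for seq, rep in CONFUSABLE_SEQUENCES:
        s = s.replace(seq, rep)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)


def sender_domain(from_header: str) -> str:
    """Return the domain part of an RFC 5322 From header, lowercased, or ''."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str) -> str:
    """'trusted', 'lookalike', 'external' or 'unparseable'.

    Comparison is deliberately exact on the registered domain: a subdomain
    or a near-miss that is not a confusable still counts as 'external', so
    the reviewer has to look at it rather than having it auto-whitelisted.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    trusted_skeletons = {skeleton(t) for t in TRUSTED_DOMAINS}
    if skeleton(domain) in trusted_skeletons:
        return "lookalike"
    return "external"


def triage(from_headers):
    """Classify a batch of From headers; returns [(header, verdict), ...]."""
    return [(h, classify_sender(h)) for h in from_headers]


# Constructed sample headers modelled on the episode's three lures.
SAMPLE_FROM_HEADERS = [
    "Phia Bennin <phia@gimletmedia.com>",      # genuine colleague
    "Phia Bennin <phia@gimletrnedia.com>",     # Daniel's lookalike domain
    "Alex Goldman <alex@gimletrnedia.com>",    # the salary-document lure
    "Billing <invoices@example.net>",           # the consultant invoice
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:11s} {header}")
```

A mail gateway or a Slack bot that wraps `classify_sender` would have tagged all three of Daniel's lures as "lookalike" before anyone opened them. The skeleton is only ever compared against your own trusted set, so a legitimate third-party domain that happens to contain "rn" is not affected.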
