Recorded Future News Announcer (2:46)

Looking for more of the cybersecurity and intelligence coverage you get on Click Here, then check out our sister Publication the Record from Recorded Future News. You'll get breaking cyber news from reporters in New York, Washington, London and Kyiv, among others. And you'll see for yourself why it attracts hundreds of thousands of page views every month. Just go to the Record Media.

Dina Temple Raston (3:13)

I'm Dena Temple Roost and this is Click Here's Mic Drop. Dan Guido runs a cyber security company with a curious name Trail of Bits.

Dan Guido (3:26)

I like the name. There's a lot, there's a lot to like about it. There's a long story about that. It's like alternately ancient Mayan death chant. It's like a punk rock band, fun little play on words to describe the trail of digital evidence that you leave behind on computers.

Dina Temple Raston (3:53)

It's a company trusted by the likes of darpa, Facebook and a variety of crypto platforms. So you'd think that would put him off limit to hackers. It didn't. Back in April, Dan Guido got a message on Twitter. Someone claiming to be a reporter from Bloomberg Crypto wanted to set up an interview over Zoom. Now, Bloomberg Crypto is a real thing, a unit of Bloomberg News focused on digital currencies, blockchain tech, and the billionaires who orbit them. In other words, a perfectly plausible place for someone like Dan to appear. So at first, he was flattered a journalist wanted to talk to him about crypto. Of course they did. But then the flattery wore off and the flags, the red ones, started to wave.

Dan Guido (4:46)

The fact that a Bloomberg News person, like, wouldn't talk over text, wouldn't talk over signal, wouldn't talk over email. They really insisted on Twitter, DMs or Telegram. They said, oh yeah, or we'll do Telegram, which is like a huge use red flag. And then the email confirmation from a Gmail address, like, I don't think so.

Dina Temple Raston (5:12)

He was pretty sure this guy asking for an interview wasn't on the up and up. But Dan was intrigued. So he agreed to talk to him over Zoom and pulled out an old Chromebook to take the call.

Dan Guido (5:26)

And I was ready to join a call and record it on a device that I thought would be impenetrable.

Dina Temple Raston (5:34)

But the hackers never showed. So Dan got to work figuring out who had targeted him. And he discovered that he'd been targeted in a hacking campaign launched by Elusive Comet.

Dan Guido (5:49)

I did figure out what they were up to, which was sort of shocking to me.

Dina Temple Raston (5:54)

At the heart of their methods is this a feature built into Zoom that most users never think twice about.

Dan Guido (6:01)

Zoom is a great product. It enables connectivity and interaction with people the world over and during COVID it definitely added a ton of value to people's lives. But it has so many features in it that I don't think everyone knows what it can do.

Dina Temple Raston (6:19)

Things like remote access.

Dan Guido (6:20)

There's actually this IT remote support feature that's built into Zoom that allows somebody else to take control of your screen, your keyboard, your mouse, and basically just sort of look over your shoulder and work on your computer.

Dina Temple Raston (6:35)

We've talked about this in the past in previous episodes.

Dan Guido (6:38)

It was just sort of a shockingly easy trick to play that only requires social engineering. And it gets you code execution out the other end.

Dina Temple Raston (6:48)

It only takes two clicks and, and looks a lot like some of the day to day popups you get on Zoom.

Dan Guido (6:54)

You have to go into your system settings in macOS and specifically allow the Zoom application to like, interact with the computer, record your screen, whatever. But that's a process that I think a lot of people have been sensitized to, and I don't think people know what that really means when they flip those settings.

Dina Temple Raston (7:14)

The hackers leverage people's general confusion about technology by adding some expert social engineering and their first step pressure.

Dan Guido (7:23)

And they're adding this time pressure of like, hey, we need to go to recording next.

Dina Temple Raston (7:28)

Some ego stroking.

Dan Guido (7:29)

They're saying, you're so important to talk to. We know all the great work that you've done and like, this is going to be great exposure for you. It's Bloomberg, you know, it's huge. And they just lean into it and lay it on pretty thick. Right away you feel really good about yourself, like, oh, somebody finally noticed me.

Dina Temple Raston (7:46)

And they use that to get inside your computer without you even knowing.

Dan Guido (7:53)

And a lot of people I think are willing to take that step and just click these buttons because they don't know what they actually do once they click them.

Dina Temple Raston (8:03)

When we come back, we follow Dan into the blockchain trenches where hackers are hoping to trick their unsuspecting victims into handing over millions. We'll be right back. Support for Click here comes from GiveWell. Let's say you're a detail oriented person. You don't just go to a movie. You read the reviews first. You recon the menu before going to a restaurant. I'm guilty of that. So how do you do your homework when giving to charity? That's where GiveWell comes in. GiveWell is an independent resource doing rigorous and transparent research into charities. They figure out which ones do the most good for every dollar donated. And they only recommend programs with the biggest impact on helping people and saving lives. That's why over 150,000 donors have already trusted them to direct over $2.5 billion to great causes around the world. So check out GiveWell next time you're giving to charity. To make a tax deductible donation Today, go to givewell.org and pick podcast and enter click here at checkout. Make sure they know you heard about GiveWell from. Click here again, that's givewell.org to donate or find out more.

Benson (9:32)

Every day it's getting harder to tell what's real and what's not.

Dan Guido (9:36)

Alex reassured me that he was a fully licensed and certified psychologist. But in fact, Alex is not a person. But it is an unfeeling chatbot.

Benson (9:47)

I'm Dexter Thomas, and every week on my podcast, Kill Switch, we look at the right now of living in the future. To help you take back control of your life. Listen to Kill switch in the iHeartRadio app, Apple Podcasts, or wherever you get your podcasts.

Dina Temple Raston (10:14)

Hackers like the ones that targeted Dan Guido are usually looking for something really specific. A crypto wallet. And the reason is simple. It potentially offers a way to make a lot of money really fast.

Dan Guido (10:27)

The community of attackers out there have realized that if you socially engineer somebody or get malware on their computer, the path to getting a payout is instantaneous. You don't have to navigate through a big company to find the secret formula to Coke buried 10 levels deep in some active directory domain. Instead, you've just got a single person's computer that has a private key on it, and as soon as you read it, you can go grab $2 million.

Dina Temple Raston (10:58)

So in the beginning, hackers exploited what used to be a vulnerable corner of crypto wallet tech, something called smart contracts, which sounds like something dreamed up by a Silicon Valley marketing department after a few too many lattes. But really, it's just bits of code, small self executing programs written onto the blockchain that essentially say, if X happens, then do Y. Imagine a vending machine. You put in your dollar, press B7, and you get your nacho cheese Doritos. No cashier, no small talk, no tip. That's a smart contract.

Dan Guido (11:39)

I think about them as like little finance bots. They follow their instructions and they can't do anything else. So, you know, you could have smart contracts that provide loans, right? Anything you could imagine a piece of software doing, they'll. They'll do it.

Dina Temple Raston (11:54)

And a lot of smart contracts are wallets where people store crypto tokens so they can be targets.

Dan Guido (12:00)

Hack them, and it's Like a financial pinata. And if you hit them hard enough and you find a way to exploit a vulnerability in them, you get all the cryptocurrencies stored inside.

Dina Temple Raston (12:15)

So hackers went after them as a sort of low hanging fruit. But these days, smart contracts are, well, smarter.

Dan Guido (12:24)

They're no longer cardboard pinatas, now they're made out of steel. People are writing smart contracts that are pretty reasonably complex. They're like multiple thousands, sometimes tens of thousands of lines long. So now it is harder to hack a smart contract on a blockchain than it is to just go after people's laptops and steal their private keys. And that wasn't true for the last five or six years. That really only flipped, I'd say, a couple months ago.

Dina Temple Raston (12:54)

It's become so much harder to hack a smart contract that hackers have had to innovate with things like this zoom hack. And in a lot of ways, it's easier to just go after someone's laptop and steal their private keys than to try to hack a contract. Humans are a lot easier to fool.

Dan Guido (13:12)

I mean, I feel like we've got enough evidence out there, enough people have been hacked where this seems to be pretty clear.

Dina Temple Raston (13:28)

So if you're into crypto, how do you protect yourself? Dan has some words to the wise.

Dan Guido (13:33)

The number one piece of advice that I always give is just separate your crypto wallet from the device you use every day. I think a single purpose device, you know, some cheap Chromebook that you use to access your giant holdings of cryptocurrency, is the most appropriate strategy. You shouldn't have $2 million or whatever it is at risk every time you talk to some guy on discord.

Dina Temple Raston (13:58)

Trail of Bits has been getting more calls lately. People in crypto suddenly interested in training around operational security, which is good, but Dan Guido says that's not enough.

Dan Guido (14:10)

The effectiveness of these techniques don't really go down. There are always people out there that haven't seen and internalized this information. And, you know, case in point, the Twitter accounts that contacted me, they're still up. They're seemingly still active. They are Twitter accounts you could talk to right now. And I would bet that there have been additional victims from those same two Twitter accounts since Trailer Bits published our blog on it. So I don't see a good reason for them to stop unless somebody actually tracks down who they are and literally arrests the people behind it.

Dina Temple Raston (14:49)

And in the case of Elusive Comet, Dan thinks arrests may be coming. The FBI is investigating, and the hackers are believed to be based in the west, maybe even somewhere inside the United States. Because while crypto might be mostly anonymous, it isn't completely untraceable.

Dan Guido (15:07)

I think the privacy protections on blockchains are notoriously porous, that in a lot of cases where somebody really applies all the effort available to figure out who did what transaction, you can generally track it down. There's also all kinds of operational security mistakes that happen from an attacker perspective, too. You know, if you have a single transaction or a single interaction with some company that you're trying to hack that exposes your identity, that information usually just lives out there forever. You can't take it back. So a likelihood over the long term that these guys get caught is probably pretty high in my mind. So enjoy your stolen cryptocurrency while you can, because I don't assume that this is going to last forever.

Dina Temple Raston (15:58)

So what do we take away from Dan's experience? Maybe it's this. Security threats aren't just about code. They're about human frailty, ego, urgency, a momentary lapse in skepticism. So install all the cybersecurity you want, but also keep your skepticism and that ego of yours in check. From Recorded Future News, this is Click Here's Mic Drop. It was written and produced by Zach Hirsch, Megan Dietrich, Sean Powers, Erica Guida, and me, Dina Temple Raston. It was edited by Karen Duffin. We'll be back on Tuesday. Until then, have a great weekend.

Recorded Future News Announcer (17:01)

Looking for more of the cybersecurity and intelligence coverage you get on Click Here, Then check out our sister publication, the Record. From Recorded Future News, you'll get breaking cyber news from reporters in New York, Washington, London, and Kyiv, among others, and you'll see for yourself why it attracts hundreds of thousands of page views every month. Just go to the Record Media.