Dave Buettner
You're listening to the Cyberwire Network, powered by N2K.
Rick Howard
In the cold, mysterious corners of the cyber world where digital ghosts haunt and malicious spirits lurk, three brave souls gather round the proverbial fireplace, ready to unwrap the secrets of malware. Tonight, meet our merry malware mavens. The wise yet weary Rick, the malware ghost of breaches past. The sharp and cunning Selina, the phantom of threats yet to come. And the ever cheerful, ever curious Dave, our ghost of malware present.
Selina Larson
Let's see what ghastly gifts the cyberspectors have left under our tree tonight.
Dave Buettner
Ooh.
Rick
I spy a nasty ransomware attack. These have been lurking around for centuries.
Dave Buettner
And here's a holiday treat for us all.
Dave
A shiny new malware scheme wrapped in a bow.
Rick Howard
So snuggle up tight, brave listeners, as Rick, Selena, and Dave guide you through the malware stories that haunt, the ones that chill and maybe even a few that thrill. Because remember, the ghosts of malware never truly sleep.
Selina Larson
Merry Christmas.
Rick Howard
Welcome to the Cyber Carol, where every download could be your digital undoing. Now, who's ready for a little holiday haunt? Our journey begins with the ghostly trio of malware experts, each one bringing tales from different realms of cyber lore. First, let me introduce to you Rick, the malware ghost that breaches past.
Selina Larson
Yes, indeed, I've seen it all. From the very, very first viruses to the earlier ransomware that held his hostage. Think of me as the ghost that remembers where it all began. And I'm here to remind you why history has a habit of repeating itself.
Rick Howard
Next, guiding us through the haunted here and now, please welcome Dave, the Ghost of Malware Present.
Dave
I'm your guy.
Dave Buettner
For all the latest and greatest in.
Dave
Malware coming straight out of today's naughty list.
Dave Buettner
From phishing schemes to malware with festive new twists, I've got everything happening right.
Dave
Now in this chilling little stocking.
Rick Howard
And last, hailing from the unknown reaches of what may be, we have Selina, the phantom of threats yet to come.
Rick
The future's a dark, winding code riddled with exploits, zero days, and malware we've yet to imagine. I'm the ghost with a glimpse of what's lurking ahead.
Selina
So tread lightly, lest you find yourself in my shadow.
Selina Larson
All right. With a nod towards the Charles Dickens classic that we're trying to emulate here, A Christmas Carol. I am the Ghost of Christmas Past. Your past, Dave. And these are the shadows of multi-factor authentication. Okay? And this is what they are. And what they are. Don't blame me, okay? And if you remember back in the old days? Fernando Corbató invented passwords in the early 1960s. And ever since then we've been trying to figure out how to make that better. We haven't fixed it yet, but we've been working on it with two-factor authentication. So let me summarize, okay, how they work and then we can talk about how secure they are. First up is SMS verification. If you're an Internet troll like me, the Ghost of Christmas Past, and I want to log into audible.com, the website sends a text message with a one-time code for me to use. I enter the code into the audible.com website to gain access to my account. So that's kind of the first two-factor authentication scheme. The next is email verification. Very similar to SMS, except the message is sent via email and not via a text message. The next is authenticator soft tokens like Google Authenticator, ID.me, Blizzard's Battle.net, which I use every day, and LastPass. So authenticators use an Internet Engineering Task Force algorithm to generate one-time codes. I want to log into my Google G Suite account. G Suite asks me for a one-time code. I open the Google Authenticator application on my smartphone and look up the listing for Google. So I have several listings to choose from, like LastPass or others. The algorithm is standard. So Google Authenticator can be used to log into other companies' apps like Microsoft or Amazon. And I noticed that for each listing there is a countdown, like every 30 seconds the Google Authenticator app generates a different code to use. So I try to remember the six-digit code and enter it into the Google login screen before the timer winds down. The next method is push authentication. 
We get this kind of thing from Google, Apple and others. It's not SMS verification because they don't use codes. When I get summoned by my mother-in-law to fix some tech issue with her iPad, I might need to log into my Gmail account to retrieve some information. Google doesn't recognize the mother-in-law's iPad that I'm trying to use as a registered device and pushes a notification to me via the Google application on my iPhone. I open the Google application, push a button that says yes, I am indeed the Ghost of Christmas Past. And that's all it takes. It's way harder to explain than it is to do, but in the end I get to access my Gmail account on my mother-in-law's iPad. Apple's version is similar, but it's not tied to an application. It uses the operating system. So there's one more shadow in the two-factor authentication space that you may all have heard of. It's called Passkey and it uses the asymmetric key model made famous by Whitfield Diffie and Martin Hellman back in the 1970s. Apps or websites store your unique public key. Your private key is only stored on your device, and your device authenticates your identity. The two keys combine to grant your access to your account. Usually the software on the device that generates the passkeys uses a biometric authentication tool such as Face ID or Touch ID to authenticate your identity. Passkeys also sync across devices, making them really easy to use. And the last one on the list is Universal Second Factor authentication. It's kind of an open standard that uses universal serial bus or near field communication devices. So I want to log into LastPass Password Manager to access corporate accounts. I enter my user ID and password, and then LastPass asks me to insert my physical authentication USB key into the laptop, in this case my Yubico YubiKey. I touch the button on the outside of the physical key and LastPass grants access. 
And the way this works is that the USB key creates a public/private key pair for each website like LastPass. The user's browser verifies those keys and allows me to gain access. So those are the things at our disposal. I've gone up from very old stuff, everybody, from, you know, the original user ID and password pair back in the 1960s to kind of where we are today. Let me ask the Ghost of Christmas Present, did I get all that right?
Dave Buettner
Well, it seems to me like you did. And what I wonder is, is the username and password combination the ghost of security past? And then multifactor authentication is the ghost of security present, and passkeys are the ghost of security future.
Selina Larson
I really think it is. I think passkeys are the future for most of the things we need to do on the Internet. If you have to be really secure, like if you're a spy or if you're protecting corporate secrets, you should be using the hard token for your most important secrets. Right. But for everything else, I think passkey is going to be the thing. Selena, what do you think?
Rick
Absolutely. And unfortunately, though, I think there are many people that are still living in the past. Right. I mean, I think that MFA everywhere.
Selina Larson
Which is where I live, which I'm okay with.
Dave Buettner
Your words, not mine, Rick. Rick is haunting.
Rick
The computers of everyone that doesn't use MFA. Yeah, I mean, it's interesting because everything has gotten a lot easier, right? I feel like back in the day, it used to be this. When everyone was adding a second factor to their login and password and typically using SMS authentication, it was like, oh my goodness. Yet another thing that I'm going to have to remember to do. Yet another box I'm going to have to click. But I think we've seen a shift in human behavior where it's a little bit more accepted now, where it's like, oh, okay, I know that I have to do this. It's still a bit of a pain. But with the, like you were mentioning, Rick, like with the YubiKey and a physical key that you just. It's something that you have. It's so easy to incorporate into your wake up in the morning and you log in and you touch something and you're all ready to go. So I think being more secure is also a little bit more streamlined in many ways.
Selina Larson
Well, you say that, but, you know, and I love the hard token authentication method, but I'm gonna lose that device, okay. As a ghost of Christmas past, there's no way I'm gonna keep track of that thing for the rest of my life. So that's the one downside.
Dave Buettner
That's why they send you two. So you take. You put one on your keychain and then you put one somewhere in your home where later you can't remember where in your home you put it.
Selina Larson
Exactly. Do you live in my house, Dave? That's exactly how that works.
Dave Buettner
Yeah. And you know what? I mostly agree that things have gotten easier. But I have to say, as much as I love hardware keys and the security and simplicity that they provide, if I'm sitting on my couch and I try to log into something and it demands my hardware key and I have to get off of my couch and walk over into the kitchen where I keep my keys. Like the drawer, the junk drawer where I plop my keys when I get home. I am PO'd about that.
Selina Larson
Yeah. That's not getting done that day. Okay.
Dave Buettner
I have. That's what that is. I mean, it's. I, you know, I, And I just, I keep. When I have to do that, I try to tamp down the frustration by saying, this is for security, this is for security. This is good. This is a good thing. But boy, it just. Because it's a roadblock, right? It just stops you from doing what you want to do.
Selina Larson
It's friction.
Rick
Are you waiting for the future of biometrics everywhere, Dave, where if you're sitting on the couch, you can just look at your Phone and it'll say, yep, this is Dave.
Dave Buettner
I'd say we're most of the way there because I love like face ID on my iPhone and I love touch ID before that. And I think they were very effective and overall very secure. And I think passkeys are going to be the next step with that. I'm curious that it seems to me that passkeys are a little slow out of the gate. Like, people are still figuring it out.
Selina Larson
It's so true. I mean, we may, you know, we say, yeah, it's way easier. Okay. But you know, it's one thing for a bunch of security nerds to talk about how passkey is easier to use, but I was mentioning my mother-in-law, who's 85, by the way, and slings the iPad like she's a warrior ninja somewhere.
Dave Buettner
Right.
Selina Larson
But explaining how passkey works to her. Okay. That we're not there yet. It's too hard for the normal, average citizen to use those kinds of things.
Dave Buettner
Yeah, I agree.
Rick
I have to admit, every time I use my Yubikey in my head, I don't know why, I don't know what this does about me, but I feel like it's taking like a drop of blood from my fingers.
Selina Larson
It's like, you must sacrifice little woodland animals.
Dave Buettner
We can use that for our Halloween episode, Selena.
Rick
I know, but every, I don't know why that's in my head. Every time I, like, I touch it, I'm like, what is this taking from me? You know, like what?
Dave Buettner
I mean, you're looking a little pale. You've been logging into a bunch of accounts this morning, Selena.
Selina Larson
You should sit down and drink some water, sir.
Dave Buettner
That's right. Here's some orange juice and a cookie.
Rick
I mean, I do think reducing friction as much as possible is really the only way that we are going to be secure and get people to embrace these technologies and use them as mandatory. Because, Dave, I've definitely been there too, where it's like, oh, you know, I don't want to go downstairs to buy this online. Right.
Dave Buettner
So I'm just doing it.
Selina Larson
Yeah, I don't really need it.
Dave Buettner
Right, right.
Rick
So it's, it's so. It's really interesting. But I do think that we have come a long way in trying to make things a little bit easier. I know, for example, like, Google has implemented some ways of reducing friction in their products and helping people basically say, you know, this is mandatory. We're going to explain to you why you need this and why you want this. And we're going to walk you through the steps to get it. And hopefully it just becomes second nature because, I mean, look, we can learn to pick up a phone and do TikTok dances and figure out how to splice videos together immediately. As soon as we pick a phone up.
Selina Larson
You can do that.
Dave Buettner
Speak for yourself.
Selina Larson
Yeah. All I'm saying is, as the Ghost of Christmas Past, okay? We invented passwords in the 1960s. Sixty years have now gone by before we've even started to make it slightly easier to log into things. So we have a ways to go.
Rick
Yeah, well, and Christmas Past, because as the Ghost of Christmas Past, you have seen the evolution of all of these tools in large part because the threat actors, who are really the ghosts of the future, keep creating new ways to figure out how to bypass these things. Right? I mean, obviously username and password, that wasn't enough. Then you move to MFA. Now you have SMS theft, right? Like SMS spoofing, trying to get those text codes. And then you have things like MFA phish kits. So there's like attacker-in-the-middle phish kits that are attempting to steal those cookies and use the tokens, replay them to log into compromised inboxes. So I think that there's an evolution too, in large part driving the broader adoption and the different ways that we have to be creative with this stuff. And ultimately, like, I think a lot of times people are like, oh, well, no one can impersonate your fingerprint, no one can impersonate your, you know, eyeball or something. But I suspect that there is a creative Ghost of Christmas Future out there that will be able to do such a thing once that's normalized.
Selina Larson
Those pesky bad guys, even for the push authentication, which I really like, they do this really low ball attack sequence where they just feed you more and more options to hit the button so much that it annoys you so much that you just push the button to make it go away, thus authorizing the bad guy to get into your system. So it's so low tech that it works just.
Rick
It's DDoSing by being profoundly annoying.
Selina Larson
Yeah. So I think we've covered the Ghost of Christmas Past with the multifactor authentication. Any last thoughts from anybody?
Dave Buettner
Well, it seems like as you pointed out, it's been 60 years. So the gap between the invention of passwords and multifactor authentication was probably 40 years.
Selina Larson
40. Yeah.
Dave Buettner
Right. So then we've had multifactor for 20. Is it going to take 10 to get passkeys fully engaged?
Selina Larson
That is some high-order math there, Dave. I can. Thank you very much.
Dave Buettner
Thank you very much. Thank you very much. Is it accelerating?
Selina Larson
I don't think it's accelerating, no. I think it will take that at least a decade to get that to be normal for everybody to use. And who knows what might show up on the horizon as we are working through that.
Dave Buettner
So do you think that we have to mandate shutting off the old stuff before the new stuff can take hold?
Selina Larson
Yeah. So many people just cry and scream about stuff like that. Right. And so I think it's a interesting idea, but I don't think anybody would do it.
Rick
Well, I'm also in the camp of SMS is still better than nothing. So if you, I mean, I know a lot of people want to make it, oh well, you can't use SMS as MFA. Well, for many people that is the easiest and most applicable way for them to have multifactor authentication. And for most people that's, I agree, good enough.
Selina Larson
It's better than a user ID and password. So why not? Okay, so why not? And it's easy.
Rick
Yeah, there's no, there's no catch all easy solution. Although it would be nice if in the future there really was one and everything had MFA by default. Regardless of what you choose, you have to choose something.
Dave Buettner
But what if the big players, if we got, let's say Google, Apple, Facebook, who else? Who's the other big one? Microsoft. If we got those big players to all say, okay everybody, 1/1/2027, we are going to transfer everything, we are going to migrate you to passkeys and you have a year beforehand where we're going to try to show you how to do it and we're going to make it as easy as possible. But this is happening. We have all decided. What if CISA said, you know, we want everyone to do this. What if, dare I say, it was regulated.
Selina Larson
Are you sure this is not the Halloween episode where we're supposed to be afraid of everything?
Dave Buettner
Dun, dun, dun.
Selina Larson
Well, there have been strides in that. Microsoft during the pandemic years made big pushes for their user base on their Windows clients to get away from a user ID and password to log in. But they didn't get rid of the old way, they just put the new way up front. So maybe that's the way it is, make it easier that way.
Rick
I also have to say, and speaking of password innovation, Apple via iOS and the Apple ecosystem has their own password manager now. So with the most recent updates you can use Apple's built-in password manager. They make it super easy to save and store and access passwords, setting up MFA, things like that. So I do think that the organizations, the big technology companies, consumer in terms of Apple and enterprise in terms of Google and Microsoft, have really pushed in that direction. But to your point, Dave, I think, frankly, I don't think there's really going to be any significant movement on a lot of the things that we would like to see across the security landscape unless there is some sort of consequence for not doing so beyond just paying cybercriminals when your enterprise is hacked. So it should be interesting to see. But yeah, for any Apple users, if you don't have the password manager or you're explaining to your family and friends that you should use one, there's at least a way to make that really easy now.
Selina Larson
Well, as the ghost of Christmas past, let me put an end to this discussion. It feels like multifactor authentication. The community still has one foot deeply in the past, so that's appropriate for me. So I think we should call that a quits for this particular topic.
Rick
Stay tuned.
Selina
There's more to come after the break.
Dave Buettner
All right, well, I want to talk about social engineering and I have created for you all a social engineering Carol, are you ready?
Selina Larson
I'm ready.
Rick
Ready.
Dave Buettner
All right, sit back and enjoy.
Dave
It goes like this. Click was careless to begin with. No one doubted it. Careless with his passwords, with his emails, with the relentless training reminders from IT he swept aside with a shrug. Ebenezer Click was indifferent to cybersecurity right up until the night the spirits came calling to show him the vulnerabilities of the past, present, and the chilling risks of a future unsecured. One foggy December evening, as he's working late, Ebenezer is visited by a series of phantoms. Ghosts of social engineering, to be exact. Each spirit arrives to teach him a lesson on the costly dangers of his negligence and the profound consequences of overlooking cybersecurity. The first ghost, a wizened figure draped in a familiar nostalgic glow, appears and takes Ebenezer on a journey through past social engineering attacks.
Rick
Look, Ebenezer, at the lessons from the past.
Dave
The ghost beckons, showing him infamous breaches like the 2014 Sony hack.
Rick
In this case, just a few unguarded emails from employees allowed hackers to infiltrate and exploit weaknesses within the entire company. Back doors were found, sensitive information was leaked, and reputations were tarnished.
Dave
The smoke spirit then takes Ebenezer to a simpler time, his very own early days at the company, when he received training on password protection and phishing. Yet he recalls that he dismissed it even using the same password across platforms. This lack of caution, the ghost points out, has put him at risk ever since, illustrating how old habits linger, silently eroding his defenses. Next comes the Ghost of Social Engineering present, a sharp eyed phantom who peers over Ebenezer's shoulder at his computer.
Rick
Ebenezer, let us look at the present.
Dave
The ghost says, showing him the stark reality of today's cyber landscape. In a blink, Ebenezer watches himself in real time, clicking on a suspicious link in a fake LinkedIn invitation. The screen shows his profile, personal details.
Dave Buettner
And even confidential work contacts copied and.
Rick
Shared without a second thought. You let an attacker into your life and into your company, the ghost says.
Dave
Waving its hand to reveal an avalanche of phishing messages sent out using Ebenezer's contact list. With each click by a colleague, the attacker gains a foothold in the company network, positioning malware to extract information and map out the organization. The ghost also takes him to the world of his online presence, posts about work in conference locations, information about his family, and even a selfie he took at his desk with passwords visible on sticky notes. All of these details fuel the attacker's arsenal.
Rick
Social media Ebenezer is like handing your keys to a stranger, warns the Ghost.
Dave
Finally, a hooded figure, a ghost of Social Engineering future, shows him what lies ahead if he continues down this path of neglect. Ebenezer is shown a devastating scenario where.
Dave Buettner
His failure to heed warnings leads to a full blown data breach.
Dave
Critical company secrets are leaked and customers trust crumbles. He sees the news headlines, the frantic calls and the massive financial loss. His own name appears in the headlines, marked by scandal and negligence.
Selina Larson
Ebenezer Click.
Rick
Cause of largest data breach in Christmas Carol history.
Dave
Desperate to save his company's reputation, he struggles to recover. But the damage to the company's name and its customer base is irreversible. Is this truly my fate? He pleads with the ghost, who says nothing but points toward his inbox, where he has countless unread security updates and ignored training sessions.
Dave Buettner
When Ebenezer wakes, he's struck by
Dave
The realization that he's been granted a second chance.
Dave Buettner
With newfound resolve, Ebenezer rushes to his office window, throws it open and calls out to a passing intern below. What day is it? He shouts, excitement in his voice.
Rick Howard
Why, it's Cybersecurity awareness day, sir.
Dave Buettner
The intern replies, puzzled. Then there's still time, Ebenezer exclaims, grinning. Time to secure every last device, every password, every soul here.
Dave
He rushes back inside and from that.
Dave Buettner
day on, he's a changed man, one
Dave
who's vigilant, wise, and as ready to protect his company as he is to help others understand the importance of cybersecurity. Ebenezer Click, once careless, now leads with awareness and purpose, embodying the spirit of
Dave Buettner
A new kind of holiday cheer.
Dave
A world of workspaces more secure, employees more aware, and systems more resilient today and every day that follows.
Selina Larson
Wow. Nicely done, sir. Okay, that is nicely done.
Rick
Incredible carol, Dave.
Dave Buettner
Thank you. Thank you very much.
Selina Larson
As we were preparing for this show, I went over and looked at the original Christmas Carol, and it's a novella by Dickens. It's very short. And, Dave, you managed to hit the nuances of that by making that a very compelling and short Christmas carol. So nicely done, sir.
Dave Buettner
Well, thank you. I did my best. I did my best. By the way, while we're on the topic here, each of us have our favorite telling of the Christmas Carol. Is there one that stands out to you?
Selina Larson
Oh, it was fun going through them this morning as we were preparing for the show. I will defer. Okay. What do you like, Selina?
Rick
My favorite is the Muppet Christmas Carol.
Dave Buettner
Oh, yeah, yeah.
Selina Larson
My favorite. My favorite.
Dave Buettner
I think it's my favorite as well. The fact that. Oh, what's the actor's name in that one, Rick, Help me out here.
Selina Larson
Michael Caine.
Dave Buettner
Michael Caine.
Selina Larson
Yes.
Dave Buettner
Thank you. The fact that Michael Caine plays it completely straight, as if he is cast with Shakespearean actors.
Selina Larson
Yes.
Dave Buettner
Yeah, yeah. Totally makes it. I'll say a close second for me is the one with Mr. Magoo. I don't know if you have ever seen that one.
Selina Larson
Of course not, Rick.
Dave Buettner
Maybe.
Selina Larson
Yeah.
Dave Buettner
Probably not for Selina, but Selina probably.
Selina Larson
doesn't even know who Magoo is. Right. That's how old that cartoon is.
Rick
I can't say I do.
Dave Buettner
Well, there's no shame, but the Mr. Magoo Christmas Carol used to be in heavy rotation when I was a child, and it was. Parts of it were frightening. The Ghost of Christmas Future, you know, the hooded figure with the bony hand pointing at the gravestone is quite chilling.
Selina Larson
Yeah. I will say that my second choice is the Disney version. And I thought that they did amazingly well at casting all the Disney characters in those various roles. Like the Ghost of Christmas Past is Jiminy Cricket. Right. And which is perfect. It's just perfect. All right, so that'd be my second choice. But Muppets, we've talked about this before. Most of those shows, the Muppet shows where they do classics, my favorite is Treasure Island with Tim Curry, he plays it straight too. Okay. And that's the way that makes those shows great.
Rick
I just recently rewatched Muppet Treasure Island, actually, after we talked about it last time. It's so good. Still holds. It's fantastic.
Dave Buettner
I really want the Muppets to do a Rocky Horror Picture Show.
Selina Larson
Oh, man, that would be great.
Dave Buettner
Wouldn't that be amazing? I mean, it'll never happen, but that's one I would love to see.
Rick
Time warping Muppets. Can you imagine? Yes, yes. Animal in the back. I can see it now.
Dave Buettner
All right, so that's social engineering. Selena, what do you have for us?
Rick
So I like thinking about both of these topics. Past, present, future. They kind of all play a little bit into what I was thinking about recently. In the past, we saw a lot of targeting of consumers, right? Home users. Everyone had their photos that could be ransomwared. We were all using various chat apps. People were, you know, had their home computers versus their work computers. And the threat actors were targeting individuals, everything going all the way back to the AIDS Trojan to pop-ups and adware in your favorite websites, exploit kits. And then we saw the rise of targeted big game hunting within the enterprise. And so threat actors realized I could get a lot more money going after businesses than the individuals. Well, I feel like recently and perhaps looking forward, we're seeing the return to threat actors targeting people at home, on their phones, in their places where they are not conducting work. Oftentimes those overlap, certainly, and can be threats within the enterprise. But things like pig butchering, for example, romance-based crypto scams where someone will, you know, lure them in a long con, which is kind of the evolution of romance scamming anyways. But the payouts can be really big and cost people their entire life savings. So it's not, you know, paying $250 to get a ransomware key, but rather potentially $250,000 into a fake crypto investment. So, you know, we've always had confidence scammers. I mean, there are certainly plenty in the days of Charles Dickens going around in their boxes selling snake oil, trying to get people to buy into things that didn't exist. And now what we see are the same confidence-based scammers trying to get people to make decisions to do bad things. And in many ways it is coming back to the individual. And I think this plays a little bit with the MFA. It plays a little bit with the social engineering, but it's very much going and focusing on identity rather than potentially product or service. 
And so I think we might see that more often.
Selina Larson
Well, as the Ghost of Christmas Past, I remember those early days when bad guys were attacking the individuals, right? And what it exposed back in those days was the elaborate business process that cyber criminals had. I mean, just, just imagine what you were talking about that Selena, where some bad guy calls grandma and says, if you want your pictures of your kids and your cats back, pay us a bitcoin, right? But the back end of that was there were English speakers and business processes that could walk grandma through a bitcoin transaction. Because I don't know if, I don't know if I still, I don't know if I could do that today right now without having to spend some time, right? So in a second language, explain to grandma how to get a bitcoin so they could pay for the ransom, right? So it exposed how organized the back end business process was of cyber criminals.
Rick
And we still see that. And if anything, it's gotten better, it's gotten bigger, it's gotten more profitable, and it's building criminal ecosystems that function pretty much as businesses. And I think, you know, we're seeing the sort of pig butcher scammers. They're, they're having these same businesses. They're, you know, working in groups and trying to prey on people and their emotions and their individuality to try and get them to do things. And I think, you know, that whether, whether it's trying to get into an enterprise or trying to get personal bank information, right, you have to be creative and targeted and kind of using social engineering, using that identity that you might get from MFA bypass and to target, you know, specific individuals. And, and it's, it's. I don't know, I think it's very interesting because people, we've gone from not trusting the Internet at all to trusting it and believing it and believing everything you read to back, oh, wait, we have to not trust it again.
Dave Buettner
So, you know, I remember about five years ago or so, and I'm probably off by a year either way. But, you know, at the end of the year, lots of people want to talk about predictions for the coming year, right? When I'm talking, interviewing people about what do they think is coming next? And I remember there was pretty much consensus, and this was back in the days, the early days of ransomware, where it was about locking up Grandma's computer for 50 bucks, right? And there was consensus that in the coming year we were going to see ransomware fade away and the real action was going to be crypto mining, because crypto mining was kind of a victimless crime, because you could crypto mine on somebody's machine while they were asleep and they probably wouldn't notice. So you could just have these botnets of crypto miners and that would be the way to make money. And of course, the opposite happened, right? The ransomware folks, they went in for big money. They shifted from the home user to the whales and going after corporations and millions of dollars. So to me, like, it's an interesting thing to look at the past and try to predict the future, how here was something that a lot of people thought was going to go one way and it went exactly the opposite way of what everybody thought.
Rick
Well, and also what's interesting is, okay, if you're thinking from a threat actor perspective, I'm doing all this crime, I'm targeting these home users. I'm getting a little bit of a payout, but I will get more if I target the enterprises. But then you have law enforcement being like, oh, hold on a second, that's a lot of money that you're stealing. And that's, that is disrupting, that is disrupting critical infrastructure, that is disrupting finance, that is just, that is making huge waves. Wait, wait, wait, wait a second. We have to go after them now.
Selina Larson
So threat actors, I didn't understand that till you just said this. I was saying what made them go back to the, the individual, because the money is where at the big corporate gigs. Right, but you're saying because they focus law enforcement on them, they need to go where they're not being paid attention to. Is that what you're saying the cause is?
Rick
I think that might be playing a role because we had this year major disruptions to law enforcement, disruptions to malware ecosystems, from ransomware strains to the loaders and the botnets that were enabling these sort of big game hunting. And it's interesting because since then, at least from the cybercrime perspective, the landscape has been fairly quiet. We're all wondering like what happens next. And then you see the evolution of things, like a lot more targeted type of threats, lower volume, very specific. You have threat actors that are now calling people or sending phone numbers to get them to interact with them, to download something, to specifically text them on their phone, offering them a job, offering them a romance scam. So it's not necessarily not as much.
Selina Larson
Money, but a safer way to operate is what you're saying.
Rick
I mean, I think that could potentially be playing a role, maybe not hitting quite as big to try and not make such a big impact. So yeah, there might be a change in calculus a little bit with all the heat paid to some of the most successful cybercrime.
Dave Buettner
You know, I've wondered sometimes when I'm alone. A dangerous pastime.
Selina Larson
I know.
Dave Buettner
Well, my thoughts get the better of me and I wonder if there are white hat or gray hat hackers out there who quietly think about in their retirement years, will they adopt what I refer to as nuisance ransomware. Right. Just a low level sort of thing where, you know what, this retirement account isn't paying off, what it, what I thought it would. And so I'm going to send out nuisance ransomware.
Selina Larson
Yeah. Retirement job. It's a, you know, a hobby.
Dave Buettner
Right. You're saying you're just reaching out to people and saying, okay, look, I locked up your system. 10 bucks. 10 bucks and I'll unlock it. Right. And so if you do that to enough people. Because the other part of that, speaking about the safety part, I mean, the folks I talk to, like on hacking humans, if you go to your local law enforcement and say, somebody cheated me out of $50 through a social engineering thing, they're just going to be like, and yeah, yeah, right. It's a threshold.
Selina Larson
It's like $10,000 or something like that. I forget.
Dave Buettner
So, you know, I just wonder, is there a return, as you say, Selina, is there a return to nuisance level? Low threshold, but still profitable ransomware. And where.
Selina Larson
What's the equilibrium, especially for a retiree?
Dave Buettner
Right. What's the equilibrium like? Where do we hit where society says we can live with this?
Selina Larson
Can I just pause before you answer that, Selina? Because I think that's the first time I've heard it mentioned anywhere that we are considering hackers to be considering retirement for themselves. Right. It's the first. Right. We've never talked about that before.
Dave Buettner
Well, that's true. I mean, the, Well, I mean, so you think about it. The first generation are at retirement age now, and that's never happened before. That's never happened. Yeah. So what are they going to do?
Selina Larson
Breaking news.
Rick
If they're, if they're not collecting a government paycheck in their retirement age, then I define something else. Yeah, I, you know, I'm not sure this again, is just Selina having a hot take, but I am seeing that the rise of pig butchering with the evolution and expansion of a lot of social engineering techniques and these scams and fraud that are a little bit less profitable, but still kind of following some of the techniques that we're seeing, I think that's definitely a possibility. And I do think that right now, all different threat actors across the cyber criminal spectrum, especially those who are a lot more sophisticated, are seeing the impacts of law enforcement disruption and wondering, what do I do now? And how can I either fly under the radar or should I just be out of the game entirely? Should I call it quits? Stay on my yacht in the Black Sea, you know, drinking vodka and enjoying the sunshine.
Selina
We'll be right back.
Dave Buettner
Well, gang, I have to be moving along here. I am actually getting a little hungry, and I have fixed myself a festive and delicious dip for the Christmas holiday. A cranberry jalapeno cream cheese dip. That's right. Cranberry and jalapeno. It's red and green for the holidays. It's a perfect mix of sweet, tart, spicy and creamy.
Dave
And it works with all the holiday flavors.
Dave Buettner
So I'm going to run off and enjoy that.
Selina Larson
And you're sharing that with the crowd, right, Dave? Or am I wrong about that?
Dave
No, I'm not sharing that with anybody. It's mine.
Rick
I am going to a white elephant party and will be wrapping up all of my presents as something cyber related. So maybe I will pack up some YubiKeys and put them in various stockings.
Dave Buettner
I'll bet you're popular at parties. Oh, here comes Selina with her two-factor authentication. All right, just smile. Just smile and nod.
Dave
Smile and nod.
Dave Buettner
How about you, Rick? What are your holiday plans?
Selina Larson
My holiday plans are to sit in front of my big fireplace, thinking about the past and not doing a damn thing. That's what I'm gonna do.
Dave
I think we can all get behind that.
Rick
The perfect plan. Absolutely.
Selina
And that's Only Malware in the Building. Brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes, mixing and sound design by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
Dave Buettner
I'm Dave Buettner.
Selina Larson
And I'm Rick Howard.
Selina
And I'm Selina Larson. Thanks for listening.
Podcast Summary: Hacking Humans - "A Cyber Carol. [Only Malware in the Building]"
Release Date: December 3, 2024
In this festive episode of Hacking Humans, the N2K Networks hosts take on the characters of a cyber-themed "A Christmas Carol." Host Rick Howard introduces the team: Rick as the seasoned malware expert, Selina Larson as the insightful phantom of future threats, and Dave Buettner as the enthusiastic presence of the current malware landscape. Together, they set out to explore the sinister world of malware through a holiday lens.
Notable Quotes:
Rick Howard [00:23]: "In the cold, mysterious corners of the cyber world where digital ghosts haunt and malicious spirits lurk, three brave souls gather round the proverbial fireplace, ready to unwrap the secrets of malware."
Selina Larson [00:58]: "Let's see what ghastly gifts the cyberspectors have left under our tree tonight."
Selina Larson dons the mantle of the Ghost of Christmas Past, guiding listeners through the evolution of Multifactor Authentication (MFA). She traces the journey from the inception of passwords in the 1960s to modern MFA methods, highlighting advancements and persistent challenges in securing digital identities.
Key Discussions:
Historical Evolution: From single-password systems to the introduction of two-factor authentication (2FA) using SMS and email.
Modern MFA Methods: Authenticator apps (e.g., Google Authenticator), push notifications, passkeys, and physical tokens like YubiKeys.
User Experience vs. Security: Balancing ease of use with robust security measures, discussing the friction users face with various MFA implementations.
Notable Quotes:
Selina Larson [03:41]: "So, multifactor authentication is the ghost of security present, and passkeys are the ghost of security future."
Dave Buettner [08:16]: "Your words, not mine, Rick, is haunting."
Rick Howard [09:15]: "The computers of everyone that doesn't use MFA."
Midway through the episode, Dave Buettner presents a creative piece titled "A Social Engineering Carol." This narrative follows Ebenezer Click, a character representing negligent cybersecurity practices, as he is visited by phantoms illustrating the dangers of past, present, and future social engineering attacks.
Key Elements:
Past Lessons: Revisiting infamous breaches like the 2014 Sony hack to understand the consequences of weak security.
Present Realities: Demonstrating how everyday actions, such as clicking on suspicious links, can lead to significant breaches.
Future Implications: Envisioning a scenario where continued negligence results in a catastrophic data breach, emphasizing the need for vigilance.
Notable Quotes:
Dave Buettner [21:21]: "Ebenezer Click was indifferent to cybersecurity right up until the night the spirits came calling to show him the vulnerabilities of the past, present, and the chilling risks of a future unsecured."
Selina Larson [25:19]: "Ebenezer Click, Cause of largest data breach in Christmas Carol History."
After the carol, the discussion shifts to the dynamic nature of cyber threats. Rick Howard explains how cybercriminals have oscillated their focus between individual consumers and large enterprises based on potential financial gains and law enforcement pressures.
Key Points:
Historical Targets: Early threats targeted individuals with ransomware and phishing attacks.
Shift to Enterprises: Recognizing the higher payouts, cybercriminals began focusing on businesses, leading to sophisticated attacks like ransomware targeting corporate infrastructures.
Return to Individuals: Recent trends indicate a resurgence in targeting individuals with advanced social engineering techniques, possibly due to increased law enforcement attention on large-scale attacks.
Notable Quotes:
Rick Howard [33:02]: "The threat actors realize I could get a lot more money going after businesses than the individuals."
Selina Larson [37:29]: "So threat actors, I didn't understand that till you just said this. I was saying what made them go back to the individual, because the money is where at the big corporate gigs."
Looking ahead, the hosts speculate on future cyber threats, contemplating scenarios like "nuisance ransomware" perpetrated by retiring hackers seeking small, low-risk payouts, and the persistence of elaborate social engineering schemes such as pig butchering, the long-con romance and investment scams that prey on individuals' trust and emotions.
Key Discussions:
Nuisance Ransomware: Low-threshold attacks targeting individuals for minimal gains, potentially becoming a niche for less active cybercriminals.
Pig Butchering Scams: Advanced social engineering tactics that manipulate victims into significant financial losses through deceptive relationships and fraudulent investment opportunities.
Notable Quotes:
Dave Buettner [38:45]: "I have wondered sometimes if there are white hat or gray hat hackers out there who quietly think about in their retirement years, will they adopt what I refer to as nuisance ransomware."
Rick Howard [37:10]: "I think, I do think that right now, all different threat actors across the cyber criminal spectrum, especially those who are a lot more sophisticated, are seeing the impacts of law enforcement disruption and wondering, what do I do now?"
As the episode wraps up, the hosts emphasize the importance of reducing friction in security measures to foster user adoption and compliance. They advocate for continual innovation and education in cybersecurity to stay ahead of evolving threats, concluding with light-hearted discussions about their holiday plans and reaffirming their commitment to protecting listeners from cyber dangers.
Notable Quotes:
Rick Howard [27:24]: "For any Apple users, if you don't have the password manager or explaining to your family and friends that you should use one, there's at least a way to make that really easy now."
Selina Larson [14:37]: "I've been trying to start making it easier."
This episode of Hacking Humans masterfully blends holiday storytelling with in-depth discussions on cybersecurity, providing listeners with both valuable insights and engaging narratives. Through the lens of "A Cyber Carol," the hosts illuminate the past, present, and future of cyber threats, underscoring the perpetual need for vigilance and innovation in the digital age.