Click for a pay bump?

Rob Allen

You're listening to the Cyberwire Network, powered by N2K.

Dave Bittner

Hello, everyone, and welcome to N2K, CyberWire's hacking humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the Cyberwire. We've got a special episode of Hacking Human today. Joe and Maria are taking a summer break this week and my special guest is Rob Allen, chief product officer from Threat Locker. Rob, welcome to the show.

Rob Allen

Hello.

Dave Bittner

How are you? I'm doing well, thanks.

Rob Allen

Did you say two people were taking holidays today?

Dave Bittner

Indeed they are. I'm the last man standing.

Rob Allen

Yeah, you and me both. You're the last men standing.

Dave Bittner

I know. And I imagine for you, Rob, it's even stranger to hear that Americans are taking holiday right.

Rob Allen

It is one of the things that I have struggled to adjust to. Well, sorry, when I say I struggled to adjust to it. I did initially struggle to adjust to it, but I got used to it pretty quickly. I consider any holidays now or any PTO to be basically socialism. So I think that makes me an American.

Dave Bittner

All right, well, welcome to the club. And now a word from our sponsor. Threat Locker, the powerful zero trust enterprise solution that stops stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection. From Threat Locker, we are going to be discussing Scattered Spider, which is a cyber criminal group that's they're known for being sneaky, persuasive, and also surprisingly young. And unlike a lot of the hacker groups that we talk about who rely on technical tricks, Scattered Spider specializes in social engineering. And that makes that the perfect topic for us here on hacking humans. So let me toss it to you, Rob. I mean, when. When you describe Scattered Spider to people who may not be familiar with them, how do you do that?

Rob Allen

They apparently are a young, loosely affiliated, primarily English speaking ransomware gang and very effective ransomware gang, I might say. They've been responsible for some of the biggest breaches or events over the last couple of years. They seem to, and I think the reason they've come back into the news of late is they seem to target kind of an industry at the time, at a time. So I think lately they've been aiming at aviation, interestingly enough, again, presumably because they figured there's quite a few books to be had there. But as you said, they are predominantly around or about social engineering. They're not so much about the, I suppose, you know, down in the weeds, hacking and gaining access, they're more about persuading somebody to give them access.

Dave Bittner

And as you mentioned, they're, they're kind of a loosely affiliated group, which I think is how they got the name Scattered in Scattered Spider. They're loosely organized there.

Rob Allen

I, I almost wondered where these names came from. Well, I kind of know where the names come from, but equally where do the names come from?

Dave Bittner

Yeah, I'm with you. And as the guy who quite often has to pronounce them or align them because not every organization names these threat actors the same things. So we have, you know, fancy bears and cozy bears and scattered spiders and I don't know.

Rob Allen

Well, listen, to be honest, they're bad, but they're not as bad as the nicknames for Linux distribution. So there you go.

Dave Bittner

Yeah, we'll take what we get. Right, Right. Well, let's talk about social engineering specifically and the types of methods that these folks use that kind of set them apart from some of the other groups out there.

Rob Allen

A lot of it seems to be things like requesting password resets from understaffed and overworked support departments. A lot of it seems to be about applying pressure, which, I mean, realistically, you know, a lot of social engineering does depend on, but it's kind of like, look, you're the third person I've spoken to about this now I need it sorted out immediately. I'm on the phone to the CPO or the CTO or the CEO or whoever. I need this sorted right now. That those kind of tactics seem to be what they engage in. And again because they're predominantly English speaking, a lot of organizations and a lot of, as I said, overworked and underpaid and underappreciated support departments will just say, oh, okay, I'll do it now. They do it and then they have access.

Dave Bittner

So because of that, being native English speakers, that doesn't sort of reflexively throw up red flags for the folks who may be on the other end of that support call.

Rob Allen

Yeah, very, very much so. Very much so.

Dave Bittner

So we talked about them being youthful. Is there anything significant to that? Or is it as simple as a group of like minded people with similar experiences banding together?

Rob Allen

I suspect that that's probably what it is. Again, without any intimate knowledge one way or the other. But you know, young people hanging out wherever Young people hang out and you know, of similar mindset and interests, I suppose gather together and you know, if your moral compass is off somewhat and you figure there's a bit of money to be made in the likes of what they're doing, then it's a, I suppose an easy trap to fall into.

Dave Bittner

And when we say hanging out, where are the types of places that these folks are able to find each other?

Rob Allen

That's a really good question. I don't know. I would. And again, as a verifiable, not young person. The mall.

Dave Bittner

Well, I guess what I'm getting at here is that it would be expected that they would be hanging out on dark web forums and things like that. Not your, you know, these folks aren't taking part in an AOL discussion group or anything like that.

Rob Allen

Yes, no, presumably so. Presumably so. But I would imagine there's probably signal chats and all sorts of stuff that people get invited to. And I mean they apparently they've got quite a tight inner circle of the core group and then they have their, you know, lower level people and they've got affiliates. And as you said, the scattered nature of the organization, probably the scattered in the name of the organization probably comes from that fact.

Dave Bittner

And what is it that they seem to be after here? Are they primarily financially motivated? Is this an espionage group? What are they after?

Rob Allen

Oh yeah, I mean those estimates, they've made upwards of 65, 66 million in attacks over the last number of years. I mean I saw one organization apparently paid them a 10 figure sum which is pretty incredible. So again, what they're doing appears to be working. They don't appear to always actually use ransomware. They don't always run ransomware. In a lot of cases it's probably more about data exfiltration, you know, selling access, that kind of stuff. But it's obviously again based on the numbers, it's obviously pretty effective.

Dave Bittner

Yeah. For our listeners. Can we kind of walk through what this process would look like? I mean, suppose I'm an organization that Scattered Spider has targeted. How would they initially come at me and then how would the process play out?

Rob Allen

I think particularly it is about deceiving help desk personnel into things like resetting passwords or disabling MFA or re enrolling a device in mfa. And as I said, it's often about sort of applying pressure to the individual. You know, as I said, I'm on the phone to the CEO right now. I need this immediately. There's been some talk that they use AI generated voices as well, which again is Something that's becoming more and more prevalent now. The fact that those tools are so good and so easy to get your hands on. I mean, I've got a AI version of our CEO Danny and it's quite frankly terrifying. Now I, I've used it for nothing more malicious than saying he loves Max and Canadians and Scousers. But again, they would wouldn't be beyond the realms possibility that I could use my A.I. danny to call, you know, one of our infrastructure guys or one of our support guys saying hey, I need this immediately. So it's, it's, it's not beyond the realms of possibility. I mean even I, this is an example that I often use, which is Danny at one stage, I remember this distinctly, but Danny at one stage, about a year ago, and bear in mind that we're a cybersecurity company, we are a well educated and well trained staff. Danny sent a message on teams to everybody in the company saying I need you to download this and run it right now. Now, 40% of our staff tried to download and run the thing that Danny had just posted on teams just because it came from ostensibly Danny. Now anybody who knows Danny knows that he is only tangentially at any given time aware of the presence of his phone because he's very often on stage or you know, doing anything really that involves his phone not being on his person. But 40% of, as I said, a well trained and well educated cyber security companies workflow force trying to download and run an executable just because it came from the CEO was quite frankly terrifying.

Dave Bittner

And to be clear, this was just a test to see how you all did.

Rob Allen

Yes, not very well being the answer, but yes.

Dave Bittner

The cobbler's kids having no shoes. Right.

Rob Allen

Exactly. Now fortunately, I mean obviously it was just a test. It was just a little program that he'd mocked up. It was something that we block anyway because Threat Locker effectively blocks everything. So all of the people who tried to run the thing weren't able to, but it also showed up on our Unified audit going, this person tried to run it, this person tried to run it, this person tried to run it, multiplied by As I said, 40% of our staff. So it was just a test, but I think it was a very instructional or educational test insofar as it shows the weaknesses in people because fundamentally people very often are the weakest link. I mean you can't blame everything on people. But I mean these guys have obviously appreciated the fact that look, you can do the really hard, difficult hacking stuff. You can be out Looking for vulnerabilities. You can be trying to exploit those things or you can make a bunch of phone calls to a support, as I said, overworked and overstressed support department and you basically get access that way.

Dave Bittner

You know, it brings up a really good point, which is that I think a lot of people, when they find that they've fallen victim to this sort of thing or even fallen for like an in house phishing test, they will feel really bad, they'll have a certain amount of shame. And we try to remind people that this can happen to anybody. And as you're saying here, we have a company full of cybersecurity professionals and a not insignificant number of people in the company just did what the, who they thought was the boss asked of them without really thinking twice about it.

Rob Allen

Absolutely. So, I mean, it is not an exaggeration to say it could happen to anybody. I mean, look, we all know training is important and education is important, but look, we're SOC 2 certified. We have to do training every quarter. One of those things that people get trained on is don't just click on links because it came from somebody that you think it should come from or think would send you something like that. But as I said, it's a really good indication or illustration of the fact that realistically, with the best training, humans are still the weakest link in cybersecurity.

Dave Bittner

How do you take advantage of that teachable moment to turn that into a positive opportunity for the company to do better?

Rob Allen

Well, I mean, from our perspective, we use it, we tell people about it. We use it as an example that, look, if our well trained, well educated staff are, I'm not going to say this gullible, but this persuadable just because it came from who they thought it came from or who it came from. You know, Watson, typical, ordinary, not as well trained and educated environment going to be. I mean, we did a, again, Danny used to do a little bit of just sort of part time as a nice gesture of support for the school that his kids were in and same kind of thing. He basically, he just set up like a Gmail account saying, look, you know, this is Danny, I'm looking after your support, need your password to do X, Y and Z. And a frankly frightening amount of people literally said, hey, that's really cool, here's my password.

Dave Bittner

It's incredible. Yeah, people are very trusting.

Rob Allen

Well, they are. And again, it only takes a little bit of information to get people to be more trusting. And that's what a lot of these Gangs actually do quite well. I mean I. Another example from my quite distant past, I have to confess now because it was back in the days when I worked for an IT company back home in Ireland. And I'll never forget one. I got a phone call one night from a guy that I just did bits and pieces for. You know, he did a bunch of Macs and you know, set up his network and all this kind of stuff in his house. But he rang me one night pretty much in tears because he'd got an email to say that basically his everything had been hacked. We've been watching you through your webcam. We've seen you've been on an inappropriate sites and we've taken pictures of you while doing it. It. But the, the really interesting. And look, it's a standard scam, it's a standard spam email. I think I probably get 50 of them a week. But the point is, and how they made it more believable was they actually said your password is, you know, 1, 2, 3, 4, 5. Now they'd obviously pulled that from a breach site from some other breach a long time ago. But they use that little nugget of believable information, which is we know what your password is, and then gave them all of this other crap, which was we've hacked your everything. We can see what you're up to. And because of the believable part, he believed the whole thing and again applied the same to your overworked and underpaid help desk. You know, or if it, you know, it sounds like it's Danny on the phone. Hi, it's Danny here. Listen, I need you to retend my password immediately. I'm going to send you through a request right now. And it hangs up. Even if it's AI Danny rather than actual Danny. You know, you're overworked and underappreciated and underpaid. Help desk may well say, well, Danny was on the phone, so I'll do what he says.

Dave Bittner

You know, I had a similar thing happen with an associate who has a security company where they look after executives, you know, high value, high risk types of people. And he said, hey, for fun, is it okay with you if I go see what I can find about you and your passwords online? And I said, okay, sure. So he did. But you're absolutely right how disarming it is because he started saying to me, so tell me about this in your life. Is this your dog's name? Right? Like, what's the significance of this number? Was this the House number from when you grew up was this part of a phone number when you were in college? You know, and so what it really did was like all of these things where I thought I was being clever and stealthy, but also making it so that my passwords were rememberable for myself were useless, you know, because in these password breaches they could go in. And that's all that I think my friend did was, you know, cross referenced my name with a bunch of different password breaches and came up with this list. But what a picture together. Yeah. It was so easy to cross reference with information about my life that is easily available online. My hobbies, my interests, you know, all those kinds of things.

Rob Allen

Well, it's one of the reasons why those things have become so ineffective now because so much of that information is out there. The likes of the, you know, where did you grow up? Where did your parents meet? What's your mother's maiden name?

Dave Bittner

Right.

Rob Allen

They're as good as useless in this day and age because so much of that information is out there and gatherable.

Dave Bittner

Yeah. Let's swing back to Scattered Spider. You mentioned at the outset that one of the things that kind differentiates them or is notable about them is that they seem to focus on certain verticals at any given time. Yes, I think they were, they hit the insurance companies for a while and as you say, it seems like they.

Rob Allen

Had a bit of a. They had a bit of a thing for casinos not too long ago.

Dave Bittner

Is there any reason why we think they're doing this? Is it simply for their own convenience or what do you, what do you think?

Rob Allen

I actually, genuinely, I have no idea. I would imagine that they, perhaps they try a particular vertical, a particular industry. Industry. They have a little bit of success in that and they go, oh, we could have other targets here that are just as vulnerable as the ones that we just hit. So I, I don't think it's any more strategic than. Well, look, we've had success in this industry. Company X has paid us, you know, this amount. So maybe we can get the same off other companies in the same.

Dave Bittner

Yeah, I can't help wondering if there's kind of like a Dread Pirate Roberts thing going on where the, you know, as their reputation grows and. Because certainly if the, if the shop down the street who does the same thing that you do gets hit and there's publicity about that, all of a sudden you're going to be looking over your shoulder and I wonder if that makes the negotiations easier for the Scattered Spider group when the reputation precedes them.

Rob Allen

Possibly, possibly. And look, the fact that we're talking about it today, the fact that they, they, I mean the fact that they are a named group is something that means that the, the, the, their name, their tactics, their, you know, what they do and how successful they've been is out there.

Dave Bittner

Yeah.

Rob Allen

So as you said, if somebody is affected or if somebody is, is hit by them, then fundamentally they're probably more likely to take it seriously.

Dave Bittner

Well, let's talk about mitigations here in ways that people can best protect themselves. I mean obviously that is the business that you and your colleagues there at threatlocker are in. What are some of the basics, sort of universal guidance that you have and then if you can think of any, what are some specifics here that people should be on the lookout when it comes to scattered spider in particular?

Rob Allen

Well, I suppose there's a couple of parts of that, I mean as I said, quite unique insofar as they don't always deploy ransomware, they don't always try and encrypt data and they're, you know, a lot of cases, a lot of these groups, that's their primary function now they do often exfiltrate data as well, but it's with a view to effectively double extortion or getting paid twice potentially for the same data or you know, being more sure that you're going to get paid which is, hey, you guys got backups? You're going to get back up and running again? Well, we're going to release your data on the dark web. So a lot of the groups do that, that sort of two prong approach. These don't seem to be as preoccupied with the actual ransomware ring. It seems to be more about getting access, getting data. I mean obviously they're, they're quite, they're well evidently are quite adept at that. I mean, I suppose like obviously it's stopping the ransomware shouldn't be tremendously difficult insofar as like they're using, you know, well known ransomware strains are using Akira, alphav and Ransom Hub and things that have been out there for some time. I mean there's always new versions, there's always new things that people need to look out for. But realistically ransomware is ransomware. It's just code. So if you block everything then realistically you're going to block the ransomware from running again. You need to pay and appreciate and don't overwork your health. Decks staff would probably be a good place to start for a lot of organizations because they can very often be taken for granted. And you don't need to be that far up in the food chain to be able to do a lot of damage by, as I said, resetting a password for somebody who is in a position where they can do a lot of damage. So again, those people need to be again, trained, educated, you know, this is what you do, this is what you don't do. On the nose argument. It doesn't matter who's shouting down the phone at you. It doesn't matter if you think it's the CEO, if you think it's, you know who it is. These are the processes and the procedures. And if the processes and procedures aren't followed, then there's going to be trouble. So I mean, just, just, I suppose common sense is a long way, would go a long way towards preventing them being successful.

Dave Bittner

Well, and I think you bring up a really good point or important point which is that if anybody is trying to turn the heat up on you, is trying to put you into an emotional state.

Rob Allen

Huge.

Dave Bittner

Yeah. For. By yelling at you or saying, I don't have time for this or any of those sort of aggressive things.

Rob Allen

Yeah.

Dave Bittner

That you need to take a step back and gather yourself or, you know, maybe say, let me call you back.

Rob Allen

Yeah. No pressure is any sort of pressure like that is an enormous red flag. I mean, it's the same with email, you know what I mean? There's been a transaction on your account. You need to check it out immediately. I mean, basically email scammers use pretty much the same tactic, you know, which is to push people's emotional buttons to get a response. Same applies to these social engineering ones, which is that they are effectively pressing people's buttons and seeing what happens.

Dave Bittner

Yeah. All right, well, we are going to have a link to a really interesting article from our friends over at cyberscoop who really dug into some of the details about Scattered Spider. So we'll include that link in the show notes. We're going to take a quick break to hear from our sponsor. We'll be right back. And now back to our sponsor, ThreatLocker, the powerful Zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core Threat Locker product focused on Endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are allow listing, ring fencing and network control. Allowlisting is a deny by default software that makes application control simple and fast. Ring fencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network control locks down access by port, source IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from Threat Locker. And we thank ThreatLocker for sponsoring hacking humans. All right, we are back and Rob, it is time for our catch of the day. Our catch of the day comes from a listener who shared this. It was actually sent around from their campus IT department and this is a. A phishing example. So I'll read it and then we can unpack it together. Here it goes like this. It says, hello, you are qualified for pay increase on your next paycheck. Follow steps below to immediately confirm your details. Allow few hours for your congratulatory letter to be delivered to your email after confirming your details below. Click here to confirm your details. We thank you for your ongoing commitment to excellence here and congratulate you on your outstanding performance. Please note and be advised that matter relating to salary are confidential in nature and should not be divulged to other employees. Sincerely, Human Resources. Rob, what do you think?

Rob Allen

I think they, the bad guys need to try harder. In that case, genuinely, could they not just go on to ChatGPT, put it in and say, please English this better, right? It is not good. Allow a few hours.

Dave Bittner

Allow a few hours.

Rob Allen

Yes, yes, no. And also matter relating to your salary. I mean again, this has been known red flags for a long time. Was that bad English, bad grammar is pretty indicative that it is not the person that you think is going to be or who is actually emailing you, emailing you. But again, they're just massive red flags. And as I said, these scammers have obviously not tried very hard because they haven't gone to ChatGPT and said they English this better place.

Dave Bittner

Yeah, yeah. I guess the other obvious ones here are that this is something dealing with your paycheck. So they're looking for information related to that. We see a lot of these sorts of things where they try to get in the way of your.

Rob Allen

No, it's, it's, it's time related. You need to do this, otherwise you're not going to get your massive pay increase.

Dave Bittner

Right.

Rob Allen

The other thing is whoever gives money without being asked to give money, you know what I mean? How many companies do you know of that are saying performance is outstanding so we're going to give you loads of money without you asking for it.

Dave Bittner

Right, Right. It also seems to me like the kind of thing that your supervisor would come in and give you a pat on the back, right?

Rob Allen

Absolutely not.

Dave Bittner

Just send you an email from hr.

Rob Allen

Random email from hr.

Dave Bittner

The other thing that strikes me here is that they're saying that salary matters are confidential.

Rob Allen

Don't discuss this with anyone else.

Dave Bittner

Yeah.

Rob Allen

Again, big red flag.

Dave Bittner

Keep it to yourself. Allow a few hours for the letter to be delivered. Right, so give us time to steal all your money.

Rob Allen

Exactly. Exactly.

Dave Bittner

Yeah. This is not a long one, but there is a lot in here packed into such a simple phishing message.

Rob Allen

Yes, I'm interested as a few hours for a letter to be delivered to your email. It's not even a letter to be delivered. It's a letter to be delivered to your email.

Dave Bittner

Yeah, yeah.

Rob Allen

Because it takes so long for emails to get from A to B.

Dave Bittner

Right, right. All right. Well, that is our catch of the day. And of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans2k.com thank you. To ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. For sponsoring hacking humans, visit threatlocker.com and that is Hacking Humans, brought to you by N2K CyberWire. We would love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show. Notes. Please do check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

Rob Allen

I'm Rob Allen.

Dave Bittner

Joe and Maria will be back next week. Rob, thank you so much for joining us this week.

Rob Allen

It's been a pleasure, Dave, thank you.

Dave Bittner

And thanks to all of you for listening.

Rob Allen

Sam.