
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Phishing, Smishing and Other Cybersecurity Threats
Every click matters in the digital world, especially when cybercriminals are crafting increasingly sophisticated traps. Our latest deep dive into the murky waters of phishing, smishing, and digital deception reveals just how creative scammers have become—and how easily anyone can fall victim.

The team shares recent encounters with text message scams promising everything from free Home Depot gift cards to notifications about packages supposedly delivered to wrong addresses. These messages seem legitimate at first glance, but a closer look reveals suspicious URLs completely unrelated to the companies they claim to represent. What happens when you click these links? At minimum, scammers collect valuable personal information; at worst, they establish live connections to your device, allowing them to extract data or maintain persistent access to your digital world.

Nick's cautionary tale about nearly losing $4,000 on an eBay camera purchase demonstrates that even experienced security professionals must remain vigilant. The scammer had compromised a legitimate seller's account, posted attractive listings, and even provided real tracking numbers purchased online—all to create the illusion of a legitimate transaction. Only by using multiple layers of protection through PayPal and a credit card, plus proactive verification with shipping companies, was Nick able to recover his money.

The conversation extends beyond text messages to sophisticated email phishing attempts mimicking legitimate services like Norton LifeLock and Geek Squad. These messages feature convincing order confirmations, activation keys, and professional layouts designed to trick you into revealing personal information or downloading malicious attachments. Perhaps most alarming are voice phishing attacks where callers attempt to establish remote connections to victims' computers using legitimate tools like TeamViewer, creating serious ongoing security risks.

Protect yourself by scrutinizing sender addresses, using credit cards instead of debit cards for online purchases, employing dedicated password managers rather than saving credentials in browsers, and maintaining healthy skepticism toward unexpected communications. Remember: if an offer seems too good to be true or an urgent request doesn't feel quite right, trust your instincts—your digital security depends on it.
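The "first dead giveaway" the hosts describe, a link or sender address that has nothing to do with the brand the message names, can be turned into a simple triage check. The script below is an added example and not code from IT Audit Labs or the podcast; the brand-to-domain table and the sample messages (which use the reserved `.example` TLD) are constructed for illustration, and the domain reduction is a deliberately simple last-two-labels rule.

```python
"""Flag brand-impersonation lures by comparing the brand a message claims
to be from against the domains it actually links to or is sent from.
Constructed example: brand/domain table and samples are illustrative."""
from __future__ import annotations

import re

# Legitimate registrable domains per brand. Assumption for this example;
# a real deployment would maintain this table from verified sources.
BRAND_DOMAINS: dict[str, set[str]] = {
    "home depot": {"homedepot.com"},
    "usps": {"usps.com"},
    "amazon": {"amazon.com"},
    "netflix": {"netflix.com"},
    "norton": {"norton.com", "nortonlifelock.com"},
    "geek squad": {"bestbuy.com", "geeksquad.com"},
}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels (fine for .com brands; a real
    tool would use the public suffix list for ccTLDs such as .co.uk)."""
    host = host.lower().split(":")[0].strip("[]").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def claimed_brands(text: str) -> list[str]:
    """Brands the message invokes anywhere in its text, including in
    lookalike hosts such as usps-tracking-update.example."""
    low = text.lower()
    return [brand for brand in BRAND_DOMAINS if brand in low]


def find_domains(text: str) -> set[str]:
    """Registrable domains of every URL host and sender address present."""
    found = {registrable_domain(h) for h in URL_RE.findall(text)}
    found |= {registrable_domain(d) for d in EMAIL_RE.findall(text)}
    return found


def assess(text: str) -> list[str]:
    """One finding per (claimed brand, domain) pair where the domain is not
    one the brand legitimately uses. Empty list means no mismatch seen."""
    findings: list[str] = []
    domains = sorted(find_domains(text))
    for brand in claimed_brands(text):
        for domain in domains:
            if domain not in BRAND_DOMAINS[brand]:
                findings.append(
                    f"{brand!r} claimed but link/sender domain is {domain}")
    return findings


# Constructed samples modelled on the lures discussed in the episode.
SAMPLES = [
    "Home Depot: You've been chosen for a $100 gift card! Claim: "
    "http://hd-rewards.yokohama-deals.example/claim",
    "USPS: your package could not be delivered. Update your address at "
    "http://usps-tracking-update.example/",
    "From: Susan Carter <susan.c.billing@yahoo.com>\n"
    "Subject: Your Norton LifeLock subscription has renewed, order #N-00000",
    "From: orders@homedepot.com\nYour order shipped: "
    "https://www.homedepot.com/order/123",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        first_line = sample.splitlines()[0]
        print(first_line[:60], "->", assess(sample) or "no mismatch")
```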
You're listening to the Audit presented by IT Audit Labs.
Mandi Rae: Hello and welcome to the Audit by IT Audit Labs. Today I'm joined by Kyle and Nick. We're going to review social engineering, phishing, smishing and other trickery. Hey guys, how are you this afternoon?
Nick Mellem: Good Mandi, how are you?
Mandi Rae: Pretty good, thanks. What's the agenda for today?
Nick Mellem: So today we put together, kind of the whole team here collectively put together, some examples of some different phishing, smishing, some good phishing examples that we've seen in just the past couple of weeks. Just going to run through some of that and a couple of stories we have, so should be a good one. We'll kick it off here. We are going through this smishing, the SMS messaging. We have a couple examples here, but what we've been seeing recently is messages, and I'm sure many people that are listening to this, they're getting these as well. You're the ones that log into your Netflix account or your package has been delivered from Amazon and it's got a link, and it's pretty clear on these that it's not from who it says it's from. The first dead giveaway is the URL is not right. Let's say it's from Home Depot. If you want to get this $100 free Home Depot gift card, the URL that it's going to has nothing to do with Home Depot.
Mandi Rae: Yokohama was a big giveaway.
Nick Mellem: Yeah exactly. I guess for us it's kind of comical, right? Like this other one that says your package has been delivered is from like US-PSU; it's just totally off, right? And iPhone has done a pretty good job recently because it even has a "report as junk", so they're thinking it's fake as well.
Kyle Rosendahl: Yeah, and when we talk about this too, right, I mean, most of us are, I think, familiar, specifically when we work in cybersecurity, with, you know, what phishing is. But I mean, essentially, these people are just trying to get you to click the link or respond to them in some regard. And typically, Nick, then what are they trying to get you to do after that point? Right, because you or I or Mandi here, we mostly recognize that these are fake. They're not real. They're saying they're going to give you free money, or they're saying, hey, you know, look out, your package went to somebody else's house, click here to fix it. But why are people sending emails out like this? Like what is their goal in trying to get people to click?
Nick Mellem: I think the fairly quick, short answer is they need a reaction to their action. Right, they're sending this out and they need a reaction from us. So as soon as we make that connection, right, a couple of things are going to happen. Either you're going to go to a landing page and you're going to put personal information in to try to get this gift card or figure out where your package is. That could range from an email to, hopefully you're not putting any personally identifiable information in, but they're looking for that. Or, and probably the worst part, is they're looking to make an actual connection with your machine. So that's typically, I think, what they're looking for, and the one connection with the machine, then you know you could have a live person on the other end that's getting an actual notification that says, you know, we've connected with Nick's computer or phone, and they have a live connection. They can extract data or actively, you know, have a session with the machine and take off what they want.
Mandi Rae: Gotcha, yeah, crazy, because they're either insinuating you won something or they're insinuating like there's something that we have of yours that we need you to take action on, right? Trying to catch you off guard and also entice you. It's really, yeah, it's really a play on emotions, right, because who's not going to get excited about getting a free Home Depot gift card?
Nick Mellem: We've seen plenty of these with an iTunes gift card, right? A lot of us, we, you know, instant gratification. If you're going to get something, especially a hundred dollar gift card to something, you're probably going to jump on there and finish this quick survey, unless you've been trained or understand that this is fake.
Kyle Rosendahl: In most cases, are they trying to do malware onto the computer, right, as we think about those kind of malicious pop-ups that you run into on websites where, hey, we're going to lock your computer unless you give us something? Are they looking for that remote connection? Are they just looking for additional information? Are they looking to, I mean, extort money in some way? I mean, I think, if you've seen some of the videos out on YouTube of these people who go in and, you know, kind of scam the scammers and will create kind of reverse tunnels back into their kind of scam call center or tech centers or whatever it happens to be, it looks like there's a pretty big operation to,
Kyle Rosendahl: you know, we're going to collect money via Amazon gift cards. You know, go to your Walgreens, buy an Amazon card, come back here, give me the code, and then I'll take it, get the money off of it and then kind of leave you with nothing. But are they doing that just as a monetary gain, or are they trying to collect more than that from just kind of typical individuals? Or does it just go on like a case-by-case basis?
Nick Mellem: Yeah, my personal opinion is it's a case-by-case basis, right. They're going to take what they can get, right, and that could be exactly what you're explaining. I recently, well, not recently, it's a few years ago, I had somebody that I worked with got a phishing email, and in the email it was a phishing scam and it was really spoofing our manager, or one of the managers, I should say. And the email was saying, hey, I'm in a meeting right now, so don't shoot me a text message or anything like that. But I want to surprise everybody at our company meeting later with 10 $100 gift cards to iTunes.
Nick Mellem: Well, she falls for this and goes and gets these gift cards. In the email it also says scratch off the back, write the code and send them to me. Luckily, before she does this, she sees this person and gives them the 10 gift cards, and then, from that point, they're confused on why they have the gift cards. So there's your monetary value that, you know, if it's going to come in a form of money, cash or whatever it is, gift cards, they're going to get that $100, or, in this case, $1,000, to iTunes gift cards.
Mandi Rae: Right, and maybe that's the important point here for non-technical folks. Clicking on it is the first no-no, but if you do that and if you get further activity, no one should ever need the data on the back of a Visa gift card or on a gift card, unless it's for nefarious purposes.
Nick Mellem: Yeah, and I think, and this goes into different ways of being able to protect yourself, I recently had an eBay transaction. I did, and this is roughly a couple months ago, but when I was going into this I was purchasing a camera, and when I was doing it, I was talking to my wife and I said, well, this is either the best deal ever or it's going to turn into a really good podcast topic. Well, it turns out it was a good podcast topic because it was fake. I went round and round with this person after I had made the purchase and contacted. The moral of this whole story, if I'm backtracking one second, is that you really want to use and protect yourself with using a credit card and PayPal.
Nick Mellem: It was, in this instance, what saved me. So I went to this comfortable knowing that I did that. But when I'm talking to this person, they're sending me tracking codes so I can track this package. And when I'm tracking the package, it's saying it's going to somebody else's house, right? So in this example, I was able to clear up and get all my money back by using these couple of protections, by using eBay and PayPal. And the third was I used an Apple credit card, and they sent me my money back instantly, and then a month later PayPal reached back out and said that this was a scam. So they all don't come hidden in a text message. It could be something that is literally just on eBay for you to purchase, and you fall into their trap and purchase it, right. So they're really coming at us from all different directions. But that was just a quick, quick story I had of a recent purchase on eBay that actually ended up being a scam.
Mandi Rae: So to dig in a little deeper, Nick, what was the actual scam part? So you did buy something from a legitimate seller.
Nick Mellem: Yep.
Mandi Rae: And where did this scam come in?
Nick Mellem: Yeah, so what had happened here is the seller on here's account was actually breached, so somebody was in between, right. This person's account was being used by a malicious actor. They put some pictures of a camera up that they don't actually have on somebody else's eBay account. So the scam was to get you to buy this, hopefully wait a certain amount of days and wait for PayPal to release the funds to this person, and then you never see it again.
Mandi Rae: So then, when you tracked this tracking number that you were given, it was actually a legitimate tracking number for a package unrelated to your purchase. Yep, correct, so I had gotten it, but that's what triggered you.
Nick Mellem: Well, I was kind of, you know, I was on edge extra throughout this whole process, obviously because I was, you know, thinking it was way too cheap to be real.
Nick Mellem: But when I was getting given these tracking numbers, I called FedEx right away and I said, I know you're not going to tell me where this package is going, but can you verify the address? I'll verify my address and you can tell me if it's coming in there or not. So every time I did that, it wasn't coming to my address; it was going to one that was, you know, in my proximity. But so that's what it looked like. It was out for delivery in, you know, that certain city, so you wouldn't track on her, you know, track on what they had right away. But by calling I was able to verify that it was a scam, because you can actively buy, malicious actors can actively buy, actual tracking numbers online, and that's what this person was doing. They had purchased, you know, multiple active, different tracking numbers that were actually being shipped during this whole process. So it looked very legitimate if you, you know, didn't have some extra training or knowledge on what's actually happening.
Mandi Rae: Did you get your money back?
Nick Mellem: I did, yep. So PayPal worked with this person and they didn't release the funds. And what actually happens with PayPal is they don't release the funds to a lot of eBay sellers for five to seven business days. So I had notified them like two or three days after, so they put the money on hold and they gave this person, I think it was 20 days, to respond. They didn't respond, so they released the money back to me. The second part of it was Goldman Sachs is the holder for the Apple card, and during this time they released the money back to me, and when the money was released back from PayPal, the refund was complete. It all worked out in the end.
Mandi Rae: That's good to hear with your circumstance, because it's not always how these situations play out.
Nick Mellem: Yeah, I'd say most of the time it's unfortunate, but if people aren't getting their money back, they've fallen into the trap and, you know, their money is gone, and hopefully it's not a whole bunch of money like this was. This is just, this is roughly like $4,000. So it wasn't cheap at all, but a lot of times it's a much lower amount of money. But you know they do it so often that people just, they're not getting their money back, right, but it adds up over time. So I had another one that came up as well.
Nick Mellem: I thought this was kind of interesting, and this was an actual fraud on my credit card. So one of the days I was at home, and my wife and I, we both work from home, and I got this email that says thanks for your Panera order. And in doing this I go to my wife and ask if she had ordered Panera Bread. Turns out she didn't. So then I call this Panera Bread and I let them know that we didn't order this and to cancel it.
Nick Mellem: Well, the way I figured this out was looking at the actual email here. It shows the address. Well, it's in Indianapolis. I was in Minneapolis at the time, so you know. After that I called my bank, USA, and had them cancel the credit card, but to this day I still don't know how my card was stolen. This is a little while ago, in January, or in June, excuse me, and I just had my credit card replaced, but it was a very, you know, it was an active time where a credit card had been stolen, and it was a debit card, which is a little bit scarier. So that was another one of my points before, is to use a credit card whenever you can, because it's a lot easier there to work with your credit card company versus debit card money.
Mandi Rae: Yeah, I think we learned about that too. It was an important point that Eric made in previous podcasts, the personal information security. These are exactly the kinds of things that you're trying to avoid when, you know, protecting yourself, your credit, your passwords, your logins, et cetera.
Nick Mellem: Yeah, thanks for bringing that up. I was actually going to mention that I believe Eric did bring that up before about using a credit card whenever you can. So, yeah, thanks for doing that. We had a couple other phishing examples that I think, Mandi, you had sent in, and you know these are similar to the ones we've been talking about on this episode, about different links within the emails to click on, and this one here is actually from Susan, with a couple kissing lips, and I was wanting you to click on this link here for a webcam to meet some specific people. Mind you, I didn't know Susan.
Mandi Rae: I didn't click to see her private parts.
Kyle Rosendahl: I feel like you see a lot of these online too. I mean, there's the whole like meme across the internet too, where it's like, oh, when I had my ad blocker on, right, all the hot singles in my area disappeared. So, you know, once I turned my ad blocker off, all of a sudden they found me again.
Mandi Rae: Does that mean the hot singles in your area are spoofs and bots?
Kyle Rosendahl: Apparently, yeah, when it comes to my free email inbox, yeah. Um, but no, I mean, it's such fascinating stuff because, like, you'll see these, or you'll see other ones that are like, you know, check out my, you know, add me on Instagram or add my Snapchat, and, you know, there are these links to these pages and these profiles that it's like, oh, there's this beautiful model on this page, and you know it's fake, right? And you know they're trying to get your money. They're trying to get you to connect and talk to them so they can either get you to connect back or, oh, just pay me, I'm trying to get my business off the ground. Can you get me a Google Play Store $50 gift card, right? Or go to this link and subscribe to this and I'll send you this stuff, right?
Kyle Rosendahl: I mean, it's all just so, like, exploitative, but, at the same time, like, you know that these profiles that they're building out there are just fake. I just really wonder, like, how effective these scams are, because I would never click on a link like this that I just get in my email from someone I don't know, but you wonder how many people actually click on these things, and then what types of data they're collecting on you. Once you click, are they pulling stuff from your browser? And then what's their goal after that? Do they just want you on the webcam page? Are they trying to do more? I don't know. It's fascinating stuff.
Mandi Rae: It's super fascinating, especially when I think, like, how did they get my information? I can promise you, in this email account I'm not doing anything to solicit any Susans. When it came to being offered like the DeWalt power tool or anything like that, I am renovating a home and somehow they must have got my information. And this was really relevant to me and what I was doing on the internet, what I was buying, and that in itself is kind of invasive and scary also.
Nick Mellem: Yeah, these are great examples, and I'm laughing at the Susan one again here, because, going back to what Kyle was saying, how many people actually click on this? Right, I'm not thinking, wow, I'm gonna click on this and I'm gonna meet a bunch of people, but I'm guessing there's people out there that do fall for this, and they click on this and it brings them to some sort of website that's probably malicious, and that's, you know, they're getting their personally identifiable information, but absolutely.
Mandi Rae: I remember it must have been in 2012. I'm kind of dating myself, but before smishing was prevalent, and phishing wasn't as well, I guess I feel like those of us that weren't in the tech community weren't as educated about phishing attempts. I received one of those links where you click on it and it turns on your webcam and it takes a picture of you, and I was making the world's most awful face ever because I'm like looking at my computer, like, what are you doing? Like just not understanding what's happening. And then it goes into that timer and it's showing you that horrible image of yourself it captured, and it's saying it wants money to make it go away. This is just kind of that next level what people are doing.
Nick Mellem: I'm actually glad you brought that up, Mandi, because that triggered another story in my head. I know this went around, I think maybe five or six years ago, where, you know, people hadn't, you didn't have to be on some sort of adult website, but your computer is physically being locked and said the FBI is going to contact you because you're on some wanted list for some sort of pornography or something of the nature. Well, people were paying the ransom, because it gave you the option: you can pay the ransom or the FBI is going to contact you. Well, I believe it.
Mandi Rae: If you're guilty, I would have paid money. But that picture, I was like, this isn't so bad. What's the worst you're gonna do? I didn't give them anything.
Nick Mellem: In this instance, it was like, you know, the person they're interviewing was a teacher, right? So obviously those two don't mix, so this person actually paid the ransom. I think it was $10,000. But you bringing it up sparked that.
Mandi Rae: Scary situations. Don't click on things and don't pay people money unless you know who they are. It's the moral of our story.
Nick Mellem: Exactly, and, you know, there's plenty of these different, hey, congratulations. It looks like it's coming from, looking at an example here, from Kohl's, some sort of Ninja Foodi grill. Well, you know, it looks legit, but if you look around a little bit more, right, the email address might be off. But there's a lot, a lot of things that look weird, um, you know. So what we're getting at is don't click the link if you don't know.
Mandi Rae: Ask, right, before you, before you do anything. If it looks sketchy, it's definitely probably too good to be true. Yep, I think you're spot on there.
Nick Mellem: I'm looking at this example right here. It just says the congratulations on the Kohl's one, and, you know, the font seems a little bit off. But other than that, like, right, if you're not somebody that's in the industry or looking, this one looks pretty real.
Mandi Rae: I'd say I think one of the best educations I ever received is going back up and looking at the sender, right. I think one of the ones you showed earlier in terms of the smishing, it was very obvious that the sender was not Home Depot.
Nick Mellem: Yeah.
Mandi Rae: And I think nine times out of ten, that's the way. It's the easiest way to discern if it's true or not.
Nick Mellem: Right, yeah, say you're on your computer, you can hover over the sender and it will actually reveal where it came from. Well, one of the examples we have here too is from Norton LifeLock, that it was saying, you know, the subscription is going to be up, you know, pay your bill. Well, if you look at the actual sender, it came from a random person's name at yahoo.com. Well, Norton is not sending from a personal, personal email, so that was the dead giveaway there. Um, and if you actually call the number, which I did do on here, it goes to some foreign location help center, and as soon as you start to kind of play their game, they generally, they hung up on me.
Mandi Rae: So I started receiving something similar like this Norton LifeLock one. Is another one where aesthetically it looks legitimate, but in some of the keys you've given us, it's, A, I didn't make this purchase. I wasn't expecting an order confirmation, right. B, where is this coming from? Hovering over who sent it. I've been receiving a lot of different phishing attempts from customers. What's the Geek Squad?
Mandi Rae: Oh, sure, yep. Where, just like you're mentioning, the things, the logo looks a little off. The sender isn't legitimate, but it actually wants me to download an attachment. It's saying it's my invoice, and I know I don't use Geek Squad because I have Kyle and Nick's cell phone numbers. So obviously I reported it as phishing and deleted it.
Nick Mellem: But I could see how that one would be tricky too. Oh yeah, and I mean they're really tripping you up here, because I know we've said it a few times, and it's, Mandi, it's like what you're saying. But when you look at this Norton LifeLock one, you know, it's a very legitimate-looking order summary. There's an order number, activation key. I mean, it looks real. If I didn't make this purchase and didn't know right away, anybody could think that this is. We had spoke before about, you know, making the connections to people's computers. Yeah, that's something you do with alliances. Is there anything you can speak to on that?
Kyle Rosendahl: Yeah, I mean, I think it happens more with, like, those voice phishing attacks, right. If someone's calling you on your phone and you pick up and they say, hey, you know, I'm from the extended warranty center for your car. You know, can you tell me what kind of car you have, what year is it? You know, confirm your phone number for us. And now, you know, we're going to look up your car. Oh, you're able to get this, but we need to get some additional info. Like, we can connect to you remotely and, you know, help you find that information on your computer if that would be helpful. And they'll have you go to a site like TeamViewer, and it's a free service that provides that remote connection to a computer. So it's not a paid service; there's a free version.
Kyle Rosendahl: They'll have you download it, run an agent on your computer, and then they'll say, okay, now read me your six-digit code that we know is on the screen there.
Kyle Rosendahl: You'll give that to them.
Kyle Rosendahl: They'll use that to initiate a connection from wherever they are, if they happen to be somewhere in Southeast Asia or in India, which is typically the two places they connect from, and then they'll ask you to give them control over your computer, and then from there they can dump files, they can pull stuff off, they can do things, you know, kind of whatever they want remotely on your workstation.
Kyle Rosendahl: So that's typically what they try to get you to do. And, you know, I'll talk with them on the phone and just kind of see what they're after, just for fun, just to get a better understanding of how these things work. But yeah, downloading anything, I mean, pretty much no one that calls you on the phone should ever be asking you to, you know, download a piece of software so they can connect remotely. I mean, unless, you know, it's part of a business that you work for or anything specific, right, but I would never download anything that someone on the other side of the phone that I've never talked to in my life before tells me to do. So, well, yeah, no, that was great.
Nick Mellem: Thank you for that. I think, uh, and the two of the kind of scary thing about that is, once you've made that connection, they can pin that, and it's, you know, until you keep that computer off, right, they can jump back on it technically whenever they want. So it does make it a little bit added. It's a little bit more scary that way, because if they can jump back on, they can do whatever they want later. Pull that information, you know, look at your recent browser history, you know, and start sending specific targeted phishing emails or something of the nature.
Mandi Rae: Or this is just another good example of how, we talked about earlier, a best practice would be not saving your username or your password in your web browser. Although we get it's so convenient, it's really essential to use a password manager, because in circumstances like you guys are talking about, if someone has access to your home or work PC via that TeamViewer, they could go back in, and that's where they could do malicious activity, and it'd be really easy for them.
Nick Mellem: Yeah, absolutely. Password managers whenever possible. Don't save it in your browser.
Mandi Rae: Well, I think this concludes our podcast on just being aware of phishing, smishing and other web trickery. To find out more, you can visit us on itauditlabs.com. We're also on all the socials, and we have other podcasts, if you haven't checked us out before, that talk a lot about personal information security, best practices and things to watch out for. Any closing comments, Nick or Kyle?
Kyle Rosendahl: Nope, nothing for me, just appreciate everybody being here.
Mandi Rae: No, nothing for me. Thanks everyone. Thanks for your time today. We hope to see you again on another episode of the Audit by IT Audit Labs.
Eric Brown: IT Audit Labs assesses security, risk and compliance. Our threat assessments find the soft spots before the bad guys do. Whether you are looking for a point solution or a broader security program, contact IT Audit Labs to reduce your organizational risk.