The Audit - Cybersecurity Podcast

So, You Want to Be in Cybersecurity?

IT Audit Labs Season 1 Episode 14

In this episode, The Audit discusses day-to-day operations in the industry with cybersecurity expert, Nate Ristine. From creating and hunting down phishing emails, to the emotional aspect of social engineering, find out what tools Nate uses to make it all happen. 

Eric Brown:

You're listening to the Audit presented by IT Audit Labs.

Nick Mellem:

All right. Welcome everybody to another episode of the Audit. I'm joined today by Eric Brown and Nate Ristine. Nate, welcome to the show.

Nate Ristine:

Yeah, thanks for having me. Happy to be here.

Nick Mellem:

Excellent. Today we're going to, you know, kind of go through everything phishing. Nate is, well, I would call him a subject matter expert in the field. He works on it day to day, amongst many other things, but this is really what we wanted to dive into today. So, Nate, first things first. What does your day-to-day operations look like?

Nate Ristine:

Well, first thing is coffee. You can't go without coffee, you need it. So two or three cups of coffee. Start looking through some alerts, digging through some of the phishing emails that have been reported. Sift out the false positives. Get those back into the rightful owner's hands. Then you find the malicious ones. The more fun ones to go through. A lot of the day, when going through those, is... I guess it really depends on how many you have. If you've got 100 malicious ones you've got to go through, then you've got to go through them kind of quick, get them done. But when you've got a few and you can really deep dive into them and really look and see what the attacker's goal is, those are the most fun.

Nick Mellem:

Absolutely yeah. When you're going through these, is there a specific day of the week that you've noticed that's worse? Is it Monday? Is it kicking off right away, or is Wednesday more than others, or is there a specific day you can remember?

Nate Ristine:

Monday mornings. People are normally catching up on emails that are coming through the weekend or on Fridays, so you'll normally see quite a bit of them on Monday mornings.

Nick Mellem:

I always felt like, at least when I was looking through these types of things, Fridays, things just blew up in your face and you were ready for a long day going into the weekend.

Nate Ristine:

To me, Fridays have always been the calmest, because I don't think anyone likes to work on Fridays. That's a good point. Or at least check their emails.

Nick Mellem:

They're late to check their emails on Friday.

Eric Brown:

Just to back up a second on your coffee. Are you grinding your own beans, or what are you doing there? I do grind my own beans. Yes. All right, let's unpack that, because I'm also...

Nick Mellem:

I'm interested now.

Eric Brown:

Yeah, a bit of a coffee guy myself, you could say. So what do you do? What's your routine?

Nate Ristine:

I take a half cup of whole beans, grind them up into a fine, I guess, fine powder, yeah, and put them in the Mr. Coffee machine and let it run. Gotcha.

Nick Mellem:

Oh, so you're not doing a pour over or anything.

Nate Ristine:

No, nothing fancy for me yet.

Eric Brown:

Cool. Are you getting the beans from anywhere special?

Nick Mellem:

Walmart. Hey, there you go, big spender.

Eric Brown:

What about you, Nick?

Nick Mellem:

Yeah, I kind of go all over the place. We have an espresso machine and we just got a new Keurig, because they kind of crap out, I feel like, once a year, but the new one has a milk frother and everything, so it does all kinds of crazy stuff. And it's like, can it be on the Wi-Fi? Ours is not, but it can be. Oh, wow. Yeah, one less point of failure to be hacked, so we'll leave it off the network. But yeah, I actually like to do pour-overs, I guess, pretty regularly. That would be my poison of choice, I guess.

Eric Brown:

Yeah, cool. And Nate, how many tattoos?

Nate Ristine:

Just the one.

Eric Brown:

Just one tattoo.

Nate Ristine:

Yeah, but the one is a quarter of my body, so... Okay, all right, so it's good.

Eric Brown:

I don't think you can be in security without any tattoos, can you? I mean, unless you're posing? I'm not sure. What do you think?

Nick Mellem:

Yeah, I think you got to have some of them. Yeah, I think they're kind of like battle scars, right.

Nate Ristine:

They just, like, come with the territory. That poses the question: what are yours, Eric?

Eric Brown:

Uh, so, interesting. I don't have any, so I must be posing, but I did... I went to CES this year and I got the Prinker, which is a tattoo printer. So, like, you can print tattoos. They look, yeah, I don't know, they look okay, um, but, uh, yeah, I started playing around with that. Uh, you actually bought the printer? Yeah, the printer.

Nick Mellem:

That's awesome. Because I saw you send that, and that thing is pretty cool. Yeah, when I got home I ordered one. Yeah, that's really cool. So it's kind of like you can just print whatever tattoo you want. You can just find anything online and print it. Yeah, there's certain size restrictions, like, you know.

Eric Brown:

It's like an inch wide by five inches long, something like that. Yeah, you can do some cool stuff with it. You can make a snake, yeah. And then, Nate, just by way of setting the stage, the organization that you're working for now and doing a lot of research with, you get about 100,000 emails a day, and of those, I don't know, what do you think are spam? About 50% or 60% are spam, malicious, whatever, like non-business related.

Nate Ristine:

From emails outside of the organization. Maybe 40% to 50% fit that not necessary range, whether it be marketing campaigns or malicious attachments, yeah.

Nick Mellem:

Nate. When you say not necessary, what do you mean by that?

Nate Ristine:

It can be a lot of spam or something that's truly malicious, or something that's a marketing campaign. It's not malicious, but 90% of people don't want to look at them either. So I guess low priority is a good way to classify them.

Nick Mellem:

Sure absolutely.

Eric Brown:

So we were getting into. You come in, you have your coffee and you're starting to unpack these emails. So let's say you find one that bypassed all of the filters. It's actually a legit phishing email.

Nate Ristine:

What do you do? If we've already determined that it's 100% malicious, then I dive right into clicking all the links, figuring out where things are going, what the attacker's goal is, what kind of information they are trying to capture, and that kind of stuff.

Eric Brown:

Are you just clicking the links on your regular machine?

Nate Ristine:

Nope, I will bring the email into a sandbox environment, whether it be VirtualBox, VMware or some random server up in Azure or AWS.

Eric Brown:

And are there tools that you use to see what they're doing, like how do you exploit this or how do you look at it?

Nate Ristine:

When opening up the link you can view the source code of... Normally it's an attachment that they send. So you can view the source code of the attachment or the landing page and kind of look through what they're supposed to be doing, or what they're showing that they're going to do on the front end. That can lead to some information, like pre-populating the email address of the victim in the majority of cases, or causing redirects. With a lot of phishing campaigns, they'll send you this attachment that loads up a web page. That web page is going to send you to two or three different URLs before you actually hit the actual phishing site. So you can find a lot of the steps in the chain by looking at the source code. Once you start clicking on stuff and entering credentials, or, well, fake credentials, or other information that they're looking for, you can load up Burp Suite or some other proxy and capture all the information that's going back and forth. That way you can really see, well, I guess, what kind of information they're doing, what portions of the website are being executed and what format they're accepting the data in. What's something interesting that you've seen?

Nate Ristine:

I think the most interesting one I've found like that, when I went to submit credentials, it actually executed PHP code, or a piece of PHP code that was supposed to be hidden on the back end, but it was actually shown in the front. It was accessible on the front end, so I was able to grab the code that was actually sending, or in control of sending, the credentials to their repository. So that was pretty fun. Unfortunately, they had that repository pretty locked down, so while they screwed up on the phishing site, they were doing things right on that side.

Nick Mellem:

Sure. Nate, you mentioned Burp Suite. I think that leads me into wondering what are your go-to tools, or is there a handful of tools, or one or two, that you just feel like you couldn't do your job without?

Nate Ristine:

Burp Suite would probably be one of them. Capturing that data going back and forth is pretty essential, and a good text editor really is the other very important thing. A lot of these attachments are just HTML attachments, or if you're looking at the headers, you want that data to look clean and be easily readable, so having a good text editor is very important.

Nick Mellem:

Yeah, that's good information to have, for sure. You've been kind of keying on that. You're seeing common trends, tactics, you know, that you can comment on?

Nate Ristine:

Yeah, well, right now there's, well, I guess not as much right now, but when the Ukraine-Russia war began, uh, there was a lot of emails with information on that. Back during the George Floyd stuff, there was phishing stuff on that.

Nick Mellem:

Any major event, uh, in the world, there's going to be phishing emails for it. Sure, and I suppose when you bring up, you know, the Ukraine war, that brings in kind of that emotional aspect. And, Eric, I know you have spoken about this before as well, you know, kind of a new thing we're seeing along with social engineering, which goes alongside phishing as well, that emotional engineering. I think, you know, we're seeing it more and more, but I think we can probably unpack a lot there, right? Is that something you're seeing, Nate? Is, you know, you click on this link, you get a free burrito, you know, do you? I see you laughing right now.

Nate Ristine:

So, yeah, it's kind of a fun one. Yep, um, emotional stuff can be one of the better ways for the attackers to actually get their phishing stuff to work.

Nick Mellem:

It's kind of a long and crude.

Nate Ristine:

Yeah, yeah. A lot of the phishing emails you'll see are just kind of blasted out to everyone. They're very generic, but if it comes to a point where it's a more targeted attack, they can get pretty ruthless on how they do it when it comes to pulling on emotional heartstrings.

Eric Brown:

It's a good point, Nick and Nate. I was at a security meetup the other day and some pen testers were talking about some of the techniques, uh, and some of the clients that they worked with, and one pen testing company was replaced because their social engineering campaign, where they were doing a phishing attack to get a way into the organization, used some pretty harsh emotional engineering against a specific person. And the discussion then was around, as pen testers, we're the good guys and we're not trying to cause emotional stress or strain or damage on an individual at the organization, because if we were, you could win every time, so to speak, because those always get through. So then the thought was, well, can we come up with other ways to get into an organization without going to that extreme? And I think, unilaterally, the answer was yes.

Eric Brown:

Um, and then the conversation turned to, what about the monthly campaigns that we do? And, Nate, you were talking about the real-world examples that we're seeing tend to follow what's happening in the news, because that's current. So what do you guys think about that? Right, as we craft training emails for our user base, where do those training emails lie? Right? Are they on the side where there is that emotional piece, or is it a little bit more fun, kind of in the middle with the burrito, or is it something with misspelled words that looks pretty obvious to most that it's a phishing email? Really, because those very difficult phishing simulations that are on that higher end, where they are very well crafted and pull on those emotional heartstrings, from a security perspective, should be what we're doing.

Nate Ristine:

We should be testing users for that, so that they're aware and they find those little details that signify that it's a phishing email. But again, on the other side, we're a team, we're not their enemy, we're their coworkers, we're their friends. We shouldn't be pulling on those strings like that. So it is a very hard thing to balance.

Nick Mellem:

Yeah, it's kind of a double-edged sword.

Nate Ristine:

Yeah, yeah, it's kind of a double-edged sword. There's no winning. Yeah.

Nick Mellem:

I can see both sides of it, you know. Personally, I don't think we should be pinning them down all the time. I do think we need to just be honest with ourselves, and we have to look at it through the lens of the attacker. They're not going to take it easy on our colleagues, coworkers, too, even though they're our friends. We see them every day at the water cooler. They're getting the same emails that we are. We should be crafting similar ones to test them.

Nick Mellem:

When I was in the military, my senior leaders used to always tell us, probably when we were complaining too much, that the more we sweat in peace, the less we bleed in war. You know, the more we sweat in peace, the less we bleed in war. So I think if we can simulate the best training, you know, right, for our customers or clients or our colleagues, whatever have you, you know, we're really doing the best service for them, because we want to train them for these, you know, 50% of the emails that are coming in that we said earlier are spam. We want to train them for the real deal. So, yeah, it's kind of a double-edged sword. You don't want to bait them in all the time, thinking they're getting a free burrito or tickets to an amusement park, per se, but those are the emails that they are getting, so we definitely have to train them for that.

Eric Brown:

Well, we spend a lot of time and effort dealing with non-business emails because the malicious actors are using that as a threat vector. So it hasn't gone away. It seems to be... it's probably gotten worse, and no matter what tools we have, they still get through, right. I mean, there's great tools out there, new ways to catch these emails all the time, blow them up in a sandbox, but they're still seeing that, right. It's still making it through all of those defenses, and it comes down to the human at the end.

Eric Brown:

I've advocated in the past that, from a business perspective, there's no reason to have commercial emails, or emails from commercial accounts, that contain href links.

Eric Brown:

So if you removed the ability to click on a link from the email, that would, I think, solve a lot of problems. If the user really wanted to get to whatever that was, they could copy-paste it into a browser, but most of the time you would see that it's a really long string of numbers and letters that is masqueraded by that href link that goes to, you know, some common words that might entice you to click on it, but really it's just going back to a site that was spun up in some sort of cloud hosting provider that is used to capture creds or redirect or what have you. But it's probably a trillion-dollar industry, that email filtering. And Nate, you were talking before, kind of offline, about maybe some of the stuff that you do with the credit cards. Right, because you'll get a phishing link, you'll exploit it and then it's asking for some sort of payment. What do you do there?

Nate Ristine:

So I've been trying to find new ways to dig deeper into the attacker's goals. So over the holidays I was sent a text message, or a link from a text message, that was for UPS. So I went in there and I was going through it and it looked... it was a very good-looking site. I mean, if I didn't notice the URL, I would have believed it was UPS. I started going through it and you click on a couple of links.

Nate Ristine:

You enter in your zip code and they then want you to add personal information. So you throw in a fake name, fake address and everything. Then it tells you, well, your package, it was redirected. Or we have... you have to pay a dollar and 45 cents plus VAT, which is European tax, which didn't make sense, but some of the attacks have done a little bit better and have American tax on there. But once you enter in all this personal information, then it asks you for a credit card to pay this $1.45 fee. Well, not many people want to give up their credit card number just for testing. So there's a site called privacy.com. You can sign up for free. You link your bank account on one end, and then on this privacy.com end, you get to make as many free credit cards as you want, so you can use different names, different zip codes, different credit card numbers, expiration dates. Everything can be different for every single purchase.

Nate Ristine:

What I typically do is I'll set like a dollar spending limit, so that way when they do try to charge my card they can't take more than a dollar. But yeah, so I throw one of those fake credit cards in there, wait a couple of days and then start seeing charges. This one specifically was for, is it? I think it was Squarespace, which is a website hosting website or service. Maybe they were trying to set up a new phishing site, uh, to trick more people. Or maybe they were just using that to test if the card was valid to go sell the credit card number on the darknet. It's hard to know. But once that dollar... they tried to charge a dollar 45 cents and that failed because it was over my limit. So I guess I don't really know what they would have done next. So yeah, next time around maybe I step it up a little bit, maybe I risk $2, put $2 on the line to see where it goes next, you know.

Nick Mellem:

I think you should do that and report back, please. That's really interesting.

Nate Ristine:

There's been another thing I've been meaning to dig into a little bit more. With Google Workspace you can set up this business email address for fairly cheap and you can monitor the emails that have been sent out from, like, an admin perspective. So I let this account get compromised and then, from the admin side of things, I can see all the emails that go out from them to further investigate what their attacks are, what they're trying to do. But I'm a little bit skeptical about moving into doing that, because then I'm knowingly allowing them to compromise this email and use it to attack others. So unless I can edit the email before it's sent and say, like, in the subject line, this is a phishing email, don't click, then I could see myself getting some negative results if I knowingly allowed an attacker to continue working.

Eric Brown:

Can you send it off to a different mail relay where you control that relay, and then you can manipulate the outbound messages, like you could just shoot it to a trash can or something like that?

Nate Ristine:

Don't know. I haven't found that available, or that option, in Google yet, but maybe... there's definitely other services that can do it, though. I just don't know if Google Workspace can do it.

Eric Brown:

So you're seeing... I think you mentioned text messages too, right? Have you guys both been getting smishing or SMS phishing messages?

Nate Ristine:

I have one work phone and one personal phone. My personal phone I don't get anything, which I don't know how I've managed to do that, but I guess it was just luck of the draw.

Nick Mellem:

I'm not going to mess with you. What's your phone number?

Nate Ristine:

Yeah, 69-41028. Yeah, your work phone, you get a lot, Nate? Yeah, my work phone gets a lot. I don't know why that would be. Maybe it was just luck of the draw, maybe having it associated with different accounts.

Nick Mellem:

Whoever had the phone number before you could have used it and then was involved in a breach or something.

Nate Ristine:

Yep, yep, that's very possible.

Nick Mellem:

Yeah, for some reason over the past two days I've gotten one from Amazon that my account, you know, they noticed some, you know, some odd activity, with a link, and these are good emails. The only way that I know is because of the sender information that comes up on the top on an iPhone. I'm sure it does the same thing on an Android.

Eric Brown:

Are you talking about text?

Nick Mellem:

Yeah, this is via text. Okay, I got another one a couple days before that from PayPal saying the same thing. They want me to call. They didn't leave a number, but they specifically say, to unlock your account, contact us or click on this link. Again, with the crazy... I didn't. I did not.

Eric Brown:

You should call it. Throw it on the speaker right now. Let's see what happens.

Nick Mellem:

This one right here. It says call us, but the number is blank. It doesn't have a number. That's why it's odd. Otherwise I definitely would be down to do that. And then I got one from Netflix, and I think we've all seen that one too, where they want us to change our password or whatever have you. Suspicious activity, logged in somewhere else? So they're definitely out there in abundance, that's for sure.

Eric Brown:

That'd be a fun episode if we each came with a couple numbers and we just started calling them.

Nick Mellem:

It would be very interesting, that's for sure. I think people would love that.

Eric Brown:

And then we just tie the two together and let them talk to each other and see what happens.

Nick Mellem:

Yeah, I think I've seen that as a video, where some lady calls two, um, Chinese takeout restaurants and they're yelling back and forth: no, you called me. No, you called me. What do you want? What's your order? No, you called me. So, similar thinking, that could be pretty...

Nate Ristine:

There's a couple Twitch streamers out there that focus on this kind of stuff, where they call a scammer and trick them. It's always fun to watch.

Eric Brown:

Where they're trying to get back, and, uh, I think I saw one where they were able to get the guy's camera on and see the, uh, the building that they were in. Yeah, how about offline stuff? Have you got anything offline, mail?

Nate Ristine:

I don't think I've gotten anything too crazy in the mail. There's definitely the weird marketing campaigns, but other than that I don't really get anything from mail.

Nick Mellem:

Nate, because you're in this industry, do you get a lot of texts and calls from your mom or anybody, family, dad, grandma, grandpa, saying, hey, Nate, I got this message, is this legit? Do you get that?

Nate Ristine:

Yeah, there's definitely been the calls of, what do I do? Uh, it certainly happens quite often. Uh, during this talk I remembered this, uh, this call. Like we were talking about earlier, about calling the scammers and seeing what they're trying to do. A few years ago my mom plugged in her computer and she got this pop-up saying call Windows support right now, your computer's locked for this and that, the common thing you'd see nowadays. But she called him and the guy kept asking for money. So she called me and she's like, can you figure out what's going on? I'm like, yeah, it's a scam, let me call him.

Nate Ristine:

So I spent an hour on the phone with this guy, just leading him on for an hour. Wow. Yep, yep, I was definitely bored. It was quite exciting.

Nate Ristine:

After a while I was just kind of telling him, well, this is what's wrong with my computer and I've got this screen, just making stuff up, because I didn't really have the computer or the alert in front of me. And he goes, well, we're going to have to charge you to fix it. I was like, how much? The guy didn't give me a price. He says, how much can you pay? I was like, wait, what, how much can I pay? I'm like, well, I've got... uh, let me look at my bank. So I look at my account and I'm like, I've got five million, just completely joking. And he's like, all right, it's gonna cost 50 grand for us to fix it. All right, you ready for the card number? And I read off a card number and, yeah, nothing ever came of it. But after a while he started to realize that I was messing with him and, yeah, some very naughty words came out after that.

Nick Mellem:

So he was posing as Microsoft support? Yep. Funny.

Nate Ristine:

Yeah, that's... one of the common ones now is, if you come across, uh, I guess you'd call it a malicious ad, um, it kind of hijacks the browser and makes it go full screen and it's just a bunch of pop-ups and sometimes audio saying call support, your computer's been locked for, I don't know. Sometimes it's child porn.

Eric Brown:

So, Nate, you've participated in some... go through and do specific objectives, right? Mm-hmm, yeah. Have any of those scenarios, or the problems presented in those scenarios, mimicked some of the things that you've seen in the real world at your job?

Nate Ristine:

Yeah, the goal of a lot of the capture the flag stuff is, it can kind of be twofold, or two parts. One is going to be more focused on teaching and one is going to be more focused on challenging. So in some of the early capture the flag challenges, or in some of the early challenges, they'll have you go through kind of your common steps: go look through the headers to find some information, whether the IP address is aligned, or the sender's domain name or the email from is the same, so maybe they throw a flag in there.

Nate Ristine:

Another flag could be in the source code of the website or the link that you're going to, and another flag could be maybe an email you get, or another phishing email you get after you submit your credentials or something of that sort. Then it can dive into the more challenging aspect, where it's going to be not just the things that you would see in a normal phishing email, but now you need to think outside of the box. This is going to be the challenge portion of it, where not everyone's going to be able to get it. Well, not a lot of the professionals are going to be able to get it, because it's so out there. It's not something you're going to expect to see, but it's a challenge.

Nick Mellem:

Well, thanks again, Nate, for joining us today on the Audit, and to all of our listeners, thank you again, and be sure to check out our previous episodes anywhere you can find podcasts on your favorite platform, and check out our website at itauditlabs.com.

Eric Brown:

Want security leadership without the headcount? As an extension of the team, IT Audit Labs will provide the experts to guide and counsel your company. We will start by creating a custom security program that caters to your industry while providing transparency and remediation to improve cyber posture while reducing risk. Contact IT Audit Labs to find out more.