Twenty years ago, cybersecurity was something that only nerds talked about. Now cybersecurity has gone mainstream. Listen in as we talk about common scams, the recent Twitter hack, and organized crime with Graham Cluley from The Smashing Security Podcast.
Graham Cluley has been working in the computer security industry since the early 1990’s. He was in senior roles with Sophos and McAfee. In 2011, he was inducted into the Infosecurity Europe Hall of Fame. Graham runs his own award-winning computer security blog and hosts the Smashing Security Podcast which has been a successful cybersecurity podcast since 2016.
Join us as we discuss cybersecurity threats both past and present and learn more about how to protect yourself, your business, and your loved ones.“Don’t be too complacent and assume that you won’t ever be targeted due to lack of interest in your company.” - Graham Cluley Click To Tweet
- [1:00] – Graham shares how he started in the cybersecurity business as a poor college student who created Shareware games. Someone sent him a package with a job offer with an anti-virus company.
- [2:46] – When Graham began working, there were about 200 new computer viruses per month and had to send out anti-virus updates through the mail on a floppy disk.
- [3:27] – Today there are literally hundreds of thousands of new pieces of malware being written everyday. In the blink of an eye there’s more than one new piece of malware released.
- [4:01] – We see much more organized crime and state sponsored cybercrime these days.
- [5:59] – Back in the day, hackers tended to be young people writing malware to show off. But now, malware is harder to detect because they don’t want to be detected.
- [7:45] – Graham shares a story about The New York Times being targeted and hacked. Hackers were able to see articles and information as they were being drafted, including information on secret informants.
- [9:05] – Don’t be too complacent and assume that you won’t ever be targeted due to lack of interest in your company. Hackers may not be interested in your company, but may be interested in your suppliers or customers.
- [10:35] – Business email compromise scams are when hackers get into a business email account and can see correspondence. They then can jump into the thread and can pose as an employee or contractor to receive funds. Businesses have lost millions to this scam.
- [11:50] – You can have all the defenses in place, all the layers of security, and all the patches in place, but you can’t patch the human brain.
- [13:40] – Email compromise scams are very simple but successful and a huge threat.
- [14:51] – Have a procedure set up where it is okay to say no to senior management so when a scam email comes through suggesting a break to a rule, an employee can say no and avoid a problem.
- [16:31] – Graham and Chris discuss the recent bitcoin Twitter hack, which included big name accounts like Barack Obama and Bill Gates.
- [18:39] – The Twitter hackers social engineered people by emailing them posing as a Twitter IT department member. They convinced them to type their information into a fake site that appeared to be Twitter and while doing so, the hackers gained access to their real accounts.
- [20:19] – Similar to the recent Twitter hacks, scammers have been known to pose as your bank and gain access to your accounts.
- [22:28] – The saddest part about cybercrime is the effect it has had on average people becoming petrified of learning new technology.
- [23:44] – Graham recommends products like iPads or Chromebooks for basic computer use because they are more locked down. Although there are still risks, these are great options.
- [25:21] – Because of new Covid-19 websites, anti-virus companies were being notified of suspicious behavior because the websites were so new.
- [27:32] – Short Twitter names are more likely to be targeted than the more difficult long ones.
- [28:48] – Graham explains the problem of organized cybercrime that produces targeted attacks through malware designed to steal data from their targeted company.
- [30:32] – Garmin was targeted by an organized cybercrime entity called Evil Corp and they were ransomed for ten million dollars.
- [32:05] – Evil Corp is led by Maksim V. Yakubets in Russia.
- [35:40] – VPN companies can be created and run by organized cybercrime entities.
- [36:31] – There are situations where using a VPN is fine, such as using one to access streaming content.
- [38:40] – If you’re in your home and you trust your internet service provider, you won’t need to use a VPN.
- [39:33] – Graham says to stay abreast of security news and listen to Smashing Security. It is a lighthearted take on cybersecurity.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Graham Cluley Web Page
- Smashing Security Podcast
- Graham Cluley on Twitter
- Graham Cluley on YouTube
- Graham Cluley – Naked Security by Sophos
- Infosecurity Europe Hall of Fame
Can you give me a little background about how you got involved in IT Security?
Oh my goodness. It's a crazy story. I was once a poor, impoverished computer programming student and my girlfriend at that time was studying overseas. I wanted some money to be able to go and visit her.
I wrote some shareware games, and at the end of these games, which I wrote—if you remember shareware, the whole concept was you gave the games to each other, and if you like them, you would send me some money.
I imagined no one would ever do that. No one will ever send some money. What I did was at the end of the games, I displayed a very sad romantic message about how far away I was from my girlfriend, how I was poor and impoverished, and all I wanted to do was collect some money to go and buy some cheesy biscuits or go fly and see her.
I did all of it to the tune of Love Story that played the [hums Love Story] through your speaker while it was doing it, and amazingly people did. People sent me some money through the post. They wrote a check, put it in an envelope, and sent it to me before e-commerce existed.
One day, a great big parcel arrived containing a packet of cheesy biscuits—so I didn't have to buy them, containing the check for £20—which is more than what I was asking for, and it had a letter inside it saying, “If you want a job, give me a call.”
The person who sent that was a guy called Alan Solomon who wrote the leading European antivirus product at that time—Dr. Solomon's Antivirus Toolkit—and I became his first Windows programmer as a result.
That is a great story.
It's bonkers, isn't it? What a strange thing, and I've been doing this coming on for 30 years ever since then. And the world has changed enormously because when I began, they were around about 200 new computer viruses every month, and people used to think, “Oh, how are we going to cope when there are thousands and thousands of viruses?” Because we used to send out antivirus updates. We didn't send them out on the internet because most people didn't have an internet connection. We used to send them to the post in an envelope.
Oh my goodness.
It used to go out on a 360 KB, 5.25-inch floppy disk (if you remember those). One day, there were so many viruses and so many definitions in our database that we had to go to a 1.2-megabyte floppy disk, and then we went through the 3.5-inch floppy disk.
Today, there are literally hundreds and thousands of new pieces of malware being written every day. In a blink of an eye, there's more than one new piece of malware being released. The problem has grown enormously. It used to be kids in their bedrooms. To be honest, those are the good old fun days.
And they probably still are kids in their bedrooms, a lot of them.
Yes, as we’ve recently seen. There's obviously still some teenagers hacking, which is going on, but of course, the ramifications—if they're caught—are considerable today. And we see much more organized crime and, of course, state-sponsored cybercrime.
That's the kind of thing which when I started, the thought that the Russian government, the American government, or even the Greeks have written a Trojan horse. The thought that they would do that kind of thing was just pure science fiction and James Bond, but now they don't even blink about it. Of course they do. Of course they will use the internet to hack each other.
Yeah, it's amazing to think that it has scaled up and grown so exponentially in such a short period of time, and obviously, the methodology of identifying viruses and malware has changed. You're now looking for behavior as opposed to chunks of code, I assume.
Yeah, that's right. Even in the very early days. I remember way back in 1991, we weren't looking for a sequence of bytes. We weren't doing a grip of files because that would be too alarming. There were more sophisticated techniques than that. But today's modern antivirus software not only can specifically identify particular families of malware, but it has heuristics, it looks at behaviors.
There's a variety of methods you can use to stop ransomware for instance. The kind of malware which encrypts your files and stops you from accessing them. That's unusual behavior for lots of your files to suddenly be accessed and be changed is rather peculiar. Antivirus software can identify that and say, “Oh, something a wee bit odd is going on here. Maybe this is ransomware.”
All kinds of tricks that you can use, but I do kind of miss the days where it was only teenage boys without girlfriends writing malware. The organized criminals—they don't have so much of a flourish when it comes to writing the malware. It's not as much fun.
They're not trying to show off in the same way.
No, and that's really what was driving—back in those days, it wasn't about making money. You called yourself a name—The Dark Avenger, Slartibartfast, Apache Warrior. You would have this grandeur sense like you were a member of the World Wrestling Federation. Of course, you would do something on the screen. You would put up a skull and crossbones.
Interesting by the way, ransomware is the one kind of malware that throws back to the old malware of being very visual because it wants you to know—Ransomware is the one kind of malware that’s very visual because it wants you to know it’s done something. -Graham Cluley Click To Tweet
I've done something.
Yes, it's disastrous for ransomware if you don't realize that you've been infected. It's like, “How will they get the money?” They will do something dramatic, but most malware doesn't do that. Most malware is very stealthy, it's insidious, they want to infect you. Maybe they want to infect you for months before you realize that your files have been stolen or they're spying on your activity or stealing passwords.Most malware is stealthy, insidious. Maybe they want to infect you for months before you realize your files have been stolen. -Graham Cluley Click To Tweet
Yeah, the most malicious event is when you've been compromised and you never know about it. Where they're slowly just skimming information and so you can't tie it back to, “Well this event happened on this day, that’s when I was compromised.” It could have been three months ago, it could have been six months, and I assume that's a lot more of the nation-state hacking is looking for, “We just want to be able to watch what's going on over the long haul to see what you're doing and how you're doing it.”
They're playing the long game. They don't want to draw attention to themselves. There's an old joke, which is there are two kinds of companies. The company that’s been hacked and the companies who don't realize they've already been hacked. But they're going to find out sooner or later that they’ve got a problem as well.
But you're right. I can remember some attacks which have happened. There was one—I think it was Chinese hackers who targeted the New York Times some years ago—and they were inside the New York Times' content management system—their CMS, which meant that they were able to change stories. But also, critically for them, they were able to see stories as they were being drafted and the work which the journalists were doing. There was a huge concern that maybe journalists’ notes about secret informants and such might have fallen into the hands of an oppressive state, which might abuse that kind of information.
That is much more frightening. The good news is, most companies, there's not much you can do about state-sponsored attacks, to be honest. If they're determined to get in, they really want to get in. At the simplest level, when you put out a job advert and say, “We want a new guy on our IT team,” a state-sponsored attacker could if they wanted.
I'm looking for a job.
And then you've given them all the passwords, you've given them the physical access, and they can do all kinds of mischief inside there. They could do that, but they also have lots of other resources.
What I say to people is don't be too complacent because even if you think—maybe you're a company making mattresses, for instance—why would the Russians, the Chinese, or the Belgians want to hack my bed-making company? Well, it might be they are actually interested in some of your suppliers or some of your customers, and you might be the weak link, which they come in order to try and target those people instead.
And we're actually starting to see a lot of scams working that way. When Company A is sending a document to Company B, the hackers are intercepting that document, throwing some malware in it, and then sending it on its happy little way.
Here's this perfectly expected interaction between two entities with the document that looks and feels like the document it's supposed to be. No one is any of the wiser that this is slowly propagating itself through companies.
That's right, Chris. I find it frustrating sometimes that people say, “Oh, well I can spot a scam email because it will be badly spelled, or they'll make some grammatical error.” It's like, well, if someone is really determined, it will look like that company. They will forge the email properly. They will take previous emails maybe, or they might have already hacked your email system and seen other communications which are happening between your company and your supplier so they can actually jump onto the email chain, on to the thread and suddenly say, “By the way, our bank details have changed, or here's the invoice for the work we've been doing.”
That's what we're seeing with business emails and compromised scams, which I think are actually probably a much bigger threat than ransomware to most companies because of the millions and millions which you can lose. These are the scams where the bad guys find out who your suppliers are, who you're giving contracts to, and then they pretend to be that contractor.
They contact your finance department saying, “We finished the work. Here's our bill.” And your finance department says, “Has the work been finished?” They say to you, “Yep, it has been finished. Are you happy to pay?” “Yeah, we're happy to pay them. They've done a great job.” And then the money goes into the wrong bank account. Companies have lost millions because of that.
And smart people.
We're talking major corporations are losing millions of dollars to these types of scams.
I think Facebook and Google have said they've lost $100 million to precisely those kinds of scams. Those are smart guys. You expect them to be well protected, but you can have all the defenses in place in the world. You can have all the layers of security. You can have all the patches in place, but you can't patch the old human brain. People will be distracted, busy that day, or they’ve got a screaming kid because they work at home, and they're not paying attention and click. You've clicked on the wrong thing, and bam, it's too late.
I know someone personally that his accountant got an email that looked like it came from him. They had gone out and registered a domain name that was similar to the corporate domain name. They obviously had an email conversation with him because they knew who the accountant was, how he normally addressed her.
They had his exact email signature, so they fired off an email: “Hey, I'm on a conference call with someone that is really important that I need to send off this wire transfer. Here are the account details. I'm on the phone, don't bug me. We'll talk about it afterward, but I need you to send it right now.” So she gets it and looks like his regular email signature. It wasn't a six-figure amount of money. It was a few thousand dollars, so she happily started going along and doing it, and then realized, “Oh, wait. We're in the process of transitioning bank accounts. I need to figure out which bank account that he wants me to send it from. The new one, the old one?”
The real guy sticks his head out of the office, and she goes, “Oh hey, which account did you want me to send that money from?” And he's like, “What are you talking about?” “Well, you sent me the email saying to transfer the money.” “I didn't send you an email.” “They called me up and said, ‘Hey, we've been hacked.’” I'm like, “Well, let me look at it. No, it's a fake email.”
Yeah, and you don't have to be that sophisticated to do one of those attacks. Remember all those letters from Nigeria we used to get? To be honest, there are still some of those going on.
Personally, I'm not getting as many as I used to. Maybe they've taken me off their list, but the whole inheritance, or we've identified you are the descendant of someone who died in a car crash. Now, all those were emails, and all business emails compromised—at the simplest level at least—is email. Truth is, you can make millions out of it.
And obviously, they do because these scams have proliferated for decades now.
Yeah, very successful. When I speak to businesses about the biggest threats that should be keeping them awake, it's not zero-day threats. It's not APTs. Things like ransomware are a threat, but I actually think this business email compromise is a much bigger threat. Training all your staff to be wise to those kinds of threats and having an atmosphere inside your organization that it's alright to say no to the CEO. It's alright to say no to people, or have a procedure, and if anyone tries to break the procedure when a bank account changes (or something like that), then that's a big problem.When I talk to businesses about the biggest threats, it’s not 0-day threats or APTs. It’s business email compromise. -Graham Cluley Click To Tweet
You have to be prepared to say to your senior management, “Thank you for telling me to do that, but we’ve got a rule—as you know—which always has to be abided by.”
That was the exact suggestion I had for that was you need to put a rule in place that some specific paperwork has to be completed and either faxed or handed over in person. Anytime a new account was being set up, anytime an invoice was outside of its normal range, it's just part of the process. Humans unfortunately are always the weakest link.
Sadly, it's often the bosses. It's often the people that are at the very top who think the rules don't apply to them, or indeed even if they're not obeying the rules and they're sticking USB sticks or downloading who-knows-what from the internet. If they’re not obeying the rules in so much trying to make their own staff usurp their own security systems to get something done quickly, they should be grateful those employees are obeying the regulations and the practices because they are saving that company's bacon.
Yeah. I know you've talked about it, but this really ties a lot in with the Twitter hack. I’m not sure if that was really a hack in that sense—with the Bitcoin Twitter post from world-renowned million follower accounts of people that you wouldn't expect to be sending out, “Hey, I'm going to double your money if you send me some Bitcoin.”
It was bizarre, wasn't it? First of all, we saw Coinbase and Binance, who are cryptocurrency exchanges. Maybe it's plausible that if they say, “Send X number of Bitcoin to us, we will send you X back for a limited amount.” Maybe that's plausible as some kind of good for the world because we all need some cheering up at the moment. But when you then saw Barack Obama, Elon Musk, Bill Gates, Kanye West, and all the rest of them saying the same thing, you think, “Hmm, I'm not so sure about this now.”
It's a collaborative effort.
The last time celebrities collaborated, of course, was when Gal Gadot got together with her celebrity chums to sing “Imagine,” and we know how disastrous that was. The thought that they would probably do this with crypto, and amazingly, over $100,000 worth got transferred into the bad guys’ account as a result.
Interestingly, Coinbase actually spotted it really quickly and they froze payments, so there would have been another $280,000, which would have got there if they hadn't acted so quickly. Maybe it wasn't a good idea that hackers actually hacked Coinbase's account as well.
What's interesting is these guys were able to gain access to Twitter's internal systems in order to hack into Joe Biden or Barack Obama's account. It wasn't that those people had weak security. They probably have two-factor authentication, they probably do have a strong password on their accounts, but Twitter has something like 1000 members of staff and contractors who had access to an internal tool, which meant they could basically access anybody's account and do what they wanted with it.
It was the infamous god mode.
Right. Why do 1000 people need to be—it's a bit crazy that they were doing that. That’s some egg on the face of Twitter there, but obviously, what these kids did—and it was kids, it turns out who were behind this, it appears. They socially engineered people. They sent emails. They communicated whether it be by phone, email, or web with these Twitter members or staff claiming to be the IT department, it seems, and getting them to log in to a system.
And it was a fake system, which meant that when those Twitter members or staff entered their password and their 2FA code, the hackers were able to type it in real-time on the real site in order to gain access to the internal system.
I've heard of a bank scam that followed some similar lines. We'll talk about that in a minute.
Yeah. It's extraordinary. You do think, “Well, hang on a moment. This shouldn't have been possible because there should have been stuff like GoIP locking. They should have locked down ranges of what computers are actually allowed to access Twitter's internal systems.” But if you have 1000 members of staff, it's probably quite hard to police that and manage it to keep it up-to-date.
You'd think they would have to be on corporate VPN in order to access this internal system and not just to be able to quickly access it.
Yeah, we don't have all the details exactly.
But they got an account for the VPN as well.
Maybe they did. Maybe they managed to infect an employee’s computer and then used that as a proxy. To be honest, it's a little bit frustrating that we don't have more information from Twitter at the moment, but I can well understand they're just making sure that everything is buttoned down because they don't want to have another one of those happen. It's going to be bad for the company.
I remember reading about a bank scam that kind of followed the same functionality where the scammers will contact a person via SMS and say, “Hey, your account has been compromised. Hey, this is a live chat. We're going to chat with you to get this resolved, and we need you to log in to your account.” When the person logged into the account, it would send a 2FA. The scammers would say, “Hey, can you read back to the 2FA to confirm that you got it. We're going to confirm verbally that you got it.”
Now the scammer has logged into your account with the two-factor authentication, and the scammer in the background is saying, “Oh gosh. It looks like they're in your bank account right now.” What the scammer would do is they'll set up a wire transfer, which would initiate another SMS message which says, “Hey, do you approve setting up this account?” And they would perfectly time that with a message of, “We need you to press one for us to lock your account to get them out.”
They had this whole thing just timed just right, so the bank is texting them, the fake agent is texting them thinking it's a real-life scenario playing out right in front of them. They think they're helping protect their account when in fact, they're enabling the scammers to get into the account, set up the transfers, approve them, and send the money away.
Yeah, you're absolutely right. Those sorts of things happen. I really feel sorry for the non-nerds out there. How's my auntie supposed to cope with something like that? How are you supposed to warn her about it?
You can say be wary of unsolicited phone calls or text messages. Did you know that even though the text message says it comes from your bank, it may not be? You'll just end up with a long list of instructions and caveats that people end up petrified of using technology because they think they're going to get hacked all the time.
That's the real tragedy of cybercrime is there are little old ladies who no longer speak to their grandchildren on the other side of the planet because they don't want to have a computer. They don't want to have a webcam because they've had bad experiences in the past, and they think, “Why am I even bothering with this? It's just all too complicated.”
That is a really unfortunate side effect: “I'm going to throw up my hands. I don’t want to deal with it. It's too much of a risk.”
Yeah. All of us who work in technology find ourselves in the situation where we are the tech support team for the rest of the family, right?
I can’t relate at all. Yes, yes.
And there are some things, which I'm really good at with IT which I know inside out. Other times, my brother-in-law will come around with something and it's like, “I know nothing about this particular area of IT.” “But you're the computer expert.” “I know about this area of computers, I don't know anything about this area over here.” It's a challenge as to how we're meant to protect it.
Obviously, I do my best for my neighbors and my family, but there are times when you just think, you know what? What actually is easiest is maybe you should just get an iPad, or something like that, or a Chrome laptop. Something a little bit more locked down. Although there are still threats, you'd still be phished, and all kinds of things like that, at least you don't have to worry so much about malware infecting your system and ransomware.
Yeah, that is a really good recommendation, and for most people, they are really just using their device for email, a little bit of banking, chatting with family, surfing the web. A really locked-down device is a really good option for a lot of people.
Yeah. I think 90% of what people are doing is going to be a little bit of online shopping on maybe Amazon or eBay and some social networking probably as well. A bit of email, a little of FaceTime, and bingo, you're pretty happy.
Yeah. It was funny. Earlier you were talking about antiviruses looking for unusual behavior. I was having a conversation with a previous guest, and he had written some AI to monitor domain names that may be suspicious. He realized that his whole machine-learning AI blew up because of COVID-19 because all of a sudden, all these government entities are creating these COVID-related websites and not paying a whole lot of attention to what they're doing. Unusual behavior is good and bad. It's a spottable event, and it's not a spottable event.
Suddenly, everyone was getting directed to websites, which may have been up there for a week or two. Normally, you would steer clear of anything like that. That's suspiciously new websites.
And you wouldn't have all of a sudden lots of government entities linking to these websites that just came overnight. That smacks of a hack.
You could also mention Coinbase noticed unusual behavior. Was it that they just saw their account used to promote a particular Bitcoin account and locked it because of that, or was there actually some fundamental behavior that they saw that was unusual about the Bitcoin transactions?
I think it was primarily actually their Twitter account being hacked. I would imagine there are so many transactions happening on Coinbase all the time that the relatively small amount of activity which had happened, I think they spotted it within 13 minutes. I don't think any sort of algorithm that they're running would have spotted that coin so quickly. Maybe if a large number of people have begun to do it, then perhaps, but I think it was more the fact that the hackers actually defaced their Twitter account.
It's interesting, by the way, everyone talks about the cryptocurrency hack being the thing, which the hackers did. It sounds like there was more than one hacker who had access to that internal system and may have had access for a while and might have abused it in different ways.
It appears there was also, for instance, a right-wing politician—I think he was in the Netherlands—who had his account defaced in other ways as well. It wasn't actually the cryptocurrency thing, but I think they were trying to embarrass him, and obviously bring him into even more disrepute than he is already in. There was that.
There was also a fair amount of selling of access to accounts. One of the attractive things for hackers sometimes is they want a Twitter account with a really short name. Wouldn't it be cool to have a three-letter name or two-letter name on Twitter? And if you are someone who has the misfortune of having a Twitter account with a two- or three-letter name, you are more likely, I suspect, to be targeted by an attack than if you have one of those ridiculously long names, which some of us have.
I have a domain name that I bought back in the early ‘90s, a four-letter domain name. I won't say what it is, but I have the .com, .net, .org. I have all of them, and it's not QQ8B, and I routinely get people trying to generate fake transfer requests and trying to get into the account where it's registered because it's a four-letter domain name that's been around now for 30 years almost.
It has a history as well. If anyone is running some code or a suite, which actually looks to see how old the domain is to try and verify whether it might be legitimate or not. That obviously works to its advantage.
That it does. You had talked about organized crime as well. Any new stories recently about organized crime moving into cyberspace?
Oh my goodness. I think every criminal gang is moving into cyber in such a big way. We see this astonishing group at the moment called Evil Corp., are you familiar with them?
I have heard of Evil Corp…
Evil Corp. is the guy. Years and years ago, they did the Zeus banking Trojan, which was a very effective Trojan horse designed to steal your credentials from your online banking site, and it was a menace for many, many people. Then they moved to another malware called Dridex, and most recently, they've been launching very targeted attacks—ransomware attacks against companies.
Ransomware has changed in its nature in a few ways in the last couple of years. One of the most worrying things is that ransomware attackers now aren't just encrypting your data, they're also stealing it. There's an extra incentive for companies to pay up because otherwise, the bad guys say they will release the data.
I, for instance, run a security news website. I've been contacted by hackers before who say, “We've hacked someone. Here is their data. We think you'll find it really interesting. Here are some bits, which you could write stories about.” My personal view is I'm not going to help the bad guys with their extortions, so I refuse to write about that kind of thing. We know this is all on data. I don't want to go through the minutiae of it.
There are plenty of news websites out there who will do it for the clicks but I'm not going to do it. Thankfully, Evil Corp. isn’t stealing data, which makes them unusual, but they did just hit Garmin, which of course are known for their fitness trackers, and they are also used in aviation shipping, and all kinds of other things as well.
Garmin went down for a few days. Rumor has it they were asked for $10 million, and it's just been confirmed. As we're recording this, at least, it's just been confirmed that Garmin went to an intermediary company that negotiated the ransom on their behalf, which means that the company can basically say, “Oh, we haven't paid the cybercriminals.”
We paid this other company to pay them.
We don't know what they did, but they've come up with the decryptor for us mysteriously afterward. The reason why that's particularly relevant is that Evil Corp. is based in Russia, and last December, I think it was, the Department of Justice in the United States, they're basically after a few members of Evil Corp. including the leader whose name is Maksim Yakubets.
And there are actual sanctions now in place. You are not allowed to pay Evil Corp. If you get hit by ransomware by them, you're legally not supposed to pay them at all. It's not like regular ransomware. It's like you do not pay that company. Do not do business with them. Hence, it's quite good to have this intermediary.
The fascinating thing about this chap, Maksim Yakubets, he's lived very openly in Moscow. He has incredibly expensive fast cars and he does donuts around the Kremlin. The local traffic police stopped him and realized who he is because he is married to the daughter of a senior member of the FSB.
So however much America right now might want to get their hands on him, my suspicion is that powers that be in Russia are not going to move very much.
I think you should also be worried about the FSB connection, and if this person has so much connection in the intelligence community, I wonder if there's another strain of what Evil Corp. is producing, which is actually used for espionage.
Maybe. Who can say, right? Certainly, they’ve got expertise in some areas, and they've been very effective hacking different companies, finding vulnerabilities, getting in, causing mayhem, and making themselves a large amount of money.
There's another interesting potential business angle as well. I mentioned that some companies exist, and they say, “We are the ransomware negotiators. If you don't want to pay the bad guys, if you think that will look bad, PR wise, pay us instead. You may even want to pay us more than the extortionist wants and we will work on getting a decryption for you.” And of course, what they do is they go to the criminals, get it off them, and they make a nice little profit.
If you were a cybercriminal gang for which there were sanctions against you, you could just set up another company, couldn’t you, and say, “We are experts at negotiating with Evil Corp.”
And we're based in the Maldives or wherever the sanctions don't apply.
I want to stress I'm not saying this has happened in this particular instance, but it's just the way my devious mind works. A way for them to get even more money out of you is to be the intermediary as well.
Yeah. I could very much see that being the fact. The devious part of my mind thinks back to, okay we're talking about privacy and security. A VPN company. Gosh, the CIA has an awful amount of money. They should just spin up a world-renowned VPN company. We can have really good rates, really good servers, and we're right in the middle of it all to snag a little data that we want. The CIA has been known to run business entities before and so no reason why it wouldn't do it now.
There's been such a furore over the years about American Intelligence maybe hacking large technology companies or having backdoors into them and how they could use some of the Snowden revelations. Maybe it's a lot less effort to create something like a VPN company and keep the logs as to who's doing what. VPN is fascinating because I'm now getting people who are now in my extended family who aren't nerds who've heard of VPNs and they're saying to me, “Whould I be running a VPN, Graham?”
I'm thinking, “Why do you want to run a VPN? Explain to me first why you want it.” “It's mostly because it will stop me from getting hacked.” I'm like, “No, no. It won't stop you from getting hacked.”
What it's going to do is it's going to route your internet traffic rather than being through your ISP. It's going to route through somebody else who you hope is going to be legitimate and is not going to keep logs. I think there are some VPN companies, but there's also some who I find quite shady including some big names who I won't mention. I have definitely been like, “I'm not sure I like you guys.”
Yes. It's all a question of who do you distrust more? The ISP or the network that you're getting on, the government of that entity, or the VPN company? In some cases, you might go, the VPN is the lesser. Even if they are monetizing my data and injecting a little bit in there, modifying ads and whatever, at least it's not my ISP sneaking on me or it's not my government monitoring me. Unless, of course, the VPN is owned by the government.
There are situations where I do use a VPN, and I'm very happy to, but we have this situation now. We have GDPR. It's all kinds of data regulations here in Europe, and American companies, I think some of them were caught. They didn't realize it also applied to them if they were on the web and if they had European customers.
I find there are quite a few known US news websites which when I try to visit them, they pop up a message saying, because you're coming from Europe, we don't support Europe at the moment. You can't read anything. It’s like, “Come on, guys. It's been a couple of years now. You should be on top of this.” But anyway, I will use a VPN to pretend to be in America. Then I can obviously access them, and I think people do that for Netflix or streaming services as well.
That seems to be one of the most common usages. I just want to access some content that either my government won’t let me access, my ISP won't let me access, or the person at the other end is being overly restrictive. I don't want to be involved in it, so get a VPN and then visit me.
I would certainly love to see less scaremongering from some of the VPN companies. There are VPN companies who will say, “If you ever connect the internet, bad guys can grab all your passwords.” Hang on, most of the internet now is using SSL, is https, so I'm not convinced that's as big a problem as you are making out to people.
Yeah, I think they are overly promoting the security aspects of it. Definitely, in terms of if you are getting on shady WiFi. Once you're connecting to somebody else's network, there's the ability to man-in-the-middle, in some cases.
It's like you were saying, what was it you said?
Who do you trust less?
Or distrust more.
But realistically, if you’re in your home and you don't distrust your internet service provider, you're not going to gain a whole lot from using a VPN.
And we're all in our homes right now and we’re going to be for some time.
Yeah, you have a very valid point there. We're all at home now, unfortunately, all over the world.
It's about time for us to wrap up here, and I super appreciate your Slartibartfast reference. I don't think there are that many people who know who Slartibartfast is, and if you don't, you have to Google and find out.
It's all about the crinkly fjords.
Yes, the crinkly fjords. Such a great character name.
Well, it’s been a pleasure chatting with you, Chris. Thank you very much.
You're very welcome. Any parting advice for the audience?
Oh my goodness. Keep yourself abreast of the latest security news. If you're listening to Easy Prey, then chances are you have an interest in staying secured, more private on the internet, being safer, and helping your friends. Listen to podcasts like this and read reputable news sites to find out what the bad guys are up to. In that way, you can protect yourself before they manage to target you.
Would one of those reputable podcasts to listen to be Smashing Security?
I wasn't going to mention the name of my podcast. I thought that would be too tacky, but yes, absolutely.
It's not tacky.
Once you've listened to all of the Easy Prey episodes, I do a weekly podcast with my co-host, Theriault, called Smashing Security, which takes a lighthearted look at the week’s cybersecurity news, and we'll be very happy to have more people who listen.
I think it's always a good way to keep abreast of what's going on, and lighthearted is what we all need right now.
Absolutely, yeah. Don’t we just?