Scammers are getting smarter. Understanding the psychology behind social engineering and the challenges companies face every day can help keep networks secure. This episode shows how to anticipate these threats and secure networks against ever-changing vulnerabilities, with a focus on practical, real-world solutions to protect data and trust.
Dr. Jared Smith joins us to share his insights from his role leading threat research at SecurityScorecard. He also co-founded Uncat, a B2B accounting technology company serving thousands of customers, and teaches as an adjunct professor at the University of Tennessee, Knoxville and at NYU. His experience shows why social engineering is so effective and how companies can adapt to a world where attackers are always refining their techniques.
This episode shows how even small oversights can lead to big breaches. Dr. Smith shares concrete steps to strengthen defenses and explains why we need both technical controls and employee awareness. By looking at the psychology behind the attacks, he shows that staying one step ahead depends on smart security tooling combined with a culture that values vigilance at every level.
“I'd like to think that there’s at least something that would cause cyber to change so much that they'd have to develop entirely new classes of techniques.” - Jared Smith
Show Notes:
- [01:19] Jared is a distinguished threat researcher at SecurityScorecard. He has built systems that monitor companies and their vendors to help them secure their networks. He also holds a PhD in computer science, with a research focus on the Border Gateway Protocol (BGP).
- [02:16] He was also a government national security researcher with a high-level clearance.
- [03:02] Jared shares a story about how sophisticated phishing scams are becoming.
- [08:43] How large language models make more sophisticated social engineering possible.
- [10:26] The importance of thinking about the cybersecurity defenses that will be needed in the next 10 years.
- [11:02] BGP is like the plumbing of the internet: every autonomous system announces how to reach it, and the whole internet converges on an agreed-upon map. BGP poisoning deliberately alters the route traffic takes toward you; it is a nuanced form of traffic engineering built on the Border Gateway Protocol.
- [13:34] BGP is also useful when you have multiple internet connections and one goes down.
- [14:20] The most sophisticated DDoS attacks are link-flooding attacks: the attacker identifies links with a limited amount of bandwidth and floods those specific inter-AS links, effectively partitioning the internet at those points.
- [15:39] Managing DDoS attacks and where the traffic comes from.
- [16:02] Being aware of botnets, because they are what is rented out or used for these attacks.
- [17:32] Lizard Squad launched DDoS as a service.
- [21:00] Attackers try to find the actual origin IP addresses behind a CDN, since a CDN only protects what sits behind it.
- [23:41] How AWS has the ability to manage large amounts of traffic.
- [25:24] Some DDoS attacks don't need high traffic rates at all: they only need to hold enough connections open to fill the request buffers on the application side (think of the max-request limits in nginx or Apache).
- [28:15] The size of botnet a DDoS would need to take down a big network like X. We explore potential paths for these attacks.
- [32:21] We talk about the uptick in attacks during tax season. A large accounting firm with many clients could be spoofed, especially if it hasn't deployed DMARC.
- [36:50] The predominant attacks are coming from organized cybercrime groups and ransomware groups.
- [45:40] The vast majority of large networks taken out are the result of user error.
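The show note at 32:21 and Dr. Smith's remark in the transcript that most accounting firms still don't deploy DMARC, and so never receive reports when their domain is spoofed, come down to a check anyone can run against the records a domain publishes. The following is an added example, not code from the Easy Prey page or from SecurityScorecard: it parses SPF and DMARC TXT records and lists the weaknesses a spoofer would exploit. The domain names and records are constructed for illustration; a real check would fetch the TXT records from DNS (at `<domain>` and `_dmarc.<domain>`) instead of reading the inline table.

```python
"""Assess a domain's SPF and DMARC posture from its published TXT records.

Added example for illustration only. SAMPLE_TXT holds constructed records
for hypothetical domains; in practice, look them up in DNS.
"""
import re

# Constructed sample records, keyed by the DNS name they would be published at.
SAMPLE_TXT = {
    # Typical "set it up once and forgot it" posture: softfail SPF, monitor-only DMARC.
    "acme-cpa.example": ["v=spf1 include:_spf.example-mail.net ~all"],
    "_dmarc.acme-cpa.example": ["v=DMARC1; p=none; rua=mailto:dmarc@acme-cpa.example"],
    # Hardened posture: hard-fail SPF, reject policy, strict alignment, reports enabled.
    "hardened-cpa.example": ["v=spf1 include:_spf.example-mail.net -all"],
    "_dmarc.hardened-cpa.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened-cpa.example; adkim=s; aspf=s"
    ],
    # No email authentication published at all.
    "noauth-cpa.example": [],
}


def parse_dmarc_tags(record):
    """Split a DMARC record ('k=v; k2=v2') into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means nothing obvious to fix."""
    findings = []

    # SPF: which hosts may send as this domain, and what happens to the rest.
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any host can claim to send as this domain")
    elif re.search(r"\s\+?all$", spf[0].rstrip()):
        findings.append("SPF ends in +all: every sender is permitted")
    elif spf[0].rstrip().endswith("~all"):
        findings.append("SPF softfail (~all): spoofed mail is tagged, not rejected")

    # DMARC: the policy receivers apply, and whether you get told about spoofing.
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: no policy enforced and no aggregate reports on spoofing")
        return findings

    tags = parse_dmarc_tags(dmarc[0])
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives reports of who is spoofing the domain")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for name in ("acme-cpa.example", "hardened-cpa.example", "noauth-cpa.example"):
        print(name, "->", assess_domain(name) or ["ok"])
```

DKIM is deliberately left out: a DKIM key lives under a selector name (`<selector>._domainkey.<domain>`) that you cannot enumerate from DNS alone, so a check like this can only confirm that DMARC will require DKIM or SPF alignment, not that DKIM signing is actually in place. The practical takeaway from the episode holds regardless: without a DMARC record carrying a `rua=` address, a firm learns it is being spoofed only when a client calls.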
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Jared M. Smith
- Dr. Jared Smith – SecurityScorecard
- Dr. Jared Smith – LinkedIn
- Uncat
- Evasive AI
- Jared Smith – X
Transcript:
Jared, thank you so much for coming on the podcast today.
Yes, thank you so much, Chris. I'm really happy to be here.
I'm really looking forward to this. In the green room, we pivoted away from our original discussion into something newsworthy. Not that the other topic wasn't interesting, but we'll get there. The last-minute pivot, which is always fun. Can you give the audience a little bit of background about who you are and what you do?
Absolutely. Thank you, Chris. Like I said, I'm glad to be here. My name is Jared Smith. I work at SecurityScorecard, and I am a distinguished threat researcher working in our strike team, which is our threat research group. While I've been at Scorecard, I built lots of systems. At the end of the day, we monitor the internet, all of the companies out there, and their vendors to help them secure their networks. We've increasingly pivoted to building our own data in-house and working on the workflows of how we can make people more secure versus just the score itself.
My background before that, I got my PhD in computer science from the University of Tennessee. Go, Vols. Hopefully, we pull something out here in March Madness. On that topic, I focus on border gateway protocol and how we could use BGP itself to actually mitigate things like DDoS and congestion from massive attacks. I'm really thrilled to be here. I would love to talk about anything that we want. I also spent time in government, as a national security researcher with a very high clearance. I can't talk about a lot of that, but I can always give context and what the private/public sector are doing and should be doing more to really put a stop or at least bring the trend of breaches down versus where they are now.
Awesome. One of the questions before we start that I ask my guests that are in the cybersecurity space and counter-scam, counter-fraud space is have you been a victim of a cybersecurity incident, a scam, or a fraud?
Yeah. I've not been a victim of one that's affected me adversely, but I was pretty recently a victim of one that is just emblematic of the sophistication of phishing. A bit of background: I have a startup outside Scorecard. I've had it for five and a half years now. It doesn't really take a lot of time, but it's one of the top apps in the QuickBooks accounting space as well. We work on categorizing transactions for our customers, so it's called Uncat. We have a Stripe dashboard for that, so all of our money flows through Stripe.
For anyone that doesn't know what Stripe is, if you've gone to pretty much any site on the internet, you're having to process a card. It could be through Stripe, it could be through Braintree, or one of these providers. You can think all of the very important data's in there, customer data, our type of data on the payments or processing. Nothing sensitive like card numbers; they encrypt all of that.
Regardless, I got a Stripe email, branded like any other Stripe email. My unknowledgeable self, I should know this, but I didn't click into the domain to see if it was being spoofed because it was branded so well. In fact, it was asking, “Hey, you need to do your FinCEN registration.” FinCEN, the financial ownership of a company, is being pushed heavily by Stripe and the others. I was like, “Oh, gosh. We forgot to do this.” I clicked onto it, pulled me to what I thought was Stripe’s UI. It literally was styled the exact same way.
I go and put my username and password in there, I click login, and the site just breaks, doesn't do anything. It goes to some other page, and that page doesn't even work. I'm like, “Step back for a second. Is this actually Stripe?” Then I look at the URL and like, “Oh, my gosh. It is not Stripe.” Thankfully, I use random passwords for every critical service, so good luck. They're not going to get into anything else.
I should have known that they didn't take me to the multi-factor authentication page. It was definitely a phishing site. I went and changed my password immediately. I talked to Stripe; they didn't see any weird activity. I take KnowBe4 tests once a month for my own job. I help my own customers protect themselves against phishing and targeted attacks against their network, and yet all it took was them having a perfectly written email with a perfectly relevant topic and a login page that I pulled up side by side. They looked the exact same, and they took my password. It's crazy, man. It's getting very sophisticated.
Yeah. To me, the timeliness and the thoroughness of whether they're phishing attempts or scams are just so relevant and so consistent. Every guest that I've talked to that has gotten partway down that process, it was about something that was in the news that was something relevant to what they do. If I got one of the BOI notices about my business, it would've been, “Yup, yup. I've got to do that. You've got kicked back. I have to do it now.” It wouldn't have surprised me if I got that from my provider.
Yes. On top of that, just to think the number of—if they're doing it to me, it's likely, or more than likely, that they're doing it to lots of people. There are people that will be affected by very targeted attacks. You think of journalists, politicians, that thing. I'm not that important. Even the companies that I work for and the businesses I own, they're sizable, but it's nothing like a politician.
The fact that it's being sent to me and it's well-designed and well-written means at least a thousand other people got it, if we're just throwing numbers out there. That's scary because all they've got to do is rinse and repeat on this. If we look at the trend in breaches, if you compare the trend of breaches going up year over year, and then you look at that same timeline from a place like Statista or Gartner on how much money people spend on security, you would want those trends to be opposite. Spend more money on cyber products, breaches go down. They're both just going straight up. I like to think that that is almost entirely due to the fact that we have not completely solved the phishing and scamming side of things, because it's far easier to phish somebody than it is to find a zero day and break into a network.
Yeah. I'm surprised that people are even still trying to break into networks. It just seems to be so much more better use of time to phish people.
I look at it too. I had a background in pentesting, and I used to teach pentesting; NYU as well, so the grad students there. You feel disconnected when you're doing pentesting, where you're not having to deal with a real person unless you're on the social-engineering side.
As a hacker myself, I'd much rather get into a system, and I never have to talk to someone to get into that system, where it might be. The fact that we still see those people making those attacks, obviously there are reasons for nation state or a ransomware group to take that path. From the phishing side, you've got to know, “Oh, I'm going to actually be toying with some of these people.” Maybe that's why we don't see that being a hundred percent of attacks. The psychology of it, that's what I think.
Well, you get some people that are excellent at programming, and you got another group of people that have more social skills. For one group of people, the technology is easier. The other group of people, the social engineering is easier.
Especially now, we see large language models, which I wasn't a huge believer in when they first came out because I had spent a decade working with traditional machine learning. It took me a bit to really buy into it. Now that I'm more or less bought in, that starts the conversation about scamming with it, because the people that aren't as technical, or that are more technical, now have something that understands English better than I do as a native speaker. We should already be thinking about the social-engineering defenses of the next 10 years, not just right now.
Proofpoint, for as big of a company as they are, hasn't solved phishing. They're an email protection company; they've made a huge dent in making that better, but they haven't solved it, nor has Google. What is the next 10 years going to look like for a truly definitive solution, if there even is one? That's what I think we really need to be thinking about. I don't know what that is. I just don't think what we're doing right now as an industry is working.
I agree it's not working. I don't know if there's ever going to be a definitive solution to preventing phishing.
Exactly, and that's the hard part. We all want our jobs in cyber and that depends on being a cat-mouse game. At the same time, as someone a bit younger in the industry, even with a lot of experience, I'm already jaded about and question why do I even do what I do when it's just getting worse.
I'd like to think that there's at least something that would cause cyber to change so much that they'd have to develop entirely new classes of techniques. I don't know what that preventative tool could be, but I think it's good for the industry to be thinking about that more so than thinking about what's next. Is it ZDR or Alpha DR that we need to launch to the internet? That being said, we are doing some of that stuff at Scorecard, but hey, that's what people need right now. We've still got to be thinking about what's the next 10 years going to need.
Yeah. I think we're struggling to keep up with stuff, let alone starting to forecast what do we do next. I want to pivot and we'll come back to this. You had said that you had done research on BGP, and everyone who's not a network of engineers, what the heck is BGP?
The way I like to describe it, and many people before me is if you think about how water gets around in the house, it has to get there via pipes. BGP really sets up like the plumbing of the internet. If I want to go to a website on my computer, you run whatismyipaddress.com; my computer doesn't know anything about the IP address of that domain. It uses DNS for that. Now, it gets the IP address. To know how to get the IP address, somebody out there has got to say, or some system, “This is BGP, has said to go from your IP, in which case I'm on AT&T,” or if I'm through work, I'm on our VPN. Your IP has this path to get to WhatIsMyIPAddress host.
You guys are on CloudFlare, so it's pretty much one-and-a-half hops, so it's very, very close on average from wherever I'd be. That path has to be established. The border gateway protocol is responsible for every network, every distinct autonomous system or ISP is somewhat interchangeable. It tells the world, “Here's how to get to me. Here's my paths through me and everyone converges.” Believe it or not, the whole internet converges on a global agreed-upon map.
My research was on how can we break that map in a way that everyone else still does what they're supposed to do. Me, as a small network, can actually traffic engineer, but what we were using was called BGP poisoning in order to tell these people, “Hey, I don't want you to send my traffic down this route that I typically have no control over. Instead, I want you to go over here on this route because there's something going on in this other one that I don't like.” Typically, you would just not listen to me and send it down the path that's most effective for you, but I don't care. I want you to go around.
We were doing traffic engineering with very nuanced uses of the border gateway protocol, and that's how my first paper at IEEE S&P came about, one of the scariest talks I've given, in front of 900 experts from around the world in everything cyber. Our talk was actually alongside the test of time award that year, for a paper first presented 20 years earlier at the same conference on role-based access control, so I'm sitting there thinking, these people are looking at this 23-year-old kid, he doesn't know what he is talking about. It was one of the better talks I think I'd given because it was a really interesting way to use BGP to avoid DDoS.
One of the neat things about BGP is that if you have multiple internet connections for your company, if your connection with one particular provider goes down or gets saturated, BGP, just by the nature of the protocol says, “Well, here's another way you can get to me.”
Yup. My research over the years I did my PhD was take that relationship, where you have two direct outbound paths, but now you know that two hops down from you also has two, three, four, five. I built a system where you could tell them to choose a particular path for your own traffic. Whereas BGP, without using things like communities and some of these more specific attributes that aren't implemented widely, would not let you do that.
That can be helpful for a few cases, one being a DDoS attack avoidance. As we've seen, some of the DDoS that's come out over the years is starting to get even more sophisticated. One of the ways that the most sophisticated DDoS works are called link-flooding attacks, where they identify links that have a certain amount of bandwidth. They flood that specific border gateway protocol link effectively segmenting the internet in those places.
When we've seen really massive attacks on ISPs, it's cascaded throughout the whole internet, versus today with just Twitter; Twitter was a targeted attack. But if I want to bring down everything on the East Coast, I'd have to identify a lot of links to target and flood. If I want to cut off connection to a country in East Africa, that's very straightforward because there's one or two links upstream that will cut off the whole side of that continent.
When I'm thinking of DDoS, there's probably multiple platforms, vehicles, payloads. You can flood somebody's web server with more requests, more than the web server can handle and cause the web servers to backlog. You could do more requests than their router can handle. At that point, they don't even need to be, “Hey, show me your website,” or you can start attacking weak links up the chain. How are each of those attacks managed, and where does that traffic come from to create those attacks?
Yeah, that's a whole business in and of itself. A lot of this comes back to the people that distribute and run information stealers that then turn into botnets. One thing we do a lot of research on at Scorecard, at SecurityScorecard, is being able to tell our customers, “This is a botnet that's out there. It's a new one. It's one that you should be aware of.”
The reason for that is those botnets are the things that are being rented out or used to do these types of either large-scale exploitation campaigns or DDoS attacks. It's the case of a DDoS against an application layer. We were just talking before the show about Lizard Squad. They were the ones that have done numerous big attacks over the years that were using botnets that you could get and acquire for a certain amount of money on the dark web. Those types of things can be pointed at either a website, a specific gateway IP address, if you know where the router is, or in the case of BGP, a specific link between two autonomous systems.
At the end of the day, we always work our way back to things like phishing and things like CVEs, because how do you produce a DDoS attack? You need infected boxes. How do you get infected boxes? You either have to get the creds directly from someone, you need to get leaked credentials from the internet, or you need to compromise the box. In the case of those first two, anytime I can phish someone and get credentials, or anytime I can find existing phished and posted credentials, that now gives me, Have I Been Pwned, billions of things I can try against many thousands of types of products that I might be able to get and turn into something like a botnet server.
My experience with Lizard Squad is not too long after they launched their DDoS for hire, DDoS as a service, I think they would sell their DDoS in 15-minute or one-hour increments. It was really interesting because before I was behind a CDN, a content delivery network, that would protect me from denial-of-service attacks, I would see almost exactly 15-minute increments of attacks against my site. It'd be 15 minutes of everything gets saturated, the servers get saturated, the network gets saturated. As quickly as it started, exactly 15 minutes later, it's just gone.
That's crazy. Yeah. It's such a business model these days. Even on the ransomware side, they're operating as businesses. Lizard Squad's a good example really even the bigger rise of ransomware a bit later because the Lizard Squad attacks. I remember that Christmas Day incident. We were trying to play Xbox and it would not work. I'm sitting there dead, like, “What is going on?” I'm not a kid, but I was in college, but that was in 2014.
In 2014, a lot of the ransomware, and yet they're still thinking, “OK, we're going to do this as a business.” The 15-minute interval brings back memories of like, “Wow, we're just going to sell this out in buckets because we know we could do that.”
Yeah. There was also an extortion element to it. Over time, originally I was seeing a hundred megabits and then it was 250 megabits up, upgrading hardware to accommodate larger amounts of trying to keep online through larger and bigger attacks. I remember getting an email to the support address of, “Hey, you need to pay me this amount of money or I'm going to launch a gigabit-level sustained attack against you for weeks at a time. It was like, “OK, what do I even do?”
At that time, I was behind one of the CDN platforms. Because the network or my servers had pre-existed my use of the CDN, I knew the IP addresses of my network were still out there. It's like, “Well, they might be able to get around it.” I'd seen stuff even make it through the CDNs before, that if you just have enough machines, you make enough requests, and they're not known machines on a botnet, you can get through a CDN pretty easily for some period of time.
I was like, “Who do I even call?” My local police department would laugh at me if I'm being, “Hey, you're being extorted for this. What are we going to do about it?” I went to the colocation facility and went to the CDN company and said, “Hey, I just want to let you know I got this threat, so heads up that something might happen in the near future.”
It's crazy that even with the CDNs, to your point, there were people in that transitional period, where if you haven't moved your infrastructure itself, those IPs can still be out there. In fact, a lot of threat actors, if they're trying to coordinate the DDoS, they recognize most large sites have a CDN. They're looking at, how do I get the actual IP addresses behind that CDN? That's where you can do more social tactics. You can look at existing passive DNS, flows, and other things they might have access to. CDN is great assuming that you've never disclosed those IPs. Even when you haven't, it's still something that it's a 95% solution as you've seen. The 5% when it gets through, it can still be a problem.
That was something that has surprised me over the years, partly due to the nature of my website. This is not an advertisement; please don't do this. I wanted to say, “Well, I wonder if I can take them down. I wonder if these guys have good security,” or, “Hey, I want to script my entire botnet to figure out their own IP address. Let's just scrape Chris' site on my half-a-million machine botnet.” Okay, that's a little bit off track. We're going to do it every minute or every couple of seconds.
Yeah, that's just ones I'm just thinking, and Python. If my time sleep is one second, and I really meant to put two zeros after that, the impact on Chris's site is very different just from one mistake, depending on the volume of my botnet.
It may not even be a mistake, it might just be intentional. I just want to make sure my botnet has no latency in it in knowing the IP addresses of all the slave machines. Even to this day, the current CDN catches probably about 90% of the non-human traffic. Still, 90% of what hits my servers is still non-human traffic. To me it's just like, “OK, maybe I have a popular website, but I'm not whitehouse.gov, I'm not X/Twitter, I'm not Facebook.” How much traffic must these guys see? How big must their infrastructures be in order to manage against these types of attacks?
That's knowing people at Facebook and Amazon, having a few close friends at some of these places that work in the networking groups. It's no wonder why people like Facebook implemented their own routers and their own router operating systems, and AWS runs its entire own networking stack. They often talk about it in talks as being magic. It is magic because of the ability to handle that much traffic, not just application traffic, but to your point, attack traffic, and mitigate all of it.
The fact that it rarely goes down, and when it does it, it's usually US-East-1, which is why my stuff, I'm outside of work, is in US-East-2, because never once has that gone down. That's just a tip, starting a company on AWS. Don't put it in North Virginia, even though everyone it defaults to their dual Ohio because for some reason, it doesn't mess up as much. They build almost everything custom because they get to that point where they have to, and that I think is the telltale sign that these people see this thing every day. If you don't and if you're not constantly prepared for it, then why else would you build your own networking stack if you didn't have a reason just to use a Cisco firewall or something like that?
Occasionally, we'll see news stories where Akamai or CloudFlare will talk about, “Oh, hey, it was a terabit.” I think we've crossed terabit attacks now. What does a fiber in-home internet connection cost now? OK, I've got a gigabit into my house. They're trying to sell me a five-gigabit connection. Something on my network gets compromised and a few thousand of my friends. It used to take a million machines to take down a network, now it's a few dozen, a few hundred maybe.
Yeah, and the types of DDoS too. We talked a bit about them earlier. There are some that don't even require sending fast, overwhelming rates of traffic. It's just sending enough to fill up the buffers on the other side of the application itself, where it just reaches the max requests that it's going to handle at once, by keeping them alive. Just think of nginx or Apache; they have these max requests. Typically, you configure those servers to restart. Once they reach the max, they'll restart. If you just keep them restarting for sites not behind the CDN, you don't need more than a hundred things to do this effectively now. It comes down to the CDN; it's scary.
On the same hand, though, they've got to have so many nodes to do some of these attacks, because I go back to this example. When I was first building our global scanning platform at Scorecard, we used to buy a lot of scan data. Things shifted, and we ended up building that in-house. I did that about four-and-a-half years ago, and now there's a whole team that runs it. It's been making big improvements to it and new versions of it.
At the very beginning, I was like, “OK, I understand how to build this. I need to take masscan, scan the internet, take all the open ports, feed them to Nmap, pull out the more specific granular details, feed the domains to a crawler, pull out those details. There's a pipeline there.”
I started with masscan, two weeks to build a POC of this. I'm just screwing around. I'm like, “I'm just going to run masscan on all of 0.0.0.0 through whatever, because I've literally never used it before. I'm going to run it on my desktop, and I'm going to turn the parallel threads up to the max.” I clicked that enter button. I heard my computer start to spin louder than a thunderstorm itself, it got really hot in here, and then my entire home network just shut off. It was because the router just did not like that at all.
Back to my point here, that's why these bots have to be so big. You try and push too much traffic on even a single router, not only will people notice, they probably aren't going to know that it's infected. They're just going to call AT&T, but it just won't work. The thing that's crazy to me is that there are just so many botnets out there. When somebody needs a new one, it's either rather renting it or finding a new CVE that's not talked about or disclosed yet for a router, and then running a scan to find all of them, popping every one of them, putting a little client on there that's going to be in the next botnet. It's almost too easy for the people that are willing to go to jail for it. Again, the people that could go to jail are not based in the country where they'll go to jail. So political, but that's the nature of it.
That's the reality. We talked to earlier about X having stability problems today, not of their own making. It looks like they're under a substantial denial of service attack. I haven't looked at the news since hearing about it this morning. How big does a DDoS attack have to be to start to take down an infrastructure like X or Facebook?
Very large would be the least, I would say. I don't know if this is real, but literally in the last hour, there's a group called the Dark Storm Team, a cyber group known for launching DDoS attacks that's claiming this attack. We might have the next Lizard Squad on our hands, I'm not quite sure. For them to do that, they're not only going to have a substantially large botnet we're talking about, at least tens of thousands, if not hundreds of thousands of boxes, but they probably had to find the right path on the API and the service to actually target because again, CDNs are only as good as they're configured to work for. A CDN on our side at Scorecard, it's going to protect all the main stuff.
Let's say we happen to push up an API endpoint that was just on a separate box, not behind the CDN, maybe it's on a subdomain linked in the same network in AWS. Somebody finds that and realizes, “Oh, that looks like it's on the same network; maybe I can saturate it that way.” I'm not saying that's what they targeted with X, but those are the types of approaches. If you're going to bring down a site that big in an era of CDNs, you've got to do that.
On the other hand too, I don't know what the budget is like at X other than it's a lot less. Maybe they were using a CDN before they started to trim them on services they're using, and maybe they've been running it themselves and haven't really seen this yet. All speculative at this point, other than just to say it had to be extremely large. If not extremely large, at least very targeted to something that's not quite known yet.
Yeah. This is a big news story. In the cybersecurity space, it's a relatively big. It's not an uncommon news story, but it's up there of interesting to follow. Also people that are trying to keep up with Musk, Twitter, politics, and social media, would you expect to see phishing attacks and scams based off of what's happened with X today?
Yeah. I would expect to see somebody to take advantage of that thing in a sense. I'm just literally brainstorming here if I was a threat actor. I might be like, “Hey, it turns out Twitter was down for this amount of time; you might want to check out this other service that we've launched.” And you just make a very simple clone. It's like, “But we support your existing Twitter username and password, so put that in right here.” You hit enough people with that that aren't very technically savvy, that aren't, again, computer science, computer people like we are. I feel like it's more of a negative than a positive in life, but the one area that's a positive is we're supposed to know when things are scams in this case. That might be one.
Another path I could see when it comes to types of attacks like this, if I'm expecting to use Twitter and I go to other sites that I'm not yet familiar with, it could leave people not aware of like, “Hey, maybe we'll use something that's not as secure.” I'm just thinking through this here.
On the phishing side, I think the tie goes back to, how do they get those botnets in the first place? They've got to infect the boxes or they've got to get logins to all these routers. It just all comes back to having leaked credentials. I feel like we see that at Scorecard a lot. If you have credentials to get in the network, you can do business email compromise or get in the network. It's so much easier than exploiting an unknown zero day.
Yeah. Let's pivot a little bit again. I know that you have the cybersecurity background, and then you also deal with things on the accounting side. How much with your customers do you see a significant uptick in newsworthy events? OK, it's tax season. How much of an uptick is there on the financial side with taxes, seasonal filings, and things like that?
In terms of the types of attacks that people see, there are definitely more going on. I mentioned that story earlier back with the FinCEN targeted Stripe attack. We see the same thing in the accounting space and taxes, where all I've got to do is pick a relatively large accounting firm that has lots of clients and spoof their domain. Most people don't use DMARC and DKIM. That's something we score at Scorecard, and it's not very widely implemented still. If you don't do that, you won't get the reports that someone is spoofing your domain.
As somebody's spoofing an accounting firm, you've just got to send it to clients out there that might be using them. That's not very targeted. The thing is, can I be more targeted about that? If you're just looking at many of these sites, they'll have customer case studies from some of their largest clients. You might end up with 20 or 30 clients that have willingly disclosed that they work with them. As a threat actor, I just need to pick a hundred firms.
Let's say 20 case studies, or maybe they post on LinkedIn that they use them too. Now I've got at least a few hundred, if not a thousand, businesses I can target. I only need to take down one, two, or three of them in order to ransomware their network or to get them to send money and say, “Hey, I'm your accountant and you forgot to pay me, or give me a pay-in-advance thing. Send me money for that.”
It's a scary time. What sucks about the whole thing is that accountants and bookkeepers are some of the most under-appreciated people out there because they do a job that is not easy, because the hardest part for them from what I've seen is not so much the math. It's working with people like us that own businesses where we're just annoying, like, “Hey, give me my thing. I need this file. Here's some new thing I didn't tell you about.” For them to have to deal with this stuff too, it's just way over the top. It is the world that we live in.
The opposite side of that is you can look at people who are in the accounting space, pretend to be customers, and start sending them documents. “Hey, this is my tax form.” “I don't recognize the email. The email address is from Bob. OK, I've got two clients named Bob. Let me open up the files to see which Bob it's for.”
Yeah. We do annual pen tests on the Uncat side with Intuit through Synopsys, their testing partner. The funniest thing is, four-and-a-half years ago, the first time we did it, they uploaded the EICAR test file as an attachment in our SaaS app that works with QuickBooks. I'm like, “Guys, seriously, you want me to put an AV-scanning engine here just to prevent my clients from uploading malware? Why would the client send malware to their accountant?” It comes back to this. I have to step back.
I'm a security person. I understand, I'll do it. I don't like that I have to do it, but it's a real, targeted…it's a vector that they can get into those firms through. Once you get in, you get not just the accounting firm's data, you get all their clients' data. It's the same value to a threat actor as breaching a legal firm. You get not just the firm's data but all of the clients that are in that firm.
As a threat actor, this is how they do think. They think about, “What are the biggest rewards I can get from the least amount of effort? On top of that, of those targets, which are the most susceptible ones?” Tax season is a time where people are not thinking about much other than, “I need to get these things done and filed for my clients.” It's very easy to be unaware.
Both on my side at Uncat as well as when we're working at Scorecard, we've got to be cognizant of our customers. For us, it's important for them to be secure, but for them it's more so important that they get their business smooth and running every day. Just a give-and-take that we've got to do when we work with them.
When you are monitoring things on the internet and you're monitoring threat actors, are you seeing more organized crime, nation state, small groups, or individuals in terms of being threat actors?
The predominant world we're living in now is still as it has been in the last few years: these organized cybercrime groups, specifically ransomware groups. I wouldn't say the majority, but it could be. I haven't looked at the most recent numbers, but at least a couple years ago, a large amount of attacks were still ransomware from cyber criminals.
Nation state threat actors are still a big deal. We've done all the research on Volt Typhoon and Lazarus Group at Scorecard. We've done all kinds of this stuff; the whole industry really has. It's easy for us to think, “Oh, let's talk about this flashy Volt Typhoon, Salt Typhoon, or some cool name for the Chinese government.” At the end of the day, yes, that's important, but a large percentage of the attackers are just criminal groups that are not going to be prosecuted by the countries they live in.
That's where that tie, especially in our side and that research, is when we find affiliations and ties between IP addresses, domains, and C2 servers from a ransomware group in the nation they're in, we can start to drive connections from past campaigns, where they're either directly working with or relying on infrastructure from a state-sponsored group. If you're in North Korea and you're Lazarus Group, either a lot of your people in your group are working for the North Korean government or you're just de facto answering to them because it's North Korea. Same thing you would see in Russia or China, just with a little more lax ability to make money and not give it right back to the government.
I'm sure that you're starting to see, “We have one group that is really good at operating botnets, another group that's really good at executing phishing scams, another group that's really good at laundering money, another one who's good at moving cryptocurrencies.” You probably start to see, “Oh, OK, there are multiple entities using the same botnet. Either it's getting rented or these other entities are somehow interrelated.”
Yes, absolutely. We keep talking about it; it's a business. It really is a big business for them. There are the groups that do it. There are the affiliates whose job, for the ransomware group, is to go out and find, or in many cases provide, the initial access. There are the brokers that are helping sell that initial access, and then the negotiators helping to do the negotiations. Above all of this, in those groups, there's a few people that lead them, but really they're using these people much like Scorecard monitors.
The suppliers of our largest customers, that's our whole job, supply chain security. They've got their own supply chain on the cyber side, and as an industry, we might want to think about how we weaponize our ability to protect our customers via knowing their supply chain. Maybe... why don't we figure out what these people's supply chain is on the threat actor side and disrupt that? We can't necessarily do offensive security things, but that's one I talked about earlier.
That's maybe one of those 10-year ideas. If we don't strike back, or if we were to strike back, why not do the same thing they do to us and disrupt their supply chains? We're working with the FBI and others. It's something we do, and that's very important. Just like any other business that hits a slump, they'll find a way, if they're a good business, to get back up. We see the same type of organism that we see in legal, private, and public sector. We see that in these groups that use lots of different people. They're best at certain things.
“If this threat gets big enough, we know how to take it out online, but we don't want to tip our hands that we have this capability because once everybody knows we have this capability, then people can start protecting against it.” I wonder how much of that is out there where there's, “Oh, don't worry. We've got this covered when we need to, but it's just not a big enough problem yet.”
We have tens of warrants for hackers that we know are still living in Russia, China, and North Korea that are never going to be arrested because of the place that they reside. We've already identified them. By we, I mean the industry. FBI leads this stuff, but we work with them. Lots of people in our industry work with them to help find and identify these threat actors. Are they ever going to be arrested? Most likely not.
It is interesting from a political standpoint as well as a social standpoint, where it's a game where you don't want to give yourself away. It's most clear when you look in some of these dark web forums, which explicitly say, “No discussion of Russian-type entities, because of no targeting of Russian entities.” It's in their forum rules. They say, “Don't post any IPs of people you want to dox in Russia or in China. Don't post anything unless it's Taiwan. Don't post anything about targets you want,” because it's just right there. They're telling you who they're affiliated with and who's off limits.
At least on that individual side, it's an interesting trend. I don't know if this is measurable, but it just seems anecdotal from the news. It seems like we're seeing more of those individual or bunch-of-teenagers-type threat actors in the US and the UK. At least we're not known to host as many state-sponsored threat actors, maybe other than the Equation Group, like NNSA.
The teenagers in the UK—I think it was last year or year before; I can't remember exactly—but that was a big thing. That's where we see the individuals. We still see those people overseas as well, but the cyber criminal groups are going to want to be in places where they're not going to be jailed if they're identified by Western NATO or that government.
As we start to wrap up here, when it comes to not end users and not protecting against ransomware in your local systems, how resilient and protected is that core internet infrastructure against large denial-of-service attacks, BGP poisoning, or these things?
On the poisoning side, it's funny because the research I did is getting harder and harder to reproduce now. Actually, the second paper of my trifecta papers in my dissertation was actually doing this on the real internet from a worldwide BGP test bed. It's still run by USC, one of the first nodes in the early ARPANET. It worked then, and it's getting harder to do now because the internet community and the providers are getting better about putting strict enforcement in around BGP routes.
On the DDoS attacks in general, I just challenge us to think about the last time a DDoS this big was in the news. It's been a little bit. It doesn't happen as much as other types of attacks simply because the internet may be held together by a bunch of duct tape and good wishes, but it's worked for so long because it's a well-designed, open, and, for the most part, self-healing system. There are lots of researchers and academics that want to redeploy the whole internet on a new protocol, which is awesome. I support that, but we have to recognize AT&T is not going to spend the money to move to IPv6 until they absolutely have to.
They might be a bad example because they're a cellular provider, but let's pick someone else that doesn't have cell stuff. These people aren't going to be incentivized to go to IPv6. Why are they going to literally deploy a new protocol next to BGP and wait for all their other peers to deploy it?
I'm pretty trusting. If I'm to give a zero to a hundred of how good I feel about the state of the internet from a network infrastructure routing side, I'm at 85. It's solid. There are still those cases where you make one route change and you brick your whole network, or you mess up a config. Typically, that is localized to the person that screwed up. CloudFlare's done that a few times. We've seen that. It's the same thing with CrowdStrike.
That CrowdStrike example, we've seen that CrowdStrike example in BGP all the time because when somebody messes up a route config, the whole network goes down. But we didn't think that they would even not test their deployment to the world's endpoints before they pushed it. That's crazy.
Where people take out their own networks and take out their own platforms, it really is almost always user error. Somebody pushed a bad configuration. I think it's been a while since AWS has had any major outages, but you get these really complex systems. Someone pushes a wrong config in one place, and it causes this one thing to crash. There's these three other things that are dependent on that, and then this other thing that was dependent on the first thing. If you bring them all back in the wrong order, it doesn't work.
You make me think of something interesting. I'm surprised that none of these misconfigurations that brick the whole network over BGP has been done by a phishing attack to start. That seems like a great way to bring it down. You don't even need DDoS, you just need someone at CloudFlare's login. It's a network admin with access to the routing table, and you just drop all the routes, or route everything to AT&T. All CloudFlare's traffic just goes straight to AT&T. Boom, AT&T is gone, CloudFlare's gone, and then the Internet's just going to fall over after that.
It's interesting because you only need one compromised device to execute something like that. You don't need a million compromised computers to do that thing. You compromise some core BGP stuff.
It's crazy. One of the attacks we saw during my PhD, it wasn't so much an attack as a very nefarious usage, as there was a CDN that ended up routing all of the traffic that was bound from a US box to a US box through China and back to that box, all because of a misconfig. If that same router was under control of a state actor or a cyber criminal group, all they'd have to do is just direct all of the CDN's traffic to one other large network. There's the concept of a tier-one AS in the BGP space, and there's not very many of them. I can't remember what it was, like 10 or something. There's really not many.
It has been a while, man. I'm trying to think about what the actual definition is, but they're very highly connected. They all have a path to each other directly. You knock any of those out, or multiple of those out, and we're talking about stone age-level disaster if the right backups and things are in place. Cross our fingers and hope, but CrowdStrike didn't have a backup. It took them weeks. What's to say AT&T has the backup?
Good news, everybody. The internet's getting turned off tomorrow.
That ties back to the phishing. It all, to me, goes back to the people. Until the AI agents take over our jobs, if you are not careful, then it can cascade. Let's just […] to think about everything now.
People are always the weak point in the system. If people want to get a hold of you, where can they find you online?
Absolutely. I used to be a lot more active on X, but LinkedIn, linkedin.com/in/jaredthecoder, because it turns out there's a lot of Jared Smiths. There's a billionaire Jared Smith. I'll never be like that, but you can just find Jared Smith SecurityScorecard. In general, I'm happy to talk about this stuff anytime and more happy to talk to you, Chris, as somebody that runs a site that I've used for a decade now. That's pretty cool to get to hang out.
Yeah. Where can they find SecurityScorecard?
Yup, securityscorecard.com as well. You sign up for free and see your own scorecard. Love to have you. We have our strike team, our threat research team. We're more than happy to dig in on things that you're interested in from a threat actor perspective.
Cool. Jared, thank you so much for coming on the podcast today.
Thank you so much, Chris. I appreciate it.