Keeping your inbox safe: Real-life BEC attacks and email fraud careers

Today’s episode is all about email fraud. John Wilson, head of the cyber intelligence division at Agari by HelpSystems, discusses Business Email Compromise (BEC), spearphishing, whaling, romance fraud and more. If you can name it, John’s studied it. And he’s likely collected intel that’s managed to freeze cybercriminals’ assets — and even put them away. He gives career tips and advice for engaging in threat research at all levels, we discuss the pyrrhic victory that is the modern spam filter, and John tells me why BEC fraud hunters’ best asset is a degree in psychology! All that and loads more, today on Cyber Work!

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 – Free cybersecurity training resources
  • 0:58 – Overview of today’s episode
  • 1:58 – Who is John Wilson?
  • 3:02 – Getting into cybersecurity
  • 4:58 – How spam has evolved over the years
  • 8:12 – Why pursue a career in fraud?
  • 11:10 – 3 primary vectors for email attacks
  • 15:20 – Is BEC ever an insider threat?
  • 16:16 – Is education making a difference on BEC attacks?
  • 20:55 – Tracking down BEC actors and recovering assets
  • 23:50 – Two angles to preventing BEC attacks
  • 29:12 – Careers related to BEC and phishing prevention
  • 34:42 – How to gain cybersecurity experience and get hired
  • 37:25 – Agari and email fraud protection
  • 42:16 – Outro

  • Transcript
    • [00:00:00] CS: Cyber Work listeners, I have important news before we dive into today’s episode. I want to make sure you all know that we have a lot more than weekly interviews about cybersecurity careers to offer you. You can actually learn cybersecurity for free on our InfoSec skills platform. If you go to infosecinstitute.com/free and create an account, you can start learning right now.

      We have 10 free cybersecurity foundation courses from podcast guest, Keatron Evans. Six cybersecurity leadership courses from also podcast guest, Cicero Chimbanda. 11 courses on digital forensics, 11 courses on incident response, seven courses on security architecture, plus courses on DevSecOps, Python for cybersecurity, JavaScript security, ICS and SCADA security fundamentals and more. Just go to infosecinstitute.com/free and start learning today. Got it? Then let’s begin today’s episode.

      [INTRODUCTION]

      [00:00:57] CS: Today on Cyber Work, I speak to John Wilson, Head of the Cyber Intelligence Division at Agari by HelpSystem, and what we talk about is email fraud and all its flavors and permutations, business email compromise, spear phishing, whaling, romance fraud. You name it, John studied it, and he’s collected intel that’s managed to free cybercriminals’ assets and even get them put away.

      He also gives career tips and advice for engaging in threat research at all levels, and we discussed the Pyrrhic victory, that is the modern spam filter, and John tells me, by one of his key BEC fraud hunters’ best asset is a degree in psychology. All that and loads more today on Cyber Work.

      [INTERVIEW]

      [00:01:42] CS: Welcome to this week’s episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

      John Wilson has been combating email-based fraud since 2006, when he developed an authentication based anti-phishing solution as CTO of Brandmail Solutions. John continues his mission to rid the world of email fraud as the head of Agari. Agari?

      [00:02:15] JW: Agari.

      [00:02:17] CS: Agari by HelpSystems cyber intelligence division, where he uses active defense techniques to unmask the criminal organizations conducting email-based crimes, including business email compromise and romance scams. John holds a BS in Computer Science and Engineering from MIT. So John’s work as a threat researcher puts him up very close with not only the people who create the hyper specialized email fraud subsections known as spear phishing and business email compromise, but also the mechanisms that drive their choice of weaponry.

      So today’s episode is going to focus specifically around BEC, how it works, how to protect against it, and maybe we’ll get some stories of some particularly unconventional scams that actually worked. John, thanks for joining us today. Welcome to Cyber Work.

      [00:03:00] JW: Thank you, Chris. Happy to be here.

      [00:03:02] CS: So to help our listeners get a sense of your personal journey in security, can you tell me how far back does your interest in computers and tech go, and what specifically from there drew you into the idea of email fraud and the security awareness that surrounds it?

      [00:03:16] JW: At the risk of dating myself, in 1980, I had a paper route, and I saved up my paper route money, and I bought myself a TRS-80 Color Computer. At first, I used it. I would go to the arcade. I would play Pac Man or Space Invaders. Then I would try to reproduce those games on my color computer. Now, it turns out, I didn’t have quite enough horsepower to do that, but I got the maze working. I got the things working around. But eventually, I wrote an inventory management program for a local restaurant owner and had my first paid gig with a computer. That was sort of the moment where my mom said like, “Okay. Now, it makes sense why you bought that computer,” because she thought it was just a big waste of money.

      Getting to my interest in email security, in 1997, I set up my own web server and my own like personalized email domain. I actually ran that on my home PC at the end of a DSL line. After a few weeks, I started getting spam, and then I started getting a lot of spam, and I got more and more spam. So I started playing Whac-A-Mole. I had my little mail program. I forget exactly what it was. But could write a rule that, “Oh, don’t accept mail from this IP address. Don’t accept mail from this email address. Don’t accept mail with this subject line.” I started writing those rules, obviously. After a few weeks, I realized this isn’t the way to fix the problem. I finally realized it’s a really tough problem that couldn’t be solved with a set of rules alone.

      That’s kind of what sparked the interest, and I’ll get a little more into that as we get on with our conversation. But that was the genesis, if you will.

      [00:04:54] CS: Okay. Well, I want to ask you a question that’s not on my questions here. But I’m curious what you think about spam as a phenomenon then versus now. I mean, most people’s emails, email programs have sort of a built-in spam blocker that’s so-so effective. Sometimes, you’ll get an actual message that will go into the spam filter and vice versa. But it doesn’t feel quite as intrusive as it did in the late ‘90s, early 2000s, where you might only have 10 actual messages to 50 spam messages, and they were all swimming together.

      I mean, what are your thoughts on the way sort of the signal to noise ratio is now? Because I know, also, when I click on the spam folder, like you just get a title flood that’s hiding down there that you can’t even believe.

      [00:05:43] JW: Absolutely. So I think that a couple of innovations have allowed us to get much better at filtering spam. One is machine learning. So you can start to analyze these messages. Look for patterns. Find similar patterns and say, “Okay. Well, these were all labeled spam by a user. These other ones are very, very similar. They have a lot of the same indicators. Therefore, we’re going to take action on it.” So that was one of the big things.

      The other, however, even greater influence or greater impact was this concept of massive scale. So if you look at the likes of Google or Microsoft or Yahoo, they’ve got such a corpus of messages to deal with that they can see the patterns much broader view than my little one domain, just me sitting at home could have ever possibly done. I didn’t get to see 10,000 or 10 million users getting spam. I got to see one user getting spam. So I think those are the two big innovations.

      I got to be honest with you, though, Chris. In the last two weeks, I’ve seen a slight uptick in both my Gmail and my Yahoo account, letting a few things slip through and getting into the inbox. I don’t know what’s going on with that, to be honest. Obviously, it’s one of these things that you build a better mousetrap. The mouse gets a little smarter.

      [00:07:08] CS: We’re just going to say it’s an arms race. Yeah, yeah.

      [00:07:10] JW: It is. It’s an arms race and around and around we go.

      [00:07:12] CS: You can feel someone has found an advantage somewhere. But, yeah, it’s also – Again, I don’t want to [inaudible 00:07:18] this too far, but I love talking about this stuff. But I feel like a lot of the old workarounds of spam are not a thing anymore. Like you would get like a couple of random words at the end of a subject line, or you would get like a proper name. There were all these very sort of cheap sounding, and it made spam subject lines just look hilariously weird. Sometimes, they still do with like different like like fonts and stuff.

      But it is interesting to see that sort of like that evolution of the workarounds. Yeah, like you said, it’ll be curious to see maybe in six months from now. We’ll find out why some people are making it through the through the barrier and some aren’t.

      [00:07:58] JW: Absolutely.

      [00:07:59] CS: So your career path has been pretty consistent going from an application consultant for Oracle in 1993 through several CTO roles in the early mid-2000s, up to your current role as a senior fellow threat research with Agari. So you’re working with Agari, and the company’s work overall is based around email security. What specifically around that area of security? Well, you talked about it a little bit, but like what caused you to sort of continue, especially within the sort of fraud space?

      [00:08:29] JW: Yeah. So, Chris, for me, it was always very personal. It started with me getting some spam. But I started to realize – So I had received a few phishing emails. On more than one occasion, I was duped into clicking. Now, I know enough about technology that once I saw like, “Oh, that’s not PayPal. I’m not going to put my PayPal credentials in.” But it can be realizing, “Okay. If I was dumb enough to click, and I know this stuff, I do this stuff for a living, what possible chance does my mom have, do my brothers, my cousins, etc.?”

      So I really said this is an area where I can actually kind of help people do my tiny little part to make the Internet something that I think is just an amazing tool when used for good. But it can also be pretty horrific if you don’t know what you’re doing on there. I figured I can’t fight every battle there, but this email battle is one that I can help people.

      [00:09:28] CS: I love that. You’re one of our guests who really has like a specific mission within their work. It’s not just this is fun, but like you can see yourself actively like changing things for the better.

      [00:09:40] JW: Yeah. In 2006, a friend of mine started a company called Brandmail Solutions. So the idea there was we put in the logo of the company right there in the inbox, next to the messages from that company, but only if they were legitimate. So if somebody tried to use a Gmail account to send an AT&T message, or they spoofed the message from AT&T, they wouldn’t get the logo. We had this up and running, actually. We had it working in Ireland. We had it working in Germany at a couple of webmail providers. Unfortunately, we were a little ahead of our time.

      There’s a standard today known as BIMI, Brand Indicators for Message Identification. It’s only been around a couple of years, and it’s finally doing that in a standardized way, and folks like Google and Yahoo have adopted it. But prior to that, we were blazing the trail. Then along came the 2008, 2009 sort of economic collapse, and we were out trying to raise money, failed to raise any additional money, and suddenly had to shut the doors.

      But as luck would have it, while I was scrambling to find a new job, I reached out to a contact, Pat Peterson. Pat had been at IronPort, and we had met each other at many events, since we were both out there trying to stop email fraud. I found out he just started a new company. So within a month later, I suddenly found myself as Agari’s fourth employee, continuing the mission albeit under a new company.

      [00:11:06] CS: Interesting. Okay. So thank you for that. Today’s episode, as I mentioned, is all about email fraud and its many permutations, but especially that sub specialty known as business email compromise or BEC. So to start with, let’s define some terms. I mentioned spear phishing in the intro, which, of course, is a phishing attack specifically targeted to an individual through research on that individual.

      Then there’s also whaling, which has a higher level of danger and payoff, as it tends to target C-suite person in a company who can, say, authorize a massive bank transfer on a moment’s notice. So how did these individual types of phishing attacks within the greater umbrella of the concept of business email compromise? Or are they sort of different camps?

      [00:11:49] JW: Yeah. So I’m going to take one step back first. When I look at the email attack landscape, there’s really three primary vectors for an email attack. The first we’re all familiar with, it’s a malicious attachment. So typically, that attachment’s going to infect your computer, install some unwanted software, steal credentials, etc. The second is what I call a link-based attack. A link-based attack is your typical phishing, fake message from PayPal. Your account is blocked. Please log in here to fix the problem, whatever it may be. They want you to click a link, go to a website.

      BEC is a subset of the third type, which is what I refer to as a response-based attack. What I mean by that is the action the actor wants you to take is to hit reply. So BEC falls under that. Now, another category of that is what I refer to as a romance scam. You get an email from some attractive person for whatever may meet your fancy, and they want to strike up a friendship. Obviously, it’s not that they’re trying to get you to click a link or download an attachment. They think you’re going to carry on a conversation with them, and that’s the same for business email compromise.

      Within that, we then have a number of subcategories. Some folks in the industry will refer to what we call business email spoofing. So business email spoofing means I’m basically just impersonating an executive, a vendor, somebody else in your trusted ecosystem, but I’m not actually using their email account. Now, I may have conducted a lot of research to try to craft a very interesting lure, but I’m not actually breaking in anybody’s account.

      Then we have what we refer to as true business email compromise, where somebody in that food chain, somebody in that conversation has actually got a bad guy monitoring all the conversations. When the time is right, they either inject themselves into the conversation right from the compromised account, or they may, at that point, set up a lookalike domain or some other – Set up a Gmail account with the correct name. But what they’re armed with is all the intel, the thread, the history of this conversation, and they jump in just at the right moment.

      [00:14:12] CS: Now, is it – Sorry, go ahead. Go ahead. I’m sorry.

      [00:14:14] JW: No. So I was just going to lastly say, to me, whaling is just an attacker being a little more greedy than somebody spear phishing. Honestly, it’s the same attack generally. It’s just a question of how brave are they, how –

      [00:14:36] CS: Also, sort of the depth of research I would imagine, and you don’t just need to know. Spear phishing, it’s easy enough to say like, “Oh, you know this person’s boss,” and then you can do a fake boss email. Whereas here you need to know like time of day, a certain key account. Make sure you send it to so-and-so on accounting to have a bank transfer to China, stuff like that.

      [00:15:01] JW: You have to know when they’re on an airplane to Hong Kong. So you can say, “Hey, as you know, I’m about to board my flight to Hong Kong. I need you to do this for the next couple of hours.” Exactly.

      [00:15:11] CS: Then there’s rain for seven hours. Yeah, yeah. Or 17 hours. Is this still primarily externally based? I mean, when I hear business email compromise, there’s also a sense of is there a sort of an insider angle ever? Or is this mostly coming from people outside who are able to, as you said, sort of make their way into the conversation and just get a reply?

      [00:15:36] JW: So we do see an insider threat. But typically, it’s what I refer to as an unwitting insider. What’s happened is someone in the company has been co-opted by an external party, convincing them that they are somebody they are not and now getting that person to do their bidding. I have a few examples of that we’ll get into a little bit more in a moment. But as far as this being a true insider threat, where you have a malicious insider, I’m sure cases of that exist. But generally, I think it’s in most people’s career interests not to participate in that.

      [00:16:13] CS: Yeah, for sure. Excuse me. My next question, business email compromise, obviously, it’s been a problem for a lot of years, and you’ve been researching it since way back. I know it’s never going to actually go away. But do you have any feeling of whether BEC is a thing that has – The knowledge of business email compromise has reduced the incidence. Is there any kind of learning curve in business, or is it getting worse? Is it – I mean, obviously, it’s still possible to know that BEC exists and fall for it.

      But like what do you feel about like in terms of like the old days when no one even knew to look for it versus now, know to look for it, but there’s more people doing it?

      [00:16:56] JW: Yeah. So I’ll give you one stat. $2.4 billion, according to the FBI and the IC3, were lost in 2021 to business email compromise scams. That’s a high watermark. It’s been increasing year over year over year. Now, I believe a lot of that is just that a lot more people are realizing there’s good money to be had, if you’re successful at this. So a lot of bad actors who perhaps may come from places where they have a good education, but they don’t have good economic prospects.

      At the end of the day, they want to feed their family. They’re going to find a way to do it, even if that involves criminal activity. I know people are aware of these scams, and yet no amount of training is going to stop it completely, especially the most sophisticated attacks. One attack I’d like to talk about that’s, I think, really is worth a lot more education is what I call the real estate scam.

      The way the scam works is somebody – First of all, you have to understand most real estate agents are sort of these independent brokers. They’re using their personal Gmail, Yahoo, etc. accounts. They don’t have some corporate email security layer on top of this or anything. So they get phished out of their credentials. Bad guy goes in and puts a rule in there quietly in their inbox that they just get a copy of every message going to and from this person. Basically, they tap the line, right?

      Now you got a young couple buying their first home, for example. They’re supposed to show up with a check at closing when they go to escrow or whatever the case may be. But, no, instead, the scammer waits till just the right moment. Just when they know the real estate agent has signed off for the day, they shoot an email over, “Hey, make sure you wire your down payment funds to this bank account before you come to closing on Friday.” It’s the saddest thing in the world. You end up with homeless homebuyers, basically. They’re still on the hook for the loan, but they don’t have the home. They don’t have the down payment anymore. Actually, some FBI friends of mine have said they’re aware of at least two suicides. They personally were aware of as a result to someone being victim of that scam.

      Here’s the problem, right? A real estate agent, in theory, should know better because they sell houses every day of the week. You or I buy a home. Unless you’re a real estate agent on the side, Chris, you and I might buy a home one to five times in our entire life. So you may not know that the scam is out there, that that scam exists. Now that’s an extreme example. But even internally, it’s amazing. I see people all the time falling for things. I got a call from a company a few years back. They had just had somebody impersonated their CEO and said, “I need a copy of all employee W-2s,” and they sent him the file with megabytes of W-2 forms, which the scammers then went and, obviously, did identity theft to try to file for tax refunds, etc.

      I mean, imagine the joy of having to deal with the IRS when they tell you, “Oh, no. We already sent your refund.” You’re like, “The hell you did. I’ve just filed my taxes.” It’s just such a – I don’t know. It’s a terrible crime. But, yeah, I don’t think it’s going away here.

      [00:20:26] CS: No, it doesn’t sound like it. It sounds even worse, like a pretty bad idea. But that sounds even worse.

      [00:20:34] JW: My friends call me Debbie Downer, by the way, when it comes to this particular thing.

      [00:20:39] CS: You’re not the only guest that’s made me want to [inaudible 00:20:40] a cocktail at the end of the episode. Yeah. I’ll tell you some stories from the infrastructure security people that I talked to. Anyway, well, to that end, I guess because this is such a fast and shadowy crime, is there any – Not retaliation but has there been any look at like tracking down some of these larger sort of crime people or is it – Do they really just disappear back into the shadows again?

      [00:21:11] JW: No. Actually, there’s been a lot of good work. So I personally was able to – So we have a program at Agari we call our active defense program. We actually will carry on conversations with BEC scammers. We’ll get their bank accounts that they want us to launder the money through. We’ll get their email addresses. We have relationships with the email providers with the banks, and we’ll get those assets taken away. We’ll get that bank account frozen, so they can’t move the money.

      But we have some other techniques, where in some cases I’ve actually been able to identify the individuals involved. We did refer one case to the US Secret Service, and they arrested three. They happen to be Nigerian nationals. They were living in South Africa. That was just before the pandemic. From what I understand, they’re all still sitting in jail awaiting trial. Now, they got [inaudible 00:21:57] for money laundering. These guys are driving brand new Mercedes, living in these gorgeous apartments with ocean views, etc. Yet they have absolutely no source of income.

      What gets interesting is the means used to prosecute. The FBI has done a few great things. They had WireWire, and then they had I think Operation rewired, where they have gone and made some mass arrests of some multinational gangs. Finally, much of this crime actually sort of stems from West Africa, particularly Nigeria. So the EFCC, which is a group, it’s like, I forget exactly, electronic fraud and financial crimes unit. Think of them, if you will, as like the Search Bloc from the Pablo Escobar days, except instead of going after the drug lord, they’re going after the Yahoo Boys, the guy who’s doing this sort of fraud. They made some very high profile arrests, including many politicians who were taking kickbacks to sort of look the other way, etc.

      Cooperation globally has gotten a little bit better. We’re far from to the point where every – These guys typically don’t get caught. But every time some high profile guy does get caught, such as Hushpuppi, for example, that I think makes a lot of wannabe scammers say, “Maybe I should rethink my life choices.” I don’t think – Yeah, there are [inaudible 00:23:23], whereas there did not use to be any. It used to just – I mean, they literally could brag about their crimes, post pictures of themselves in a first class airplane seat, comfy in their Bentley, when they get to the destination, etc. They post it all over social media. We’re seeing a lot less of that now. Because they realize you get a little too big, the lawnmower’s going to chop your head off.

      [00:23:49] CS: To that end, obviously, we were not going to be able to wait until all the bad guys get rounded up and put away. So in the meantime, from a technological or psychological standpoint, do you have advice for listeners who want to keep themselves safer against BEC? Like what to sort of – I mean, we’ll keep talking about all the social engineering tricks and so forth. But I guess even from a defense standpoint, you were talking about the real estate agents who are getting compromised. I mean, do you have any sort of thoughts in terms of like comprehensive, like two-factor or –

      [00:24:24] JW: Yeah, absolutely. So I look at this really from two angles. The first is the corporate angle. So let’s take the corporate angle first. You need to have a layered approach. So obviously, you’ve got your spam filter. Spam filters are actually not that great at stopping business email compromise messages because the content in them looks similar to normal business communications. There’s not that – They’re not talking about Viagra or some adult website or some new weight loss drug –

      [00:24:51] CS: Yeah, having egregious typos in them or – Yeah.

      [00:24:57] JW: Yeah, exactly. Instead, they’re often very simple. Hey, are you available? I have a task I need you to do, or we have a payment that needs to be made, etc. So there are solutions out there. Agari by HelpSystems actually sells one. But there are others out there as well that are specifically designed to detect identity impersonation and identify – Because that’s one of the hallmarks of all of these attacks is if you’ve got somebody saying, “My name is Bob, and you’ve never heard of me in your life, and I need you to wire $53,000 to this account,” that’s your problem.

      But when Bob is your CEO, and Bob is telling you now to wire 52,000, obviously, they’ve impersonated Bob, and they’ve used that trust, as well as authority aspects of social engineering to do that. So number one, I suggest that companies consider investing in this additional layer over the top of their spam filter. Second thing, train your employees. There are – Again, HelpSystems has solutions in this area. There are other companies out there as well, phishing simulation and training. You try to phish your employees. The ones that fall for it end up having to go take a class kind of thing. So that starts to inoculate folks a little bit.

      But, yes, you hit the nail on the head before, especially with the real estate agent and with individual’s multifactor authentication. If all you need is my username and password to get into my email, that’s a big problem. Why? Well, think how many breaches there have been. All of our addresses and passwords are out there. The password reuse is rampant. So even if the site that got leaked had nothing to do with email, chances are you’re going to find some percentage of those folks –

      [00:26:42] CS: Keep testing it until –

      [00:26:44] JW: Exactly. We call it credential stuffing. So MFA is absolutely crucial. Personally, I’m more of a fan of those things that generate a unique code than simply using SMS because there has been things like SIM swapping. But let’s be honest. This is like the low-hanging fruit, right? The attacker is going to find the person who doesn’t have multifactor, the person who doesn’t have these other things, before they’re going to try to do a SIM swap attack.

      The other thing that’s highly effective are just simply internal policies. So for example, if somebody sends an email to payroll and says, “Hey, can you please update my direct deposit account,” the correct answer is, “Go log into your payroll portal, please.”

      [00:27:28] CS: Yup, which is two-factor on it.

      [00:27:30] JW: Exactly. As opposed to, “Oh, I’ll just update that in the system for you.” It’s amazing how they’re able to socially engineer their way around those things. But if you’re buying a house, and you get a message from the real estate agent, pick up the phone. Call the number you already have in your contacts. Or go to the website and find the number there. Don’t use the number in the bottom of the email.

      I’ll give you a quick little story here. So years ago, my mom gets a message supposedly from her choir director. Choir director says, “Oh, you should check this out. It’s funny. You’re going to laugh your ass off.” Sorry, your butt off. Anyway, my mom thought it was a little bit weird, so she – She knows what I do for a living. She said, “Oh, my son would want me to double-check this.” Did she pick up the phone? No, she replied to the email. She said, “Did you really send me this?” He’s like, “Oh, yeah. Absolutely. You’re really going to laugh.” She clicks it. Next thing you know, I find all this out because I get an email from my mom with the same document. Hey, check this out. You’re going to laugh your butt off. I called up. I’m like, “Mom, you fell for one.” Exactly.

      Anyway, so the point is use that second channel. Again, don’t trust the phone number that might be in the email, and definitely don’t just reply to the email because you have to assume the bad actor is in that mailbox and is just as able to respond as the real owner.

      [00:28:56] CS: No. I’ve got my mom and I’m like, “Call me at any hour of any day if something weird comes through.” At this point, she just doesn’t even anymore. I think I’ve terrified her of the possibility, which is just fine as she doesn’t need it that badly, but yeah. So, I mean, the purpose of our show, Cyber Work, is to talk about the careers around these people, our guests and their expertise. This is such a bigger career stack than I was thinking when you talked about people who are actually taking the fight and working with the FBI and [inaudible 00:29:30].

      I know that there’s a bunch of different types of job roles around business email compromise, whether it’s security awareness training, like you said, or whether it’s implementing policy in your office. But like what are some things that people who are listening to this now could do right after they turn the video off to get them a little closer to having the qualifications to sort of work in this area, especially the higher tech areas like threat researcher like yourself or even working with the sort of secret service and so forth?

      [00:30:03] JW: Yeah. It really starts out with an understanding of how the Internet works. You need to understand the protocols. You need to understand what different types of infrastructure are out there. You’ve got companies that play different roles, companies that are providing broadband access, companies that are providing hosting services, companies that are providing colocation or cloud-based computing services. You need to understand, if you’ve got an IP address, how can you use open source intel or what we call OSINT? How can you use that to go figure out, “Well, who controls that IP address?” If there’s a problem, if there’s stuff coming out of that IP address as bad, how do I know who to contact to get that taken care of?”

      So you have to have the basics of how the Internet works. Do you have to be an absolute expert in like BGP routing or something like that? No, of course not. But you got to have the basics if you’re going to jump into this because you’re going to be pivoting across different things, and you have to know the connections between those things.

      Now, specifically, to be a threat researcher, you have to have kind of a creative and analytical mind. You’re never going to have the whole picture put in front of you. I’ll give you an example. We had a guy on my team a few years back, who was actually the guy who found – Figured out who the guys were that had stolen from this woman in the romance scam that resulted in that arrest. He read through. So we had managed to get our hands on the mailboxes that some of these guys were using to do their scams. We had worked with the victim and got some bank account information, and we were able to call up some friends. In this case, I called somebody over from the Secret Service who has access to the FinCEN database, which is every time there’s a large transaction moving money, I think the limit is $10,000, it gets filed.

      Specifically, if there’s anything that looks suspicious, banks are supposed to file what’s called a SAR, a suspicious activity report. I don’t have access to that database, but the Secret Service guy did, and he was able to go spider all that out. But then we were able to tie some social media accounts, and a lot of this came down to my analyst who just has this like eidetic memory, where he’s like, “Wait a minute. I’m pretty sure that I saw that same user name on a completely different system.” Let me go check it out. Sure enough, he found it. We followed the breadcrumbs. We tracked it down.

      Now, does every person on the team need every skill? No. At the end of the day, why this works is we have a team. If it was any one of us, I don’t think we would have made half the progress that we’ve made. You need to be able to know how to use different tools to sort of visualize data. I’m a very visual person. If I can get something in the right chart or graph, I’m in a much more of a position to start to see the pattern with my eyes. This other guy was actually better with the words. He could just read through 10,000 emails in the space of an hour and be like, “Okay, yeah. There was an email with this keyword. Go search on it.” “Oh, yeah. That tied this to this.” It’s a variety of different skills.

      But, yeah, the core of this is, first, to understand that and then comes the whole second aspect. Specifically, if you’re going to go after business compromise or other social engineering scams, having a little hint of sort of the psychology of these things, how it works, is very helpful. We used to have a guy on my team. He’s long since moved on to do other things, but he had a degree in psychology. One of the things he always talked about through our active defense techniques is if you don’t think you’re going to get some sort of payout and then you get a payout, obviously, you’re quite happy. If you don’t think you’re going to get a payout, and you don’t get the payout, you’re mildly annoyed. But if you think you’ve got a big payout coming, and then it falls through, if you don’t get it, that’s like emotionally devastating.

      We used a lot of those techniques against the bad guys, where they think they’re getting $100,000 wire on Friday. But in the meantime, not only are they not getting their $100,000 wire to their bank account, whatever was in the bank account isn’t going to be there on Friday either. There’s a lot of that. So, yeah, those are some of the –

      [00:34:24] CS: That’s fascinating. You had someone in-house who had a psychology or psychiatry background who was able to like tweak the wording of like the messages you were saying.

      [00:34:35] JW: Exactly. To really essentially reverse social engineer these folks.

      [00:34:40] CS: Amazing. Okay. I love that. That’s mind-blowing. The next stage after that, I mean, I really want to, as much as I can, just like put this in the hands of people who are listening to this right now and to get into this. Learning can only take you so far, obviously. You can’t just necessarily knock on a door and say, “I’ve learned all this stuff. Give me a job.” Like what are some ways that people who don’t have experience in this field can demonstrate experience until they can work for a company or be on a team and get real experience?

      [00:35:16] JW: Absolutely. I look where we source folks from my team. They come from a number of different places. I’ve had people join my team from an engineering discipline where they were writing software, so they had the basic understanding of the Internet and some aspect of it. Then, of course, we really did make the leap and give them the additional training they needed. Some of my team has come from some three-letter agencies. It turns out that the government is pretty good at training people to do this stuff. They also don’t pay very well. So it’s pretty good. It’s relatively easy to lure folks away after they receive their training.

      I guess the other thing, of course, would be an internship, especially for your younger listeners and viewers. I know a lot of companies are more than happy to bring somebody in as an intern. In fact, we’ve had several interns that have come through. After they graduated, we brought them on full time. Eventually, they were ready to take the next step in their career, and they moved off to another company where they could maybe take more of a leadership role in this. It’s like anything, though, Chris. Getting that toe in the door is so impossible.

      But the one upside, there’s an estimated three million unfilled jobs in cybersecurity. I forget whether that’s globally or in the US. I think that’s just in the US. The good news is that the bar of entering is a little bit lower than it might have been some time ago, simply because the lack of talent. You may find there’ll be companies willing to work with you. Give you that little bit of training you need.

      [00:36:54] CS: Take a chance.

      [00:36:56] JW: Exactly.

      [00:36:57] CS: Yeah, yeah. We’re hoping so. My previous guest, Diana Kelly, we had a very long talk about some of the pipeline issues involved, which is anything from higher HR departments looking for unicorn candidates to not really knowing how to sort of get around the tracking, getting the right keywords in your resume. It’s a whole thing. But, I mean, you know the story.

      But, no, this is all very inspiring and a lot larger than I had expected at the front. So as we wrap up today, John, you told us a little bit, but please feel free to tell us more about Agari and some of the services and research methods you utilized. Also, if you have any big projects on the horizon, feel free to promote those as well.

      [00:37:37] JW: Sure. Agari is in the business of stopping email fraud. We got our start with a solution called Agari Brand Protection. That solution helps companies implement a standard known as DMARC. What DMARC does is it makes sure that if you own paypal.com, and you’re not PayPal, you cannot use that email address. That may seem like very obvious. Of course, if you’re not PayPal, you can’t use paypal.com. Before the DMARC standard and before Agari, anybody could send a message saying they were from PayPal. Typically, it would get delivered. That was our first product.

      The second thing we did was we built Agari phishing defense. That’s that thing I alluded to earlier, where we’re modeling the normal sending behavior of the identities that are trusted within your organization and then finding those anomalies and preventing delivery of those messages. So for example, if your CFO normally uses her work account and once in a while forwards her hotel receipts to an assistant, the system will quickly learn those are the only two addresses that the CFO is sending from. Therefore, when one comes in from a completely different one, it will block it.

      Our third product is called Agari phishing response. That’s kind of the catch all. Now you’ve trained your users up. They know when to see phishing. But somebody in your mail client, you’ll have a button or you can right click and say report phishing. Well, guess what? When you report that, if you’re an Agari customer, that goes over to a very phishing response. Someone reviews it. Determines that if it’s a threat or not. If it is a threat, we can spider that out and see who else in the company may have been hit by that same attack. Then we obliterate the whole thing in one fell swoop. Remediate the threat. Then those indicators go back to all of our other customers to inoculate them against that same thing.

      Then lastly, what’s near and dear to my team, I head up the Agari Cyber Intelligence Division. We offer a solution called Active Defense, where our customers send us their BEC emails, and we spin up a fictitious persona and just reply back and say, “Hey, I got your message. What do you need me to do?” We extract bank accounts. We feed those over to the bank so they can take action on them. We feed the email accounts over. We track all sorts of stats, figures, etc. Then all of that intel goes into our products as well to make those stronger in the future.

      The other thing that I’m doing, what’s latest for me, is here at HelpSystems, we are – HelpSystems has grown very recently by – They’ve been around for quite some time. But after starting a cybersecurity practice, they’ve been on a bit of a buying spree. In fact, I think we’ve acquired about five companies post Agari, which was just one year ago.

      My role is very much involved with integrating the threat research from all of these different siloed companies so that we’re not – If you’ve got that – I’m sure you see the – Yeah, we’re getting all the data in the same place. Exactly. Then we can connect all of this – We can connect the dots in ways that no single product could have done in the past. So be on the lookout. Some exciting stuff coming down the pipe when we start connecting these together.

      [00:40:53] CS: Yeah. Really cool. Well, last question, for all the marbles here. If our listeners want to learn more about John Wilson and Agari by HelpSystems, where should they go online?

      [00:41:01] JW: Absolutely. Well, certainly, our websites. If you go to agari.com, or helpsystems.com, you can learn all you want about our solutions and such. One area that I very much encourage people to go to is ACID, acid.agari.com. That’s where you will find our research reports where we break apart each of those threat groups I was talking about before, where you can learn their tactics, techniques and procedures. You may well say, “Wow! Look at that message in my inbox. Based on what I’m reading from Agari, yeah, that’s this group over here that’s doing it. Oh, they’re based here. They use this particular infrastructure. They base the email accounts like this.” Whatever. We have all these different indicators that sort of help guide us and attribute the attacks to a specific group.

      So yeah, I very much encourage your readers and listeners to go there. I think there’ll be somewhat entertained, because we really kind of walk through the threats, and we tend to take a little bit of – There’s a tiny bit of humor along with it, along with, of course, the educational value.

      [00:42:07] CS: I was going to say, there’s got to be enough crazy stories out there that there’s got to be some entertainment value as we’re all sort of sweating our next potential effect coming at us.

      [00:42:17] JW: Exactly.

      [00:42:18] CS: Well, John Wilson, thank you very much for your time and insight today. This was an absolute blast. I really appreciate talking to you.

      [00:42:24] JW: Likewise, Chris. Have a great day.

      [00:42:26] CS: As always, thank you to everyone listening and supporting Cyber Work. New episodes of the Cyber Work Podcast are available every Monday at 1:00 PM Central, both on video at our YouTube page and on audio wherever you get your podcasts.

      I want to make sure you all know that we have a lot more than weekly interviews to offer you. You can actually learn cybersecurity for free on our InfoSec skills platform. If you go to infosecinstitute.com/free and create an account, you can start learning right now. We have 10 free cybersecurity foundation courses, six cybersecurity leadership courses, 11 courses on digital forensics, 11 on incident response, seven on security architecture, DevSecOps, Python, JavaScript, ICS data, and more. Just go to infosecinstitute.com/free and start learning today.

      Thank you very much once again to John Wilson and Agari, and thank you all for watching and listening. We’ll speak to you next week.

      [END]

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.