How COVID-19 is changing phishing, social engineering and security
Individuals and organizations are shifting routines to accommodate Coronavirus health concerns, and bad actors are updating their strategies to capitalize on the new opportunities. Aaron Cockerill, CSO of Lookout, discusses how cybercriminals are looking to cash in or otherwise disrupt organizations during the pandemic, as well as how workplace security is evolving with so many individuals now working from home.
Aaron Cockerill joined Lookout with nearly 20 years of software product management experience. As the Chief Strategy Officer, Aaron is responsible for developing, validating and implementing cross-functional strategic product initiatives that align with the Lookout vision of a secure connected world. Most recently, he served as VP of Mobile Technologies at Citrix, where he and his team were responsible for the development of Citrix’s mobile apps and container technology, while driving the acquisition of Zenprise. Prior to working on mobile technologies, Aaron drove the creation of Citrix’s desktop virtualization product, XenDesktop, which grew into more than $1 billion yearly revenue for Citrix during his five years of leadership. Before joining Citrix, Aaron worked for Akamai leading product management on their enterprise content delivery solution as well as working on the development and deployment of many of Akamai’s advanced content delivery networking technologies. Prior to that, Aaron led product management for OneSoft’s e-commerce system, and he held multiple positions at BHP Billiton in Australia. He holds a BE Materials (Honors) from Wollongong University, Australia.
[00:00] Chris Sienko: It’s a celebration here in the studio, because the Cyber Work With Infosec podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a Best Cybersecurity Podcast Gold Medal in our category. We’re celebrating, but we’re giving all of you the gift. We’re once again giving away a free month of our Infosec Skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments.
To take advantage of this special offer for Cyber Work listeners, head over to infosecinstitute.com/skills or click the link in the description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, c-y-b-e-r-w-o-r-k, no spaces, no capital letters, and just like magic, you can claim your free month. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.
Enough of that, let’s begin the episode.
[01:04] CS: Welcome to this week’s episode of the Cyber Work With Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
We hear in every other TV commercial, email ad, Facebook promo post, etc., we’re living in unprecedented times. The modern age of sheltering-in-place has changed huge swaths of societal interactions or lack thereof and has led to new strategies for everything from work from home methods, to live concerts streaming live and often built on platforms not built for the purposes they’re currently supporting.
With so much instability in our day-to-day routine, there’re plenty of opportunities for phishers and other bad actors to target the constantly-shifting nature of our online routines. That means new and different attack vectors for phishing and other types of social engineering. Today’s guest, Aaron Cockerill of Lookout, is going to tell us about some of these new COVID-19 and lockout-related phishing attack patterns that are showing up and how to help us continue to stay safe and secure from online attacks.
Aaron Cockerill joined Lookout with nearly 20 years of software product management experience. As the chief strategy officer, Aaron is responsible for developing, validating and implementing cross-functional strategic product initiatives that align with the Lookout vision of a secure connected world. Most recently, he served as VP of mobile technologies at Citrix, where he and his team were responsible for the development of Citrix’s mobile app and container technology while driving the acquisition of Zenprise.
Prior to working on mobile technologies, Aaron drove the creation of Citrix’s desktop virtualization project, product, XenDesktop, which grew into more than 1 billion yearly revenue for Citrix during its five years of leadership. Before joining Citrix, Aaron worked for Akamai leading product management on their enterprise content delivery solution as well as working on the development and deployment of many of Akamai’s advanced content delivery network technologies.
Prior to that, Aaron led product management for OneSoft’s ecommerce system and he held multiple positions at BHP Billiton in Australia. He holds a BE Materials (Honors) from Wollongong University in Australia. Aaron, welcome to Cyber Work.
[03:17] Aaron Cockerill: Thanks. That was very thorough.
[03:20] CS: Yeah. I like to let people know what we’re getting into. Yeah. I mean, we got a little bit on your work background, but tell me about your sort of life background. Where did you first get interested in computers and tech and when did you get into cybersecurity as a job and a calling?
[03:36] AC: Well, from a… getting to computer’s perspective, I was pretty young. I guess I’m just telling everyone my age on here. My first computer was a Commodore 64.
[03:47] CS: Same here. Yup. We’re the same age.
[03:50] AC: Yeah.
[03:53] AC: Yeah. That’s when I first got involved, got into some computers. I guess I didn’t take a direct routing to computer science, but ended up being materials engineering, as you mentioned, working for BHP Billiton. But it’s a really interesting learning experience. I’ve worked a lot with robotics systems and PLCs, back then, and programming in Fortran to operate giant machines, like a cold mill that squashes steel and working in crazy environments like they used Halon gas systems to make sure that the computers that we were working on didn’t catch on fire, wouldn’t lose everything.
It was a really interesting time back then and things have changed dramatically obviously, but that really got me interested in computers. I think the transition to cybersecurity, I didn’t actually pursue a career in cybersecurity. Every time I got involved in solving customer problems in general in IT, I would say, everything Akamai onwards, one of the primary issues that we kept facing was addressing cybersecurity.
Especially like, for example, in Citrix. Citrix is not specifically a security company, but their products are frequently used in high-security environments. I was always adjacent to it and customers always seemed to be frustrated that they were having trouble solving – I mean, so differently. That was their biggest problem. It was great to be able to help them with things like what we did in Akamai and what we did at Citrix and the great companies, that I want to get closer to solving what seemed to be the biggest problem, which I think still today is cybersecurity unfortunately.
[05:45] CS: Right. Yeah. Let’s jump in to sort of present day. How, if at all, has your day-to-day work routine changed in the last few months? I mean, assuming it’s changed somewhat. Were you a work from home person before? If not, what changes, or concessions, or maybe even improvements have been implemented in these emergency measures?
[06:02] AC: I would say at Lookout, we’ve always had the ability to work from home entirely online, but we used online services for more productivity, apps and so on and elsewhere and services are online. We’re a very cloud-oriented company and relatively modern from that perspective.
Though, personally, I wasn’t originally a work from home employee. I would spend a lot of time in all of our offices. I did spend a lot of time on the road traditionally. I spend a lot of time on the road talking to customers and presenting and talking to people like yourself, which – I don’t know, we would have probably still done this virtual, but I do a lot of them in studios, labs, all that thing. The big change has been staying at home.
There are a couple of challenges. In fact, we had a discussion right before I joined. I think I need to invest in a better microphone and setup for my home office. You could see it here. I don’t know if the audio is okay, but I hope everyone can hear me. I will be investing in another mic in the future. But that’s the biggest change. I think how that’s impacted us, especially at Lookout for me, we do a lot of – What we’ve been doing is really pushing the edge of innovation in mobile technologies, mobile security. I’m really proud of that. I love doing what I do. It’s more difficult to do cutting edge innovation, brainstorming. That type of interactivity… I love that we’re talking on Zoom right now. I’ve used most of the tools for virtualized meetings, and there are whiteboards that you can share and that sort of thing, but it doesn’t feel actually being in a same room with a bunch of smart people and coming up with brilliant ideas. At least I’ve not been able to recreate that environment. For me, that’s probably the biggest impact. That and my dogs keep barking during interviews.
[08:20] CS: Yeah, we’re all seeing a lot of everyone’s life during these things. It’s kind of nice. I mean, do you think that’s something that people will eventually get used to in terms of being able to interact over a computer space versus – We talked about e-reading 10 years ago. People were saying, “Oh, it’s never going to replace paper books and things like that,” but do you think that there’s just a learning curve here and that people eventually get it or is there just no substitute for in-person collaboration?
[08:48] AC: I think that two things will happen. I definitely think that there’s an opportunity for improvement, and I do think that we will learn how to do it, but I think it will take changes in the tools that we use. I mean, when you look at the tools that we use today, they’re mostly focused on this type of engagement or more a formal meeting. If you think about what you do in a design context where you’re taking lots of post-it notes and sticking it on a wall and trying to categorize a particular idea and that sort of thing. I’m sure that we’ll be able to solve these problems virtually and I look forward to seeing innovative companies that do that. Just something we’re quite there yet.
[09:33] CS: Not there yet. Okay. As I mentioned at the top of the show, we want to talk specifically phishing and how it’s sort of – The social engineering and attack vector nature of it has changed in this present time. We’ve had a few guests in the past and I’m thinking way back, I think it was episode 13. We had a guy named Pedram Amini from InQuest who talked about the latest phishing trends. That’s back in 2018 at this point. Based on your own research, how has the nature of phishing changed since this first major shelter-in-place order back in March? Has there been an increase, decrease, similar number?
[10:10] AC: No. Significant increase – Well, let me put it this way. There is a significant increase in the targeted phishing that is leveraging the whole COVID pandemic as a tool for social engineering. Whether there’s been specifically an increase in generalized phishing as a result of that incremental step in COVID, I think that the numbers are a little bit too early to say but it does look like that from where I sit.
But you’ve got to understand, when I talk about phishing, I actually am talking about something slightly different that I probably should explain, and what I’m about to explain is sort of being on a curve like this for months now, like the start of 2018 and 2019. What I’m referring to is less about the email that you get from some long lost uncle in Nigeria that left you a million dollars or whatever. Actually not even necessarily email, but someone sending you a personalized message that has a link in it that you click on.
In the mobile world, that tends to be an SMS, or I’m not picking on any platforms, but Facebook Messenger message or WhatsApp or could be telegraph or it could be any type of social media where they can send you a link and say, “Hey, if you click on this, you’ll get something for free or you’ll be able to see awesome pictures of someone or something,” or even more troubling, which is what’s happening in the current pandemic, “We found that someone has COVID-19 in your office. Click on this link for more information.”
That type of social engineering attack where you click on a link now, most often then the link is geared towards stealing information for further espionage or direct attacks. Anything like your credentials for online banking, your credentials for company access to your productivity tools like Office 365 or G Suite or whatever, which we see huge amounts of examples like Salesforce, but also your personal details and personal credentials. No one ever uses the same password for both services obviously. That wouldn’t be safe.
[12:33] CS: Yeah. Oh, yeah. Yeah, that’s definitely never happened ever. Yeah, we’re sort of getting into that, but let me just sort of talk on a larger scale here. What are the most common types at the moment of phishing types? You said that there are links within emails and things like that and that sort of like the sort of text story-based things might not be as prevalent these days. Along with click this link for more information, what are some of the primary sort of like phishing types to watch for? I mean, are attachment URLs big? Are fake invoices, docs, PDFs? What are you seeing?
[13:22] AC: In the mobile space specifically, lots around someone has COVID-19 in your office. Click here for more information. That type of thing. I’ll put them all in a category similar to attacks where we see horrible ones that say like your daughter has been injured at her elementary school with the parent name and the school name. Click on this link for more information. Yeah, I wouldn’t click on that. Put them all in a sort of health accident type scenario.
There’s a bunch that we’ve seen around this is how you get your COVID-19 check.
[13:59] CS: Stimulus check. Yeah.
[13:59] AC: – from the government. Anything from enter your credit details here. We’ll send you the money. That type of thing. That’s directly relating to COVID, but you see in a financial context you’ll see frequently a link to, say, this is – You’ll receive this check. Authorize the deposit here, or there’s been untoward activity on your account, and this is all financial. So there’s been untoward activity on your account. Click here to change your password. Of course, then they capture your password. Verify this transfer or someone’s trying to send you money. Click on this link. They’re the types of financial ones, and they do a relatively good job of putting it in the correct context. They’ll often know what your bank, who your bank is and that type of thing.
[14:59] CS: Yeah. So there’s some research involved.
[15:02] AC: Yes. Then the next category are along the lines of getting you to do something that you probably shouldn’t do, and a lot of that involves business email compromise and impersonation. Sending a message to an executive assistant to say, “Please send me all of the company’s W2s. I need them for some random reason.” Then the bad guys file all the ones that have got a return and that type of thing, or send me the HR database for this reason, or send me corporate information of some sort.
I would make a distinction. They’re the general categories that we see. Financial intellectual property or some sort of company theft, financial and the ones that are around healthcare or personal information. Those categories exist actually in email and PCs. There’s one that I would talk a little bit more about, which is business email compromise, where you’re impersonating someone else to get something. In mobile, that – Mobile is impacted equally by emails, since everyone reads their email on their phone. But there’s also impersonation of like the SMS sender and that sort of thing you have to worry about on mobile, because that’s relatively easier to pretend you’re someone else when you’re sending an SMS message.
There’s another category which is less applicable on mobile. It’s not completely – It does exist, but it’s more frequent that the attack on mobile devices tends to be click on a link, and that link, more often than not, tries to extract information rather than on PCs. Frequently, that link, or more appropriately, an attachment in email for us to get you to open package to install software, to do something on those lines.
That’s not where Lookout is focused or the tools that are existing email phishing tools today. Very good helping in that sort of area. But because mobile operating systems are less focused on processing of attachments and…
[17:29] CS: Right. For sure.
[17:31] AC: It tends to be more focused on click on this link and then steal info.
[17:35] CS: Right. Got it. Now, thinking of phishing attacks that are happening specifically within a work context, last couple of months have been a lot of – As we said, people have been kind of improvising their new work spaces or clearing space out on the kitchen table or a card table or whatever. There’s a lot of sort of like just general instability especially those first couple of weeks. Now, did you find that people were more likely to sort of succumb to phishing attacks during that because everything was so in free fall or was it maybe that everything was sort of uncertain that everything that came across your desk looked more suspicious?
[18:15] AC: No. Phishing attacks were far more successful than that period for a couple of reasons. I wouldn’t say that that period has ended. It’s continuing today.
[18:24] CS: No. Yeah, of course. We’re all still figuring this out.
[18:29] AC: Two big things that we noticed. The first and sort of the most obvious is everyone’s working from home. Unless you’re operating 100% of the time through a fat VPN tunnel back into your work infrastructure, you’re outside, which by the way has its own issues, because then all of a sudden your home network and everything on it becomes part of the corporate network, which is an IT security nightmare.
[18:58] CS: Yeah.
[18:59] AC: If you’re not using a big fat VPN pipe like that, then you’re outside the corporate perimeter. The corporate perimeter has traditionally had things like secured gateways and advanced firewalls and so on that are able to protect you from these sub-sufficient links and these types of content in general.
Right now, people are working from home and their access to the internet is completely unfiltered. They don’t have the advanced security infrastructure that’s available when they’re on-premise using the corporate network. That applies to, as I mentioned, the secured gateways and advanced firewalls and that, but even things like data loss protection and UEFI and all those types of tools that we used for monitoring for things like insider threats or data loss. They’re all sort of out-windowed. I would put all of that in the same bucket as these phishing links. That’s the first problem.
The second problem is when you’re at home and you have an 8-year-old that you got to go teach how to use Zoom because they’re talking to a teacher and a 13-year-old that has an algebra problem and you’ve got work trying to go on and that’s got to work as well and you’ve got one office, maybe, in your house. You start working in not normal working environments. To be honest, and I actually sort of brought this here. Your tablet, your iPad, I found becomes a much more convenient working tool than sitting in an office to a desktop – I think Citrix used this term, time slicing.
Like I’ve got sort of an hour focused on you right now, but as soon as I get done with this, if I’m not on a dedicated call with a customer, I’ll be replying to email then doing an algebraic question for a 13-year-old math and then trying to solve an audio problem on Zoom. It’s just crazy like that. I found tablets are far more convenient than sitting down glued to sort of a work environment.
[21:13] CS: You’re kind of taking it place-to-place.
[21:15] AC: And they are not – In most cases, they’re not company supplied. They’re typically BYO. They typically are managed. That’s a whole new –
[21:28] CS: Yeah. Do you have any tips for sort of securing these sort of rogue devices like that?
[21:35] AC: I mean, because of the company I work for and because of my beliefs, I think the most important thing is to have mobile security. iPad is no different to a phone for us, tablet. Android tablet is no different to a Pixel. For us, it’s all the same thing. You can install Lookout or other security software for mobile operating systems from app stores. Of course, I recommend ours. But it’s a good start to have that on your device if your company doesn’t provide it.
Many of our customers though are quickly rolling out protection for more devices as a result of this sort of – We’ve seen a significant uptick in that sort of deployment recently. If your company it, try and put the protection on the devices you use for work is something that I recommend. If your company doesn’t, go get something from the app stores.
[22:35] CS: Yeah. Let’s sort of break down into – I mean, we talked about some of the main sort of appeals, especially things like your coworker has COVID. Click here to find out more or whatever. Can we sort of go sort of syntactically and talk about like some of the language that’s getting people to click in these types of emails? What are some of like the emergency search term, or the emergency sort of like hot button terms that make people sort of. Social engineering is all about getting you to act before you think. What are you seeing that are some of the sort of like successful sort of writing stream? You can tell a bad phish when you see it, if the language is garbled or just weird formatting or whatever. But what are some of the things that they’re doing effectively that we should be watching out for?
[23:25] AC: I think I want to highlight something that you said there, which is to protect yourself, you should not click on links or take seriously emails with grammatical errors.
[23:40] CS: Yeah, absolutely.
[23:42] AC: Just throw those away. That’s a really good start, because they are frequently originating from non-English speaking countries. English tends to be limited in many cases. That’s a really good tell that most people should take close aware of.
The ones that are most effective tend to fall into two categories. The first one is initiating that, I guess you could almost call it fight or flight, my daughter is being injured, like we talked about before or someone’s got sick in the office like we talked about before. Anything that can – Your financial, your bank account is under attack for fraud. Your password has been stolen. Any of those things that would be a shock. Passwords stolen, even your order has been rejected, the credit card was rejected. There was an issue with your delivery, which is a big thing right now.
[24:45] CS: Everyone’s getting so many deliveries right now. Yeah, there’s an issue with your delivery, or your order is on its way and it’s something really expensive that you didn’t order or something like that.
[24:54] AC: Yeah, that’s a good one too. Yeah. Like I said, something really expensive and your credit card was declined. Those types would make you typically uncomfortable. That’s the one category. The one I laugh, it’s a little funny and it probably affects males more than females, because we’re very visual. But we’re all stuck at home and especially people that are dating online or something, there’s a lot of these fix to say click on this link or install this app to have a more intimate interaction with me, so to say. That’s a common one as well.
[25:36] CS: Okay. We mentioned it with the tablet and stuff, but could you give me some sort of overall sort of requirements or guidelines that employees or IT departments or companies could do to make these altered working environments more safe against phishing and other social engineering attacks? Obviously, we want to put the right defense on the BYOD devices and stuff, but like what in your mind is sort of like a really good kind of plan of attack that IT departments should be doing to sort of keep the endpoints safe and so forth?
[26:13] AC: That’s a tough one to be honest, because – I don’t want to seem self-serving, because we’re one of the unique companies that solves this problem. But the challenge that IT departments have is that the devices that they’re needing to connect, sort of protect right now, are outside their network. So, there are a lot of tools that allow you to extend the corporate network into the home like VPNs, and if you’re being attacked consistently through these types of phishing attacks, it may be worthwhile extending your VPN into your employees’ homes. That might be their approach.
That’s really the only alternative other than having effectively the secured gateway type technology, which is what our phishing protection does, which is blocking links, blocking URLs that are inappropriate on the endpoint. Unfortunately, right now, there’re only those two solutions available. Of course, we recommend the one being deployed on the endpoint because it means that the device is safe no matter what network it’s connected to, but extending your network protections out to your users if you don’t have something available like Lookout might be the right way to do.
In that scenario where you’re extending the VPN apps, the home network – Actually, there is one other solution which I’ll come back to. But if you’re extending your corporate network out to home computers or whatever, I would try and encourage your employees to have it on a singular device that’s dedicated for work and make sure that obviously that your operating system is up-to-date and all the applications are up-to-date and that they have some form of security on the device. In fact, most companies these days have some sort of Mac setup, so that if the VPN is going to be running on that device it does some rudimentary checks as to whether the device is safe before that connection is made. If you don’t have that, I would encourage to set that up. That’s one solution.
Obviously, deploying something like Lookout’s phishing and contact protection recommend that as well. The last scenario having come from Citrix, solutions like VDI are amazingly effective in this type of environment. I’ve gotten off the phone recently with a number of customers that reminded me that I met you back when you’re working for Citrix and Zendesk help saved us in this scenario because we’re able to remote everyone’s desktop out to them.
That’s a great solution if you have it in place. It’s pretty difficult to spin it up quickly, although there are service providers that provide that type of capability. But what that allows you to do is have a full work desktop running on a device that you don’t really have to worry too much about when it comes to the underlying operating system and so on because it’s completely virtualized. They’re the, I guess, three scenarios that the VDI tends to come with a fair bit of custom implementations set up if you haven’t got it or operating so the VPN wiring and mobile threat protection on your endpoints is probably faster and more productive solution for most companies.
[29:46] CS: Okay. I want to sort of move. You’re talking about time slicing and sort of the way that people are working now, especially for people who are working at home. It seems like work time and leisure type time for a lot of people might be increasingly blending together. Do you have any advice for people who find themselves who are sort of always sort of at work? You might be watching TV with your family but you’re checking email or Slack on a tablet or going over reports while everyone’s hanging out in the living for family time, and I feel like that not only is a technical and mechanical risk waiting to happen, but also the fact that you’re sort of your mind is everywhere. You’re less likely to check in on these things. A friend of mine just said that he got hit with ransomware because he was checking his work email at 12:30 at night. With some of us having more forced barrier between personal time and work time, what can we do to sort of be less susceptible to these kind of attacks than if we would be during work hours?
[30:44] AC: I think I should stop by saying that if my wife is listening in on this call, she would say that I’m not the right person to be giving that advice.
[30:52] CS: Okay. I’m speaking of a hypothetical person out there. Yeah. All right.
[30:59] AC: Exactly. It’s really good advice to try, especially if it’s even vaguely important, try and keep it to not so much work hours, but when you have the opportunity to think particularly about what you’re doing.
[31:16] CS: Focused time anyway. Yeah.
[31:18] AC: Yeah. I try, not that I’m very successful at this, but I try and deal with the more focused work stuff earlier in the morning and then I tend to try and have a lot more social engagements type things over Zoom in the afternoon, which is work related for me, and lately might go until later at night. Wine and security don’t mix very well either.
[31:48] CS: No. Sadly no. We’ve all tried it. Yeah. Okay. Well, that sort of brings me nicely to my next question. With so many work and social events currently being hosted by platforms that weren’t meant to support them, whether it’s the aforementioned company-wide happy hours on Zoom, or streaming from home concerts on Twitch or Telegram or takeout food or grocery delivery, which is often being executed by sort of new secure payment options or restaurants that didn’t have takeout options before, sort of throwing them together the last moment. What are some security issues or red flags that we should be watching out for not just on our work account, but in our newly shifted leisure time?
[32:28] AC: Again, I don’t like to pick on any particular companies, but I think we all know that Zoom has got dinged for a bunch of things in this area. In general, and we use Zoom, like I’m talking on it now. A lot of these problems such as inappropriate people joining parties and being able to then subsequently join work meetings and so on. A lot of that is just simply configuration of the tools. I’m already a little bit frustrated by the term new normal, but if this is going to be our new normal, then become familiar with these tools. This is something you’re going to be using on a regular basis, set up a password for – I actually recommend that you set up a regular personal meeting so that you can switch one on whenever you want instead of having to set up schedule in a number different number and all that sort of thing, but put a password on it and don’t let people that are unauthorized join it. You can set up things like waiting rooms and so on. That’s probably the most important thing, making sure that you control who’s able to join those.
The next thing, and it’s not as much social as – Well, it’s actually just general good hygiene. These applications gain access to your microphone and your camera and so on. Be careful when you’re having social interactions that you use tools that you know of. If you get a meeting request where you can have a happy hour with some obscure conferencing tool that you’ve never heard of before that’s asking for your access to your microphone and your camera and so on, question that. Try and stick to at least the tools that you know, and that can be very regional and you might come across once if you haven’t seen because it’s original party or whatever it is. But bear in mind that one of the attack vectors is to gain access to your microphone and your camera and so on by installing software specifically for surveillance and pretending to be socially interaction where you’re going to send this or whatever it is. An attack vector we’ve seen and it’s something that is pretty open to bad actors given that we’re all trying to do interesting new social engagements.
[35:09] CS: Yeah. Are there any particularly unusual phishing attacks you've heard of that seemed insane, but actually worked, like either before the pandemic, but especially now?
[35:19] AC: I just want to think of any of those. I'm always surprised at how simple they can be to effective. Probably the most telling one that I think was sort of funny, you can actually refer to it on our Lookout website. It's called ViperRAT. It's dated now, but it was targeted at a particular forces group, which let's say are typically male, and that was one of the first ones where I saw – Like pretend ladies sending pictures and saying, "Hey, if you want to have a more intimate interaction, install this software and so on." It's amazing to me that we watched the people that got kicked by that literally on one of the important borders on the wall where all of the armed forces were deployed.
[36:15] CS: Yeah.
[36:16] AC: Very, very successful and very rudimentary. From an obscure perspective, most of the obscure ones tend to come through email with a convoluted story and then you get tied up in the story. I guess just for everyone listening, there's one other one that I forgot to mention, which is – And it's particularly bad for people that are not as experienced with IT and often the elder community, which is let me help you. You've got a problem with your computer or your phone and stuff like that. It always amazes me how effective those ones are as well.
[36:57] CS: Yeah. Expanding out from your company to companies that you might work with, are there any best practices for ensuring that any third-party vendors that you work with who might need access to secure information are less likely to accidentally or intentionally compromise your network and your information?
[37:15] AC: That hasn't really changed in the COVID scenario. The way you're sort of using digital rights management, control of intellectual properties, those tools with. For us, that hasn't changed, because everyone's accessing things the same way. This is about implementing the right DLB, the right potential digital rights management on content. Not allowing sharing outside of mobile containers, that sort of thing.
For us, that hasn't changed a great deal maybe with the exception of the fact that it's not for us. But companies that are using comprehensive use of VPNs, it tends to make that a little bit more difficult, especially if they're perimeter-based tools. Keep that in mind. If your data protection is all revolved around your perimeter, hence you're having been connecting from VPNs. That's going to make your life more problematic from managing intellectual perspective.
There's a related thing that I wanted to raise though, and this is especially in the healthcare area, which is there's – Healthcare, everyone in the healthcare industry in the moment, we're all indebted to. They're doing amazing job.
[38:36] CS: Of course, absolutely.
[38:38] AC: With the added pressure, and we've actually got a few friends that work in this space. They're having to come up with new and unique ways to solve problems. Like we've heard of people building ventilators and all that sort of stuff. It's troublesome – Well, how do I put this? The healthcare regulations as it relate to things like digital protection of people's information, HIPAA, that doesn't go away of the pandemic. I try and make sure that people in the healthcare industry are using tools that do encryption of data when they're transmitting government sort of thing. That's a big challenge right now.
Educating doctors and that sort of thing on how to use tools that are not compromising individuals and their private health information is sort of important as well. But making that easy for them is what I would focus on from an IT perspective right now. We want it to be possible for them to work as fast as they can and focus on the patient and what's happening rather than IT. Forcing them to do unnatural things is not the right approach right now. Making it easy as possible is where you want to go.
[39:59] CS: Okay. Where do you see phishing going in 5 to 10 years from now? Is this just going to be a constant arms race where it's phishing, counter-phishing, phishing, counter-phishing, and is there a way – Is there a way to keep it from getting worse? Is this something that we think of like spam, like we still get spam, but spam filters have effectively sort of like removed spam as a thing that you experience more or less on a day-to-day basis. Is there any similar track for phishing or is it just going to be part of our life from now until forever?
[40:30] AC: I don't have good news here. It is going to be a constant arms race. Let me give you an example. I think that it's going to be a wonderful revolution when we're able to get rid of passwords and we can do, let's say, for example, not picking on any particular company or standard or anything, but the FIDO Alliance with FIDO UAF2 – FIDO 2 Universal indication is a great step in eliminating the type of phishing that I've talked about before, which is where you steal a password and then steal data from a person. That's great. But you can guarantee that the bad guys are going – Once that problem is solved, then they just attack a different vector.
I don't think that that's going to go away, and I really like that movie, Catch Me If You Can, and I've actually been lucky enough to meet the original Frank and he talked to our company about the future of cyber security and what he sees and it's not a rosy picture. The way that he described it is if you looked at time to do today what he did back then, to create – He purchased an entire printing press to print checks of a significant quality to give it a high enough quality that they could pass them as checks. He literally took over an entire printing thing in Europe. You can go down to Office Depot and buy everything you need to set up shoppers. It's actually easier today in many respects to socially engineer and attack people.
[42:23] CS: Sure, and there's enough kind of hacking as a service things out there where you can just pay someone a fee and then they do either the hacking thing for you or they give you the whole phishing template and set you up and everything. Yeah.
[42:33] AC: On the dark web, you can buy for 30 bucks a phishing kit that will give you the ability to perfectly represent a website like it's a financial institution for that customer, with all logos and everything, looks perfect. You can buy the domain that will look just like the right domain. You can get a certificate for it, so it can be SSL. The kits include things like one-time link. I send you the link, you click on it and you're phished, but the secured gateway that's doing analysis on that same link sees a regular website. The techniques are very advanced and the cost of entry is very low. We see thousands of new kits a week.
I'm sorry, not good news, but I think that – We always talk about this as part of what should be good digital hygiene. People need to be made more aware of it. The whole education, there is not going to be a technology panacea that solves this problem. It's going to be an arms race and we're going to have to increasingly teach people about it. It's a shame, but it's just going to be part of our lives.
[43:55] CS: Okay. Let's start to wrap on that. Any final tips or tricks to keep yourself from this next wave of phishing deceptions?
[44:04] AC: The first thing that we mentioned, that's an obvious tell. Think twice about whenever you're sharing personal information. As recently as yesterday, my wife – We changed healthcare provider. Not to get into my personal detail, but the company called us and said – And started asking questions for personal information. What was great, my wife said, "I'm not answering. You called me. I'm not going to start giving out personal information unless I called you."
Think of that equally in an SMS, email type world. If you're getting inbound questions for personal information or corporate information or anything like that, be very wary, and that's part of the problem of email, because you send people questions in email. Unless you know that this is a verified interaction and you're pretty confident who's on the other end, if you get unsolicited questions in an email, in SMS over the phone, anything that's unsolicited asking for your personal information, be wary. Think of what you're giving up and to whom.
[45:22] CS: Yeah. Okay. Yeah, I just like to wrap up today, tell us about some of the work that you do at Lookout. What are some projects you're doing right now that you're especially excited about?
[45:32] AC: I think probably the thing, and I know we've talked a lot about it, but probably the thing I'm most excited about is actually the phishing petition, because it's quite unique. We recognized some time ago that as people start to work outside the perimeter, and this before COVID, it's increasingly common that people work from home or work on the road and we're more and more mobile and things like 5G and so on and the more advanced templates and things are just going to make that increase.
As people start moving out on to these devices and working from outside of their corporate environment, that protection of what they can click on and not link to malicious sites or phishing sites is going to be critical and I think that that's really exciting to me, because we're taking a different approach even. We're taking a different approach and that we block on the endpoint, which is somewhat unique.
The other thing that we're taking a different approach on is how we catch the bad guys. I'm not going to divulge exactly how we catch them, because that's part of our secret sauce.
[46:41] CS: Oh! Come on. Tell us. You can tell me. Can't tell anybody. All right.
[46:48] AC: We don't analyze links. We hunt for new kits, new sites, new sort of – We'll block – Frequently, on our website, there's actually an interesting article. It's a bit dated now, but how we're protected against hacks against the DNC. We are able to take that phishing site down before they even got live, before they got live to be able to steal data.
We are very focused on how to catch these bad actors before they do any real damage, and I think that that's quite unique. I'm excited by that. I'd say that other thing that I'm excited about, what we're doing at Lookout, is we're increasingly providing solutions for companies to protect data on these devices. That scenario of research for us at the moment. That's interesting to me, because a couple of reasons. Firstly, people are increasingly working on those tablets and that type of things, that tablets is a big focus for us right now because they're such a common tool for working, intellectual property and so on.
The way that you do security on these types of devices, whether it's a tablet or any modern operating system needs to change, as in on your work PC, these security tools can be very invasive and everything gets sent over the wire and look at what process is running, all that sort of stuff. Whether that's an iPad or an Android tablet or whatever, firstly, the operating system doesn't let you do that. Secondly, you're getting texts from your wife and all sorts of things on that. There will be an invasion of privacy. I'm very focused from a research perspective on how to do protection of data in the context of this being a personal device, because we see almost all companies having a proportionate BYO devices and a proportionate managed devices, and it's BYO proportion because of COVID. Just like, "Poof!"
[49:05] CS: Oh yeah. Yeah. Yeah. Yeah, for sure. Okay. One last question. If our listeners want to know more about Aaron Cockerill or Lookout, where can they go online?
[49:13] AC: The best place is lookout.com. There's a really awesome blog that we have, all about security in the mobile space. About Aaron Cockerill… your bio is more comprehensive I think than the one now.
[49:29] CS: Just go back and listen to the beginning of the video again.
[49:32] AC: Then the one other place that I'll encourage listeners, especially that are focused on mobile phishing, is to subscribe to the Phishing AI, which is –
[49:43] CS: Could you say that again? You sort of squelched for a second there digitally. What was it again?
[49:48] AC: Phishing AI.
[49:51] CS: Phishing AI. Okay.
[49:52] AC: That's like PHI, phishing. That's a Twitter feed of all of the latest things that we find, or not all, that many of the latest interesting finds that we find specifically targeting mobile phishing, for example, and unique novel kits and novel threats and so on. We're sort of providing that as a service. We provide a lot more data obviously to customers and so on, but that's a really interesting feed if you want to get up-to-date on the most recent phishing attacks that we're finding.
[50:26] CS: Very cool. Aaron, thank you so much for joining us today. This was a really, really informative talk. I appreciate it.
[50:31] AC: Thank you. Yeah, that's fun.
[50:32] CS: Thank you all as usual for watching and listening. If you enjoyed today's video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. If you wouldn't mind, please give us a 5-star rating and a review wherever you listen to us.
For a free month of the Infosec skills platform that you heard at the intro at today's show, go to infosecinstitute.com/skills and sign up for an account. In the coupon line, type cyberwork, all one word, all small letters, no spaces, and you'll get one free month. You can also use our free election security training resources to educate poll workers and volunteers on the cybersecurity threats they might face during this election season. For information on how to download your training packet, visit infosecinstitute.com/iq/election-security-training or click the link in the description.
Thank you once again to Aaron Cockerill and thank you all for watching and listening, and we will speak to you next week.