How COVID-19 is changing phishing, social engineering and security
Individuals and organizations are shifting routines to accommodate coronavirus health concerns, and bad actors are updating their strategies to capitalize on the new opportunities. Aaron Cockerill, CSO of Lookout, discusses how cybercriminals are looking to cash in or otherwise disrupt organizations during the pandemic, as well as how workplace security is evolving with so many individuals now working from home.
Aaron Cockerill joined Lookout with nearly 20 years of software product management experience. As the Chief Strategy Officer, Aaron is responsible for developing, validating and implementing cross-functional strategic product initiatives that align with the Lookout vision of a secure connected world. Most recently, he served as VP of Mobile Technologies at Citrix, where he and his team were responsible for the development of Citrix’s mobile apps and container technology, while driving the acquisition of Zenprise. Prior to working on mobile technologies, Aaron drove the creation of Citrix’s desktop virtualization product, XenDesktop, which grew into more than $1 billion yearly revenue for Citrix during his five years of leadership. Before joining Citrix, Aaron worked for Akamai leading product management on their enterprise content delivery solution as well as working on the development and deployment of many of Akamai’s advanced content delivery networking technologies. Prior to that, Aaron led product management for OneSoft’s e-commerce system, and he held multiple positions at BHP Billiton in Australia. He holds a BE Materials (Honors) from Wollongong University, Australia.
[00:00] Chris Sienko: It’s a celebration here in the studio, because the Cyber Work With Infosec podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a Best Cybersecurity Podcast Gold Medal in our category. We’re celebrating, but we’re giving all of you the gift. We’re once again giving away a free month of our Infosec Skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments.
To take advantage of this special offer for Cyber Work listeners, head over to infosecinstitute.com/skills or click the link in the description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, c-y-b-e-r-w-o-r-k, no spaces, no capital letters, and just like magic, you can claim your free month. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.
Enough of that, let’s begin the episode.
[01:04] CS: Welcome to this week’s episode of the Cyber Work With Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
We hear in every other TV commercial, email ad, Facebook promo post, etc., that we’re living in unprecedented times. The modern age of sheltering in place has changed huge swaths of societal interactions, or lack thereof, and has led to new strategies for everything from work-from-home methods to live concerts streaming live, often built on platforms not built for the purposes they’re currently supporting.
With so much instability in our day-to-day routine, there are plenty of opportunities for phishers and other bad actors to target the constantly shifting nature of our online routines. That means new and different attack vectors for phishing and other types of social engineering. Today’s guest, Aaron Cockerill of Lookout, is going to tell us about some of these new COVID-19 and lockdown-related phishing attack patterns that are showing up and how to help us continue to stay safe and secure from online attacks.
Aaron Cockerill joined Lookout with nearly 20 years of software product management experience. As the chief strategy officer, Aaron is responsible for developing, validating and implementing cross-functional strategic product initiatives that align with the Lookout vision of a secure connected world. Most recently, he served as VP of mobile technologies at Citrix, where he and his team were responsible for the development of Citrix’s mobile app and container technology while driving the acquisition of Zenprise.
Prior to working on mobile technologies, Aaron drove the creation of Citrix’s desktop virtualization product, XenDesktop, which grew into more than 1 billion yearly revenue for Citrix during his five years of leadership. Before joining Citrix, Aaron worked for Akamai leading product management on their enterprise content delivery solution as well as working on the development and deployment of many of Akamai’s advanced content delivery network technologies.
Prior to that, Aaron led product management for OneSoft’s ecommerce system and he held multiple positions at BHP Billiton in Australia. He holds a BE Materials (Honors) from Wollongong University in Australia. Aaron, welcome to Cyber Work.
[03:17] Aaron Cockerill: Thanks. That was very thorough.
[03:20] CS: Yeah. I like to let people know what we’re getting into. Yeah. I mean, we got a little bit on your work background, but tell me about your sort of life background. Where did you first get interested in computers and tech and when did you get into cybersecurity as a job and a calling?
[03:36] AC: Well, from a getting-into-computers perspective, I was pretty young. I guess I’m just telling everyone my age on here. My first computer was a Commodore 64.
[03:47] CS: Same here. Yup. We’re the same age.
[03:50] AC: Yeah.
[03:53] AC: Yeah. That’s when I first got involved, got into some computers. I guess I didn’t take a direct route to computer science, but ended up in materials engineering, as you mentioned, working for BHP Billiton. But it was a really interesting learning experience. I worked a lot with robotics systems and PLCs back then, and programming in Fortran to operate giant machines, like a cold mill that squashes steel, and working in crazy environments, like they used Halon gas systems to make sure that the computers that we were working on didn’t catch on fire, so we wouldn’t lose everything.
It was a really interesting time back then and things have changed dramatically obviously, but that really got me interested in computers. I think the transition to cybersecurity, I didn’t actually pursue a career in cybersecurity. Every time I got involved in solving customer problems in general in IT, I would say, everything Akamai onwards, one of the primary issues that we kept facing was addressing cybersecurity.
Especially like, for example, in Citrix. Citrix is not specifically a security company, but their products are frequently used in high-security environments. I was always adjacent to it and customers always seemed to be frustrated that they were having trouble solving – I mean, so differently. That was their biggest problem. It was great to be able to help them with things like what we did in Akamai and what we did at Citrix and the great companies, that I want to get closer to solving what seemed to be the biggest problem, which I think still today is cybersecurity unfortunately.
[05:45] CS: Right. Yeah. Let’s jump in to sort of present day. How, if at all, has your day-to-day work routine changed in the last few months? I mean, assuming it’s changed somewhat. Were you a work from home person before? If not, what changes, or concessions, or maybe even improvements have been implemented in these emergency measures?
[06:02] AC: I would say at Lookout, we’ve always had the ability to work from home entirely online, but we used online services for most productivity apps and so on, and elsewhere our services are online. We’re a very cloud-oriented company and relatively modern from that perspective.
Though, personally, I wasn’t originally a work from home employee. I would spend a lot of time in all of our offices. I did spend a lot of time on the road traditionally. I spend a lot of time on the road talking to customers and presenting and talking to people like yourself, which – I don’t know, we would have probably still done this virtual, but I do a lot of them in studios, labs, all that thing. The big change has been staying at home.
There are a couple of challenges. In fact, we had a discussion right before I joined. I think I need to invest in a better microphone and setup for my home office. You could see it here. I don’t know if the audio is okay, but I hope everyone can hear me. I will be investing in another mic in the future. But that’s the biggest change. I think how that’s impacted us, especially at Lookout for me, we do a lot of – What we’ve been doing is really pushing the edge of innovation in mobile technologies, mobile security. I’m really proud of that. I love doing what I do. It’s more difficult to do cutting-edge innovation, brainstorming. That type of interactivity… I love that we’re talking on Zoom right now. I’ve used most of the tools for virtualized meetings, and there are whiteboards that you can share and that sort of thing, but it doesn’t feel like actually being in the same room with a bunch of smart people and coming up with brilliant ideas. At least I’ve not been able to recreate that environment. For me, that’s probably the biggest impact. That and my dogs keep barking during interviews.
[08:20] CS: Yeah, we’re all seeing a lot of everyone’s life during these things. It’s kind of nice. I mean, do you think that’s something that people will eventually get used to in terms of being able to interact over a computer space versus – We talked about e-reading 10 years ago. People were saying, “Oh, it’s never going to replace paper books and things like that,” but do you think that there’s just a learning curve here and that people eventually get it, or is there just no substitute for in-person collaboration?
[08:48] AC: I think that two things will happen. I definitely think that there’s an opportunity for improvement, and I do think that we will learn how to do it, but I think it will take changes in the tools that we use. I mean, when you look at the tools that we use today, they’re mostly focused on this type of engagement or a more formal meeting. If you think about what you do in a design context where you’re taking lots of Post-it notes and sticking them on a wall and trying to categorize a particular idea and that sort of thing. I’m sure that we’ll be able to solve these problems virtually and I look forward to seeing innovative companies that do that. It’s just that we’re not quite there yet.
[09:33] CS: Not there yet. Okay. As I mentioned at the top of the show, we want to talk specifically about phishing and how it’s sort of – The social engineering and attack vector nature of it has changed in this present time. We’ve had a few guests in the past, and I’m thinking way back, I think it was episode 13. We had a guy named Pedram Amini from InQuest who talked about the latest phishing trends. That’s back in 2018 at this point. Based on your own research, how has the nature of phishing changed since the first major shelter-in-place order back in March? Has there been an increase, decrease, similar number?
[10:10] AC: No. Significant increase – Well, let me put it this way. There is a significant increase in the targeted phishing that is leveraging the whole COVID pandemic as a tool for social engineering. Whether there’s been specifically an increase in generalized phishing as a result of that incremental step in COVID, I think that the numbers are a little bit too early to say, but it does look like that from where I sit.
But you’ve got to understand, when I talk about phishing, I actually am talking about something slightly different that I probably should explain, and what I’m about to explain has sort of been on a curve like this for months now, like the start of 2018 and 2019. What I’m referring to is less about the email that you get from some long-lost uncle in Nigeria that left you a million dollars or whatever. Actually, not even necessarily email, but someone sending you a personalized message that has a link in it that you click on.
In the mobile world, that tends to be an SMS, or, I’m not picking on any platforms, but a Facebook Messenger message or WhatsApp or it could be Telegram or it could be any type of social media where they can send you a link and say, “Hey, if you click on this, you’ll get something for free or you’ll be able to see awesome pictures of someone or something,” or, even more troubling, which is what’s happening in the current pandemic, “We found that someone has COVID-19 in your office. Click on this link for more information.”
That type of social engineering attack where you click on a link, now, most often the link is geared towards stealing information for further espionage or direct attacks. Anything like your credentials for online banking, your credentials for company access to your productivity tools like Office 365 or G Suite or whatever, of which we see huge amounts of examples, like Salesforce, but also your personal details and personal credentials. No one ever uses the same password for both services, obviously. That wouldn’t be safe.
[12:33] CS: Yeah. Oh, yeah. Yeah, that’s definitely never happened ever. Yeah, we’re sort of getting into that, but let me just sort of talk on a larger scale here. What are the most common phishing types at the moment? You said that there are links within emails and things like that, and that the sort of text story-based things might not be as prevalent these days. Along with “click this link for more information,” what are some of the primary sort of phishing types to watch for? I mean, are attachment URLs big? Are fake invoices, docs, PDFs? What are you seeing?
[13:22] AC: In the mobile space specifically, lots around “someone has COVID-19 in your office. Click here for more information.” That type of thing. I’ll put them all in a category similar to attacks where we see horrible ones that say, like, your daughter has been injured at her elementary school, with the parent name and the school name. Click on this link for more information. Yeah, I wouldn’t click on that. Put them all in a sort of health accident type scenario.
There’s a bunch that we’ve seen around this is how you get your COVID-19 check.
[13:59] CS: Stimulus check. Yeah.
[13:59] AC: — from the government. Anything from “enter your credit details here. We’ll send you the money.” That type of thing. That’s directly relating to COVID, but you see in a financial context you’ll see frequently a link to, say, this is – You’ll receive this check. Authorize the deposit here. Or there’s been untoward activity on your account, and this is all financial. So there’s been untoward activity on your account. Click here to change your password. Of course, then they capture your password. Verify this transfer, or someone’s trying to send you money. Click on this link. Those are the types of financial ones, and they do a relatively good job of putting it in the correct context. They’ll often know who your bank is and that type of thing.
[14:59] CS: Yeah. So there’s some research involved.
[15:02] AC: Yes. Then the next category is along the lines of getting you to do something that you probably shouldn’t do, and a lot of that involves business email compromise and impersonation. Sending a message to an executive assistant to say, “Please send me all of the company’s W-2s. I need them for some random reason.” Then the bad guys file all the ones that have got a return, and that type of thing, or send me the HR database for this reason, or send me corporate information of some sort.
I would make a distinction. Those are the general categories that we see. Financial, intellectual property or some sort of company theft, and the ones that are around healthcare or personal information. Those categories exist actually in email and on PCs. There’s one that I would talk a little bit more about, which is business email compromise, where you’re impersonating someone else to get something. In mobile, that – Mobile is impacted equally by emails, since everyone reads their email on their phone. But there’s also impersonation of, like, the SMS sender and that sort of thing you have to worry about on mobile, because it’s relatively easier to pretend you’re someone else when you’re sending an SMS message.
There’s another category which is less applicable on mobile. It’s not completely – It does exist, but it’s more frequent that the attack on mobile devices tends to be click on a link, and that link, more often than not, tries to extract information, rather than on PCs. Frequently, that link, or more appropriately, an attachment in email, is there to get you to open a package to install software, to do something along those lines.
That’s not where Lookout is focused, or the tools that are existing email phishing tools today. They’re very good at helping in that sort of area. But because mobile operating systems are less focused on processing of attachments and…
[17:29] CS: Right. For sure.
[17:31] AC: It tends to be more focused on click on this link and then steal info.
[17:35] CS: Right. Got it. Now, thinking of phishing attacks that are happening specifically within a work context, the last couple of months have been a lot of – As we said, people have been kind of improvising their new workspaces or clearing space out on the kitchen table or a card table or whatever. There’s a lot of sort of just general instability, especially those first couple of weeks. Now, did you find that people were more likely to sort of succumb to phishing attacks during that because everything was so in free fall, or was it maybe that everything was sort of uncertain, so that everything that came across your desk looked more suspicious?
[18:15] AC: No. Phishing attacks were far more successful in that period for a couple of reasons. I wouldn’t say that that period has ended. It’s continuing today.
[18:24] CS: No. Yeah, of course. We’re all still figuring this out.
[18:29] AC: Two big things that we noticed. The first, and sort of the most obvious, is everyone’s working from home. Unless you’re operating 100% of the time through a fat VPN tunnel back into your work infrastructure, you’re outside, which, by the way, has its own issues, because then all of a sudden your home network and everything on it becomes part of the corporate network, which is an IT security nightmare.
[18:58] CS: Yeah.
[18:59] AC: If you’re not using a big fat VPN pipe like that, then you’re outside the corporate perimeter. The corporate perimeter has traditionally had things like secure gateways and advanced firewalls and so on that are able to protect you from these sub-sufficient links and these types of content in general.
Right now, people are working from home and their access to the internet is completely unfiltered. They don’t have the advanced security infrastructure that’s available when they’re on-premise using the corporate network. That applies to, as I mentioned, the secure gateways and advanced firewalls and that, but even things like data loss protection and UEFI and all those types of tools that we used for monitoring for things like insider threats or data loss. They’re all sort of out the window. I would put all of that in the same bucket as these phishing links. That’s the first problem.
The second problem is when you’re at home and you have an 8-year-old that you’ve got to go teach how to use Zoom because they’re talking to a teacher, and a 13-year-old that has an algebra problem, and you’ve got work trying to go on, and that’s got to work as well, and you’ve got one office, maybe, in your house. You start working in not-normal working environments. To be honest, and I actually sort of brought this here, your tablet, your iPad, I found becomes a much more convenient working tool than sitting in an office at a desktop – I think Citrix used this term, time slicing.
Like, I’ve got sort of an hour focused on you right now, but as soon as I get done with this, if I’m not on a dedicated call with a customer, I’ll be replying to email, then doing an algebraic question for a 13-year-old’s math, and then trying to solve an audio problem on Zoom. It’s just crazy like that. I found tablets are far more convenient than sitting down glued to sort of a work environment.
[21:13] CS: You’re kind of taking it place-to-place.
[21:15] AC: And they are not – In most cases, they’re not company supplied. They’re typically BYO. They typically are managed. That’s a whole new –
[21:28] CS: Yeah. Do you have any tips for sort of securing these sort of rogue devices like that?
[21:35] AC: I mean, because of the company I work for and because of my beliefs, I think the most important thing is to have mobile security. An iPad is no different to a phone for us, a tablet. An Android tablet is no different to a Pixel. For us, it’s all the same thing. You can install Lookout or other security software for mobile operating systems from app stores. Of course, I recommend ours. But it’s a good start to have that on your device if your company doesn’t provide it.
Many of our customers, though, are quickly rolling out protection for more devices as a result of this sort of – We’ve seen a significant uptick in that sort of deployment recently. If your company does, try and put the protection on the devices you use for work; that is something that I recommend. If your company doesn’t, go get something from the app stores.
[22:35] CS: Yeah. Let’s sort of break down into – I mean, we talked about some of the main sort of appeals, especially things like “your coworker has COVID. Click here to find out more” or whatever. Can we sort of go sort of syntactically and talk about, like, some of the language that’s getting people to click in these types of emails? What are some of, like, the emergency search terms, or the emergency sort of hot-button terms that make people sort of – Social engineering is all about getting you to act before you think. What are you seeing that are some of the sort of successful sort of writing strategies? You can tell a bad phish when you see it, if the language is garbled or just weird formatting or whatever. But what are some of the things that they’re doing effectively that we should be watching out for?
[23:25] AC: I think I want to highlight something that you said there, which is to protect yourself, you should not click on links or take seriously emails with grammatical errors.
[23:40] CS: Yeah, absolutely.
[23:42] AC: Just throw those away. That’s a really good start, because they are frequently originating from non-English-speaking countries. English tends to be limited in many cases. That’s a really good tell that most people should take close note of.
The ones that are most effective tend to fall into two categories. The first one is initiating that, I guess you could almost call it fight or flight: my daughter has been injured, like we talked about before, or someone’s got sick in the office, like we talked about before. Anything that can – Your financial, your bank account is under attack for fraud. Your password has been stolen. Any of those things that would be a shock. Password stolen, even your order has been rejected, the credit card was rejected. There was an issue with your delivery, which is a big thing right now.
[24:45] CS: Everyone’s getting so many deliveries right now. Yeah, there’s an issue with your delivery, or your order is on its way and it’s something really expensive that you didn’t order or something like that.
[24:54] AC: Yeah, that’s a good one too. Yeah. Like I said, something really expensive and your credit card was declined. Those types would typically make you uncomfortable. That’s the one category. The one I laugh at, it’s a little funny, and it probably affects males more than females, because we’re very visual. But we’re all stuck at home, and especially people that are dating online or something, there’s a lot of these fix to say “click on this link or install this app to have a more intimate interaction with me,” so to say. That’s a common one as well.
[25:36] CS: Okay. We mentioned it with the tablet and stuff, but could you give me some sort of overall sort of requirements or guidelines that employees or IT departments or companies could follow to make these altered working environments safer against phishing and other social engineering attacks? Obviously, we want to put the right defense on the BYOD devices and stuff, but, like, what in your mind is sort of like a really good kind of plan of attack that IT departments should be doing to sort of keep the endpoints safe and so forth?
[26:13] AC: That’s a tough one, to be honest, because – I don’t want to seem self-serving, because we’re one of the unique companies that solves this problem. But the challenge that IT departments have is that the devices that they’re needing to connect, sort of protect right now, are outside their network. So, there are a lot of tools that allow you to extend the corporate network into the home, like VPNs, and if you’re being attacked consistently through these types of phishing attacks, it may be worthwhile extending your VPN into your employees’ homes. That might be their approach.
That’s really the only alternative other than having effectively the secure gateway type technology, which is what our phishing protection does, which is blocking links, blocking URLs that are inappropriate, on the endpoint. Unfortunately, right now, there are only those two solutions available. Of course, we recommend the one being deployed on the endpoint, because it means that the device is safe no matter what network it’s connected to, but extending your network protections out to your users if you don’t have something available like Lookout might be the right way to go.
In that scenario where you’re extending the VPN apps, the home network – Actually, there is one other solution which I’ll come back to. But if you’re extending your corporate network out to home computers or whatever, I would try and encourage your employees to have it on a singular device that’s dedicated for work and make sure, obviously, that your operating system is up to date and all the applications are up to date and that they have some form of security on the device. In fact, most companies these days have some sort of Mac setup, so that if the VPN is going to be running on that device, it does some rudimentary checks as to whether the device is safe before that connection is made. If you don’t have that, I would encourage you to set that up. That’s one solution.
Obviously, deploying something like Lookout’s phishing and content protection, I recommend that as well. The last scenario, having come from Citrix, solutions like VDI are amazingly effective in this type of environment. I’ve gotten off the phone recently with a number of customers that reminded me, “I met you back when you were working for Citrix, and Zendesk helped save us in this scenario because we’re able to remote everyone’s desktop out to them.”
That’s a great solution if you have it in place. It’s pretty difficult to spin it up quickly, although there are service providers that provide that type of capability. But what that allows you to do is have a full work desktop running on a device that you don’t really have to worry too much about when it comes to the underlying operating system and so on, because it’s completely virtualized. Those are the, I guess, three scenarios. The VDI tends to come with a fair bit of custom implementation to set up if you haven’t got it operating, so the VPN wiring and mobile threat protection on your endpoints is probably the faster and more productive solution for most companies.
[29:46] CS: Okay. I want to sort of move. You were talking about time slicing and sort of the way that people are working now, especially for people who are working at home. It seems like work time and leisure-type time for a lot of people might be increasingly blending together. Do you have any advice for people who find themselves sort of always sort of at work? You might be watching TV with your family, but you’re checking email or Slack on a tablet or going over reports while everyone’s hanging out in the living room for family time, and I feel like that not only is a technical and mechanical risk waiting to happen, but also the fact that your mind is sort of everywhere. You’re less likely to check in on these things. A friend of mine just said that he got hit with ransomware because he was checking his work email at 12:30 at night. With some of us having less of a forced barrier between personal time and work time, what can we do to sort of be less susceptible to these kinds of attacks than we would be during work hours?
[30:44] AC: I think I should start by saying that if my wife is listening in on this call, she would say that I’m not the right person to be giving that advice.
[30:52] CS: Okay. I’m speaking of a hypothetical person out there. Yeah. All right.
[30:59] AC: Exactly. It’s really good advice to try, especially if it’s even vaguely important, to try and keep it to, not so much work hours, but when you have the opportunity to think particularly about what you’re doing.
[31:16] CS: Focused time anyway. Yeah.
[31:18] AC: Yeah. I try, not that I’m very successful at this, but I try and deal with the more focused work stuff earlier in the morning, and then I tend to try and have a lot more social-engagement-type things over Zoom in the afternoon, which is work related for me, and lately that might go until later at night. Wine and security don’t mix very well either.
[31:48] CS: No. Sadly, no. We’ve all tried it. Yeah. Okay. Well, that sort of brings me nicely to my next question. With so many work and social events currently being hosted by platforms that weren’t meant to support them, whether it’s the aforementioned company-wide happy hours on Zoom, or streaming from-home concerts on Twitch or Telegram, or takeout food or grocery delivery, which is often being executed by sort of new secure payment options or restaurants that didn’t have takeout options before, sort of throwing them together at the last moment. What are some security issues or red flags that we should be watching out for, not just on our work account, but in our newly shifted leisure time?
[32:28] AC: Again, I don’t like to pick on any particular companies, but I think we all know that Zoom has got dinged for a bunch of things in this area. In general, and we use Zoom, like, I’m talking on it now. A lot of these problems, such as inappropriate people joining parties and being able to then subsequently join work meetings and so on. A lot of that is just simply configuration of the tools. I’m already a little bit frustrated by the term “new normal,” but if this is going to be our new normal, then become familiar with these tools. This is something you’re going to be using on a regular basis. Set up a password for – I actually recommend that you set up a regular personal meeting so that you can switch one on whenever you want instead of having to set up a schedule and a number of different numbers and all that sort of thing, but put a password on it and don’t let people that are unauthorized join it. You can set up things like waiting rooms and so on. That’s probably the most important thing, making sure that you control who’s able to join those.
The next thing, and it’s not as much social as – Well, it’s actually just general good hygiene. These applications gain access to your microphone and your camera and so on. Be careful when you’re having social interactions that you use tools that you know of. If you get a meeting request where you can have a happy hour with some obscure conferencing tool that you’ve never heard of before that’s asking for access to your microphone and your camera and so on, question that. Try and stick to at least the tools that you know, and that can be very regional, and you might come across one you haven’t seen because it’s a regional party or whatever it is. But bear in mind that one of the attack vectors is to gain access to your microphone and your camera and so on by installing software specifically for surveillance and pretending to be a social interaction where you’re going to send this or whatever it is. It’s an attack vector we’ve seen, and it’s something that is pretty open to bad actors given that we’re all trying to do interesting new social engagements.
[35:09] CS: Yeah. Are there any particularly unusual phishing attacks you’ve heard of that seemed insane, but actually worked, like either before the pandemic, but especially now?
[35:19] AC: I’m just trying to think of any of those. I’m always surprised at how simple they can be to be effective. Probably the most telling one that I think was sort of funny, you can actually refer to it on our Lookout website. It’s called ViperRAT. It’s dated now, but it was targeted at a particular forces group, which let’s say are typically male, and that was one of the first ones where I saw – Like pretend ladies sending pictures and saying, “Hey, if you want to have a more intimate interaction, install this software,” and so on. It’s amazing to me that we watched the people that got kicked by that literally on one of the important borders on the wall where all of the armed forces were deployed.
[36:15] CS: Yeah.
[36:16] AC: Very, very successful and very rudimentary. From an obscure perspective, most of the obscure ones tend to come through email with a convoluted story and then you get tied up in the story. I guess just for everyone listening, there’s one other one that I forgot to mention, which is – And it’s particularly bad for people that are not as experienced with IT and often the elderly community, which is “let me help you.” You’ve got a problem with your computer or your phone and stuff like that. It always amazes me how effective those ones are as well.
[36:57] CS: Yeah. Expanding out from your company to companies that you might work with, are there any best practices for ensuring that any third-party vendors that you work with who might need access to secure information are less likely to accidentally or intentionally compromise your network and your information?
[37:15] AC: That hasn’t really changed in the COVID scenario. The way you’re sort of using digital rights management, control of intellectual property, those tools. For us, that hasn’t changed, because everyone’s accessing things the same way. This is about implementing the right DLP, the right potential digital rights management on content. Not allowing sharing outside of mobile containers, that sort of thing.
For us, that hasn’t changed a great deal, maybe with the exception of the fact that it’s not for us. But for companies that are making comprehensive use of VPNs, it tends to make that a little bit more difficult, especially if they’re perimeter-based tools. Keep that in mind. If your data protection all revolves around your perimeter, and hence you’ve been connecting via VPNs, that’s going to make your life more problematic from a managing intellectual property perspective.
There’s a related thing that I wanted to raise though, and this is especially in the healthcare area, which is there’s – Healthcare, everyone in the healthcare industry at the moment, we’re all indebted to. They’re doing an amazing job.
[38:36] CS: Of course, absolutely.
[38:38] AC: With the added pressure, and we’ve actually got a few friends that work in this space. They’re having to come up with new and unique ways to solve problems. Like we’ve heard of people building ventilators and all that sort of stuff. It’s troublesome – Well, how do I put this? The healthcare regulations as they relate to things like digital protection of people’s information, HIPAA, that doesn’t go away because of the pandemic. I try and make sure that people in the healthcare industry are using tools that do encryption of data when they’re transmitting, that sort of thing. That’s a big challenge right now.
Educating doctors and that sort of thing on how to use tools that are not compromising individuals and their private health information is sort of important as well. But making that easy for them is what I would focus on from an IT perspective right now. We want it to be possible for them to work as fast as they can and focus on the patient and what’s happening rather than IT. Forcing them to do unnatural things is not the right approach right now. Making it easy as possible is where you want to go.
[39:59] CS: Okay. Where do you see phishing going in 5 to 10 years from now? Is this just going to be a constant arms race where it’s phishing, counter-phishing, phishing, counter-phishing, and is there a way – Is there a way to keep it from getting worse? Is this something that we think of like spam, like we still get spam, but spam filters have effectively sort of removed spam as a thing that you experience more or less on a day-to-day basis? Is there any similar track for phishing or is it just going to be part of our life from now until forever?
[40:30] AC: I don’t have good news here. It is going to be a constant arms race. Let me give you an example. I think that it’s going to be a wonderful revolution when we’re able to get rid of passwords and we can do, let’s say, for example, not picking on any particular company or standard or anything, but the FIDO Alliance with FIDO UAF – FIDO2 Universal Authentication is a great step in eliminating the type of phishing that I’ve talked about before, which is where you steal a password and then steal data from a person. That’s great. But you can guarantee that the bad guys are going – Once that problem is solved, then they just attack a different vector.
I don’t think that that’s going to go away, and I really like that movie, Catch Me If You Can, and I’ve actually been lucky enough to meet the original Frank and he talked to our company about the future of cyber security and what he sees and it’s not a rosy picture. The way that he described it is if you looked at the time to do today what he did back then, to create – He purchased an entire printing press to print checks of a significant quality to give it a high enough quality that they could pass them as checks. He literally took over an entire printing operation in Europe. Today you can go down to Office Depot and buy everything you need to set up shop. It’s actually easier today in many respects to socially engineer and attack people.
[42:23] CS: Sure, and there’s enough kind of hacking as a service things out there where you can just pay someone a fee and then they do either the hacking thing for you or they give you the whole phishing template and set you up and everything. Yeah.
[42:33] AC: On the dark web, you can buy for 30 bucks a phishing kit that will give you the ability to perfectly represent a website like it’s a financial institution for that customer, with all logos and everything, looks perfect. You can buy the domain that will look just like the right domain. You can get a certificate for it, so it can be SSL. The kits include things like one-time links. I send you the link, you click on it and you’re phished, but the secure gateway that’s doing analysis on that same link sees a regular website. The techniques are very advanced and the cost of entry is very low. We see thousands of new kits a week.
I’m sorry, not good news, but I think that – We always talk about this as part of what should be good digital hygiene. People need to be made more aware of it. The whole education, there is not going to be a technology panacea that solves this problem. It’s going to be an arms race and we’re going to have to increasingly teach people about it. It’s a shame, but it’s just going to be part of our lives.
[43:55] CS: Okay. Let’s start to wrap on that. Any final tips or tricks to keep yourself from this next wave of phishing deceptions?
[44:04] AC: The first thing that we mentioned, that’s an obvious tell. Think twice about whenever you’re sharing personal information. As recently as yesterday, my wife – We changed healthcare provider. Not to get into my personal detail, but the company called us and said – And started asking questions for personal information. What was great, my wife said, “I’m not answering. You called me. I’m not going to start giving out personal information unless I called you.”
Think of that equally in an SMS, email type world. If you’re getting inbound questions for personal information or corporate information or anything like that, be very wary, and that’s part of the problem of email, because you send people questions in email. Unless you know that this is a verified interaction and you’re pretty confident who’s on the other end, if you get unsolicited questions in an email, in SMS, over the phone, anything that’s unsolicited asking for your personal information, be wary. Think of what you’re giving up and to whom.
[45:22] CS: Yeah. Okay. Yeah, just to wrap up today, tell us about some of the work that you do at Lookout. What are some projects you’re doing right now that you’re especially excited about?
[45:32] AC: I think probably the thing, and I know we’ve talked a lot about it, but probably the thing I’m most excited about is actually the phishing protection, because it’s quite unique. We recognized some time ago that as people start to work outside the perimeter, and this was before COVID, it’s increasingly common that people work from home or work on the road and we’re more and more mobile, and things like 5G and so on and the more advanced templates and things are just going to make that increase.
As people start moving out on to these devices and working from outside of their corporate environment, that protection of what they can click on, so they don’t link to malicious sites or phishing sites, is going to be critical, and I think that that’s really exciting to me, because we’re taking a different approach even. We’re taking a different approach in that we block on the endpoint, which is somewhat unique.
The other thing that we’re taking a different approach on is how we catch the bad guys. I’m not going to divulge exactly how we catch them, because that’s part of our secret sauce.
[46:41] CS: Oh! Come on. Tell us. You can tell me. Can’t tell anybody. All right.
[46:48] AC: We don’t analyze links. We hunt for new kits, new sites, new sort of – We’ll block – Frequently, on our website, there’s actually an interesting article. It’s a bit dated now, but it’s about how we protected against hacks against the DNC. We were able to take that phishing site down before they even got live, before they got live to be able to steal data.
We are very focused on how to catch these bad actors before they do any real damage, and I think that that’s quite unique. I’m excited by that. I’d say the other thing that I’m excited about, what we’re doing at Lookout, is we’re increasingly providing solutions for companies to protect data on these devices. That’s an area of research for us at the moment. That’s interesting to me for a couple of reasons. Firstly, people are increasingly working on those tablets and that type of thing; tablets are a big focus for us right now because they’re such a common tool for working, intellectual property and so on.
The way that you do security on these types of devices, whether it’s a tablet or any modern operating system, needs to change. As in, on your work PC, these security tools can be very invasive and everything gets sent over the wire and they look at what process is running, all that sort of stuff. Whether that’s an iPad or an Android tablet or whatever, firstly, the operating system doesn’t let you do that. Secondly, you’re getting texts from your wife and all sorts of things on that. That would be an invasion of privacy. I’m very focused from a research perspective on how to do protection of data in the context of this being a personal device, because we see almost all companies having a proportion of BYO devices and a proportion of managed devices, and the BYO proportion, because of COVID, just went, “Poof!”
[49:05] CS: Oh yeah. Yeah. Yeah. Yeah, for sure. Okay. One last question. If our listeners want to know more about Aaron Cockerill or Lookout, where can they go online?
[49:13] AC: The best place is lookout.com. There’s a really awesome blog that we have, all about security in the mobile space. About Aaron Cockerill… your bio is more comprehensive I think than the one now.
[49:29] CS: Just go back and listen to the beginning of the video again.
[49:32] AC: Then the one other place that I’ll encourage listeners, especially that are focused on mobile phishing, is to subscribe to the Phishing AI, which is –
[49:43] CS: Could you say that again? You sort of squelched for a second there digitally. What was it again?
[49:48] AC: Phishing AI.
[49:51] CS: Phishing AI. Okay.
[49:52] AC: That’s like PHI, phishing. That’s a Twitter feed of all of the latest things that we find, or not all, that many of the latest interesting finds that we find specifically targeting mobile phishing, for example, and unique novel kits and novel threats and so on. We’re sort of providing that as a service. We provide a lot more data obviously to customers and so on, but that’s a really interesting feed if you want to get up-to-date on the most recent phishing attacks that we’re finding.
[50:26] CS: Very cool. Aaron, thank you so much for joining us today. This was a really, really informative talk. I appreciate it.
[50:31] AC: Thank you. Yeah, that’s fun.
[50:32] CS: Thank you all as usual for watching and listening. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. If you wouldn’t mind, please give us a 5-star rating and a review wherever you listen to us.
For a free month of the Infosec Skills platform that you heard about at the intro to today’s show, go to infosecinstitute.com/skills and sign up for an account. In the coupon line, type cyberwork, all one word, all small letters, no spaces, and you’ll get one free month. You can also use our free election security training resources to educate poll workers and volunteers on the cybersecurity threats they might face during this election season. For information on how to download your training packet, visit infosecinstitute.com/iq/election-security-training or click the link in the description.
Thank you once again to Aaron Cockerill, and thank you all for watching and listening, and we will speak to you next week.
Cyber Work listeners get a free month of Infosec Skills.
Use code “cyberwork” to get access to hundreds of IT and security courses today.
About Cyber Work
Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with a new industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to stay one step ahead of the bad guys.