
Breaking Badness Cybersecurity Podcast - 179. Scamily Matters

Coming up this week on Breaking Badness: And That’s How I Got Scammed, You’re Not My Typo, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

And That’s How I Got Scammed

  • Cory Doctorow shares how he was phished once, and how the scammers tried to scam him again days later
  • We start by discussing that anyone can get scammed – it doesn’t matter how long you’ve been in the industry. Even our pal @nullcookies has said on the podcast before that anyone is susceptible to falling for a scam
    • Ian has indirectly been part of scams. He spent the better part of a decade as a police dispatcher, so he saw his fair share of people report fraud, embarrassed and shaken
    • He’s spent time helping relatives sort through things after becoming fraud victims and it makes him furious every time at the fraudsters 
    • He admits he’s also not immune from it and could get roped in just as Doctorow had
    • He sent this article to a few people who got scammed with a preface that he hopes it makes them feel a little less ashamed, because it can happen to anyone 
  • Who is Cory Doctorow?
    • We’ve discussed his work on the podcast before – in our first Book Club episode
    • Cory Doctorow is a hacker’s hacker, in a lot of ways. He’s a fiction and nonfiction writer now, but he’s also a longtime technologist, and immerses himself in culture and social impact instead of trying to pretend the technology is separate from it
    • Ian’s first experience of him was a great short story about an apocalypse, titled “When Sysadmins Ruled The World.” It presented a really unique vantage point of the end of the world from both a systems and system administrator point of view, and really caught his imagination
    • He’s also written whole fiction books about fraud, scams, red-teaming, and similar themes. He’s a regular attendee of Defcon, especially the Social Engineering village, which covers person-to-person fraud activity
    • One of the things that draws Ian to Cory Doctorow the most is his consistent position that people should and do matter more than just about anything else. He doesn’t know if he describes himself as such but he’s definitely a humanist, and being a humanist is messy – it takes a lot of gray-area thinking and understanding and wondering, discarding absolutes. Systems administration is the same way in some cases once you get past the simple stuff. Cory proves regularly that he’s ears-deep in the gray areas of both people and systems, and that’s where you find the gaps and liminal spaces and opportunities for fraud
  • A summary of the attack against Doctorow:
    • A poor-quality, after-hours fraud department call was the first he knew of trouble. He was traveling and in a bit of a disheveled scramble, as most of us get mid-travel. He provided what information he could, then hung up and concentrated on getting where he was going
    • But when he showed up at the credit union a few days later with paperwork, which Ian’s sure wasn’t fun to begin with, he learned that the initial call had really enabled the fraud. Doctorow provided the last seven digits of his card when asked, rather than four. He was in a rush, his nerves were shot between travel stress and the emotional response to the call, and he gave all seven. Since the first nine digits of a card are uniform across an institution’s issued cards, if a scammer has that information, those last seven digits mean they now have the full card number
    • The caller tried to keep Doctorow on the phone for as long as possible and was either frustrated or pretended frustration when Doctorow cut the call short, which sounds pretty convincing. But by that point they had enough to do eight thousand dollars worth of fraud on the card
  • Will we see scammers use timing more to their benefit rather than a “spray and pray” approach to cast the widest possible net?
    • In this case, the timing seems coincidental for the threat actor, but it was worst-case scenario for Doctorow
      • He had just published two big articles that were getting traffic, had just wiped and reinstalled his phone operating system, had just gotten phished on social media over that, and more. He describes it as Swiss-cheese security:
        • “Imagine multiple slices of Swiss cheese all stacked up, the holes in one slice blocked by the slice below it. All the slices move around and every now and again, a hole opens up that goes all the way through the stack. Zap!”
      • Those are the gray areas Ian was talking about above, and how those gaps and liminal spaces line up to present opportunity can be maddening and unexpected. A lot of that is made easier by data brokers, which he (rightly) calls nonconsensual doxing giants. The amount of information you can find by open-source intelligence techniques is surprising; the amount of info you can get by spending thirty bucks a month with a data broker is damning and terrifying
  • How will artificial intelligence (AI) make these scams worse?
    • This is another one of those cases where you can see those liminal spaces between people and systems lining up to present opportunity to bad actors. Doctorow talks about banks and other institutions grooming us to accept the poorly-implemented, poorly-executing AI systems that those bad actors could use to automate and vastly upscale their campaigns. AI also allows those bad actors to easily and endlessly iterate their campaigns – microsecond A/B testing to determine which scam workflow works best
    • Doug Seven has a great blog post about an early machine-learning implementation fail: Knight Capital’s 2012 self-destruction due to the failed deployment of a high-speed algorithmic trading update. Once trading started, Knight Capital knew quickly that something was wrong, but it took them 45 minutes to pull the plug. In those 45 minutes, the algorithmic system accounted for $460 million in losses; at the time, Knight boasted $365 million in cash and assets
    • Another early implementation of AI/ML is systems that learned to play the game Go, particularly AlphaGo and AlphaZero. AlphaGo took several years and thirty million games of Go to reach mastery level, but no human can play thirty million games in that time. Its next iteration, AlphaZero, used one-twelfth the electricity and reached mastery level in 4.9 million games, one-sixth of AlphaGo’s total. The new AlphaZero learned to beat its predecessor in three days
    • Last Ian checked, OpenAI’s DOTA2 bot was 1923-9 against humans, thanks to amassing 45,000 years of experience in ten months’ time. Not only can we not do that, we can’t really properly conceive of the fundamental, developmental differences it causes in decision-making systems
    • So he agrees with Doctorow wholeheartedly; every implementation he’s seen of large language models and other generative AI has been half-conceived, poorly implemented, and thrown headlong into production without any responsible approach towards possible social impact. Ian’s good friend and Philosophy of Technology professor Damien Williams does a great job of covering this issue by showing the interrelationships of capitalism, politics, race, and human fallibility and how they come together to make AI implementations an exponentially dangerous amplifier of inequality, fraud, systemic bias, and stress. He encourages folks to look up his piece in American Scientist, titled “Bias Optimizers.” 
    • It’s a problem of incentives, and good old-fashioned human betterment hasn’t been a primary incentive in most tech deployments for ages, maybe ever. The most recent one Ian can think of is the automobile seat belt, and some vaccines. Now we’re leaning on systems that can upscale exploitation not in human-time and human-brain cycles, but in distributed or concentrated ways that give the systems and those that design them much more time-per-second to learn or exploit or extract from us
    • An exploitative system that works in femtoseconds means it can make those holes in Swiss-cheese security much bigger, and line them up much more easily, than we can predict or consider in the moment

You’re Not My Typo

  • For the past decade, millions of emails destined for .mil US military addresses were actually directed at .ml addresses, that being the top-level domain (TLD) for the African nation of Mali
  • This has been going on for so long, so how was it unearthed?
    • This is a bit of a shaggy dog story – several country-code top-level domains belonging to small developing nations, including .ml for Mali, were contracted out to a company called Freenom
    • You would use Freenom for free domains, which was handy if you were testing a website, but if you are trying to phish or spam and you know the domain is going to be blocked quickly, it was a perfect application
    • About a year ago, in March 2023, Meta sued Freenom, alleging it facilitated abuse like phishing and scams
      • Meta basically put Freenom out of business with this lawsuit
      • When this happened, the ownership of the country codes went back to the countries
    • But there was a man who managed the .ml registry and had contracted it out to Freenom, and Mali decided not to renew his contract
      • When that happened, he shared that he was receiving mail intended for .mil addresses, .mil being the TLD for the US military
      • .mil and .ml are also not far off from .nl, which is registered to the Netherlands
      • When the contract expired and Mali said they wouldn’t renew it, that’s when he spilled the beans on this, and it caused a great deal of consternation
  • What are the consequences of a typo like that?
    • They can be dire, but a lot of the mail is likely junk mail – you can look at your own email to see the ratio between useful emails and junk emails 
    • However, it only takes one email for it to be an issue 
    • One of the biggest concerns about this is that Mali is currently aligned with Russia
    • Now that the domain has been repatriated, there’s no telling who has access 
  • The Pentagon said there are controls in place that prevent users from sending to the wrong place, but how did this happen even with controls in place?
    • Kelly has experience with email and has trouble believing that’s likely 
    • There are likely some measures for safety and privacy to reduce the possibility of spearphishing and social engineering, but more than that she’s unsure how else they could prevent that 
  • What has transpired since the contract expired on who’s managing that TLD?
    • Right now, it looks like it’s being operated by the government of Mali 
  • Freenom shared a press release this past week on changes they’ve made to their organization
    • They stated they resolved the Meta lawsuit and the terms were confidential 
    • They recognize Meta’s interest in protecting their users from fraud
    • They are now saying they have exited the domain business including the operation of registries 
    • Freenom said that while they wind down that part of the business, they are creating a block list to monitor DNS abuse, phishing, etc. – the things they were accused of facilitating
    • Does this mean that Meta will take them up on this?
      • It’s unlikely especially when there are others with much more experience with block lists out there that can address these issues 
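One concrete form the “controls in place” from the Pentagon discussion above could take, as an added example that is not from the podcast or from DomainTools: a recipient guard that holds outbound mail addressed to a .mil lookalike TLD (.ml and .nl from the story, plus any other TLD one keystroke away) for review instead of delivering it. The lookalike set, the distance threshold and the placeholder domains are assumptions.

```python
# Added example, not from the podcast or from DomainTools: an outbound recipient
# guard that holds mail whose top-level domain is a known or likely typo of
# ".mil" (".ml" for Mali, ".nl" for the Netherlands) so a gateway can review it.
from dataclasses import dataclass

PROTECTED_TLD = "mil"              # the TLD being guarded, per the story
KNOWN_LOOKALIKES = {"ml", "nl"}    # the two mix-ups named in the story (assumed list)
MAX_DISTANCE = 1                   # one slip of a key also counts as a typo (assumed)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

@dataclass
class Verdict:
    address: str
    tld: str
    hold: bool      # True = quarantine for human review instead of delivering
    reason: str

def check_recipient(address: str) -> Verdict:
    """Decide whether one recipient address should be held before sending."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain:
        return Verdict(address, "", True, "malformed address")
    tld = domain.rsplit(".", 1)[1].lower()
    if tld == PROTECTED_TLD:
        return Verdict(address, tld, False, f"exact .{PROTECTED_TLD} recipient")
    if tld in KNOWN_LOOKALIKES:
        return Verdict(address, tld, True, f".{tld} is a known .{PROTECTED_TLD} mix-up")
    if edit_distance(tld, PROTECTED_TLD) <= MAX_DISTANCE:
        return Verdict(address, tld, True, f".{tld} is one typo from .{PROTECTED_TLD}")
    return Verdict(address, tld, False, "no lookalike TLD")

def triage(addresses):
    """Split a recipient list into (deliver, held) for a gateway rule."""
    verdicts = [check_recipient(a) for a in addresses]
    return ([v.address for v in verdicts if not v.hold],
            [v for v in verdicts if v.hold])

SAMPLE = [  # constructed placeholder recipients, not real mailboxes
    "analyst@example.army.mil", "analyst@example.army.ml",
    "partner@example.nl", "vendor@example.com", "broken@nodot"]
```

Run `triage(SAMPLE)` to see the .ml and .nl recipients and the malformed address land in the held bucket while the .mil and .com recipients are delivered.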

This Week’s Hoodie/Goodie Scale

And That’s How I Got Scammed

[Ian]: 8/10 Hoodies
[Kelly]: 7/10 Hoodies

You’re Not My Typo

[Ian]: 5/10 Hoodies
[Kelly]: 5/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!