PLI Podcast: Mike Murray, MAD Security

Posted on 30 March 2011 by


“The fundamental element of all of social engineering is to create a context in which whatever I want you to do is natural behavior for you.”
– Mike Murray

Mike Murray of MAD Security

As computer systems become more complex, criminals have analyzed the risk-to-reward ratio of buying malware and building specialized technical attacks. In a future podcast we’ll talk about the criminal malware market and how it currently works, but today we’re speaking with Mike Murray of MadSecInc about phishing, spear-phishing and social engineering: exploiting weakness in people.


Mike has more than ten years of experience as a white-hat hacker, security product tester and security researcher at some very respected companies, and currently he develops training programs in system and application penetration testing and social engineering.

So we ask Mike, first of all, so that we can level-set: can you define phishing, spear-phishing and social engineering? His answer is fairly straightforward:

  • Social engineering is running confidence games: manipulating people.
  • Phishing is sending wholesale, generic emails designed to trick a relatively small subset of a relatively large group of people.
  • Spear-phishing is a fraudulent email personally tailored to con a specific person or a small group of people.

We’ve talked on this blog and in the podcast before about the relationship between police officers and the technology they use, and also about the fact that budgets are so tight that it’s often challenging to maintain and grow our own internal networks.

As a detective, Henderson is used to getting complaints from people who have been scammed, phished, or socially engineered. Now we are starting to see what we can only call a trend: malware authors and social engineers criminally targeting police agencies and police officers.

For example, here’s an attack described in many places, but particularly well on the excellent website of the Terrel, TX Police Department. The cops get a message on their answering machine or pager leaving an 809 area-code number and saying that it’s a son worried about his dad in town, or that a family member has died, and so on. 809 is a Bahamian pay-per-call number, like our 900 numbers, so the agency incurs a $20 charge each time an officer calls back.

The reason this is such a good scam is that it counts on both our human instincts and our police officer oath that we will return the call as soon as possible. It aligns your attack with the natural incentives of the target: it speaks directly to the fundamental mission of policing.

That kind of scam is also cheap and easy to mount and works immediately with a financial payoff. It also has the benefit of being international, making it a big pain in the ass to go after those responsible, especially if they only score a couple of thousand bucks. That is the kind of loophole that cyber criminals exploit a lot, essentially jurisdiction shopping and betting that the problems of going multi-jurisdictional or international over a relatively small amount will mean not just that they’re not caught, but that they’re not even pursued.

Some high points of the conversation:

  • While English has been a challenge for them, Nigerian scammers, Murray says, have started hiring psychology graduate students to help them write scam emails. This helps with the English and with the quality of the appeal of the scam itself. While only a tiny portion of those receiving phishing emails reply, the scams are worth hundreds of millions of dollars annually, Murray said.
  • The “Help I’m stuck in London” scam (in which someone’s email is taken over and everyone in the email address book is sent a desperate note claiming to be that person, stuck in London and in need of $1500 or so to get home) has now morphed to a more targeted attack, targeting family and friends of servicemen overseas.
  • Attacks specifically targeting police are by their nature more sophisticated – no one casually attacks law enforcement. So if someone is attacking the police, assume they know what they’re after, they understand the risks, and are willing to take the risk to get to the specific target. The attacker will be motivated and generally much more skilled.
  • Any motivated and skilled criminal attacker won’t attack the cop directly – they’ll attack the family and friends, so they can send messages and malware from the accounts of trusted friends, family and spouse.
  • Social media is a microcosm of the bigger problem: if Mike called me and claimed to be my wife, I’d probably not be fooled. But if he emails me, I’m more likely to fall for it. We haven’t yet developed the instincts to protect ourselves online, to realize that “something’s not right” the way we do in real life.
  • We are highly attuned to signatures – how people sign emails. As you start to become more attuned to the way people sign and compose their emails, you will see similar patterns in the way people communicate. Awareness of these patterns can make you recognize when something doesn’t feel right.
  • To prepare to defend yourself, here is a homework assignment: go home and read five emails from your wife or husband and five emails from a close friend, and read them side by side. Note the structural differences. Notice the patterns in one and then the other. It’s not natural for us to really think about the writing style of the people who communicate with us. In ten or fifteen minutes we can begin to create that inner set of instincts that will serve us in the field.
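The “read five emails side by side” exercise can also be made mechanical. What follows is an added example, not from the podcast or from MAD Security: a toy stylometric baseline in Python that learns greeting, sign-off, sentence length, contraction and exclamation habits from a handful of known-good emails (all constructed here), then flags a new message from the same account whose style breaks the pattern, in the spirit of the “stuck in London” appeal described above. The feature set, the spread floor and the threshold are illustrative assumptions, not a published method.

```python
"""Toy stylometric baseline for spotting an out-of-character email.

Added example; the sample emails below are constructed for illustration,
and the chosen features and thresholds are assumptions, not a standard.
"""
import re
import statistics

# Constructed baseline: five short notes in one consistent personal style.
KNOWN_EMAILS = [
    "Hey,\n\nRunning late tonight, don't wait on dinner. Can you grab milk?\n\nLove,\nJ",
    "Hey,\n\nMom called, she's fine. I'll ring her back tomorrow.\n\nLove,\nJ",
    "Hey,\n\nDid you see the gas bill? It's higher than last month.\n\nLove,\nJ",
    "Hey,\n\nPicking up the kids at 4. Don't forget the dentist form.\n\nLove,\nJ",
    "Hey,\n\nCar's making that noise again. Can you take it in Friday?\n\nLove,\nJ",
]

# Constructed in-style note that should pass the check.
BENIGN_EMAIL = "Hey,\n\nDentist moved us to Thursday. Can you make 3?\n\nLove,\nJ"

# Constructed "stranded abroad" appeal sent from the same account, in a
# formal, urgent style that does not match the sender's usual notes.
SUSPECT_EMAIL = (
    "Dear Husband,\n\nI am writing this with tears in my eyes. I am stranded in "
    "London and have lost my wallet and phone!!! Please, I urgently require "
    "$1500 to settle the hotel and return home. Kindly send it via wire "
    "transfer as soon as possible!!!\n\nYours faithfully,\nJennifer"
)

NUMERIC_KEYS = ("avg_sentence_len", "contraction_rate", "exclamations_per_sentence")
MIN_SPREAD = 0.1  # assumed floor so a perfectly consistent baseline tolerates small drift


def features(text):
    """Extract a few style markers a reader would notice when comparing emails."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    greeting = lines[0] if lines else ""
    # Sign-off is the line just above the name; fall back when the mail is too short.
    signoff = lines[-2] if len(lines) >= 2 else ""
    body = " ".join(lines[1:-2]) if len(lines) > 3 else " ".join(lines)
    sentences = [s for s in re.split(r"[.!?]+", body) if s.strip()]
    words = body.split()
    return {
        "greeting": greeting,
        "signoff": signoff,
        "avg_sentence_len": len(words) / max(len(sentences), 1),
        "contraction_rate": sum(1 for w in words if "'" in w) / max(len(words), 1),
        "exclamations_per_sentence": body.count("!") / max(len(sentences), 1),
    }


def build_profile(emails):
    """Summarise known-good emails: the set of greetings/sign-offs seen and
    (mean, spread) for each numeric marker."""
    feats = [features(e) for e in emails]
    profile = {
        "greetings": {f["greeting"] for f in feats},
        "signoffs": {f["signoff"] for f in feats},
    }
    for key in NUMERIC_KEYS:
        values = [f[key] for f in feats]
        mean = statistics.mean(values)
        spread = max(statistics.pstdev(values), 0.1 * abs(mean), MIN_SPREAD)
        profile[key] = (mean, spread)
    return profile


def deviations(profile, text, z_threshold=2.0):
    """Return a list of human-readable reasons the message departs from the baseline."""
    f = features(text)
    flags = []
    if f["greeting"] not in profile["greetings"]:
        flags.append(f"unfamiliar greeting: {f['greeting']!r}")
    if f["signoff"] not in profile["signoffs"]:
        flags.append(f"unfamiliar sign-off: {f['signoff']!r}")
    for key in NUMERIC_KEYS:
        mean, spread = profile[key]
        if abs(f[key] - mean) > z_threshold * spread:
            flags.append(f"{key} {f[key]:.2f} vs baseline {mean:.2f}")
    return flags


if __name__ == "__main__":
    profile = build_profile(KNOWN_EMAILS)
    for label, mail in (("benign", BENIGN_EMAIL), ("suspect", SUSPECT_EMAIL)):
        flags = deviations(profile, mail)
        print(f"{label}: {'no deviations' if not flags else '; '.join(flags)}")
```

The point is not the particular thresholds but the habit: a baseline of how a known correspondent actually writes turns “something’s not right” from a vague feeling into a short list of concrete differences (greeting, sign-off, sentence length, punctuation) that can be checked before acting on an urgent request for money.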

Some links to things discussed during the podcast: