Late last year, a well-known ride share app and a gaming company were hacked using well-crafted social engineering attacks. Many organizations think they’re safe from attacks by employing top-of-the-line security practices, tools and systems. Those will help deter many types of attacks, but social engineering is a stealthy method savvy threat actors can use to circumvent those measures.
And they obviously do it successfully.
Social engineering involves a threat actor working directly with an individual target, manipulating them into doing something that helps the attacker reach their goals. Phishing emails, phone calls (vishing), and SMS messages are favored tactics. The goal — regardless of the vector — is almost always to get account credentials from the target.
Stephanie Caruthers — a professional hacker herself — has a solid working theory on how the ride share and gaming company attacks happened. The attacker in both cases was the same and is known as teapotuberhacker or Teapot. Stephanie’s take: Teapot may have purchased already stolen credentials of users off the dark web, used that data to research the target victims, and then combined those sources of information to engineer highly targeted attacks.
Which raises the question: Is your information out on the dark web, and how can it be used by a criminal?
In this episode of Into the Breach, we’ll get Stephanie’s take on how those attacks may have happened, what victims could have done differently to protect against them, and what the dark web landscape looks like in terms of whose information is available, how much it’s worth, and how criminals might use it to devise an attack.
Join me — and Stephanie — and together we’ll venture Into the Breach.
Transcript
MITCH
Late last year, a well-known ride-share app and a gaming company were hacked using well-crafted social engineering attacks. In September of last year, London police arrested a 17-year-old on suspicion of both hackings. The suspect in both cases is known as teapotuberhacker, or TeaPot. Social engineering involves a threat actor working directly with an individual target, manipulating them into doing something that helps the attacker reach their goals. Phishing emails, phone calls, known as vishing, and SMS messages are favored tactics. The goal, regardless of the vector, is almost always to get account credentials from the target. And these kinds of attacks are often a very effective way to circumvent even the most robust security measures, like multifactor authentication. Today, we’re talking to a professional hacker known online as Snow, who has a solid working theory on how the ride-share and gaming company attacks happened. Snow’s take: TeaPot may have purchased already stolen credentials of users off the dark web, then used that data to research the target victims, and then combined both sources of information to engineer highly targeted attacks; which raises the question, is your information out on the dark web? If so, how valuable is it to criminals, and how can they use it? Let’s find out. Join me as we venture into the breach. Snow, thank you for joining the podcast. It is really good to have you on here today.
STEPHANIE
Thank you for having me. I’m excited to be speaking with you.
MITCH
Well, okay, so first and foremost, I have to know, and I don’t know if you’ve covered this in many of your copious interviews lately, but what is the genesis of your handle? What is the genesis of Snow?
STEPHANIE
Oh, that’s a good question. I actually don’t get asked that a lot, and I think it’s because people assume it has to do with the weather, which it doesn’t. I’ve had the nickname Snow since I was 16, before I even decided I wanted to be a hacker. So it was kind of handy when I decided I wanted to get into InfoSec, and everyone had handles. I’m like, “Well, I already have one.” So it actually comes from my love of Disney, specifically Snow White, and it was just a trip to Disneyland with a bunch of friends, and somehow I got the nickname Snow, and it has just stuck with me since.
MITCH
Well, I like that story, actually. Cool that you’re a Disney fan and it’s stuck with you since then. My nickname in high school still sticks with me too, but it is Moose. And I don’t know that that’s a really good online handle. I think it’s just because I’m big and stupid.
STEPHANIE
Oh, no.
MITCH
Anyway, speaking of vocabulary questions, let’s start off with another one. And cue your 4th grade English teacher. When you describe what you do for people, do you say ethical hacker? Do you say white hat hacker? I know that’s kind of fallen off the radar as far as what’s appropriate to say. Do you prefer one or the other, and why?
STEPHANIE
That is a great question. So I don’t say white hat or ethical, I just say hacker. And the reason why is because when we think of any other profession, a veterinarian, someone who works in accounting, a lawyer, any of these roles, we don’t add the word ethical or white hat in front of it. It’s implied. It’s what they do, right? So I’m a hacker, it’s my job. If I were to do it unethically, I would be a criminal. So I’m not a fan of adding that verb in front, whatever that is. I’m just a hacker. That’s what I do.
MITCH
Yeah, I get it. Because if I saw somebody listed as an ethical doctor, I probably would be a little cautious about procuring that individual’s services.
STEPHANIE
Exactly.
MITCH
All right. So you’re a hacker.
STEPHANIE
Yes.
MITCH
And when you’re at a party, I assume that’s what you tell people you do for work?
STEPHANIE
Well, I like to keep it a little provocative to keep the conversation fun. If someone asks me what I do, especially if they’re not in InfoSec or anything like that, I will say I break into buildings, or I lie to people for a living, which immediately has a million follow-up questions, which is so much fun. What’s funny too is when they have those follow-up questions, they always whisper. It’s like, “Oh, shit, I’m talking to a bad guy.” But then I explain what I do and they’re like, “Oh, okay, that’s cool. You can actually do that for a living?” So it’s a pretty fun way to answer what I do. I actually have a fun story. So I was sitting in the Amsterdam airport. I had just gotten done doing a physical security assessment. So I got done breaking into a building. And I was talking to the gentleman next to me, just small talk, talking about going back to the States. He’s like, “So what do you do?” And I gave him that high-level answer, “I break into buildings.” And he pauses. He’s like, “Oh, okay.” And I said, “What do you do?” He’s like, “I’m a pastor.” Without skipping a beat, he’s like, “Can I pray for you?” I was like, “Sure, I’ll take prayer.”
MITCH
Oh, wow. Yeah, that’s awesome.
STEPHANIE
Then I had to explain it, but yeah.
MITCH
So did his prayers change after you explained what you did?
STEPHANIE
Yeah. Yeah, actually it did. Yep.
MITCH
All right, all right. Well, we will not try to save your soul on this podcast.
STEPHANIE
There’s no hope.
MITCH
Well, and arguably for me as well. All right, so let’s talk about attacks and specific kinds of attacks. Spear phishing and social engineering are two types that I think people get a little bit confused about. So tell me what makes them different.
STEPHANIE
That is a good question, and especially if you go through looking at different media resources. Everyone uses different types of social engineering terms interchangeably, and they’re all very different. So I like to explain social engineering as an umbrella. That is the way that someone is attacking you, typically it’s either through remote or onsite. But when we look at the types of -ishings, so spear phishing is a type of phishing, an attack done via email, and that’s targeting someone or a very small group of people. And when I say targeting, I mean it’s very customized. Instead of sending out a mass phishing campaign, “Your Office 365 password needs to be reset,” this is very customized. I know exactly what kinds of tools they’re using, what their interests are. And it’s very custom to that person. So that’s a type of social engineering attack. Then you also have vishing, or voice phishing, and that’s another one that we’re starting to see a little bit more of.
MITCH
And we are going to talk a little bit more about that too, because I want to know what you know about TeaPot. And that was the individual that was attributed to the Uber and Rockstar hacks. And you were in an article recently talking about both of those attacks. And I have followed up on the media a little bit. And the 17-year-old who was known as TeaPot, right, was apparently arrested in England back in September. But I can’t find any information on whether or not there was any actual prosecution on that. But you wrote this article about these attacks, and so tell me a little bit about what you know.
STEPHANIE
Yeah, so I think one of the biggest things [inaudible] they were 17 years old. And I’m going to go down a rabbit hole for a second. I think we’re going to see a huge increase of younger and younger people doing these types of… I’m going to call them criminal, right, because it’s not ethical… but these types of attacks. And I don’t know, I think that’s something we’re just going to see so much more of. But yeah, it was this young person who claimed to have hacked… I believe it was Uber and Rockstar. And the attacks were pretty similar, so I wouldn’t be surprised if it was the same person. But they utilized social engineering. It’s very smart, because I think a lot of people who do want to hack an organization, a lot of times they want to be able to sit behind their computer. They don’t want to interact with someone. And this individual did. They actually called people. And we could talk about that shortly too. But they were arrested. And I also haven’t seen what’s come of that. Every once in a while I look and see.
MITCH
Yeah, me too.
STEPHANIE
But nothing yet. So I’m curious what happens.
MITCH
Yeah, I haven’t read any follow-up. So I do want to talk about these attacks though, because in your article you mentioned something interesting. And you said that your assumption was that this individual TeaPot actually purchased credentials off the dark web for the person that they were targeting for this social engineering and spear phishing attack. What makes you think that?
STEPHANIE
So there’s a couple of different ways you can get those stolen credentials. One is you could steal them yourself. You can send them a phishing email and get them that way. I don’t believe that either of those two companies put out information that they had already been compromised that way. And so the other way to get those credentials is to buy stolen credentials. A lot of times we see them on the dark web. Unfortunately it’s pretty easy to buy. And I’m assuming they were going after very specific people based off their roles and what they had access to. That makes them so much more of a high-value target, because you know that they have access to the things that you want. You don’t have to jump through all these hoops or just cross your fingers and hope they do. So my assumption is that they targeted an individual or a few individuals very specifically and then went on most likely the dark web and tried to find their credentials, and probably got lucky and got them.
MITCH
Well, that is a little spooky. Do you think that this is why these attacks worked so well, was because of this sort of background information that was alarmingly easy to get?
STEPHANIE
Yeah, I think that absolutely helps aid any type of attack. As I do these types of attacks, the more information I can find on a certain individual or even a company in general, the higher my odds are, because then you can really customize your attacks to that person. And again, those odds just go up tremendously the more that we know about someone. They also utilized social engineering in their attacks, which helps tremendously rather than just trying to get in through a vulnerability, or something like that. They targeted this person, they understood them, and then they used multiple levels of social engineering, which I thought was pretty smart.
MITCH
So when you use social engineering for your profession and you’re hired by company X to see if you can break into their systems, and you pick a couple targets inside that company that you want to go after… Let’s say you’re picking on me. Let’s just pick me for an example. So you’re trying to get into X-Force and you pick Mitch Mayne. What would you look at from a social media perspective to find information on me?
STEPHANIE
Yeah, so I would probably start with LinkedIn. That’s a pretty big one. I would try to see who you’re connected with, to try to document those relationships so I know who you’re probably emailing with the most, just so I might want to impersonate them. But I’d also see what kinds of things you do in your day-to-day role. A lot of people like to put that on LinkedIn. So they might say they work with certain types of software or individuals or departments within their company. So that’s one of the places I start with the absolute first, because a lot of times there’s tons of information there. And then from there, I spider into different social media, so your Facebook, Instagram, Twitters, things like that, because then you can understand a little bit more about the individual, what makes them tick. Do they have hobbies, have they been traveling a lot, any little piece of information like that. So as I think about what I want from them, which might be your credentials, then I think about, “Okay, if I was this individual and I received an email, what would I want to click on? Why would I want to give those credentials?” And being able to really get a peek at who they are through social media is really helpful.
MITCH
Wow, there’s a little scary application of psychology right there.
STEPHANIE
It is. Yep.
MITCH
So you talked about the dark web. Let’s talk about that specifically, and how much data is out there on everyday people. What percent of people do you think have information for sale on the dark web? And what kind is it?
STEPHANIE
So it’s really hard to put a percentage around it. However, I would say if you have signed up for multiple types of accounts, banking, social media, what have you, and that company gets breached, which happens all of the time, I would be willing to say that your information is somewhere on the dark web. So I don’t know, if I were to have to guess a percentage, probably at least 80. It has to be so high. I feel like every time I look at the news, there’s a new company getting breached, right? It’s insane how much that’s out there. Now, what kind of information, I think the biggest one that I see is credentials for either social media or bank accounts. And social media accounts, those typically go for about $20 for credentials. But if we want to look at banking or PayPal, things like that, those can go typically around like $75 to $100.
MITCH
Which is still cheap.
STEPHANIE
It really is, right? If you think about that money that you have access to, albeit probably a short amount of time, $100 is pretty cheap if you’re getting a couple grand out of it, right?
MITCH
Not a bad ROI. So have you ever looked out there on the dark web to see what’s out there on you?
STEPHANIE
I have. So the dark web’s kind of tricky. It’s not like it’s just a Google where you can search for something and find it. You have to know specific sites that you want to go look for, or onion sites, they’re called. So it gets really, really tricky. There’s a good handful of paid-for services that make it a lot more convenient. But I have definitely tried to find myself on the dark web, on the regular web. And there are absolutely things out there that I’m trying to find. A good place to start is… it’s called Have I Been Pwned, but that’s-
MITCH
Spell that. Spell that. It’s Have I Been Poned, P-O-N-E-D?
STEPHANIE
P-W-N-E-D. Pwned.
MITCH
Oh, okay.
STEPHANIE
But that’s a really good one. And that’s a free site. You just go to it and you give them your email address. And what it does is it tells you how many breaches that email address is in. So the person, Troy Hunt, I believe his name is, who runs that website, he goes, and every time there’s a breach and he can get his hands on that data, he just has this huge database. So if you put in your email address, it will tell you not only how many breaches, but what breaches your email’s been in, which is pretty insane to see. So if that’s the case, you’re absolutely on the dark web. And most people have more than one email address, so it’s kind of scary. I think the last time I looked, one of my email addresses was in like 12 breaches. It’s just insane how much is out there. Yep.
MITCH
Well, I mean, you raise a good point. You don’t really open your email these days or open the news without finding someone’s been breached. And I think for me personally, I can probably tell you six off the top of my head that I’ve been part of. And I’m probably a little higher than average computer user, but still, that’s a pretty scary stat. So if you have email out there, what else can people find out there? Let’s pick on you, though. Let’s go back to you.
STEPHANIE
Sure, yeah.
MITCH
So you’ve looked for yourself. And you probably have a more carefully crafted footprint than most of us do. What did you find out about yourself out there?
STEPHANIE
So other than being in data breaches, I also found my home address. I found phone numbers, which is terrifying, just having that out there. And what it comes down to is when I sign up for different services, maybe it’s a free service, but there’s no such thing as a free service, let me tell you, because then your data gets sold; or if I was in a data breach of some sort where the company that was breached had my information, my driver’s license, my phone number, my IP address, whatever they have, the attackers could get that information as well. So lots of information. And I think a lot of people, when they think of what information of theirs is online, I think a good handful of people are now wrapping their head around, “Okay, maybe my username and password, from a breach.” But oftentimes we don’t think about our phone number and our address and driver’s license number and things like that, which are absolutely things that I’ve found online against myself.
MITCH
Driver’s license number is pretty spooky as well, because that, at least in the state of California, is linked to so many different things that you have to use. What about Social Security number? Have you ever found yours out there?
STEPHANIE
I’ve been lucky where I haven’t found mine yet. I’m sure it’s going to be out there eventually. But that is something that we find a lot. We’ll do these types of… we call them OSINT. It stands for open-source intelligence. But we’ll do these gatherings to really see what kind of digital footprint we can find either on a company or an executive. And oftentimes, we can find Socials and things like that, which is pretty scary actually.
MITCH
Well, yes, and cue the reminder to freeze your credit, folks.
STEPHANIE
Yes.
MITCH
It’s actually pretty easy. So if a layperson… And we don’t advise this, so we should preface that with that statement. If a layperson wanted to, I don’t know, surf out there on the dark web to see what information was available to them, how would they do that, or even should they do that?
STEPHANIE
Yeah, I would say don’t waste your time. Go to the website, Have I Been Pwned. It’s HaveIBeenPwned.com. And look up your email address. And that right there is going to tell you if you are or not. Another service that I like to use, it’s a paid-for service. I don’t get paid to promote them. I just really, really like them, but it’s called DeleteMe. And what they do, they’re constantly looking at different types of websites, people search sites, white pages, all kinds of places where your information might be listed at. And they will actually go and fight on your behalf to get that removed from online. So just because you have your address out there doesn’t necessarily mean you can’t remove it. So that service, DeleteMe, is one of my favorites and I highly recommend it. I actually give it as Christmas presents. It’s such a great service.
MITCH
Wow. That actually does sound pretty cool. So DeleteMe could actually go out to, say, my cell carrier and say, “Remove Mitch Mayne’s number from his name,” blah, blah, blah, something like that?
STEPHANIE
Yeah, yeah. Or now a lot of times when people buy houses, their address will get put on different kinds of websites, or name and address. But what they’ll do is they’ll go and they search those websites, and if they find them, yeah, they just work on your behalf and say, “We want you to remove this.” There are ways you can do it yourself, but it gets pretty tricky. But a lot of websites that have that, it’s convenient, right?
MITCH
Well, tricky and time-consuming, I would imagine-
STEPHANIE
Yes, very.
MITCH
…because there’s probably more than one out there with that name and address.
STEPHANIE
Yeah, absolutely.
MITCH
So talk to me about words of advice, from two perspectives. One, for companies like Uber and Rockstar, who have these extremely well-crafted social media attacks aimed at them, how can they help avoid being victimized?
STEPHANIE
Yeah. So from that company perspective, I think paying more attention to social engineering. A lot of times organizations, when they think of getting hacked, they don’t put as much effort into social engineering. And when I say that, I mean they actually need to train their employees what that looks like. A lot of times when I review security awareness training, they’re not great. They’re really bad. And they’ll say things like, “If someone calls you, don’t give them your password.” I’m like, “Okay, cool. I’m not going to call and ask someone for their password.” I’m going to call and be like, “Hey, I need you to go to this website and log in,” and then I get their password. There’s a lot of tricks that attackers are doing that aren’t covered in that training. And when organizations give their employees a once-a-year training for one hour, they can’t expect them to fight off every type of attack they’re going to get, because it’s going to be insane. But to really make sure that they’re investing into their employees to train them what these attacks look like and how to report them and making sure that they’re investing into their employees, I bet we’ll see a huge decrease of these types of attacks.
MITCH
So didn’t TeaPot, during the Uber attack, they actually combined a couple of different methodologies for social engineering, and one of them was spear phishing and the other was vishing, right?
STEPHANIE
Yeah.
MITCH
So talk to me about what happened there.
STEPHANIE
Yeah. So I might be getting the two attacks confused, but how one of them worked out is they had sent the phishing email to their target, to that employee. And they impersonated help desk or the IT. And that’s really smart because that builds trust right away. We’re used to seeing information from IT help desk. However, they needed to get that SMS code or that text message for the multifactor authentication. And so what they actually did is they called that employee after sending an email. So they’re also adding a little bit more credibility to themselves, like, “Hey, I sent you that email.” But they got that code that way. Now in the other one, they did something pretty tricky too, and they called… it’s like push notification spamming. So while they had that username and password that they probably purchased, they had it, however they got to that next screen, it’s like, “You need to approve.” And how that company had it set up was on the employee’s phone, they had to see, “Oh, I’m trying to access this,” approve or deny. And so typically, if you do that over and over, it’s just going to annoy someone until they finally approve it. And that’s what happened, which is kind of terrifying. That’s another reason why I’m not a fan of push notifications for MFA. And sometimes you could accidentally hit the wrong one, too. I like more of being able to actually put that code in. So they definitely used different techniques for these attacks. And they layer them together, which again, from an attacker point of view, that’s brilliant and it’s smart. From a company point of view, it’s kind of scary that they can combine those types of attacks to make it more realistic.
MITCH
Well, it also does something else that I’m sitting here thinking about, and that’s this sort of illusion that so many companies have that, “We have MFA, so we’re safe.”
STEPHANIE
Yes. That one terrifies me, because we are able to bypass it all the time, especially our adversary simulation team. It’s candy to them. It’s easy, it’s fun. It’s nothing to hide behind. I think it’s a great tool to have, and absolutely everyone should do it. And it probably stops quite a few attacks, especially maybe attackers who are new to trying to bypass it. But it doesn’t mean that you’re 100% safe, by any means.
MITCH
Well, and cue the next question, back to the words of advice. What would you tell average citizens? So think about your mom. You already said you’re getting her a DeleteMe for Christmas. So think about your mom. What do you tell your mom to do or not to do?
STEPHANIE
So there’s two things that I tell her that she should always enable. That is MFA. I think that is a great tool, and everyone should have it. The other one is a password manager. And so that really lets you keep those long, complex passwords that are unique for every site. And that’s the key here, is that they’re unique for every site. Because if you think about it, if you are an attacker and you phish someone for their credentials, maybe for, let’s just say, their bank credentials. The average user uses the same password across multiple sites. That’s normal, especially for older folks. It’s easy to remember. And so what they can do is now they have their bank information, they go and try to log into your Facebook with the same username and password. And that works. And so that’s why it’s really important to have that password manager set up because then you have different passwords for each site. And if you have the MFA, that’s just a stop-gap to hopefully stop that attacker in their tracks.
MITCH
Well, password managers, I know so many people who don’t have them. You know these people too. And they’re the people with like, “Oh, well, my passwords are in a locked Excel on my desktop, so I’m fine.” How difficult or easy are those to use?
STEPHANIE
I think they have come such a long way, and they’re really, really easy. I have an app on my phone now, so if I’m on the go and want to log into things, it’s super convenient. I have it on my computer. Really, it’s just setting it up. And it takes a while. As you start to log into all of your websites, you have to add it. And it doesn’t take long. Once you can get past the setup, it’s worth it to me. I think it’s not as much of a pain as most people think it’s going to be.
MITCH
All right. There you go, folks, two-factor authentication and passwords. I just want to end with, what has been your most interesting experience so far this calendar year with breaking into buildings and being prayed for in the airport?
STEPHANIE
Yeah, yeah. So my most interesting experience, I would have to say that was from a client who they had hired us to try to get into one of their new locations. And they were very confident that we weren’t going to be able to, because they spent a lot of money on their physical security controls. They had all of the latest and greatest. I’m talking millions of dollars to keep people who were not authorized out of their building. And within, I think, the first 15 minutes on site, we were just able to talk to someone and get right in. And to me, that’s still terrifying, because a lot of people put a lot of faith into the technology that they use, or they’ll see the amount of money they put into it. And that just goes to show we also need policies and training and procedures and all of these other things. We can’t just plug something in and think that it works. So I think to me, that’s been my most eye-opening thing, that there’s companies out there still doing that. And I think we’ll get there, but it’s just taking a while until we realize that we can’t put blind faith into products.
MITCH
Well, all this stuff sounds a lot like basic human error and humans trying to be nice. So it’s like you can’t buy that, right? That doesn’t come off a shelf from any software vendor.
STEPHANIE
Right.
MITCH
There you go. Well, Snow, thanks for joining. I really have enjoyed this conversation. This stuff is absolutely fascinating, so I appreciate you being on the show.
STEPHANIE
Yeah, thank you for having me.
MITCH
A special thanks to our guest Snow, or Stephanie Caruthers, for her time and insight for this episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You’ve been listening to Into the Breach, an IBM production. This episode was produced by Zack Ortega, and our music was composed by Jordane Wallace. Thanks for venturing into the breach.