WEBINAR
The evolution of cybercrime cartels
In this episode of And Security For All, host Kim Hakim talks with Tom Kellermann, Senior VP of Cyber Strategy at Contrast Security, and Derek Booth, Supervisory Special Agent at the U.S. Secret Service ATSAIC. They discussed the evolution of cybercrime cartels and cybersecurity conspiracies. Insight was also provided around trends in e-fraud and novel cyberattacks, as well as shocking, destructive attacks, cloud jacking, AI’s dark passenger, Kronos attacks and more.
About the show:
And Security For All airs every Friday at 12 Noon Pacific Time on VoiceAmerica Business Channel. Each show details specific points in history and provides guidance and insights of both a technical and societal nature to help you understand and address cyber security issues more effectively.
Full video transcript
The following transcript was automatically generated.
Intro:
You probably don't put much thought into cybersecurity. You know, your network connections, the pages you visit, the files you download. You should be thinking about these all the time. Welcome to And Security For All. Your host is Kim Hakim. We're here to help you understand, in general terms, how and why your cybersecurity should be kept in check.
Now here is Kim Hakim.
Kim Hakim:
Hello, everyone. Happy Friday. Welcome to another episode of And Security for All. I’m Kim Hakim, your host. I just got back super late last night from our Columbus cybersecurity conference, which was just an absolutely amazing event. A big shout out to Connie Matthews who is the president of Raycon Technology. It's a training company. She's actually gonna be my guest next Friday on the show. She is great. She makes my life so much easier.
Every time we come to Columbus, she brings me, probably about eight great speakers from the community. Yesterday, we had the CSO from the state of Ohio, from Incoba Insurance, the CSO from Cardinal Health. We had all kinds of people. We had the CSO from the medical center at Ohio State.
Anyway, big shout out to her. We had the CSO from Electric Power. I'm a little tired today. When we run our events, it's pretty crazy.
You know, we're there from 6am and it ends probably at 6pm. And it's very rare that we can find a flight back to our home city that night, and I was so excited because my plan was that I was gonna be home at 10pm because my flight was supposed to get into St. Louis at 9:20, and it ended up getting in about 2:30am. So feeling rough today, but excited about our show. I have two great guests today.
Very excited. I met them at our Salt Lake City cybersecurity conference. And for anyone out there that doesn't know who we are, you can check out FutureCon events. We do about 30 different events all over North America, and we have some of the greatest speakers that come to our events.
And you definitely don't wanna miss an event if we're coming to a city near you. Today, we're gonna talk about the evolution of cybercrime cartels. I have two guests today. I have Tom Kellermann, who is the senior vice president of cyberstrategy at Contrast Security.
And we're gonna talk to him about how he is involved with Derek Booth, who is from the US Secret Service, the ATSAIC. He's the founding member of the Mountain West Cyber Fraud Task Force, which consists of three hundred members.
Very excited to talk to them both today. So welcome to the show, Tom and Derek.
Tom Kellermann:
Thank you for having us.
Derek Booth:
Thanks, Kim.
Kim:
Yeah. Thanks for being here.
One of the best things about my job is the people I meet when I'm out on the road. So I was very fortunate to meet you all out in Salt Lake City, which happens to be one of my favorite places. We have a mountain house up there. So are you both from Utah?
Tom:
No.
Kim:
No. Neither one of you are?
Derek:
No. I actually am, Kim. I'm from Southern Utah originally.
Kim:
Okay. Awesome. Well, tell us a little bit.
I'll try to kinda keep this in order so we don't talk over each other. But, Tom, why don't you start? Contrast Security, they do pretty much all of our events all around North America. How are you connected with Derek?
And it was very surprising to me because when I got there, I was like, wow. We have a special agent from the CIA. That's super cool. So why don't we start with you and let us know your connection with Derek and what you all are doing?
Tom:
So I've been collaborating with the Secret Service for decades ever since I was the CISO for the World Bank and IMF Treasury. The Secret Service is a very important mission in defending the financial sector, and I'm a proud member of the cyber fraud task force for the mountain west.
Kim:
Tell us a little bit about what you're doing with the Secret Service. I have no idea. Like, this was the first time. We have all kinds of FBI, people from Homeland Security. We have never had anyone from the Secret Service. So this is gonna be just as educational for me as it's going to be for our listeners today.
Tom:
It's a public private partnership that's been around for decades. Actually, one of the longest standing ones out there. Derek, why don't you shed some light on the Secret Service and the task forces?
Derek:
Yeah. Proud to, and thank you so much for this opportunity, Kim, to talk about it. So we started the task force here in the Rocky Mountain region in 2012.
We started with zero. We're up to over 320 members. About 120 of those are law enforcement partners, detectives, analysts, technicians from all over Colorado, Utah, Idaho and Wyoming. But then also we've got about 180+ private partners, people like Tom, CISOs and network managers and business owners, people that just wanna know, hey, what's going on in the cyber world? What's going on in the Rocky Mountain region? And we try to meet a few times a year, and then we push out training opportunities. We push out intelligence we get from some of our other cyber partners from all over the world.
And then, of course, anything that the Secret Service brings in, we can push out to our partners. So we're very proud of that partnership. We have a lot of great members there, a lot to share, you know, back and forth. I spend a lot of time just on email, relaying information back and forth, and we're excited to grow.
And if anybody wants to join us, let us know. Part of our mission, part of the Secret Service, and some people ask, why is the Secret Service involved in this? We started as an investigative agency back in the 1800s, and part of our mission is still to protect the infrastructure and the financial systems of this country. And then that evolved into protecting the President and the Vice President and our dignitaries, but we still carry our mission, our investigative mission, and that has evolved into electronic crimes.
Just the way the world has evolved, that's the way we have evolved. So that's where we are today.
Kim:
Well, let's, kinda dive in and talk a little bit about the cybercrime cartels.
And, I mean, let's talk about how it's evolved over the past decade. I mean, there's a lot going on that, you know, makes a lot of us not feel as safe as we used to feel. So tell us a little bit about that and, you know, I hate to use this cliché, but what's really keeping you guys up at night? How could you shed some light on that?
Tom:
Sure. Look, cybercrime has been around since basically the eighties, but it really became more organized in 1995 when money became digital. But what's changed is that they've become cartels who enjoy a protection racket from the Russian regime. And that really changed in 2013 when General Gerasimov, the head of strategic command for Russia, gave a famous speech. And he stated that basically the west had two Achilles heels, this dependence on technology and this dependence on public opinion. And so he basically challenged the cyber criminals to work for the state to enjoy that protection racket and to hack the west.
Kim:
And then what about you, Derek?
Derek:
No. It's amazing how much has changed. And I got involved in this in 2012, so about that same time. And, you know, it started out, you know, credit cards.
You know, it started in network breaches, who could grab the most credit cards. And, you know, as Tom already referred to, it started in Russia and the Eastern Europe area, and that has just evolved into, we'll talk more in depth about some of the attacks that we're seeing today, but it's just expanded. It's more than just credit cards now. It's money, how the bad guy can get the money and in what shape and what form.
So that's evolved into business email compromise, into ransomware, into romance scams. You name it. And it's just amazing to watch, and it's sad to see, actually.
Tom:
To that point, I think it's important to understand and underscore here that the cyber criminals of Russia are untouchable basically from Western law enforcement unless they make the mistake of going to a nation that has an extradition treaty with the US. And the reason why they enjoy that untouchable status is they gotta abide by the three rules. You never hack anything that's in Russia. You share access to systems that you've compromised with the intelligence services. And when called upon to be patriotic, you do so against specific targets. And so you have these multiplicities, these actors that act as cyber militias part time for the Russian regime, but basically run the dark web, 60% of the dark web is run by these actors.
Kim:
Well, let's talk about the dark web and let's talk about, you know, because we just came from the state of Ohio and Columbus just had an attack this summer. So, you know, a lot of talk was going on about that yesterday. It was a ransomware attack, and I was talking to the CIO for the steps for the whole state and just talking about some of the counties that don't even have money to pay for these ransoms.
So what are some of the newest tactics that we're seeing cyber criminals using to exploit businesses and even counties and cities? And what are you doing when these people, you know, when some of the infrastructures don't have the money to pay the ransom, where does that leave us? What do we do?
Tom:
So when you think about ransomware, you have to remember that most of the ransomware is actually developed in dark web forums in Eastern Europe.
Most ransomware won't even detonate on any keyboard that has a Cyrillic setting or basically Russian language setting. Most ransomware will deploy a secret passageway, a RAT, into the system. And so it's very important that beyond getting rid of the ransomware, you identify that secret passageway when you're conducting your incident response. And most ransomware that's leveraged is leveraged through affiliates, people that basically lease these platforms from the major cybercrime cartels who develop the platforms. And the reason why the cartels don't uniquely use their own capabilities is that they know that when I go around launching ransomware attacks with their platform, they can essentially teleport themselves, I mean that, into the infrastructure I've compromised because of that backdoor that I've described.
You should not pay the ransom. You shouldn't because you're contributing to the economy of scale of the dark web, which is in excess of $1.5 trillion, and you're evading sanctions.
You're assisting in the evasion of sanctions by the Russian oligarchs who protect these Russian cybercriminals.
Kim:
Well, what is your thought on that, Derek? When we hear, Tom I mean, we hear that all the time, don't pay the ransom. But some people feel like they just don't have a choice.
Derek:
No. I totally agree with Tom. And I also understand, you know, where the people come from. They get it, they need to keep the business rolling.
They need to keep putting food on the table, and they need to keep their business in operation. So we stress more than anything, don't pay the ransom. Make sure you have good backups and get those backups offline. Because we've come across companies and municipalities that had backups, but they were still connected to the network, and so it does no good.
On top of that, many of their backups are unencrypted. So they're still open to the bad guy, and then they go home at night and they can sleep, and they think, oh, I've got backups. We're good to go. We stress, make sure your backups are, one, encrypted, two, offline, and you are prepared.
We've seen a couple organizations here in Colorado in the last few years. One was very well prepared. They had backups. So when ransomware hit, they didn't care.
They were able to tell the bad guy to take a hike, and they were able to jump in and get their business up and running again. We've also seen some municipalities that were hit hard, and they shut down all kinds of services, you know, physical services or social services, you know, jails and water, sewer, trash pickup, those kinds of services. And so they felt very desperate, and so they end up paying the money. So our biggest thing is one, education, and two, you know, know what's going on around you.
And that's one thing we try to do in our task force is when people call us, we'll come in, we'll step in, we'll try to stop the bleeding, number one, and try to help them recover their systems as quickly as possible, as quickly as they can.
We'll help them, just give them some guidance, because most of the time, you know, it's ransomware that we've already seen. You know, LockBit 3.0 was a big one this last year, the year before. So the decryption codes most likely are out there now, they're available. And so we can share that with our partners, share that with the victims, and they can recover a lot more quickly.
Tom:
And if I can add to that, please rely on your partners in the Secret Service and the FBI because they will share the decryption codes for you to unlock that ransomware, number one. Number two, remember that ransomware is delivered primarily through two ways, spear phishing attacks, which we've heard about ad nauseam. Right?
But also through the exploitation of vulnerabilities in applications, which means you must do a better job of defending your applications, of patching your systems when critical vulnerabilities arise, and really implement things like runtime security for your business to defend the applications from being exploited, which would allow the adversary to actually then encrypt your systems.
Kim:
Well, how do you think these hackers are leveraging AI now to bypass security systems and what do you think is gonna happen with the future as AI evolves? And, you know, we're seeing all kinds of newer deep fakes. I mean, what are both of your opinions on that?
Derek:
So, you know, Tom already hit on one of them, the spear phishing.
AI is gonna clean that up. A lot of spear phishing in the past was pretty easy to identify. But with the AI, it cleans that up, and now you don't have bad English. You don't have improper English. And AI is able to trick or con the victim into thinking, hey. This is legit, whether it's an invoice or a receipt or something that has, you know, a link to it, and that's how they're able to get in. So I would say number one, that's how they're gonna make phishing a lot harder to identify.
And then number two is just the creativity of that AI, the creativity of the emails that are being sent, and then also voice opportunities, trying to con the victims.
You know, bad guys can use AI streaming, voice services to try to con, you know, a CFO or a COO into, you know, voice mails or something where they feel like they're talking to somebody legitimate in their business.
Tom:
Good points. And I would add, though, that we need to remember something about AI. Not only will it be used to develop more customized malware that can evade traditional cybersecurity defenses, but we need to pay attention to the security of AI. Large language models that are the foundation of AI can be poisoned. They can be corrupted. And if you're using AI as a business, you should know where you're using AI and understand the security provisions by the provider vis-à-vis protecting the large language model, because hackers are moving into the space, particularly cyber spies affiliated with rogue nation states, attempting to corrupt the AI, thus corrupting the operations of the business or government agency that's dependent upon it.
Kim:
Well, what can these incident response teams do to adapt, to be better prepared and, you know, implement some better response strategies?
Tom:
Well, you know, the Secret Service, the FBI, the NSA have really up-leveled their information sharing, unprecedented declassification of threat information and telemetry associated with these advanced adversaries, these what's called APT groups, these advanced persistent threat groups. You should pay attention to the information that they share on a regular basis, whether it's through their Twitter/X feeds or on LinkedIn or participating in the cyber fraud task forces, to be aware of what's coming or what is already occurring in the environment. I would suggest, though, that expanded threat hunting in your environment is fundamental. And so threat hunting, for example, versus incident response is different. Incident response is law enforcement shows up when the bank alarms are going off because it's being robbed.
Threat hunting is, like, making sure no one's in the vault when you close the bank for the day, if that makes any sense. So you're looking for anomalies on systems across the networks, across your endpoints, across your cloud and across your applications. And so identify those behavioral anomalies essentially, much like the Secret Service would when they're defending the President, protecting the President. Identify those behavioral anomalies before they manifest into something worse and suppress them.
It's quintessentially important. And lastly, I would just say this. When conducting incident response, you should already have a provider that you're partnered with or a managed detection and response firm that you're partnered with as a business who can assist you in the immediacy of the moment in a 24/7 kind of response system. You shouldn't have to wait until the event happens to then hire a firm, as you might be too late.
Kim:
So Tom just kinda gave us the technical side of that. What would your response be, Derek, on the human side?
Derek:
No. And I get it. And the human side is hard to get through because it's a matter of trust. Right?
We need them to trust us before they're gonna call us. But that's the million dollar question, that's the biggest challenge right now for us. We need to gain their trust, and that's why we try to get out there and try to make people aware in this kind of forum and other forums that, hey, we're here to help you.
We're not the jackbooted thugs of the 1800s that you think we are, and the stereotypes that federal agents have. We're here to help you just like in years past, you know, when Butch Cassidy robbed a bank, who was the first person they called? They called the sheriff to try to figure out what happened, where is he, and let's track him down. The challenge for us is for those to call us.
So we want them to. We want them to trust us. We want them to build a relationship with us just as Tom has been preaching for the last 10 years to trust us, build a partnership, build it with the Secret Service, build it with the FBI, build it with CISA. Whoever it is you feel comfortable with, call them.
And you should call us now. Don't call when an incident happens. I mean, call us when an incident happens, but you should call us ahead of time. Build a relationship with us. And we can sit down and we can, you know, we can figure it out with you on game day when it happens.
But most importantly, let's sit down ahead of time and let's build a relationship and let's talk about it. Let's talk about, hey, what if it happens? What are your guidelines?
What are your thoughts? We might have some great ideas to share with them, things that we've seen in the past. And so that's the human side of it. And more than anything, we just want, we need people to trust us.
We're not gonna shut your business down. That's the biggest, probably the biggest misconception. Well, there's two big ones. One, we're not gonna shut your business down, and two, we're not gonna share it with the press.
There's nobody in the world that hates the American media more than the US Secret Service. Maybe the FBI hates them more. But we're not gonna share them, we're not gonna share the information. We're gonna share the information, but not the company.
And we're not gonna share, hey, this is what so and so is going through. We're gonna share this is the attack vector that the bad guys came through over here last week in this area. And by sharing that, hopefully, we can shut down the next attack.
And so I think it's kind of a neighborly thing. Right? By sharing your information with us, you're helping the guy down the road. So that's our biggest challenge, and that's what we're trying to do.
That's what we're trying to overcome.
Tom:
And I would script in there that's really important.
We need to appreciate what's changed. The adversary of today doesn't just want to burglarize you or extort you. The adversary of today, now, they do want to achieve that goal, but more importantly, the cybercrime cartels themselves want to hijack your digital environment, whether as an individual or a corporation, and then use it to attack everything that trusts you, whether it's your customers, your friends, or your families. Even for the listeners out there that don't own a business, who are like, I don't have enough money or whatever. I'm not a target for cybercrime cartels. Wrong. Think about the most powerful people and organizations that you communicate with, and that's why they'll attempt to hijack your digital presence and use it to attack that constituency.
So it's very important that you participate in the community of defenders and participate in these fraud task forces, which exist in every major city, by the way, including overseas, and share information as it happens in real time.
Kim:
So, being the devil's advocate a little bit, and nothing against the government, I spent about 10 years in the Navy. So, you know, there is this general consensus, and we see it on social media. We see it on TV that you call the government, they're never going to help you. You have to go through 50 different people to get to the person that you want.
I experienced it a long time ago when my identity was stolen. When I was in this industry, that was probably 15 years ago, but it was daunting. You know the loopholes I had to go through. Times have changed, and I'm just talking about me as an individual. So say a huge corporation wants to call on the Secret Service. How are they gonna do that? Do you just pick up the phone and call the Secret Service?
Derek:
Literally. Like, Google our office. If you, as Tom said, if you haven't built a relationship with us ahead of time, then do that. Google the Secret Service, find the local office that is closest to you, and there'll be somebody that will answer your call.
If somebody doesn't call you back right that very second, keep calling. You know, if we're not answering that very second, that means probably the President's in town and we just need to just take a time out for half a second. But we've set up our task force now that we try to have somebody available 24/7, and that's what we're there for. And a lot of these calls, a lot of these attacks happen on the weekends, they happen on holidays.
And, yeah, Google the number. Call the number. We have a 24-hour phone service. They'll get a hold of us.
We'll get answers to you as quickly as we can. We'll try to have somebody boots on the ground as quickly as we can. And as Tom said, we've got them all over the world. We've got London, Rome, every state in North America. We've got somebody there ready to go. So that's exactly it, Kim. It sounds pretty simple, and it is.
Kim:
Well, that's good news to hear. I mean, I think it has to be with the way, you know, cybersecurity, you know, just the breaches, how they've evolved that they're not getting any better. But there are good stories out there too. So let's talk about that for a minute. Let's talk about some of the positive things that you're seeing out there, what you guys are stopping, what you guys have collaborated together on, and, tell us some of the positives because we just always hear about the negative.
Tom:
So I would, again, underscore what I said earlier. The unprecedented information sharing and collaboration by the Secret Service, FBI, CISA, and the NSA has really been historically significant in us dealing with the cyber siege that's been leveraged against us by the Russians, the Chinese, the Iranians, and North Koreans. Had there not been unprecedented declassification of the attacker's information, of the attacks being leveraged, we would be dealing with massive failures of critical infrastructure and perhaps kinetic events that would have led to the death of people in the U.S. So I think that's a huge success. The challenge that we're facing though is you have four rogue nation states that literally treat their cyber criminals as cyber militias, and they enjoy this protection racket from Western law enforcement. And that's something that needs to be dealt with at an international level, which is why the cyber fraud task forces have expanded overseas as well.
Kim:
And, Derek, I'll let you take it from there.
Derek:
Yeah. Absolutely. So we've had some really good success in shutting down business email compromise attacks, BEC attacks. And that's when the bad guy's able to get into your system. He manipulates your email system, and then he cons somebody along your chain of money, either your bank or your escrow company, your insurance company, your attorney's office, whoever it might be, conning you into sending money in large amounts to a false bank, you know, to a new bank account and, basically, a man in the middle attack. And we've had some great success with people notifying us within that 72-hour window, which we've talked about in the past.
Seventy-two hours is not a hard and fast rule, but that's kind of the general rule. If you can notify us once you've been hit with a BEC attack or business email compromise, we can shut that down, and we can reverse that wire and get that back to you. We've had some great success even just this year. We had one back in May.
A company here in Colorado was hit, through a construction company. It was somewhere around $900,000, and they had wired the money on a Friday afternoon. They realized, hey, we made a mistake or the CFO got involved and realized somebody hadn't followed internal controls.
So they called us on Monday morning, and we were able to reverse that attack. So that was a huge win, and we've had multiple of those just in BEC attacks alone just this year.
There's been also a couple news stories that have hit. Our New York field office was able to indict four gentlemen of West African descent. They had attacked the country for around $50 million in business email compromise attacks. They indicted those gentlemen. I believe three of the four were arrested immediately. The fourth is, I believe, overseas, and so I'm not sure exactly his status right now. But that's good to know because, you know, in the past, we've heard that once the money goes overseas or once they go overseas, it's pretty much gone, and it's not always the case.
We've been able to, with our partners in Europe and around the world, put hands on some of these guys. I also will mention, you know, one of the other ones I mentioned a lot is, you know, sextortion. That's another talk about evolution and attacks, especially with teenage boys. That's been a huge one these last two years.
And there's been a lot of notoriety in the media because of some of the things. There was a young man, I believe, in Michigan that actually committed suicide over this because he was so distraught. The FBI went over to Nigeria and arrested the two gentlemen they could connect to. So, again, that's another huge bonus for the good guys and another myth buster that once you're overseas, you're untouchable.
So those are just some of the highlights that stick out in my head. We could dive into a few more if you want.
Kim:
Yeah. I would love to.
Tom:
Can I add to that?
I think the recent prisoner exchange with Russia illustrated the effectiveness of Western law enforcement. But sadly, Putin prioritized the release of two prolific cyber criminals, both of which were, essentially, prosecuted by the Secret Service. One of which was the son of a very powerful and significantly connected Duma member, and the other one who was famous for hacking banks and the SEC, conducting digital insider trading. But because of the fact that these cyber criminals are part of these prisoner exchanges, I think it actually highlights the importance of the work and the successes that we've had regardless of the end result, I would say. Also, technologically, I would say this. We, as a community of defenders, have been faster to detect and respond to cyber incidents. It's gone from hundreds of days to realizing a system's been compromised or a network's been compromised, okay, to a couple months.
I know that doesn't sound great, but it's getting better. And, also, most of these cybercrime cartels, the ultimate way they get in and out of systems is through what's called a zero-day attack, which is the exploitation of a vulnerability in an application that's never been seen before. We actually have technology now that can defend and stop that type of exploitation at the application layer through what's called ADR. So I do think technologically we've had successes, and we have made them feel pain, but we need to appreciate the fact that this is a systemic problem and it's very organized.
Kim:
So we actually have a couple of comments from some of our LinkedIn Live people. And just so you all know, our community knows we have two different sets of listeners. One side is on And Security For All through VoiceAmerica.
So we have our listeners on the radio show, which is any place you listen to your podcasts, and then we have people on LinkedIn Live. But Josh Jackson, thanks for being here today. He said, with cyber attacks becoming more frequent and targeting critical sectors like health care and municipalities, what are some of the practical steps and strategies you think organizations can take to better protect themselves? Any specific tools or approaches you found effective? So I'll let both of you weigh in on that question.
Tom:
Yeah. You know, and this is a red line to me, hospitals being targeted and, you know, EMS services being targeted. The Russians have done this quite frequently, and I'm surprised that the U.S. government (forgive me, Derek, it's not on you) hasn't launched proportional attacks against the Russians for doing this, because it does inhibit response times as well as, you know, quality of care in hospitals.
So I would say, in general, obviously, back up, have immutable backups. Leverage micro-segmentation to limit the capacity of the adversary to move freely through the environment once they're in. Deploy runtime security to defend your applications, which is how they're getting in, from being exploited in the first place, and expand your threat hunting. Conduct regular threat hunting across your environment to look for those behavioral anomalies because many times, they sit there and they linger and they're conducting reconnaissance from within your environment on you, the victim. And then lastly, you know, participate in these task forces.
Collaborate, engage and pay attention to the information being shared.
Kim:
Derek, I'll let you take your input on that question. It's a lot.
Derek:
Yeah. Absolutely. I'm going to plug Tom's company in here, because Contrast Security is one of the best companies out there. They've actually pushed zero-day attacks, or intel, to our task force before.
So, you know, be involved. Make sure you're with a good company. You know, use their software. Use the tools that they have.
CISA is a great organization out there, part of DHS, and we're partners with them. The regional managers here are fantastic in Colorado.
They're one of our biggest advocates, and they actually recruit better than I do personally. And so go to them. CISA will come in, and they'll proactively scan your systems.
Part of that is you're going to build a relationship just as we talked about. So down the road, if your incident response teams are looking for a contact, they're right there. You've got them in your back pocket. So get involved with CISA.
Reach out to them. You can go to cisa.gov, and they've got all kinds of tools and resources that you can dive into. On top of that, Tom, you know, Tom hit some of the more advanced. I'm going to take a step back and just go back to some of the more basic ones.
You know, he mentioned microsegmenting your network. You know, clean up your admin users. It's amazing how many times we step into a network intrusion attack, and you've got the old administrator that's still in the system, and they have full rights. And the bad guy was able to get a hold of that user account and do anything he wanted.
The other thing I think we mentioned is the ransomware attack. One of the big hits we had here was an organization that had a Windows 7 machine over in the corner. I think the administrator was surfing fantasy football or something with it, and that's how the bad guy got in. So just do a basic cleaning of your system, and for the little things that you think, oh, there's no way that would ever happen, make sure they don't happen.
Kim:
Okay. And then we had, I have to look over at my other computer because there's an engine that pops up here.
Jake Hedgecock said, I agree. Utilize the attachés in other countries and kill chains that become successful in reversing the fraudulent wire transfers. Well, I want to have your input on that, and maybe give us some examples of how that happens. I mean, how is the CFO still wiring this when it's fraudulent?
Tom:
As the son of a foreign service officer, I love the fact that they're pointing out that the attachés overseas, the cyber attachés that now exist thanks to the modernization of the State Department, are quintessentially important in garnering cooperation from local law enforcement and the financial sector therein. But, Derek, you can highlight here that it's very possible to unwind fraudulent transactions within a certain period of time as long as you're coordinating with the Secret Service and FBI. Do you mind describing that?
Derek:
Yeah. One hundred percent. And that goes back to that kill chain we talked about, which is if you can get notification to us and then we can get out to the Financial Crimes Enforcement Network, which is a network of financial institutions, most of those can be reversed, especially if they're within 72 hours. Again, it's not a hard and fast rule because we've had examples.
We had one here in Colorado where the organization sent $250,000 to an organization. They didn't actually wire the money. They wrote a paper check and mailed it. And because the mail service wasn't working as efficiently as we all think it should, it took a week or so to get there.
And they mailed the letter here to the United States to a bank or somebody here in the United States. We were able to retrieve that. But we've had multiple attacks like this, most of them business email compromise, but even some romance scams where people will send large amounts through wire transfers, to these banks. So one of the big hits right now is just a simple attack.
The bad guy gets into your computer. He will manipulate your email forwarding rules. So, basically, any email that I send to Tom, if a bad guy were to get into Tom's system, he could forward those emails to the bad guy. And then I could get in the middle, and let's say Tom and Kim exchange money every Friday afternoon.
If I know that and I'm in Tom's system, I can con Kim into changing: hey, Kim, this is my new bank account. Instead of wiring the money to my account here on Friday afternoon, we've changed banks. We've changed bank account numbers.
Just wire it here instead. And you would think that it's such a simple concept, but that's exactly what's happening. And a lot of CFOs are finding this out on the tail end when they realize they've been attacked, because people, accountants, project managers, whoever it is that controls the money, didn't follow those internal controls and didn't verify. And a simple phone call could be your multifactor authentication. So your person-to-person contact on a phone becomes that second authentication.
And so that's an example of what we're seeing, quite a few of those right now. In fact, 25% of the attacks the Secret Service was called on this year were business email compromises. And a lot of those do go overseas, but a lot of them stay here, and we're able to reverse those. We had another perfect example. I'm thinking it was a big company here in Colorado that wired a large chunk of money to, I believe it was, Ohio.
An older gentleman who lives in rural Ohio walks into his bank and asks to wire $250,000. And the bank teller was struck and became very suspicious, because she knows this customer and realizes, hey, this guy shouldn't be having this kind of money. And he was a money mule. He was basically the middleman for the bad guys overseas, and he was trying to wire that money, I believe, to West Africa.
And so that bank was able to get involved. They froze the money. They called us. They called the FBI, and we were able to reverse that money and get it back to the victims here in Colorado.
So it works, and we've had some great success with it.
Tom:
With the verification bit, I think it's important also that people realize that Signal is a great application to use to send encrypted, secure texts for verification.
I don't work for Signal. I don't invest in Signal. It just is. It's widely used by law enforcement and by CISOs around the world.
Signal is a great way to communicate and verify. And I think that even with family members, I have an elderly mother. Okay? I have a password with her, in case someone tries to deep fake me and tell her to send me money or I'm kidnapped or something.
And I think we should all develop that sort of system within our families and particularly with our heads of finance or anyone that has the ability to move our money.
Kim:
Do you think we're becoming too comfortable with Venmo? I mean, simple little things like my housekeeper or somebody that does a small task, you know? And then there are people out there that are showing who they're Venmo-ing. At least my account's private, and I have a security code on it. But what do you think of those? These are the small people. These aren't the big people, but they're almost just easy targets.
What are your thoughts on those, like PayPal and Venmo and these new things that just the everyday person is using?
Tom:
I wouldn't perpetually link your Venmo account to your bank account. It's safer to link it to a credit card or to load up money specifically when using it.
Venmo's probably more secure than most, as is PayPal, but, you know, fraud does happen. So limit the amount of money that they could actually steal from you in that regard. Obviously, yes, definitely make things private. I would also make sure they're using two-factor authentication, right, on a regular basis. One thing that people aren't aware of, though, is that the most sophisticated criminals out there can compromise your device by cloning your SIM card, which is like the brain of your phone. And all you have to do is call your phone carrier and lock your SIM.
Okay? And then if it's locked, they can't clone it. And the reason why that's important is, you know, sometimes you get those texts that send you the random number generation to verify who you are when you want to access something. They can't get in the middle there, as Derek described, to compromise that. The only time you want to unlock your SIM is when you're getting a new phone or you want to basically exchange devices.
Derek:
And I agree. Tom hit on a couple of things. Number one, having a password with his elderly mother. Man, that's huge.
And I do that with my kids. And we mentioned AI. Kim mentioned AI at the beginning. AI is going to make that harder and harder, and we've seen that already with the, you know, I'm trying to think what the term is.
Grandma gets a phone call, and an AI says, hey, your grandson has been arrested. If you wire us some money, we'll release him. That's a tool; AI is stepping in and making it harder for us to detect whether that's bogus or not.
So for example, I've told my kids, we have a password. I have a running password with my own kids. Hey, if you get a text, you get a phone call, you know, challenge them.
Challenge that person, challenge who owns that, who's on that other line, and ask them for that password. I think that's just a simple, common sense thing that can go a long way.
And Tom also mentioned Venmo, private, public. It's amazing. I still chuckle when I exchange some money with my family members in other states through Venmo, and then their accounts are not private. I can see exactly what they're doing in all shapes and forms.
The one challenge with Venmo or Zelle, compared to the old system with, say, a credit card, is that if I use my credit card, I've got 30 to 60 days, right, through my bank. If somebody does charge me fraudulently, I've got a buffer there. I can check my bank account or my credit card account every day online, or I know I'm going to get a statement at the end of the 30 days. You at least have a little bit of a buffer there.
So be careful with some of those electronic payment systems, especially if you're not using them privately, and also if you're not doing that multifactor authentication, then you're just exposing yourself dramatically.
Tom:
That's a great point.
You know, to the credit card comment, which is spot on, everyone needs to realize that you shouldn't be using your debit card anywhere. You're liable for losses on your debit card. You're not liable for losses on your credit card.
And don't ask me why that is. It's just the reality of life. So don't use your debit card anymore. Switch over to your credit card.
Also, again, I don't own Apple. I don't invest in Apple, but I'll say this. Apple Pay, what they do there is basically when you add your credit card to that, it will automatically create a random number associated with each transaction so your card can never be compromised when used with Apple Pay.
Kim:
Yeah. I'm a big believer in American Express because we're Futurecon. We travel all over, and they're just great. I mean, I feel like they're texting you if they think it's fraud, you know, and your debit card, your bank's not texting you if they think it's fraud.
So, people should be really careful, because unlike you, Derek, when I maybe send something to one of my daughters and it's private, I can even see, you know, her friends exchanging things for Starbucks or something. I'm like, oh my gosh. You guys need to stop that. You know?
It's crazy.
But, again, that's just some low-hanging fruit out there, and, you know, I tell my kids, do not connect any of that stuff to your bank account, because that's your money, and I'm not going to refund your money if you get defrauded.
That's going to be a good lesson for you.
Tom:
Kim, can I highlight something, though, that a lot of people think, you know, Macs are not vulnerable to cyberattacks? That's a myth. You definitely need cybersecurity on all Apple devices.
In addition, we all have routers at home. Those routers have multiple networks. You should dedicate one network to anything you do that's sensitive, like finance or work. I call that digital distancing.
And then lastly, I mean, obviously, we're using multifactor authentication, hopefully. But on Tuesdays, the major technology companies issue their patches, their critical updates, which are like steel plates in your basement that stop a tunnel that's been created by a hacker metaphorically.
Those updates are literally more important than anything that you're doing. So make sure you update all your devices, all your applications, everything on Tuesdays to make sure that you put those steel plates down.
Kim:
I'm sure there's a lot of people going, wow, how am I gonna do that? You know, especially if you're not technical.
Tom:
You can put it on auto update, frankly. And then when your computer or your device notifies you that there's an update, trust me, it's more important than whatever you're doing. Because, basically, you're now exposed to the dark web if you don't apply it.
Kim:
Yeah. I mean, that's great advice, and there probably should be a whole show in and of itself on, you know, just the things that we have. You know, it's funny. I was pulling prizes yesterday at our Columbus event, and one was, you know, one of those digital photo frames, you know, that little AI thing in your house that you just upload your photos to now.
And I just had someone on the show, and we were talking about the different AI things in your home that are making you vulnerable. I mean, now ovens, your fridge, everything is AI. So what's your advice on all of that? But going back to the little photo thing that just rolls.
Yeah. I think I got one for Christmas, and I just don't have it plugged in. I haven't used it, because I haven't wanted to figure out how to use it. It wasn't because of security yet, so it's probably good.
Tom:
No. I get it. I hear you, and you can't really avoid that given modern technology. But look, obviously, update those devices regularly or set them to auto update. Definitely create passwords for those devices, like sentences versus passwords themselves.
And then most importantly, put them on that other network. Consider it a dirty network. That digital distancing that I referenced, dedicate one network to all the smart devices in your house. Dedicate one network to that computer that you use for the purposes of work or finance. That way, even if those devices get corrupted, they can't pollute the computer that does the most sensitive things.
Kim:
So we have probably less than, about 10 minutes left. Derek, kind of go back to some of the Secret Service, some of your insight, advice, you know, maybe something that you've witnessed that might be a little chilling to you that could have been avoided? And let's just kind of focus on that for the last 10 minutes.
Derek:
Yeah. Absolutely. Love to.
I think I'm still amazed every day at the simplicity of some of the attacks that people are falling for. It is the old crown prince from Nigeria trying to get out of that country. We used to get those emails. We used to get those letters in the mail saying, hey, give me $500, and it will get me out of this country. I'm being held ransom. You know? And we used to laugh.
We laughed then. We still laugh now if somebody falls for that. It's amazing, and I see the IC3 numbers, the Internet Crime Complaint Center from the FBI. If you go read their numbers, the numbers don't lie.
Besides business email compromise, the number one attack in the country in the last year cyber-wise is the investment scam. And you're talking, I think it was, $4 billion of investment scams, and most of those are just pure false advertising: fall for a romance scam, fall for an elderly scam, fall for whatever it might be. So I think, number one, take care of yourself. Be uber careful.
When you think about sending money to anybody, make sure you do some due diligence. Make sure you're using multifactor authentication, but maybe even more, talk to somebody. You know, I give the alarm, or I try to give a warning, and Tom mentioned his elderly mom. I have an elderly mom, and I give her the warning that, hey, you are now a new target, especially when you're a widow or you're a widower. You don't have that partner there with you to bounce off ideas. So it's amazing how many people fall for these scams.
We had a woman not too far from our office right here who fell for one, $3.4 million. And some of that is going through crypto, the crypto world, but a lot of that is just going through wire transfer. So I would just go back to that: be careful of what you're doing in your world, like Tom's saying, your own network. Be careful what's going on on your own phone, and then start expanding out.
Look at your family, and that's kind of a natural thing. Right? Look at your family, your kids. But also, if you don't have any kids or you're older, look at your parents, look at your grandparents, look at your uncles and aunts, those who might be susceptible to these things.
And then we've kind of skipped over a little bit of the kids. Teenagers. Teenagers are so susceptible, especially to – we mentioned sextortion for a minute. So many young men are falling for that, because they get on the hook and they're desperate.
And they're literally committing suicide over that, because they're in such a world of desperation.
So be careful. But also, kids that aren't falling for that are falling for other scams. And you'd be amazed how many young kids fall for just, they'll send $50 to a bad guy through Venmo or through Zelle or something, and then the bad guy has him on the hook, and he'll try to milk as much out of him as he can. So I'd say, number one, look out for yourself, look out for your own world, your own network, look out for your family, and then start looking out for your partnerships. And that's where we step in. You know? If you need a partner, reach out to us, and we'll try to help you as much as we can.
Kim:
Well, when you're talking about some of the extortion, I mean, with OnlyFans out there now, you know, I mean, that's exploded. Are you seeing issues with that now? Because I would imagine there is a lot of extortion going through that.
Derek:
I don't know if we've seen OnlyFans or not. We've seen a lot of extortion cases where kids fall for just that, and it's usually just that first step. Once they get him on the hook, then they've got him, and they can manipulate that poor kid, because now he's desperate. He's scared to death.
He's embarrassed. He doesn't want mom and dad to find out. He doesn't want his girlfriend or boyfriend to find out. And so they just make some really rash decisions.
And if they just had someone they could trust, even for just 30 seconds to a minute, to just say, what do I do here? And that's what we try to preach and say, hey, try to be that person to help that kid, whether you're mom and dad or a friend, law enforcement, you know, network security people, whoever it might be. You know, try to be a safe place for that kid.
And then, again, make sure you watch out for your own, number one.
Kim:
Well, Teresa Gerke, thanks for tuning in today.
Looks like she is the founder of, I may be saying it wrong, Popsicle. And she said it's addressing kids online safety.
So please use a trusted source. And we actually had a sixteen-year-old girl yesterday who was a volunteer in Columbus, Ohio, and she's, yeah. I mean, I can't believe the things she's doing, helping the little kids out there, because we need more of her. I mean, my kids are now adults, but I do have grandkids that are little now. And I'm more worried about them than I was for my own kids growing up, just because of what's happening online.
Tom:
You know, cyber self defense extends to everyone in your life. So the tips we've given here today as an individual, you should make sure that your family members and friends are also adopting those tips because if they get compromised, more than likely, you'll get compromised because you're going to implicitly trust communications from them.
One last point on this. Smishing, spear phishing via text message, is huge, obviously. You should not click on links in random text messages. I don't care if it's UPS or the US Postal Service telling you that some order or something that you may or may not have paid for is coming and when it's coming. Please don't.
It's quintessentially important that you don't because you can be compromised immediately, and that's how they'll hijack your SIM.
Kim:
And it's still fascinating to me when Derek was talking, you were using the scenario of me and Tom having a conversation and him, you know, being the CFO. The CFO would actually really trust that, or maybe the other user would trust that the CFO said, hey, we have a new bank, wire to this, and that person would not pick up the phone and call and say, are you sure this is right? But, I mean, I hear this.
You see what I do. I'm listening to cybersecurity experts all the time every couple weeks. So it's just baffling to me that something as simple as that is still happening.
Derek:
No. Absolutely, Kim. And that's what we're trying to do. If we can just bring it to the forefront of your mind even for a split second and make you hesitate just for even a second and just run it by somebody else.
Hey, you wanna look at this email I got? Look at this text I got. Does this look legitimate?
Even just that half a minute, 30 seconds of looking at that, hopefully, will save who knows how many millions of dollars. And then I think finally, just the last thing I want to say and Tom's already mentioned it. Take care of your own network, take care of those around you. It's a different world.
2024 is different than 2022. And the bad guy's getting in your system, and he wants to take everything. They can be ruthless. They don't care how they get it, or they don't care what they do to your company.
They can damage you in all kinds of shapes and forms, even more than just monetarily.
And so be careful out there because that's what the bad guy wants to do.
Tom:
And they will stay in. Remember this. They will stay in until you get them out. So, for example, when your antivirus or security software finds something and it kills it or cleans it or quarantines it, that means you got to change all your passwords immediately because that thing's already taking your passwords. What's changed since 26 years ago when I began in cybersecurity is it's gone from burglary to home invasion. They want to use your digital persona and presence to attack your constituency.
So you don't want that to happen.
Kim:
Well, we have, if you guys want to take about 30 seconds and just remind everyone how they can get a hold of you guys. And, one final thought. We have about two minutes.
We'll start with you, Tom.
Tom:
Yeah. Look. I'm here to help. I'm passionate about, you know, trying to civilize cyberspace, although it's probably a futile endeavor.
You can find me on x or Twitter, TAKellerman.
And look, in general, we need to expect more from businesses. Governments need to invest more in cybersecurity. It's a functionality of doing business, not an expense.
And I would recommend that all of you who heard me today, who actually appreciate what I have to say, educate your family members and your colleagues on best practices to protect organizations and yourselves from what is an ongoing siege.
Kim:
And Derek?
Derek:
Yeah. Thanks for the opportunity, Kim and Tom. This has been great. I can be found on LinkedIn as well, but you can also just Google Secret Service and call whatever local field office is closest to you.
I'm in the Denver field office. If you want to get a hold of me, you can call our office here, and I'm happy to help. The scariest words in the English language are I'm from the government and I'm here to help.
We're trying to change that. We're trying to be helpful to you as much as we can through our partnerships, through our friends that are out there that are willing to help. And there are so many. There are so many like Tom, like Kim, so many detectives and technicians who just wanna shut down the bleeding from things that you're going through or attacks that you're going through.
And the education is getting greater and greater out there, so law enforcement is getting smarter and smarter. So we're just trying to help.
Kim:
Well, great. Thank you, Tom and Derek. Thanks for spending this past hour with us. Hope to see you.
I know Contrast Security has signed up for about a year of our show. So hopefully, we'll see you both together at our shows and love to get the Secret Service more involved in some of our keynotes throughout North America. So thank you guys for being here today. And, for all of our listeners, thank you so much for joining us today.
I hope you guys have a fantastic weekend wherever you are. Stay safe and stay secure. Use this information to have conversations with your family this weekend. Thanks, everyone, and we'll see you next Friday.
Speaker bios:
Derek Booth
Assistant to the Special-Agent-in-Charge, U.S. Secret Service, Head of the Mountain West Cyber Fraud Task Force
U.S. Secret Service ATSAIC Derek Booth is one of the founding members of the Mountain West Cyber Fraud Task Force (MWCFTF) which consists of 200+ members of federal, state and local law enforcement, network security personnel, private business owners, and academia partners in the Rocky Mountain Region. The MWCFTF’s mission is to stop, deter, and investigate cybercrime in the Mountain West States while supporting task force partners in investigations including Ransomware, Network Intrusion, ATM & Gas Pump Skimming, Business Email Compromise, and Computer/Cellphone Forensics. Derek became a Forensic Examiner in 2012 after spending his first 13 years on the job protecting a plethora of dignitaries including President George W. Bush and family full-time. Derek graduated from Southern Utah University with a Master’s in Accounting and is originally from St. George, Utah.
Tom Kellermann
Senior Vice President of Cyber Strategy at Contrast Security
Tom Kellermann is the Senior Vice President of Cyber Strategy at Contrast Security, Inc. Previously, Tom held the positions of Head of Cybersecurity Strategy for VMware, Inc. and Chief Cybersecurity Officer for Carbon Black, Inc., wherein he authored the “Modern Bank Heist Report” for the past six years. In 2020, he was appointed to the Cyber Investigation Advisory Board for the United States Secret Service. On Jan. 19, 2017, Tom was appointed the Wilson Center’s Global Fellow for Cybersecurity Policy. Tom previously held the positions of Chief Cybersecurity Officer for Trend Micro, Inc., Vice President of Security for Core Security and Deputy CISO for the World Bank Treasury. In 2008, Tom was appointed a commissioner on the Center for Strategic & International Studies' (CSIS’) Commission on Cyber Security for the 44th President of the United States. In 2003, he co-authored the Book “Electronic Safety and Soundness: Securing Finance in a New Age.”