Root Causes 238: Tim's Big Phishing Adventure

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

August 15, 2022

In a personally unprecedented occurrence, Tim's identity as a Sectigo executive is being used in a "waterholing" phishing scam intended to raid job seekers' bank accounts. We describe what is going on, how we found out, and the challenges in combatting such an attack.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanThere’s a thing that’s been going on for a little over a week now, which is that there is a persistent of phishing attack that is occurring that is using my personal name, my identity as a Sectigo executive and the Sectigo brand name in order to perpetuate this phishing attack. And I’ve never been in this situation before, and it’s really weird, so we thought we’d tell you guys about it.

Jason SorokoI obviously have a lot of interest in social engineering and a lot of interesting cybersecurity. It’s something we talk about a lot in conjunction with PKI and other topics we have here on this podcast. So, there are so many ways we could start with this, but one thing I know about cybersecurity issues is it’s tough to quite often detect a problem like that yourself, especially if the phishing attack is purely external. So the compound question here is this something that you discovered, that you were told about?

Tim CallanHow do I even know this has happening? Somebody is going to job boards and they’re finding people who are looking for work, and they appear to be targeting graphic designers in particular. Don’t know why. And they are reaching out to them, and those people have their contact info. They have an e-mail. So they’re reaching out them by way of their contact info, and saying that they are me as an executive for Sectigo and that they are hiring a graphic designer. And they put these people through some kind of interview process, and I’m not sure if that involves actually like speaking to a person or not, but at the end of it, we say, congratulations, you got the job. And they send them a form to fill out, and the form includes PII and banking details. So that’s the scam. Because that’s how we’re going to pay you. See. So that’s the scam, and what they do is they’re trading on these people’s desire to have a job, cause we know that social engineering phishing in particular creates urgency. So in this case, I want work, and presumably this is exciting work. It’s work they consider to be good, and so I take action cause I got that urgency. We know that isn’t really right. That’s not a real employer. So, how did I find out? Well, fortunately, or some subset of people at least are informed enough at this late day and age that some of them said this smells fishy to me, no pun intended, and they contacted - - So starting about a little of week ago, they started to come in through multiple formats. Some people would contact Sectigo. They’d contact our customer service or our press was another one and they’d just say, I’m being contacted by this guy, Tim Callan, I can see him right there on your website. Is this real? And then those people contacted me, whoever got that mailbox, contacted me and said, is this real, and I said, no. Tell them no. And then I also got people finding me directly on LinkedIn. That was actually the most common one. And contacting me directly on LinkedIn cause it’s easy to find me – Tim Callan, Sectigo, boom, there you go, and sending me direct In-mail messages saying, I’m supposed to be interviewing with you tomorrow at 3:00. Is that real? And so in all those cases, we said no, but of course, the problem is what about the people who never reached out? They don’t know.

Jason SorokoThis is a problem. Obviously, I would categorize this as almost like a water holing scam, isn’t it? It sounds like there’s a particular niche of people that they are going after with a particular set of skills and utilizing a legitimate name, a known name in the industry, and I can see how this would be very effective social engineering. That was my next question. Is what ultimately was the mechanism here that they are going after the target, and it looks like it is fraud, which is, that’s just, it’s terrible.

Tim CallanIt seems to be good old fashion banking fraud. I don’t understand why they seem to have chosen graphic designers in particular. Maybe they’ve got their routine worked out for how to “interview” somebody. Maybe you don’t really need to have an interview. Maybe you say send me your portfolio and oh, I love your portfolio, write a little paragraph about how you did this. Maybe there’s a way to avoid the human to human contact and have it still be a plausible story.

Jason SorokoIsn’t that interesting? Because I think there’s probably a lot of truth in that because this is why you hear about water holing so much. There’s obviously a lot of generic social engineering there.

Tim CallanJust define for the listeners what you’re, as you like to tease me about - your pithy definition, Jay, of water holing.

Jason SorokoWater holing is essentially when you as the social engineering bad guy are targeting a very specific niche, specific group of people who have some kind of common interest. And that common interest could be you are a CEO or you are a CFO, you are going to be hanging around financial services, financial boards. Quite often that common interest could be a developer in C-language, and you might have a favorite message board that you look at. And the reason why you use that term water holing is because people with like interests are coming to a water hole.

Tim CallanYou imagine a predator at the water hole waiting for them to come to the water hole and get them. That’s metaphor there.

Jason SorokoSo I think that term, that water holing attack in terms of just being a variation on phishing seems to be what’s happening here, and I think it is exactly what you’ve just said. They probably have the routine down. They’ve got their words down just right for the kinds of things that a graphics designer, a graphics artist might be very familiar and comfortable with being asked, send me your portfolio. I think you're exactly right, Tim. I think you're on to something there.

I just think it is terribly unfortunate, and the main reason for bringing it up on this podcast is, my goodness, if you're being asked for your banking information, I think first of all you should question it straight up. There’s so many other ways to make payment for things that are legitimate, but as well, for anybody who might be coming across Tim’s name with this intent for phishing, I think it's very good, Tim, for you to have been explaining here what’s going. What a terrible thing to happen.

Tim CallanIf you happen to be a listener of this podcast, know I am not hiring any graphic designers, so don’t worry about that. I think the other thing that was interesting here for me, Jay, is and I know this, in the abstract but you see it illustrated in real life, is how difficult it is for the brand that is being targeted to combat this thing. Like an unknown person somewhere in the world is contacting other unknown people somewhere in the world and spoofing my identity. How do I detect them? How do I know? What do I do about it? It is very difficult.

Jason SorokoTim, it’s interesting in that at the corporate level there are reputation services that go out there and scan for things. I think a lot of those services simply came out of scraping for headlines. That was something that was common, just look for headlines within an industry, and you could subscribe to that service, and that morphed into looking at various websites, looking at forums, looking even in the dark web. Where is my name showing up? Where are my employees’ credentials showing up? I think that this even needs to go further in perhaps in other forms. Anything that would public.

Tim CallanNow this goes to the DMARC conversation. So one of the things you can do is you can use DMARC to control the senders that popular mailboxes will accept with your domain. So I prove that I am whatever domain.com, and then I can put in the DNS that only these senders are allowed to actually give you an e-mail, and if you are DMARC compliant e-mail receiver, which all the popular webmail ones are Google and Apple and Hotmail and Yahoo, and Outlook is, and the major ones will all honor that. So if you’re not an approved sender you will not be able to send something that appears to come in with the exact same domain. So that’s a good tool, and that’s something that the brand can control. In our case, I won’t say what it is I guess, but they had a spoof, they had a Sectigo attached to another word domain that somebody might credibly think is Sectigo and yet is not a domain name that Sectigo actually owns and controls because we do use DMARC for exactly that purpose. But it doesn’t do any good if it’s not your domain and you don’t control the DNS. So DMARC helps, but it’s not perfect.

Jason SorokoTim, something that is interesting to me and this something we can explore in future podcasts – let’s say you were talking to somebody who was legitimate and you really wanted to prove that. For example, if you were a dissident in a country that you were in opposition to and you wanted to get messages out to a journalist New York Times, something like that, there are mechanisms to do that and to actually be able to verify who a person is, and that’s something that I think you and I can explore. This is probably beyond what a person would do if they’re simply looking for a job. But on the other hand, I think that we will exist in the future at some point, especially with distributed computing systems, the ability to share verified credentials with each other.

That’s probably not something that exists today in massive scale, but I think it will be something with distributed identities and as that kind of world develops, that, in conjunction with, as you say, DMARC just for standard e-mail communications, I think those are things to be aware of in the future. And if you’re a real sharp person who is looking for a job and you want to really know if it’s Tim Callan, I mean just going out to LinkedIn and saying, Tim - that’s probably your best bet because you know Tim’s a good guy, and he will set you straight, but on the other hand, if you really were in need of verifying somebody, there are ways of doing it, and it’s something for us to talk about down road.

Tim CallanWell, now you’ve got me thinking about things like eIDAS certificates. I can get a certificate as an individual in Europe that identifies me as an individual, and I prove who I am and that I have that digital certificate that’s yoked to me and so we’re taking steps in that direction, and, I agree with you, you gotta imagine in the long run this is where we’re gonna wind up. The question is how long is the long run and what has to happen between here and there. And then the other thing just to unpack, you were talking about this to some degree, is and I think you hit an important point, is to some degree it matters how high valued the interaction is – like you and I did a podcast some time ago about how people have had some very expensive errors. We talked about the $3 billion contract that was lost because they didn’t do things right, and under those circumstances you can see putting a great deal of resource into this. On the other hand, if you're talking about a consultant graphic designer who is probably early in their career who probably doesn’t have vast resources to spend, who probably doesn’t have a lawyer on retainer, then for that sort of thing to work in that sort of circumstances, it’s got to be just simple and foolproof and ubiquitous.

Jason SorokoAbsolutely. It really has to be something that is – especially into the future – something that you can just pull up an app and there it is. It just works. I agree, and I think that in the long run, that is the goal. I think you’re asking the right question, which is how long is that going to be. I don’t think it’s going to be decades. I do think it’s going to be more than a few years though. That’s for sure.

Tim CallanI agree with you on both those points.

Jason SorokoTim, I’ve got one last question on this, just because I think it’s the natural question that anybody would ask, but what did it feel like to have your name associated with something like this?

Tim CallanIt’s rotten. It’s not so bad for the people who contact me because I get back to them, and I say no, that’s not me, I’m so glad you didn’t give them any information. I’m so glad you asked. And those people are rescued, and they don’t have a bad day, and that makes you feel good, but then you think, well, if I knew for a fact that that was 100% of them, that would be just fine, but if that were 100% of them, then this person wouldn’t be doing this because it wouldn’t be a revenue-generating activity, which means that somebody is falling for it. And those somebodies who are falling for it I feel bad. I feel bad for them, and I also feel to some degree like my name and my reputation are being damaged, and that’s rotten.

Again, you understand all this intellectually, but now, all of sudden you start saying, okay, I know what it feels like to be somebody in the branding team at FedEx or PayPal or Bank of America watching their brand being used in phishing attacks and being upset and being angry and feeling violated and not being able to solve it. Obviously, those brands are much bigger and more important than my little name but, it is weird and it makes you feel, it makes you feel bad. It’s a bad thing. Even though I’ve met some nice people out of this and some nice people who are smart and savvy, and that’s good, but it would be better it this just wasn’t happening at all.

Jason SorokoNo kidding. Tim, my own reaction when I first heard about it was, stop using Tim’s good name. He’s a good guy. So for heaven sakes, I know that so’s naïve in terms of the way the world works, but it’s just that was the first reaction.

Tim CallanAnd then where my little mind goes, my mind goes, the next thing, I thought, this would make an interesting podcast. And now we’re doing it.

Jason SorokoIt certainly was good to bring it up publicly. It’s worth maybe a blog, but in podcast format, it’s a good one, and I’m glad we got to air this out and hopefully make everybody think twice about if somebody’s asking you, I think it’s perfectly, perfectly not strange to hear from a corporate executive that I’m looking for people and then responding to it, but whenever somebody – even if you miss some of the signs that you might pick up such as the wrong domain - -

Tim CallanThe banking information - -

Jason SorokoThe DMARC pickups and that banking information, that is your tip and I’ll tell you something. This is the second one this week where I’ve heard people have given up their banking information. Folks, don’t do it. Don’t do it. You absolutely must verify before you do that to the point where, get to know the bank manager. Get to know the people that you are really are speaking to one way or the other, cause its – I’m hearing this just way too often, and as you’ve said, Tim, this is very effective social engineering, and it’s hard to catch.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!