
Hey everybody, welcome to Stephen Hatfield's presentation, "What the Smish." Stephen's a technology and cyber risk leader who currently serves as a manager of incident response and threat intelligence for loanDepot. Stephen's directly contributed to the success of financial services companies including Hilton Worldwide and, most recently, Santander Consumer USA, where he managed an incident response team. He's got an extensive background enhancing organizations' cyber response capabilities while reducing their risk posture. As for the talk: globally we're seeing a drastic increase in smishing attempts. This will cover lessons learned while trying to identify methods of takedown, attempting to work with telco providers to identify the groups behind this, and best practices for prevention. Y'all gonna give it up for Stephen?

Thanks everyone for coming out. I know it's late and the last talk of the day, but we'll get through it. So, a little bit about me: I've been working in IT since 2008. Before that I was just tinkering on my own; '08 is when the Army formally trained me. I did eight years active duty, did a couple of deployments. My last year in I was able to manage the AK-RNOSC, which is the fancy way of saying the Alaska Remote Network Operations Security Center, which is just a fancy way of saying the Alaska SOC. But yeah, I was able to manage that my last year in the Army. We controlled three bases throughout the state of Alaska, working with Hawaii, who managed us, so it was a lot of interesting work. As I said, I currently manage the incident response team and am co-manager of threat intelligence for loanDepot. I complain a lot on Twitter, mainly at companies when their security sucks. I like to yell, like when we find phishing pages that are blatantly obvious, like Outlook, things like that; I post those IOCs out. Random fun fact about me: I do pro wrestling refereeing, like WWE style. If you've been to any of the shows locally across Texas, you might have seen me before the last few years. And then I actually own a 15 acre horse ranch.

So, quick outline for today: generally cover what smishing is, show some real-world smishing examples, go over the prevalence of smishing, a vendor reach-out attempt that we made, the best practices, we'll talk about a group called the Industry Traceback Group, some ways that telcos and the government can help, and have a Q&A at the end. Legal disclaimer: loanDepot allowed me to speak here; I'm not speaking for loanDepot. Got it? Got it. Thank you.

All right, so show of hands: who has never gotten a smish? Everybody's got a smish. Awesome. So we all know it's when you get a text message with malicious intent. They can be pretending to be companies, they can pretend to be loved ones, they can pretend to be Joe Schmoe, doesn't matter; if the intent behind it is malicious, it counts as a smish.

A few examples that we've seen at loanDepot. The one on the left is actually an employee who was smished, or attempted to be smished, by their quote-unquote manager, who reached out saying "Hey, I'm in a webinar, can't talk, let me know if you got this." It didn't come from a known number of theirs, it wasn't their boss's direct number, so it was a pretty easy giveaway. The one on the right here was actually sent to a customer of ours, and this one is kind of interesting because it mentions Rocket Mortgage, who's direct competition to us, mentions loanDepot, and mentions Experian, which is a totally outside entity from the two of us. Basically it's somebody reaching out saying "Hey, I'm partnered with both of these companies, we realized that your credit was so good we can give you wholesale pricing." That's never happened that I've heard of; you don't transition from "I want to buy a house for myself" to wholesale pricing. So another easy dead giveaway. But they were looking for some basic information, estimated value of the home, how much cash you're looking to take out, to try and further get more information and possibly steal money from them.

A couple more. Both of these are the same general outcome: wanting gift cards. A grocery store, doesn't matter where, Apple, Google, you name it, they try to get the gift cards and they steal all the money off of them if they can, and ultimately the person left buying the gift cards and holding them is typically not able to get any compensation back.

A couple more real-world ones. Top left here, impersonating the CEO of Target. Bottom left is "Did you attempt a 750 purchase at Walgreens? If not, click this super secure link." It's called 53 secure.me, and "secure" is spelled with a one and a three. "Pending package by DHL," another common one. And then "Hey, we noticed a weird banking transaction, so if you don't think this is you, call this number," which won't match the fraud department or your bank's number. IRS; everybody's probably seen and heard the IRS ones. Amazon, bottom left here, is another kind of newer one; it's been coming out the last few years. And then on the far right we have one that everybody's kind of talked about today, the Uber hack. So how the Uber hack happened was an 18-year-old hacker social engineered an Uber employee for their password and then spammed the crap out of their MFA, and the employee finally got tired of it, we assume, hit accept and blindly let them in. They were able to scan the internet, found global admin and a PowerShell script, went on the Slack, said "I'm a hacker, y'all got owned." Made the news; pretty sure you all know.

So this says CEO; technically Anthony is now our executive chairman, he's not the CEO anymore, but these are direct impersonations of our executive chairman, Anthony Hsieh. These have gone to legal, which is hilarious when our legal team gets "Hey, can you help me, it's the CEO." They've gone to his direct assistants, they've gone to other employees, you name it, and it's always pretty much the same pretext, almost the same identical verbiage in most of these as well.

So, pig butchering scam. This isn't directly smishing; this entails social media, this will entail phone calls, sometimes Skyping, video chats, but it's basically an in-depth romance and investment scam. The victim's lured into a false pretense, tying in emotional and professional relationships typically, and then the criminals convince the targets to invest in crypto via fake apps, fake sites, sending them money to help them move to the country; there's all kinds of different things. This one's typically crypto, though.

So as the warning says here, it's only for educational purposes. The machine 404 is the person who coded this tool; it's called fake SMS, and he says he won't be responsible for your... But basically this is kind of an updated version of the Social Engineering Toolkit's SMS feature that they had, if you will. Dave took that out a while back because it was extremely dangerous. This one is actually using a specific website, and it only lets you send one text for free, but you have the ability to curl the website, and if you pay for API access you can curl it and start sending as many as you want. So you can send them personally, you can impersonate whatever number you want, send it to whatever number, send whatever text you want. Easy pay-and-go smishing scheme.

So a little bit more about the prevalence of smishing. In September alone there were about 15.6 billion spam texts sent. Texas, we do things bigger and better; we're leading, 1.3 billion in September alone. 66 billion have already been received this year, and it's about 28 billion or more that's expected in financial losses this year.

So this is a company called Windstream that my team reached out to directly, their telco provider. [Audience question] Yes, it did, Texas ZIP code, at least as far as I know; just Texas ZIP code or Texas destination. So, response provided. This is a company called Windstream; they do telecommunications. One of the smishes we received, my team basically hunted down where the originating number was. We then tried taking it direct to the telco because it was a landline, supposedly. Their very long result was "We can't help you, nobody can help you," basically, which is pretty interesting, because they go into detail: it's an industry issue, we're all trying to tackle this, there's no real way that any telco can do this, but if the person who received it calls and reports it, then they might be able to do something and trace it down, which is a 180 from what they're telling me directly. So it's kind of interesting when you hear that. Also, there is an anti-robocall principles agreement with the government that Windstream Services and other telcos signed on to, and all of our attorneys general, to provide this type of assistance.

So, best practices to try and stop this. iOS 16 just recently came out; they included a new junk SMS forwarding feature so you don't have to forward to any four-digit numbers or anything. If you aren't using an iPhone, you can forward it to 7726, which spells out SPAM on your phone. The FTC and wireless providers, telcos, created this to try and tackle the problem a bit. We've recently, on the loanDepot team, added this to our playbook as a step: if we get a smish, we'll have the employee, whoever gets it, do that. From what I understand, all they've really sent back so far has been confirmation of the number that it was sent from and a few details, and then they handle it on the back end there. And then reporting directly to the FTC. Technically that and the 7726 are going to be your best methods, if you will. The FTC reporting covers more than just smishing; it covers a whole laundry list of things, so weight loss, health scams, if you're getting fake service offers or job offers, if they're impersonating anybody, you can report all of that. It goes pretty in depth on the reporting: so if you got scammed, how much money did you give the scammer, how many times you might have given it to them, and then they want all identifying information and things that you can give about the situation and the interaction, without obviously posting PII and sensitive information. And then it gives a space to actually report on behalf of someone else, so as a company, if you're having to report a smish, you can report it on behalf of your employees, which is really tedious and annoying, but it's helpful, supposedly.

Best practices. So US Cellular offers a free Call Guardian application. T-Mobile/Sprint, which is who I have, offers Scam Shield. I switched over to Scam Shield two and a half weeks back, and I've received maybe one or two phone calls that I didn't know the number of, and it wound up they just didn't leave a voicemail, so it was probably spam of some sort. I haven't received any smishing at all, so I can't say 100% if it's due to Scam Shield, but it seems like it. When I was using Truecaller previous to Scam Shield, I was still getting smishing, I was still getting phishing calls, things like that, but I was using the free version, so maybe the paid is different. AT&T offers ActiveArmor, Verizon offers Call Filter. There's the Do Not Call Registry, which obviously you can put yourself on, but it's not necessarily going to stop malicious people from trying to call you and do things. And then a whole bunch of others: Truecaller, RoboShield, RoboKiller, Nomorobo, Hiya, YouMail, Firewall, CallApp. I can only talk to Truecaller; that's the one I've used.

So just a couple weeks ago the amazing Rachel Tobac gave out information on ways to take down, like, doxxing information. Specifically in this case, if your phone number's out there, if any PII is out there about you and you want to take it off Google search results, you want to take off what you can, there's now a new way to request that. So I wanted to make sure, since she announced this and it surrounds phone numbers, I included this, because if you're like me you've been doxxed at least once. It asks you why you want it to be removed.

So, STIR/SHAKEN. STIR is Secure Telephone Identity Revisited; it's the name of the standard and of a standardization working group, and it's what's used to label the cryptographic signatures. SHAKEN is Signature-based Handling of Asserted information using toKENs, which is a really big stretch to get all that in there, but it's the industry standard that's defining how the voice service providers should implement the STIR technology specifically. And then STIR/SHAKEN is the set of technical standards and operating procedures for implementing call authentication for Internet Protocol based calls. So the STIR/SHAKEN framework enables originating voice service providers to attest the validity of asserted caller IDs and sign them with a secure signature, so it helps the telcos track these things down if they have it implemented properly.

The Industry Traceback Group I mentioned, I want to talk about them. So this group was created by USTelecom, the Broadband Association, and stood up with the US government. It works for telco providers and ISPs and whatnot, it works for governments, works for enterprises. The only downside to this is they only target robocalls. Why they're not including smishing, I don't know, but they did specifically state they aren't doing smishing yet. Probably that whole technology thing again that nobody knows how to enforce but we have standards for.

So the ways telcos and governments can help right now: if the FTC was able to do some follow-up with people, for at least the ones scammed financially, following up with them to try and let them know wherever they are with takedowns, things like that. There's legislation right now in the Senate called the Robocall Traceback Enhancement that's tied to the Industry Traceback Group; that specifically is to protect the telcos and protect the Industry Traceback Group. Telcos actually using the STIR/SHAKEN solution. Expanding the Industry Traceback Group's capabilities would greatly enhance this as well. And then telcos being able to work with employers on behalf of their customer, or like our employee who's getting smished and might have our brand being impersonated, CEO impersonation, things like that. If telcos are able to work with the actual security team rather than the employee, it helps the employee by not having to be taken away from work, especially if they're hourly or they're compensation based; they don't want to spend an hour, two hours, three hours talking to a customer service rep trying to explain "I just got a smish from this number" and going through all the steps.

Are there any questions? Yes sir, in the back. [Audience question] It was a landline that we were trying to have them help us trace, and we gave them the originating number, the time of the incident, the number that received it, the fact that they're a customer of theirs; we tried giving them all the information up front, and that's what they responded with. Thank you.

[Audience: And some of your smishing ones, did you see where they had spoofed a real number that really did belong to a boss or a manager, or was it always...?] So far we've been lucky that it hasn't been a direct number impersonation; it's always been some random number that doesn't associate to them.

[Audience question, partly inaudible] Yeah, it will. So yeah, being in the industry I'm in, mortgage people need to be able to be known on the internet to everybody so they can try and make sales, they can try and make deals, so when you try and tell people who live their life by word of mouth and social media to cut it out and try and keep it down a little bit, you're met with resistance, understandably. So you have to find the fine line. But yeah, thankfully so far it's not been a direct impersonation.

[Audience question] You got me, honestly. Yeah, that's a toughie, just because it could be somebody word-of-mouthing and overhearing in the shop; that's probably the most likely scenario. But yeah, that's a really difficult one, I'm sorry.

[Audience question] Definitely. So, kind of both. In our playbooks ourselves we annotated it as a step that we need to ensure we follow, so when we're going through "OK, somebody got a smish, here's all the steps we do," one of the last things we make sure of is, did we have them do that, basically. When it gets to things like 7726, you can't do it on their behalf, but you can still report to the FTC on their behalf, for instance. So we try to get them with 7726. Being newer, I don't think we'll get much resistance, because it's really simple: if they don't know how to hold it down and forward the message, we can always jump on a phone call, show them real quick, doesn't take very long, or Google how to do it and send them a link to do that. But yeah, it's very helpful when we can do it on their behalf; it's just tedious. Yeah.

Any other questions? Yes. [Audience question] I can't speak to that, just because I've never seen it. I've been in multiple companies, but I don't know of any company that gives all their employees that type of protection. If it's a reputable company and they have a proven track record, I want to see why it wouldn't be terrible. [Audience: T-Mobile, whatever protection, like the one offered by the member's provider?] Oh, those are all free, honestly. [Audience: But you enroll in it, right? You have to sign up for it?] You just download the app. Yeah, you just download the app in the Play Store, whatever Play Store you have, and do it that way. No other questions? Thank you. All right, thank you everyone. [Applause]
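The STIR/SHAKEN passage above describes originating providers attesting caller IDs and signing them, and terminating providers using that signature for traceback. As an added example (not from the talk, and not any telco's or vendor's code), here is a small Go program that builds and verifies a SHAKEN PASSporT, the ES256-signed JWS token that STIR/SHAKEN attaches to a call's asserted caller ID. SignPassport plays the originating provider; VerifyPassport plays the terminating provider, checking the signature, rejecting stale tokens, and confirming the token was issued for the called number. Assumptions made here: the originating provider's public key is already trusted (a real verifier fetches the certificate named in x5u and checks that it chains to the STI policy administrator's root), a 60 second iat acceptance window, exactly one called number in dest, and constructed phone numbers, URL and origid placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header of a SHAKEN PASSporT (RFC 8225 PASSporT with the RFC 8588 "shaken" extension).
type Header struct {
	Alg string `json:"alg"` // SHAKEN mandates ES256
	Ppt string `json:"ppt"` // "shaken"
	Typ string `json:"typ"` // "passport"
	X5u string `json:"x5u"` // URL of the originating provider's STI certificate
}

// Claims: attestation level, calling/called numbers, issue time and origination id.
type Claims struct {
	Attest string              `json:"attest"` // "A" full, "B" partial, "C" gateway
	Dest   map[string][]string `json:"dest"`   // {"tn": ["+1..."]}
	Iat    int64               `json:"iat"`    // Unix seconds
	Orig   map[string]string   `json:"orig"`   // {"tn": "+1..."}
	Origid string              `json:"origid"` // opaque id the originating provider can trace
}

var b64 = base64.RawURLEncoding

func decodePart(s string, v interface{}) error { // base64url JWS segment -> JSON
	raw, err := b64.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignPassport is the originating provider's side: sign SHA-256(header.payload) with
// P-256 ECDSA and emit the JWS compact serialisation carried in the SIP Identity header.
func SignPassport(priv *ecdsa.PrivateKey, x5u string, c Claims) (string, error) {
	hdr, _ := json.Marshal(Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	body, _ := json.Marshal(c) // marshalling these plain structs cannot fail
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R||S, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating provider's side: check the signature with the originating
// provider's public key, reject stale tokens, and confirm the token names the called number.
func VerifyPassport(token string, pub *ecdsa.PublicKey, now time.Time, calledTN string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	var h Header
	if err = decodePart(parts[0], &h); err != nil {
		return c, err
	}
	if h.Alg != "ES256" || h.Ppt != "shaken" {
		return c, fmt.Errorf("unexpected alg/ppt %q/%q", h.Alg, h.Ppt)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return c, fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return c, fmt.Errorf("signature does not verify")
	}
	if err = decodePart(parts[1], &c); err != nil { // claims are trusted only after this point
		return c, err
	}
	// Assumed 60 s acceptance window (RFC 8224 suggests 60 s); bounds replay of a valid token.
	if age := now.Sub(time.Unix(c.Iat, 0)); age < -60*time.Second || age > 60*time.Second {
		return c, fmt.Errorf("iat outside freshness window by %s", age)
	}
	// This example expects exactly one called number in dest.
	if len(c.Dest["tn"]) != 1 || c.Dest["tn"][0] != calledTN {
		return c, fmt.Errorf("dest tn does not match the called number")
	}
	return c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now() // sample numbers, URL and origid below are constructed placeholders
	c := Claims{Attest: "A", Dest: map[string][]string{"tn": {"+12145550123"}}, Iat: now.Unix(),
		Orig: map[string]string{"tn": "+12145550100"}, Origid: "placeholder-origid"}
	tok, _ := SignPassport(priv, "https://sti-cert.example.invalid/cert.pem", c)
	got, err := VerifyPassport(tok, &priv.PublicKey, now, "+12145550123")
	fmt.Println("attest:", got.Attest, "orig:", got.Orig["tn"], "err:", err)
}
```

The attest level is what traceback cares about: A means the provider knows both the customer and the number, B means it knows the customer but cannot vouch for the number, C means it is only a gateway passing traffic it cannot vouch for at all. The origid is the handle a provider can use internally to find the customer behind a signed call. Note that the token only covers IP-based voice calls; nothing in SHAKEN signs an SMS, which lines up with the speaker's point that the robocall machinery has not been extended to smishing.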