Dark Web Threats Against Individuals
In this episode of The Dark Dive we look at how specific individuals - executives, VIPs, and high-net-worth individuals - are targeted by cybercriminals on the dark web.
How are specific individuals targeted by cybercriminals on the dark web?
Ahead of the launch of their Digital Footprint Review service, NCC Group's Matt Hull joins us to discuss the threats facing individuals – including social engineering and Business Email Compromise (BEC) – and how these can be mitigated by auditing your personal online presence and monitoring the dark web. Meanwhile Searchlight Cyber's Ben Jones explains the dark web threats facing individuals and shares his own experiences, as an executive, of being the target of CEO Fraud.
Speakers

Aidan Murphy
Host

Ben Jones
Co-Founder and CEO of Searchlight Cyber

Matt Hull
Global Head of Cyber Threat Intelligence, NCC Group
In this episode of The Dark Dive we cover:
Business Email Compromise (BEC)
Also known as CEO fraud, where employees are pressured into making financial transactions under the belief that they are communicating with an executive.
Doxxing
The leak of an individual's personal information on the dark web. This is often done with malicious intentions and can lead to physical and cyber attacks against individuals.
Social Engineering
Methods to trick or pressure individuals are becoming more sophisticated as more personal data becomes available online, but this can be mitigated through a Digital Footprint Review.
Transcript
(TC: 00:00:04)
Aidan Murphy: Hello and welcome to The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’m your host as each month we take a look at a different aspect of the dark web. A consistent theme on this podcast is the word ‘threats’. The dark web is full of threats, threats to businesses, threats to governments, threats to society, but today we’re going to talk about threats against individuals, cyber crime that zeros in on specific people, be them high net-worth VIPs, politicians or executives. We’re going to discuss exactly how these individuals are targeted and how these threats can be mitigated through assessment or maybe a reassessment of their digital footprint. Joining me to cover this topic is our very own chief executive, Ben Jones, CEO and co-founder of Searchlight Cyber. Welcome back to the podcast, Ben.
(TC: 00:00:53)
Ben Jones: Thank you.
(TC: 00:00:54)
Aidan Murphy: Our guest for this episode, Matt Hull, Global Head of Threat Intelligence at the NCC Group. Welcome, Matt.
(TC: 00:01:00)
Matt Hull: Thank you, thanks for having me.
(TC: 00:01:02)
Aidan Murphy: Before we get started I’m just going to ask you both to introduce yourself to the listeners. Ben, perhaps you could start by giving us a bit of a recap of you and your background.
(TC: 00:01:10)
Ben Jones: Hi, there. Ben Jones, the CEO and co-founder of Searchlight Cyber. I established the company in 2017 with Gareth, my co-founder, who’s the CTO. Before that I worked in defense and aerospace designing aircraft, and then moved over into the cyberspace and the dark web space to work with initially law enforcement, and now also with commercial organizations, helping them to protect their infrastructure.
(TC: 00:01:34)
Aidan Murphy: Matt, so you’re new to the podcast, so welcome. Can you just give the listeners a bit of an overview of yourself and also the NCC Group and your work there?
(TC: 00:01:42)
Matt Hull: Yes, of course, thank you. So, yes, Matt Hull, I’m the Global Head of Cyber Threat Intelligence at NCC Group. I’ve been with the organization just coming up to six years now. I was originally a pen tester, but then moved into the world of threat intelligence. In a former life, I was a detective in UK policing for the best part of thirteen years. Most of that time was in intelligence operations, covert policing and things like that, but also doing a lot of other traditional-type detective work, so investigating serious organized crime and such like. Other stuff that I’m involved in, I guess I’ll touch on, so I’m the chair of the cyber threat intelligence focus group at CREST, which is an international accreditation body. I’m also involved in a bit of telly, so I lead on the digital investigations on Channel 4’s Hunted. I’ve done that for a number of years now as well.
If I may touch on NCC Group really briefly as well, so NCC Group, we are a global cybersecurity company, we are probably known best for our pen testing, but we do a lot more than just that. We obviously do threat intelligence, which is the capability that I lead on, but we also do incident response, we have a large managed service where we run security operation centres for customers. We do a lot around governance, risk and compliance, and we also have an arm of our business that’s involved in software escrow as well, so much more than just pen testing.
(TC: 00:03:09)
Aidan Murphy: Brilliant, thanks, Matt. Well, one thing I just wanted to touch on was you mentioned your police background. I was watching a video that you’d done a few years ago now, and you talked in that about how you moved from traditional intelligence operations, so real-life, well, I was going to say bad guys, serious criminals, and how you transitioned to cyber operations basically when Facebook emerged and you realized you could grab data on organized criminals from Facebook rather than having, kind of, human intelligence. Maybe you could just talk a little bit about that transition and how that happened.
(TC: 00:03:42)
Matt Hull: Yes, of course and, you know, it wasn’t an overnight thing. It was certainly something that’s developed over time, so yes, when I was in the world of intelligence there was a lot of focus on HUMINT, so human intelligence. We’d have teams of individuals that would harvest sources, so harvest new covert human intelligence sources, or CHISs as they would call them in the police. Obviously, there are a lot of risks associated with human intelligence and managing the threat to those individuals and how they share the intelligence that they have. It wasn’t just myself, but across law enforcement in general there was a focus towards, ‘Well, how can we leverage intelligence sources through open sources?’ One of those big things at the time was the likes of Facebook and social media.
You know, we all started telling everyone what we were doing in our lives on social media, and the bad guys, the heads of the organized crime groups, they wouldn’t necessarily put all of that information out there on Facebook about their dodgy dealings, but we could learn a lot about their movements and their activities and their networks through these social networks. We’d be able to look at what their partners were doing, what their family members were doing and, you know, the photos, the geo-location information, which was quite rife at the time as well. So, it just became another source of intelligence that we were able to harness, and law enforcement have developed that over time.
(TC: 00:05:10)
Aidan Murphy: In the way you described it in this video it was almost like you fell into that as your specialism by accident, just because you were slightly more technically savvy, and that was picked up on by your colleagues.
(TC: 00:05:20)
Matt Hull: Yes, there was a handful of us, so around that time there were a number of individuals in the force that I worked at, and also across the UK, who were more proficient, shall we say, with OSINT, just because we, sort of, understood the sort of things that you could find on Facebook. It was almost applying that investigative mind-set from traditional policing to, ‘Well, how do I find these things online?’ and fancy googling, essentially, and navigating your way through those open sources. Back in the day as well you were able to leverage those social networks and tweaking the URL, using the Graph API, for example, to get some real decent, juicy information out of those platforms. That’s a lot harder to do now, but yes, it was almost a case of, ‘Right, you know a little bit about computers, you must know about Facebook. What can we find out through this?’ A couple of us led the charge with that.
(TC: 00:06:18)
Aidan Murphy: It’s fascinating. I mean, Ben, on our side I think there’s a clear point of comparison. Maybe we came more at the tail end of this as such as a company, but you must have seen the same transition with our law enforcement partners, kind of, this move from more traditional intelligence sources into starting to look at, well, the first internet, social networks, but then the dark web. I guess that’s where we came in.
(TC: 00:06:42)
Ben Jones: Yes, so when we worked with the customers we knew that there was an issue with the dark web specifically, where they were struggling to be able to attribute and police anything that was going on within the dark web, and so we looked to try and develop a tool set to help law enforcement with that. That was the genesis of the company: to try and help them protect society from the threats of the dark web. We built that tool set out, we worked with law enforcement to try and help them. The problem is that law enforcement is an extremely difficult job, and this is just an extra data source which they now have to worry about. It’s not like any other data sources or any other techniques have gone away, it’s just that this is an extra one they now have to worry about. So, the idea is that you build a tool set which doesn’t have a huge knowledge barrier to be able to use it.
You try and make something which is intuitive, and then they can go in and find what they need, and then carry on doing the other elements of policing that they need to as well. So, quite often a case may touch the dark web, but they’re running a whole load of other cases for the rest of the year that don’t, and so not everybody can be an expert in it. So, we try and build that tool set out to allow them to get up and running on these fields very quickly, and to be able to run and scan these queries across the data set to see whether there’s anything in there they need or not.
(TC: 00:08:03)
Aidan Murphy: Yes, I couldn’t help but start on the law enforcement stuff. The other thing I can’t help, I’m afraid, Matt, is I do have to just stop for a second on you working with Channel 4’s Hunted TV show. This is a very international podcast with people from around the world, so maybe people in England, or the UK, sorry, might be familiar with that show, but for anybody who hasn’t seen Hunted maybe you could just describe what that is. This isn’t just because TV is cool, but it actually dovetails into this topic quite nicely, so I just want to establish your role in that show.
(TC: 00:08:34)
Matt Hull: Yes, absolutely. It does dovetail nicely, and I do get a bit embarrassed about it, but here we go anyway, so yes, Hunted, it’s a TV program, it’s a competition, essentially, so pairs of fugitives, and I use that term in inverted commas, they go on the run. They’re on the run for a number of weeks, and we, the hunters, have to try and find them. So, the way we do that is we simulate the powers of the state, so to speak, so we leverage CCTV, ANPR, open-source research and such like, as well as boots on the ground. So, we’ve got ground hunters and then we’ve got hunters in HQ, so to speak. Yes, we, kind of, apply the same processes and techniques that would take place in a traditional major incident room, I guess, from a law enforcement point of view. We go out, we try and capture them, they try and evade us, and if they get to the end they win a prize, so we obviously don’t want them to do that. It’s a bit of a reputation thing that we make sure that we try and catch them as quickly as we can.
(TC: 00:09:43)
Aidan Murphy: So, again, in that show you’re working on more the technical side then, you’re the HQ part.
(TC: 00:09:48)
Matt Hull: Yes, exactly right, so myself and some other colleagues as well from NCC, we work in the HQ part. We support on the OSINT, so the open-source intelligence stuff, looking at people’s social media profiles and their networks, so who they might go and visit while they’re on the run, that sort of stuff, but we’re also involved in some of the mobile forensics. So, we get the fugitives’ devices and examine those to see if there’s any evidence or intelligence on them as to where they might go on the run, what sort of stuff that they might need to, you know, survive the weeks that they’re on the run. We also do little bits of hacking as well occasionally, so we will put trackers in people’s emails and things like that, so when they open an email we can do that. There have been some examples on previous shows where we’ve hacked into CCTV cameras and things like that, which is quite cool, but yes, that’s, kind of, our involvement.
(TC: 00:10:47)
Aidan Murphy: I guess it is relevant to this topic because what we’re going to be talking about is individuals being targeted by hackers, and they might use a lot of the same techniques that you’re using on the show, particularly gathering open-source intelligence from social media accounts and using that for targeted approaches. I mean, do you think about it like that in terms of playing the adversary sometimes when you’re dealing with customers or when you’re on the show?
(TC: 00:11:11)
Matt Hull: Yes, I think you have to. You know, we have most successes when we apply the same methodologies that malicious people will, so it’s a bit like going back to the law enforcement days. You know, the best way to prevent burglaries and advise people on how to prevent burglaries is by understanding how burglars burgle. So, back in the day it’s the whole case of, well, no locks on windows and doors, or leaving your windows and doors open. Well, naturally that’s how burglars are going to get in, so the advice then is to lock those windows and doors, but obviously there are going to be evolutions over time with new techniques that the burglars will use. You know, there’s the old hook and cane, which is an old technique where you’d stick a stick through the letter box and steal the car keys or the door keys and get in like that. We apply the exact same mind-set when we’re conducting open-source research or we’re doing pen testing or simulated attack stuff, because we might as well simulate the way the bad guys are doing it, because as defenders we need to know how to defend from the bad guys in the real world.
(TC: 00:12:16)
Aidan Murphy: Well, that leads me on quite nicely, because again, just before we got to the targeting of individuals, NCC Group, I know that you do do quite a lot of work with the dark web. So, just starting at, kind of, a high level then, as an organization that helps other organizations with their cybersecurity, how do you see the dark web?
(TC: 00:12:33)
Matt Hull: I mean, it forms quite a significant part. I mean, Ben and I, we’ve worked together for a good number of years now, certainly since the early days of me being at NCC. We use it in a number of ways, partly from an intelligence source. I mean, that’s the main thing, it is an intelligence source for us. The sort of stuff that we’re interested in particularly at the moment is the activities of cyber criminals who are operating in those, sort of, perceived anonymous places, so within TOR networks, within forums and markets. They’re talking about the criminality that they’re involved in, and by having an understanding of that criminality it means we have a better picture of what the threat landscape looks like. So, some of the things I can give examples on that we’re particularly keen on at the moment, and are big threats for organizations globally, will be things like infostealers, so there’s a type of malware that’s doing the rounds. It hasn’t done for a while, but it’s particularly rife at the moment, sits on our personal devices and harvests credentials and details about the activities that we have online.
Those sorts of email addresses and passwords are obviously very valuable to cyber criminals. They can be used to, you know, compromise our accounts, in some cases they can be leveraged to compromise the organizations that we work for, which really increases that level of threat, but there are other things that are particularly useful. There’s a lot of activity in terms of hacktivism, and there are conversations taking place in closed forums about what certain hacktivist groups are up to, who they want to target, how they’re going to target them. Again, having a good insight into what they are doing allows us to preemptively put protections in place for certain organizations and sectors that might be targeted. Yes, I think in general it is just an intelligence source that enables us to help organizations and individuals understand what threats are posed to them, and of course some of the information that we find will be directly linked to a future attack or an ongoing attack or even a historic attack. You know, we leverage some of the tools that Searchlight have to help us conduct that type of research.
(TC: 00:14:47)
Aidan Murphy: Yes, because as you mentioned, we’ve been working together for quite some time now. Ben, obviously more managed security providers have picked up on the opportunity of the dark web, but I guess it’s fair to say that NCC Group were one of the first or at least one of the first we came across in leading the forefront in that, is that right?
(TC: 00:15:06)
Ben Jones: It was certainly our first commercial customer. Up until that point we were exclusively working with law enforcement, and I think even now there are a lot of service providers out there that aren’t really utilizing the dark web data as well as they could. Sometimes you’ll just have one element, so Matt mentioned infostealers, so sometimes they’ll just look at the infostealers, sometimes they’ll just look at stuff run across forums or across market. The reality is, and I guess this is a call-back to a previous podcast around some of the research that was done with Marsh, but you need to look at all of those different elements. It’s the cross-pollination between those different data types that really adds a lot of value as well, and so to just focus on one of them you really are missing a trick.
You need to be able to look across the whole thing, and so NCC Group has been innovating in this space, and we’ve been along there with them on that journey, and they’ve been delivering some excellent services based around that. I think it’s becoming more and more popular now for service providers to start using this type of data, but not all data’s going to be created equal from that respect, and this is where you need to make sure that you’re covering all of those different aspects. So, that includes things like the traffic, it includes some of the more open sources which can be, sort of, sucked into that pool of attack surface management, now we’re around things like Gits and pastes and the other forums, and all of those elements are really important to bring it together. As attackers become more and more sophisticated, they have more and more tools at their disposal, your attack surface is growing larger and larger and you need to make sure that you keep pace with all of the different threats which are coming your way. So, that’s what we’ve been doing in terms of developing our products and that’s also what I believe NCC have been doing in terms of developing their services.
(TC: 00:16:56)
Aidan Murphy: Yes, brilliant, so I’m going to narrow down the conversation now because we have been talking quite broadly, but we should get to the specific threat we’re talking about today, which is against individuals, and again, Matt, I know this is something that you’ve been looking at in the NCC Group. When we’re talking about threats against individuals, cybersecurity threats against individuals, that are coming from the dark web, is there a profile of person that should be particularly concerned? Because, obviously, there are threats that we should all be concerned about, phishing attacks, malware, but are there people in particular who have to be worried, who have to be more conscious of this stuff?
(TC: 00:17:34)
Matt Hull: So, I think there are different layers to it. So, I think each and every one of us has to be aware of it to a degree and have a good understanding of what our baseline level of online presence is. You know, if we expose loads of information about ourselves out in the public domain, we have to accept that, at some point, it’s going to be used against us, whether that just be for social engineering, whether it ends up being part of a spam collection, where we just get mithered to death by spam emails, or even looking at our future relationships, our future jobs. For example, if I knew I wanted to go into the world of covert policing or something like that, I wouldn’t want this huge back history of information that’s available about me online, so it’s about having that sort of awareness about ourselves as individuals. When it comes to organizations and specific people that we’re keen to put this sort of message across to, absolutely C-suite, you know, CEOs, CFOs, those sorts of people in organizations that are key decision-makers. You know, they hold the keys to the critical assets, to the money, and through things like business email compromise and targeted fraud, we’re seeing huge volumes of that type of activity. Now, if you were a CEO or a CFO and you’re posting things like where you’re traveling to or the fact that you’re not going to be available on the phone for X number of hours and that’s on your Instagram, then that gives a window of opportunity to a social engineer or a criminal to use that point in time to be able to target you.
We also, sort of, advise key role-holders, so sys admins and individuals like that who are technically privileged within an organization, that they may be targeted. So yes, I guess they’re the two main ones. There is another one that’s probably worth mentioning, is people like recruiters within organizations. So, we have seen a couple of examples in the press and we’ve seen some through the research that we’ve done at NCC Group around people pretending to be candidates for jobs and actually using cloned information about other people that they’ve found online, pretending to be other people, and then this is where the conversation of deep fakes comes into play as well. I’m sure we could go down that rabbit-hole. So yes, if I was to drill it down, it’s your C-suite level of people, key role-holders within organizations and then, sort of, critical roles, such as recruitment, HR and finance people particularly.
(TC: 00:20:21)
Aidan Murphy: So, I guess what you’re saying there is these people that hold special privileges within the organization, right? Like you say, they hold the keys, effectively.
(TC: 00:20:28)
Matt Hull: Exactly, yes.
(TC: 00:20:30)
Aidan Murphy: From specifically the C-suite perspective, is there another angle to it, in that they personally also are quite lucrative targets, potentially? So, it’s almost like a double threat, in that, (1) yes, if someone compromises a CEO’s-, even just their email address and starts pinging out emails to the company, they could probably do quite a lot of damage, but (2) the second element of, you know, they are a powerful person, probably quite a wealthy person, and they have this added threat inherent in that as well?
(TC: 00:21:01)
Matt Hull: Yes, you’re absolutely right, yes, you know, high net worth individuals, aren’t they, to a degree and potentially vulnerable to extortion attempts. You know, there have been examples in history where CEOs and people like that have been kidnapped and there have also been threats to life on their family and friends, and burglaries taking place because of just who these people are as well. So yes, absolutely right and there’s also the, sort of, personal, reputational damage that could come from some of these types of attacks as well. You know, if someone says something daft on social media fifteen years ago and then it comes back to haunt them, there’s absolutely that as well.
(TC: 00:21:42)
Aidan Murphy: So, I’d like to drill down a little bit into exactly what each of these threats are, I guess, against these individuals. We’ll probably end up covering them both off but maybe, Ben, I’ll start with you. How can the individuals be targeted, again, kind of, above and beyond how everyone might be targeted by cyber criminals?
(TC: 00:22:00)
Ben Jones: Okay, I’ll go for some of the easier ones then. So, doxing is an obvious one, so there are websites out there which are dedicated towards doxing individuals, and sometimes it could be from political motivation, sometimes it could be that somebody has a particular ax to grind against a particular organization. So, whether it’s in the US with healthcare or whether it’s in other parts of the world, where somebody has felt as if they’ve been dealt a bad hand and then they want to take it out on somebody, and so they then look at doxing the information of these individuals and encourage other people to then target them.
(TC: 00:22:36)
Aidan Murphy: Yes, I think just to define the term doxing, I think a lot of people listening to this podcast will be familiar with it but just in case you aren’t, doxing is when someone’s personal information is leaked online against their will. So, this could be quite basic information, again, email addresses, very common but it can also be deeply personal information that you definitely wouldn’t want to be out there. So, it can be incredibly serious and I guess, Ben, from that perspective, you know, this is a real threat that people face, right? We’ve observed instances of this.
(TC: 00:23:09)
Ben Jones: Yes, when people are looking to really cause damage, they will release the information of spouses and children and friends and relatives as well, and so this is where it’s not just down to the individual, it can be down to their family and their inner circle can also become targeted. I think, unfortunately, as people move their lives more and more online, there have been examples with other social media influencers, who otherwise wouldn’t really be regarded as high-profile figures at all, they have a number of followers and then people will start looking at doxing those individuals as well. So, I think it’s one of those problems which is going to grow. I don’t think it will just be exclusively targeting very high-profile individuals. I think you could end up, it could become a regular threat against just ordinary people, especially if you have some sort of online presence, and so where the opportunity to do this is increasing, it’s getting easier and easier. As Matt said, people have more and more of their lives online now, and when you combine it with other things, like facial recognition and all of the other sources of data which are out there for you, I think it will become a growing problem. It’s going to be a harder problem to defend against, which is why you should be proactive to try and defend against those things, remove anything out there which you don’t really want out there but it’s going to be impossible to remove everything.
So, it’s also worthwhile monitoring these things as well if you think you could potentially become a target. There are different data sources you can use to monitor those but like I said, there are some dedicated sites which are there to host doxed information on individuals and then there are other people that take it upon themselves to then go and act on that information.
(TC: 00:24:50)
Aidan Murphy: I guess the way they act on that information, we could be talking about a range of threats. So, I guess, for example, if you get someone’s credit card information or the details of their car or their holidays, you can undertake fraud, e-crime kind of stuff but I guess, Ben, what you’re saying about families and kids, there’s almost an element, again, it’s not nice to think about, of physical threat as well. I know, again, when we’re talking about executives, this can be a real threat.
(TC: 00:25:18)
Ben Jones: The threats that could be out there could be anything from somebody going and harassing you and just hanging outside your house or making life difficult, intimidation, through to trying to steal money, or if you have influence, they may try to get access to some of your social media accounts or some other assets which could be considered valuable, it’s all fair game.
(TC: 00:25:39)
Aidan Murphy: Matt, is this something that you’ve seen on the NCC Group side as well? I guess this is one of the threats that you’re warning people against.
(TC: 00:25:46)
Matt Hull: Yes, absolutely, doxing is a big deal, particularly when we’re looking at things like the hacktivist threats at the moment as well. So, I know there are, obviously, things like distributed denial of service, so those sorts of attacks that inhibit a website from being able to run properly, but any, sort of, politically damaging information, for example, that a hacktivist could get a hold of about an individual or their activities is something that they could really leverage. Exposing this sort of information can lead to all sorts of other things, you know, further threats or abuse and whatever else. So yes, it’s absolutely one of the things, or the reasons, that we do these types of assessments for, to reduce that, sort of, doxing threat, but building on some of the things that Ben was saying, the physical threats, not just to the individual but the individual’s family as well, all become really relevant. So, if we have individuals that are, sort of, over-exposing information about where their kids go to school, for example, or there are pictures of their kids in their school uniforms, it’s really quite trivial to eventually take that information, or just that single picture, and either geo-locate it or do some basic image recognition to try and identify what schools that individual’s children are going to. So yes, absolutely, doxing and the physical threats almost, kind of, come hand-in-hand when people’s information and personal information is exposed like that.
(TC: 00:27:14)
Aidan Murphy: I guess, well, kind of building on what Ben was saying in terms of it’s a growing threat, in terms of people are putting more information out there. Also, I guess, with this, kind of, AI recognition software and things, like you say, image recognition has become really, really good, location finding and that kind of stuff, again, it just helps the bad guys and makes this threat a little bit more scary. Would you agree with that, Matt?
(TC: 00:27:41)
Matt Hull: To a degree, yes, I mean, AI, large language models and things like this, they are enablers for criminality, and I’ve talked about the threats from AI systems quite a few times, and while it’s not, like, the Skynet that some people were expecting it to be, it is absolutely one of those things that reduces that entry level to criminality. It makes our lives quicker and easier to, sort of, gather this information, and even if it’s not helping us gather the information, once we have a set of information or data about a person’s online presence, it can certainly help us do some analysis of that data to try and, you know, garner further information about them or really zone in on certain bits of information that are relevant.
(TC: 00:28:28)
Aidan Murphy: So, doxing is one of the main threats. Your turn, Matt, what else is on the list?
(TC: 00:28:33)
Matt Hull: Yes, so it’s certainly one of them. I think, as a, sort of, broader term, social engineering is a threat, in that it leads to all sorts of other types of activity. So, social engineering, for those that don’t know, is obviously the techniques that a criminal or an individual would use to convince us to do something that we probably wouldn’t ordinarily. The traditional, sort of, things that we expect to see on this are phishing emails, so those emails that come in and say, ‘Oh, you’ve won X amount of money,’ or dead relative over here is, all of a sudden, inheriting you with loads of money. We know they’re scams but that is a form of social engineering called phishing. We’re seeing more and more different variations of this, so we now have smishing, which is using social engineering through text messages. So, you may have had, you know, text messages from your bank, or purporting through your bank, saying, ‘We think your credit card’s been compromised. Please follow this link and deactivate your account.’ Well, that’s a type of smishing. We also have vishing, which is voice social engineering, so this is where individuals ring people and try and convince them to do certain things. We use vishing a lot in some of our simulated attack work, where we pretend to be from, like, IT services, for example, and say, ‘Oh, we believe your computer’s not running properly. Can you do X, Y and Z for us?’ and we’re actually telling the person on the other end of the phone to activate certain remote accesses that allows us to then get into the systems.
(TC: 00:30:06)
Aidan Murphy: Just to jump in on that, do you use that one in particular because there is more of a psychological pressure added when you’re talking to somebody and, you know, a text is easily ignorable?
(TC: 00:30:19)
Matt Hull: Yes.
(TC: 00:30:19)
Aidan Murphy: Again, maybe people are better educated now to not click on the dodgy link but when you’re hearing a voice down the end of the phone and they sound, you know, very helpful and very charming, you’re more likely to go along with what they’re-, or may be very scary and they’re telling you something’s gone wrong, that they’re more likely to go along with it?
(TC: 00:30:36)
Matt Hull: Yes, it’s very successful, it’s a successful technique because, ultimately, the majority of people who pick up the phone, they want to help. You know, they want to do what they need to do to help the person on the phone. So, if it is someone pretending to be from IT services, you know, there’s a good chance that we’ll get the individual to do what we need them to do but also, social engineering really does prey on things like urgency, the urgent email that comes in or says, ‘You must act now or do this now.’ Once you couple that with little bits of detail and context that really make it relatable to the person that you’re contacting, that’s where things like business email compromise and fraud come into play and this is where that whole digital footprint thing really takes shape as well. If I’m pretending to be an individual, if I can find out details about that individual that make it personable, then it adds context to the social engineering attempt that I’m making and it makes it easier for me to actually get the response from the person I’m contacting.
(TC: 00:31:43)
Aidan Murphy: Yes, no, I understand that. You mentioned business email compromise, you know, this is one of the main ones that I’d written down to touch on, can you just maybe explain that to the listeners? Is that a form of social engineering or is it set out on its own?
(TC: 00:31:56)
Matt Hull: Yes, so it’s a form of social engineering that leads to, normally, some sort of fraudulent transaction taking place within an organization. So, it’s sometimes referred to as invoice fraud or CEO fraud and these sorts of taglines it’s given. So, it’s the process by which a criminal will contact an organization and try and escalate, high within an organization, an invoice where there’s a mispayment or, ‘We need you to transfer some funds so we can complete this deal,’ and whatever else. And it normally takes the form of, ‘Your CFO has already agreed this or another member of the organization has already agreed this thing, so, can you make it happen because they’re actually on a plane at the moment and they can’t approve it.’ It’s that kind of activity which then leads to loss of money, essentially, from the target organization.
(TC: 00:32:49)
Aidan Murphy: I think we sometimes call this CEO fraud. So, Ben, you’re here as our dark web expert but you are also a CEO, so, maybe you better than anybody would be to-, if there are executives listening to this, maybe a bit worried about this, from your perspective, what’s the damage that could be done, you know, if this is done successfully in terms of someone impersonating you or putting pressure on other people with the idea that the CEO is going to be annoyed or you haven’t met your invoice? Is this something that you worry about personally?
(TC: 00:33:19)
Ben Jones: We have processes and checks and balances in place to try and protect ourselves but, I mean, I’ve definitely been targeted as well. So, a couple of times a week, somebody will try an email attack against somebody in my team. Usually somebody within finance trying to get money out of us. They know how we operate, we have processes in place, there are checks and balances to stop that happening. And so, we’ve never had a breach along those lines but it gets more and more sophisticated. I mean, they knew where I was. I was traveling and I was in another country. I hadn’t published it anywhere. I’m not sure how they knew where I was, whether it was a guess, but they got the right country but, yes, I’ve been targeted and I’m sure almost every company has had some level of targeting.
(TC: 00:34:07)
Aidan Murphy: I do appreciate you sharing that because I do think there will be people listening, and it is important, I think, for people to understand everybody is going to be targeted. And like you say, you know, you’re a CEO of a business, you’re just a target. That’s just the reality of things. There will be information out there. I mean, you know, the marketing team might be saying what event you’re going to be speaking at. That’s how they might know you’re in a particular country, so, this information is out there, I guess, and it is just worth being aware of and like you say, if you have the right processes in place, there’s things that can be done.
(TC: 00:34:39)
Ben Jones: I think just on that, I think people would be surprised how easy it is to pivot off of something. So, if you know that somebody works for a particular company and therefore, maybe you can guess what their email address is, if you then have malware on your system and it’s some sort of infostealer on there, it will steal everything off your system. So, you can then connect up different systems. Quite easily, from basically having your name, knowing where you work, you can then start getting access to private accounts and this is when it can actually start escalating pretty quickly because you may have your log-on details for your bank or a current cookie for your banking system or something like that. And so, if they act on it quickly, they may be able to get into your systems and maybe combine some social engineering in order to defeat 2FA and things like that. These things can escalate very quickly. I’m not just trying to scare people out there, but there are things that people need to be aware of.
(TC: 00:35:36)
Matt Hull: Yes, absolutely, you know, and those pivots, they can be a bit more sophisticated. So, using things like infostealers and passwords and whatever else but they can be really basic. You know, you’re able to identify the names of someone’s children or their dog. You work out what their date of birth is through whatever mechanism and all of a sudden, you’ve started to develop an understanding of what their passwords might be. You know, even if their passwords haven’t been compromised in some way, shape or form, we’ve done loads of assessments where we’ve seen examples of ‘dog’s name, date of birth’, is that person’s password. And we know as well that people reuse their passwords. So, as soon as you’ve got that password, we can actually find links to all different online accounts. You know, if you’re able to identify a person’s hotmail account, for example, that’s all well and good, that’s one thing. But then you can actually pivot from a password to all of these other online accounts and that’s where we lead to, you know, these fraud and impersonation type attempts which we touched on earlier on. And it just really gets very easy to find out information about people online. There was a good example last year as well, wasn’t there, about things like Strava, you know, and public profiles on Strava. So, some of the big political players, Trump, Biden, Macron, it was revealed that some of their personal protection officers had unlocked Strava accounts. So, they weren’t allowed to use them while they were, obviously, working. They’re not allowed their phones and stuff like that but very quickly, you’re able to see, well, that person was in the Bahamas, or that person’s now in France or they’re here. And you can find out some quite detailed personal information about individuals’ movements because of things like that. So, I think just having an awareness of the privacy settings that are available to us. You know, not reusing passwords and making sure that we protect our devices from things like infostealers. This is all that stuff that helps mitigate digital footprint risks.
(TC: 00:37:37)
Aidan Murphy: Well, this is what I was exactly just about to come onto, so, I think you’ve segued really well there. This is what you’re talking about, I guess, when you talk about the digital footprint. It’s all these things, a lot of them you wouldn’t even think about, that make up your online life, effectively, and what somebody could use to build this profile of you that they could exploit in several different ways. Have I got that concept correct, Matt?
(TC: 00:37:59)
Matt Hull: Yes, absolutely, and this doesn’t have to be the stuff that we deliberately put out there either. You know, it’s the stuff that’s accidentally out there or the stuff that our friends and family share about us which we’ve not really given permission about. Yes, it’s not necessarily always the things that we do deliberately that end up out in the public domain. It’s that network around us as well. So, a key part of the, sort of, messaging around reducing your digital footprint is not just what you do for yourself, but encouraging your friends and family to lock theirs down as well.
(TC: 00:38:32)
Aidan Murphy: So, the NCC Group have launched this service, the Digital Footprint Review Service. Maybe you could just talk to us about that a little bit, Matt. I guess this is what you would recommend people to do to, kind of, get this information under control and to mitigate the risk of these, you know, business email compromise, fraud, doxing. What exactly does that look like? What should people be doing? What should they be thinking about to reduce that risk?
(TC: 00:38:59)
Matt Hull: Yes, so, it’s a service that we’ve actually had for quite a while but given the increased volume of these targeted acts, we’re, kind of, relaunching it, really. Just to make people aware that this is a threat, this is a challenge to individuals. And even if we get people saying to us, ‘Well, who is going to look at me? What cyber-criminal possibly wants to look at my Facebook account?’. Well, the challenge back to those people is, ‘Well, it depends where you work, doesn’t it?’. You know, if you’re working for government or if you’re working within a financial team, there’s a possibility that you will be targeted simply as a conduit into the organization that you work for. So, yes, the assessment basically puts the hat of those hackers on, those cyber-criminals, those fraudsters and we try to identify as much detail as we can about the target individual through their online presence. I tongue in cheek refer to it as a black metal pack. You know, every single bit of detail that we can find out about that person and then the most important thing is saying, ‘Okay, well, now we’ve found this information, so what? Why is that relevant? What does that actually mean?’. So, these things that we’ve found could lead to an attack over here or it could lead to risks associated with your family over there. So, it’s all about identifying those things, adding some context as to why this stuff that’s online is important and how it can be used by the bad guys but more importantly, how do you then mitigate it? So, are there things you can do to prevent that piece of information being available online? And Ben rightly said, you know, all of this stuff is out there and it’s not so much a case of our digital footprints, these are digital tattoos, aren’t they? You know, they’re really hard to get rid of once they’re online. It’s all about finding what we can, telling people why this stuff is bad to be where it is i.e. online, and then how do we actually reduce the impact and reduce a person’s digital footprint in terms of its volume.
(TC: 00:40:59)
Aidan Murphy: And I guess I just want to make it clear how the dark web forms part of that, because I think as you alluded to, Ben, with the doxing, there are areas of the Internet that are worse than others, I guess. And if your information is out on those areas, you may be at increased risk. I don’t know, Matt, if you could talk about that a little bit in terms of, well, are you going to go out, you know, into the dark web and have a look there as well?
(TC: 00:41:22)
Matt Hull: Yes, absolutely. I mean, we obviously rely on clear web. So, things that are on Google and social media. But we’ve mentioned it a few times now, you know, things like infostealers and other forums and places where people are talking about these sorts of key targets or want to target an organization over here. That information, we are going to find on the dark web or in closed Telegram channels and places like that. So, we use Cerberus, which is obviously one of Searchlight’s tools to help us do that. It helps us do it safely. So, from an Op Sec point of view, it makes our lives a little bit easier but the cool thing with how we leverage Cerberus is the historic data set. So, it allows us to look for changes over time about individuals as well. So, through some of the incident response work that we do at NCC, we can see that compromises take place months, if not years, before the actual impact of an incident. And that doesn’t just apply to an organization but that applies to the people as well, you know? So, it might be an individual developer who has had their details exposed on a dark web forum or marketplace. Someone then comes along six months later and buys access to that data and then leverages it to target the organization. So, yes, it’s that, sort of, holistic view. It’s not just looking at the clear web, it’s not just looking at the dark web, it’s that compound collection of these data sources that is what we leverage.
(TC: 00:42:49)
Aidan Murphy: Yes, absolutely. Well, Ben, obviously, our specialism is the dark web, so, from your perspective, if you’re in an organization and maybe you’re concerned about your executives or as Matt said, maybe the finance team or even recruiters, anyone who has, kind of, privileged access, what could they be monitoring the dark web for? What kind of assets should they be looking for?
(TC: 00:43:08)
Ben Jones: The types of assets that we use as an input to our, sort of, attack surface management or digital risk protection tool, Dark IQ, you can be putting in their names. You can even put in things like your social security numbers if you’re in the US or passport numbers. You could put in addresses. You could put in email addresses. So, the company domain and all of the emails associated with the company’s domain and that will alert you to everybody across the company but also, if they have other private email accounts which they want to monitor as part of that as well, they can also add that into there. And then, like I said, we monitor the doxing sites, we monitor the forums. We also monitor markets and so, as well as pay sites and the other things which may be not quite so relevant to the personal protection stuff. But by putting in those elements and searching across all of those different databases, it does give you a better chance of trying to find these things. And as Matt said, the clear net, so, social media and things like that, should be monitored as well. So, we do monitor some of that as part of what we do. So, we have Telegram channels which have been useful in a number of ways. So, there was, unfortunately, a couple of stabbings at schools in Brazil and so, we helped with the aftermath of that but we also helped to prevent further stabbings in other schools because of the data that we had there. And so, there were lives saved off the back of that and that was monitoring some of these Telegram channels and some other dark web channels. And so, you should really be doing both in order to be able to protect yourself from those things. And like I said, those doxing sites, paste bins, things like that. I mean, if somebody just wants to cause you damage, they don’t necessarily want to sell the data, they’ll just put it everywhere.
(TC: 00:44:52)
Aidan Murphy: I guess even the sold data as well, there is still that risk though. So, for example, like you say, if you’re searching forums and marketplaces, you could pick up, for example, on CEO credentials being sold in bulk, you know, as part of your organization’s credentials but it’s that recognition, as we’ve been talking about, that, you know, maybe someone lower down in a company, their credentials may be valued less, there’s less harm they could do with it but if the CEO’s credentials are out there or if finance credentials are out there or an admin account, this could be more damaging and you should maybe-, exactly like you say, Ben, you have to be aware of it and then you’re going to have to take some action against it.
(TC: 00:45:29)
Ben Jones: Yes, I mean, you should be monitoring everyone’s, really, but a sysadmin is something that can cause an awful lot of pain for an organization if somebody gets their accounts breached. Well, they should know better than having simple passwords and not having things like 2FA and stuff in place but we’re all human, we all-, it’s always a compromise between security and convenience and if you’re having to log into a lot of services a lot of the time, then sometimes, you may share passwords across servers and people make mistakes and put these things out on open buckets, open git repositories and things like that. This is why it’s always good to have a backstop. I don’t think you should ever just rely on one source or just think that your Op Sec is good enough, that you never have to worry about these things. Reality is, people can either get you through somebody else’s data, as Matt was saying. Like, it could be a relative or another colleague or somebody who inadvertently put some of that data out there, which has led them towards you. It could be that you’ve used the machine one time, which has an infostealer on it and now, suddenly, your stuff’s out there. There’s all sorts of things that can cause it. So, having this backstop and having somebody watching your back for you is worthwhile.
(TC: 00:46:35)
Aidan Murphy: Matt, you’re the guest on the podcast, so, I want to give you the last word. Is there any one thing, I guess, you would like people to take away from this? Is it what you were saying before in terms of even if you think this doesn’t apply to you, maybe think critically about what somebody could do with your information and what information is out there? But I’ll let you choose your one thing. What would you want people to take away?
(TC: 00:46:57)
Matt Hull: Yes, so, in very simple terms, I wouldn’t walk down the road with a piece of paper that says, ‘Here’s my home address. Here’s where my children go to school. Here’s where I work’, and all of that sort of detail. So, I would advise and urge people to apply the same logic online where possible. Now, I know there are social media sites where you want to do those things. So, like, LinkedIn, you of course want to tell people about your jobs and your experiences but I’m not going to share the project name of the secret thing that I’ve been doing in work, you know what I mean? So, it’s just making yourself aware that this information is out there, it is public, it’s not going anywhere but it could be leveraged against you at some point. And even if you don’t think it’s going to be leveraged against you, it might be to target someone else because you’re part of that chain. So, go away and google yourself and see what you can find out. You know, just give it half an hour or if you’re really bored, Friday night, go and do some googling and see what you can find out about yourself and try and lock some of it down.
(TC: 00:48:00)
Aidan Murphy: Brilliant. That’s a great note to draw a line under this episode of The Dark Dive. I’d like to thank Matt and Ben for joining me and a reminder that you can find out more about the NCC Group at NCCGroup.com and Searchlight Cyber at SLCyber.io. We have an exciting lineup of episodes to come on The Dark Dive, so, make sure you don’t miss anything by following us for free on Apple Podcasts, Spotify, YouTube or wherever you listen to podcasts. And if you have a question for us, a guest or a topic you’d like us to cover, please get in touch with us through the contact details in the show notes. Until next time, stay safe.