 Welcome back to Think Tech. I'm Jay Fidel. It's a noon hour. We're doing Think Tech Tech Talks with an old friend of ours, Tila Suresse. He runs Cylandia. Hi, Tila. Thanks for joining us. Hey, thanks for having me, Jay. Hope you're staying safe. Well, you know, safe is a big word these days. We cannot be complacent, not about our health, not about anything. And one of the things, I get your news letters and I see your videos and I know that it's dangerous time. There are people out there that are nefarious who would take advantage and look for opportunities. You know, necessity is a mother of invention, I suppose. They had too much time in their hands, maybe. And so they're hacking and doing all kinds of bad things. And we have to protect ourselves because otherwise we will be victims not only of the risk of the virus, but of the people who are hacking and fishing and doing what have you. There's been a dramatic increase in the number of people who are doing that and what they're doing and the onslaught continues. Am I right? Yes. And the reason I think it's very timely and it's good that we're doing the show today is because over the past couple of weeks, Hawaii in particular has been under fire. There is a huge increase in business email compromise. We have to deal with it almost daily now. And what that specifically means is that there's a very sophisticated fishing attacks that are coming in and looking like they're coming from someone that you know, right? So it looks like a trusted resource. Folks are clicking on the links and they are essentially their Office 365 accounts are becoming compromised. So we actually have a video series that we're editing today and it's going to be released in the next two days. And that's going to have a step by step process for IT departments on how to remediate this issue because they're becoming overwhelmed. And there's a lot of ways to prevent this kind of stuff from happening, but right now we're just trying to stop the bleed and kick these hackers out of these customers accounts. And it's only happened in the past couple of weeks and it is targeting all industries of Hawaii businesses, regardless of what they're in. So we're seeing it in construction, retail, wholesale, legal, you name it, it's all across the board. And it's and it seems to be targeting Hawaii specifically. We reached out to the FBI for guidance. They're still trying to figure out what to tell us. You know, it's a big problem that they're dealing with all across the board all across the country. But you know, that doesn't help us from day to day, you know, all those phishing coming in. Yeah, where's it coming from? Is it coming from, I mean, do you think it's coming from Hawaii? Or could it be coming from far off land? The phishing comes from far off land. They always do, right? We have no way, we have no way to stop them. But there is a website called Notion.so. They're a service that does like, kind of like a, like an all in one kind of G Suite kind of thing where you can, everyone can collaborate. They got compromised. And so they've been sending out these, these emails. And the emails look like they're from someone that you know. So they have the email signature at the bottom. And they'll say something like, attached as a link to our OneDrive document for that, you know, for those items that we discussed. If you have any questions, don't share the link, just click on the link and download it. And what that does is it allows a malicious payload to show up onto that computer. When that happens, they can sit there and they can either ransom the computer or, you know, just do a straight up data exfiltration. So we'll steal all the files, sell them on the dark web. But what we've been seeing them do is they jump inside the Office 365 account, and then they repeat the process. So they start sending out thousands of emails, then it will also modify. Using the addresses in Office 365. For any previous correspondence. And that's going to give them a better chance of penetration as an attack vector, than just some random phishing email where you can easily identify that it's coming from someone that you don't know. This is someone that you don't know. Let me put my paranoid cap on for a moment. I think we all have to do that. So one of our hosts gets an email. And the from line says from J-FiDale. That's nice. Accepted that, you know, had no context. We hadn't spoken. There was nothing in there that reflected, you know, some, some actual event or conversation. Just flat effect email with a link. Okay. And he looked, he's a smart guy. He's a scientist. He looked, he looks at underneath the J-FiDale. You know, you can click and see, I do that more and more, right? You right click an address and you see who the sender is or the sending address right or wrong. Okay. And it's got, it's got a string of alphabet soup and then the extension FR for France. He says, I didn't, I didn't know that J had a French address. He moved up in the world. Moved up in the world. So he's, so he didn't click on anything. He sends it to me and he says, I didn't know you had a French address. Is he doing me a favor? What is, what is all this going on? I didn't click on it either, but I suspect, you know, that because I have grit on this sort of thing in the past. So if I clicked on it, it might have been quite silent. It might have not done anything. I said, gee, that was easy. That was not threatening. And yet that might have gone into my system to be propagated to my mailing list to other people around the world. I mean, what could happen from this kind of email that I'm telling you about, what's the paranoid look at it? So business email compromise is something that's, I mean, it's been the number one method of compromise for the past three years, I believe. So according to the FBI's IC3 report. So this is nothing new. But what they're doing is they're preying on people's fears, right? So you sent, you got probably would be considered a typical non pandemic type of email compromise request, right? You know, I'll come quick on this link and it comes from a French email address. That's fine. Now the human firewall is something that can be improved through employee education. Right. So if you have an ongoing employee education, they know how to identify, like you mentioned, you have that smart host knows how to identify a fraudulent email. That's fine. Now what we're starting to see, and you'll see this in the video I sent, I put up a couple weeks ago, and it's specifically about how they're using COVID, right? So the email will come from John Hopkins and they'll say, click on the attached Excel file, right? And that attached Excel file will show you the COVID cases over the past across the US over the past month. And if you're interested in that, right, you open that up and that comes some sort of janky Excel file, but it's specifically asked to enable a macro to be run. If that Excel macro script is run, then that infects your system and they move on from there. And you have to remember that, you know, back in the day, when I say back in the day, this is like six months ago, right? Before the world went on it, they would send out these emails and they just it ran somewhere in your computer and you'd restore it from a backup and off you go. No longer the case. Now they're doing data axe filtration. So they're interested in what files you have in your system, right? You have your files in Dropbox, OneDrive, whatever, they can still get inside your system and take those files out and put them out into the dark web. And if you have files that, you know, have employee information on there, employee payroll data, customer data that's confidential, personal healthcare data, I mean literally we can't keep up with the number of stories that are coming out that are so mean, right? You know, they're targeting healthcare workers, they're targeting law enforcement. And this stuff just doesn't even make the news. There's so much of it. There's just so much of it going on, police departments. So we just look it up. We go on, I say we're Krebs online, or just go on Google. I mean, this stuff is on CNN, but it gets kind of pushed to the bottom with all the other stories that are going on. So there's not much really we can do to kind of, you know, we don't want to be ringing the alarm bell because it's already ringing. There's no point. So what we're trying to do is talk about how you can actually protect yourself on a day-to-day basis from these kind of things, from ruining your business. You know, one thing you mentioned that is really a little scary is that, so this is a, it's a, this example you gave, it's a spreadsheet. And spreadsheets have scripts in them. You can write all kinds of scripts. You can use the native code for the spreadsheet to write the script. And a script can do anything, go anywhere. There's all these functions and effects that you can make that script do. So that script could actually be hacking script. And you don't even realize, am I right? You open the spreadsheet and now the script is running. This is a 12-year-old, a nine-year-old could do this, you know, out of Eastern Europe and there you go. All you're doing is opening a spreadsheet. Am I right? Well, they do have some smart nine-year-olds in Eastern Europe. I'll tell you that. So what they're starting to discover now, particularly with the, with the event that's occurring in Australia right now, I don't know if you know that, I mean, the whole country's under attack. It's under cyber attack. But that is, you know, those are funded attacks. So those are coming from third party nations. There's this kind of idea that cyber crime is perpetuated by, you know, really young, you know, teenagers working alone, siloed in their basement. And that's really not the case. And these are well-funded organized crime. These are smart people. And when you start thinking of them as, as not smart, that's where you're really getting into trouble. Because these guys are, are very smart, highly organized, well funded. Why do they do it? I mean, the funders, are they, are they getting, they're not, you know, from the ordinary Joe, they're not getting strategic information about, you know, government activities. They do it from money. They, I mean, short, I mean, beyond ransomware, which we can all understand, what else is there by which they can extort money from you? Well, you have to look at what the data is worth, and what the disruption could also be worth. So now they've been targeting critical infrastructure for about a year now. And what that means is power companies, why water, utilities, those kind of things. And if they disrupt that, then that could be, you know, it's, it's essentially, it's a lot easier to attack a country by attacking a critical infrastructure rather than, you know, try to send planes overhead. It doesn't make and put lives at risk, right? So there is some, I mean, let's be fair, we do this too. But in the state, you know, but we're also a target. So when I say we, I mean the United States, every country does. Well, I think what, you know, what you said a minute ago is a little chilling. It's that in the past, we have envisioned, you know, the nine-year-old or the 12-year-old, but we, we have also envisioned the state actor, like North Korea and Sony a few years ago. And the state has a building somewhere in the capital city. And, you know, say Moscow, say some other city in Russia. What's that city on the eastern edge of Russia? What is Ukraine? Is it Stonia? I mean, there's... Yeah. So anyway, what you have is you have, the government is, has got a building, a facility. The government has got a whole staff of people in there and they're doing like, you know, bad things. But when you, when you add this other dimension, the other dimension of third-party actors, contractors, if you will, who are not that, who are not part of that government, who are hired by that government and who knows the, you know, the amount of connection, then it gets more complicated because it's harder to track back and find that that government is directly responsible. It's only indirectly responsible. And there can be many of those people and they can appear to be very fragmented coming from various places in the world when in fact, there's one rogue government doing it and it's doing it for national purposes with a national agenda of some kind. This is troubling. You know, it's kind of funny. Do you know the story of when 2020 went into Nigeria to arrest those Nigerian hackers? Have you heard of that? So I'll tell you a quick story real quick. So 2020 didn't happen. So they finally tracked down all those Nigerian scheme, you know, for the past 10 years, we've been getting all the schemes from Nigerian scammers, you know, everything from from the tar-covered money to the inherent scams, all these, you know, really kind of silly scams. 2020 went in there and they found them. They said, okay, we're going to go there with the police, with local police. We're going to go arrest and stop these guys. And as they showed up to the village in Africa, Nigeria, where they were going to arrest these guys, the local people were all throwing stones at their cars and blocking where these guys were operating out of. And if that doesn't tell you something, this is a little bit about a human psyche here too. So maybe there's some manipulation going on. I'm not really sure. It was a job. It was a job that people in that facility were being paid. It was a nice job. And so they don't want to lose their jobs. Yeah. And it's supporting the community and it's doing other things down the flip side. They've shut down call centers in the past few months coming out of India. And those were legitimately, you know, sweatshops and they really did work them very hard. And there's a lot of mind games going on there. So it's all across the board. I would not say that the U.S. is unique in terms of its ability to go out and disrupt the world. But we living in the U.S. also don't want to have that same thing that us. But it gets out of control, though, because you have this whole tier of these companies. And there was a, you know, there was a company that was involved in the 2016 election in London. And this, they made a movie about it. It's a famous company. And when the British authorities got close to it, the Americans got close to it for their manipulation of voting and social media. They disappeared. They disappeared one day. All gone. And you went to the premises there that a whistleblower who made a movie about this, went to the premises and there wasn't a stick in there, nothing. And you know, and they took the computers, they took everything with them. And you know that they could open up again with a very sophisticated, well-healed, you know, high-tech operation anywhere in London, on the continent, in Africa, anywhere in Europe, Russia, what have you. So there's this tier of contractors out there that are working for states or working for, you know, rogue organizations of one kind or another who are, I don't say, it's not fly by night, but they evaporate and then they reform somewhere else. So this is pretty serious here. And if they want to target you or your organization, they can do it. They can and they do, but really a lot of this stuff is automated. So this particular script I was telling you about where you go back and you open up an email and in fact, your Office 365 account, I mean, that's an automated process. But at the end of it, they may have harvested some data that has some value on the dark web. So when you go and have your credit card info stolen and that gets put on the dark web, that goes for a couple dollars, two to three dollars. But that's because it's very cheap and easy for you to change your credit card number. And then it stops working or just imagine trying to change your blood type or a medical history or, you know, your business, the doctor for a chronic illness. These kind of things are difficult to change. So medical records go from $35 to $40 a difference. Kind of as a threat on you, that your private information would be revealed and you want to pay the extortion fee. Is that what it is? Exactly. And when we have to deal with the FBI out here and Homeland Security, that has to do with something that's more serious that affects critical infrastructure. So they could have, for example, a backdoor into a critical infrastructure network. Homeland Security could be monitoring that and they'll notify the local district office of the FBI that there is a real issue and they'll show up in person to let that organization know that yes, this is a credible threat and here's evidence indicating it. So they could be selling access to critical infrastructure. They could be selling the data that's there. They could be selling access to a specific individual within that organization. You know, like for instance, if someone got ahold of Jay's password and was able to access his email account from Estonia, they could sell that access to someone who might be interested and doing reputation damage, for example. Or just, you know, maybe using your position of influence to try to further their cause. You know, what if Jay was found to be a North Korea supporter? You never know. These things could happen. So this is happening more now in COVID. It strikes me that, you know, COVID, as they always say, everybody always says this, COVID presents opportunities. And the opportunities don't stop at making your business more efficient. They go all over the line, including to the hackers. Well, if the economists are correct, they're saying that we're in a direction from which we cannot change. So the economy is going to be different coming out of this than it was going in. A lot of that has to do with investments and automation. So everything from, you know, a script that ends up in your inbox that could propagate this infection automatically to a bread maker, right? That's something that's a durable good that otherwise would not sell in a down economy now is in higher demand because folks have changed their habits in such a way to accommodate for this pandemic. In the same way, folks are going to be more resistant to becoming close to others. And they're going to look at whether it's worth the risk of going to, you know, a physical location, like say a Walmart to pick up an item or ordering it from Amazon and waiting for it versus before they may not have done that. So in the same way, we're looking at that kind of change happening, you know, more permanently in terms of workforces. We have a lot of interest in remote work as being a more permanent solution as some of the challenges that it provides. To be fair, this remote working situation has only been going on a few months. All studies, all past studies have only indicated that working from remote only works about for about six months. And after that, there's a severe deterioration in productivity. So, I mean, people get, they stop being so efficient. They stop being so motivated and they go to the refrigerator instead. It's more along the lines of the mental capacity to be able to work and live from home in one place. And, you know, if you just want some proof to that, just talk to any single mom, or not single mom, any work from home, any mom that is a stay at home mom, you know, they have to work at taking care of the kids as well as everything else that involves running that household with little nets. So, yeah, that's the thing about that's the thing about not that we're getting too far off here, but that's the thing about working at home in an office, you have structure, you have somebody watching you and human nature, you know, tries to avoid being structured sometimes. And so you go home and then you wind up being less structured, you wind up being complacent about things and you're not so efficient after a while. And I think we're going to find out just a thought here. I think we're going to find out in the COVID experience, ways to motivate people from home, ways to achieve metrics on people, they're working their hours that they put in their product, their achievements at home, rather than just let them go home and do kind of an emulation of what they were doing in the office, but not as not as motivated. We'll see what happens. But I think I think the description, you know, the phenomenon that you described is absolutely right. Can we go to your last newsletter? This is a newsletter that I noticed where you had like eight or nine things that the average consumer, the average user at home, probably, these days would want to watch out for because these are all dangerous things. Can you take through some of them? Well, the idea is that in this last series, we're trying to help out the local community who has been unemployed, right? And there have been a series of unemployment scams that have been really targeting those who have, you know, perhaps not the greatest computer know-how and may fall for some scams that they wouldn't normally fall for, either because they're desperate or because they're really trying to get, you know, they're trying to get through that cluster that's all gummed up inside of the system. So we're seeing everything from unemployment scheme websites popping up that are promising, your ability to get that unemployment check and they'll take care of it for you for a fee. So don't fall for that. And we're seeing text messages. That could be legitimate. No, it could be legitimate. No, only you can file for unemployment gather, get that money. Okay. So if you see a third party stepping in and trying to be a middleman on getting any government benefit to help broker it somehow, that's a sign of fraud right there. Sign of fraud, text messaging, phone calling, they're not going to get in touch with you that way. Of course, you know, there's this temptation to try to take some shortcuts and start Googling. Don't do it. You got to go to your state's website. Now, in those videos, I also posted links. It will probably repose them as well to each of the state's websites that have, you know, they go through step by step on how to file for unemployment. You don't want to cut corners and try to do a third party that's not the way to do it. Let's see. I don't have the list in front of me. So maybe Jay, if you can help me out if you have, I see you clicking. Well, I think my recollection of the list, you know, I can probably find it here, but my recollection of the list is you're going to watch out for the email. You're going to watch out for the websites. You're not going to take third party things that you don't that you never heard of before. You're not going to take unofficial websites. And you're certainly going to be very watchful of unsolicited email that puts you, puts the sender in a brokerage position between you and something you need. You need to go direct. And if you don't go direct, you're going to find that there's a scammer out there who's going to get you into his web. Most of them had a lot to do with that. Because in fishing, and I guess we're talking largely about fishing, in fishing, you're the sucker. I mean, you should know better. They're trading on your fear, your psychology, your need to get something done to try to get through the bureaucracy somehow. And they're fooling you. But if you think about it, you can pretty much, my right to say this, you can pretty much always figure it out because it's no more than fooling you. It's you, it's your weakness, your weakness in the marketplace, your weakness on the web. But you can stop them if you put your brain on it. You can, but you have to remember that most of these folks, all of us in fact, are emotionally compromised by this. I mean, there's a lot that goes into suddenly have to change everything overnight. And so there's certain things that they're doing to take advantage of that. So they're doing it, but they're doing it a little bit differently. So for instance, they're asking for personal information over email or text message. And so this is good practice in general, right? So we worked with HR managers and other IT departments, and we'll see their email messages coming in from job applicants and fellow employees that have social security numbers being sent over Gmail, right? That's a big no, no, just in general. But you gotta remember these criminals, they know that people do this anyway, right? Remember, I told you they're not, they're smart guys. So they know that folks are comfortable sending out their personal identifiable information over on security email. So they're taking advantage of that. They're asking for that kind of information, right? Folks are used to buying gift cards and wiring money, right? So don't do that. And sometimes they'll even do that for a fee, right? To add insult to injury. Yeah, exactly. And they're going out, they're setting up a lot of fake websites. So just about three months ago, GoDaddy shut down something like 280,000 phishing websites that were sitting on their servers. That's just, you know, just a small amount compared to what's out there. So a lot of these websites that are asking for this information, they're compromised or WordPress sites that weren't built correctly, or they're not maintained correctly, and they end up becoming compromised. And then those kind of, you know, you'll Google it, it'll show up on the listing, and then they'll automatically install some sort of malicious software onto that system. So those are called drive buy downloads. I'm sure you've come across them even on mobile phones. We'll see them. Click on a link and I'll say like, you know, your phone's been compromised, click here to clean it out. And they're starting to have that, you know, more frequently on, not just on websites, but on advertising networks as well. So both Yahoo and CNN, they had their advertiser networks compromised. And what that means is you would go to CNN.com, which is a reputable site. But because there's some ads on the side there, and then that network that delivers those ads was compromised. Now, all of a sudden, you know, millions of computers are getting compromised because of this. So then one good rule to follow is don't click on an ad, period. And no matter how seductive it is, don't click on an ad. I mean, I think a lot of people, you know, are more cautious these days about anything that comes to you, so that asking you to buy something. And then you go back to that site, and you never saw the site in the world. It's very persuasive, but you never heard of it before. As soon as you buy it, you're giving them your credit card information. Mistake. And what happens at the end of the day, Attila, this is so interesting, is that you only for safety want to deal with the big guys. So how about Amazon? Amazon is a big guy. If you go to Amazon and you're on Amazon, the official site, you have a level of confidence. If you're on XYZ site that you never saw before, you know, like me, I'm not going to deal with that. And if Amazon costs more, that's okay. I want the reliability, you know, of Amazon. And this makes Amazon bigger and bigger and bigger. It makes it hard for anybody else to compete with Amazon because they're unknown in the marketplace and you're scared, I mean, I am, of dealing with anyone else. Isn't this what's happening? It's sort of a natural process of the bigger get bigger. It really depends on what you're doing. So Amazon also has the ability as a, I'm just a little bit kind of off topic, but they do have the ability to offer you a store for your goods. If you have goods, now if you have services, that's a little bit different story. So a lot of like third-party sellers will try to set up their own shops, maybe using GoDaddy's e-commerce solution to do things like handprints for your kids, right, using Plaster of Paris or something like that. So those kind of service-based organizations, they can try to compete directly by having their own specific website, right? But I guess kind of circling back to it by a reputation, right, so non-deliverable of goods that you paid for, that's number two and three on the FBI's most reported scam. So business email compromise is number one, but then right after that, you get all these, you know, non-deliverables. But you know, back to the scams, you know, I really want to make sure to talk about this one because this is big, job seeker scams, right? So let's say you're out of work, you're collecting unemployment, which is good, you know, we, I've received stories of folks that are having trouble bringing their employees back because at $600 a week is just so tempting so that you can sit there at home and watch that Netflix and that's fine, but you know, we're also doing job seeker scams and job seeker scams are nothing new. They've been around a long time, get a phone call, hey, we have a job that may match your description, we just need some more information from you and they'll draw it out, right? They'll draw it right out of you and what happens? You end up getting your, your identity stolen because of that whole thing. In fact, sometimes they'll even ask for a credit card and then they'll take your credit card number and then they'll perpetuate a scam right away. So they'll go out and they'll start buying a bunch of goods online with your credit card number and that's a real simple one, but these guys are getting bold and they, and part of that I think is maybe a little bit desperation and part of that is I think just a human nature to take advantage of, of a, of a situation, but we have folks that are, we've seen reports of them, you know, setting up COVID-19 testing centers and longs parking lots across the country or CVS, right? So they've set up these, these testing centers, right? It's obviously a fake because it's an actual, it's an actual tent or something in the parking lot. Yeah, in the parking lot. Nobody realizes it's phony. It's all phony. They just take some Q-tips to rub it up your nose and then $50 please. More and more. And people might get it and you know, you know, I don't know what's going to happen. You don't know what's going to happen, but I think we can both say with some degree of confidence that a vaccine is some time off and the virus is still out there. So we don't know how much more desperate people are going to get. We don't know what's going to come next. And that kind of feeling of uncertainty is why these folks and these scammers are getting right on it. They're just taking advantage of what they can't win. That's likely to increase and get more sophisticated. So you have to get more careful and as time goes on, the, you know, you can't, you want, you find out that you're not, you can't trust a whole lot of things. You could have reasonable trust in before. That's one of the casualties, if you will. It's this kind of marketplace trust that we used to have at least for some parts of the market. Well, well, I tell you, there's miles to go before we cover this. But the one thing you said that I think we can, we can count on is it's going to last for a while and the scamming end is going to get worse. So we have to have this discussion again when you can take off points of concern. And tell us the rest. Cylandia? Cylandia? Cylanda, cybersecurity. Yeah. Okay. Cyland. Cylanda. Cyland. It sounds kind of made up, doesn't it? I'm like a unicorn. What's the website? Cylandia.com. C-Y-L-A-N-D-A.com. Yeah. Feel free to check it out. Okay. Well, we're trying to get some of your videos on our system. That'd be great. So thank you. Thank you, Cyland. Great to talk to you. Talk to you again soon. Aloha. Be well. Stay safe out there. Stay safe.