April 5, 2024

Episode 19: Phishing is the APT You’re Probably Doing Nothing About

With Erick back in the saddle after a two-episode absence, he and Rich discuss the importance of N-able’s recent decision to build a cutting-edge ecosystem of cross-app integration partners. Then Erick walks you through how to use cyber insurance requirements as a tool for getting tight-fisted clients to say yes to an enhanced cybersecurity stack.

That’s followed by an interview with the fascinating Jesse and Reese Tuttle, of AP2T and Compliology, to discuss deepfakes and other next-gen phishing risks, why many security awareness training solutions fail to address them, and what MSPs should do to better protect their customers. And finally, one last thing: a contest that inspired a crowd of Parisian waiters to move fast for a change.

Discussed in this episode:

N-able Joins Team Ecosystem

Hurry up and wait: Servers speed-walk through Paris, reviving a century-old race




Rich: [00:00:00] And three, two, one, blast off, ladies and gentlemen. Welcome to another episode of the MSP Chat Podcast, your weekly visit with two talking heads, talking with you about the services, strategies, and success tips you need to make it big in managed services. My name is Rich Freeman. I am chief content officer at Channel Mastered, which is the organization responsible for this podcast.

I’m joined this week as I am every week, or normally almost every week.

Erick: I’m back. I’m back and ready to go, Rich.

Rich: Fantastic. Fantastic. We’ve missed you, sir. For those who don’t know Erick, he is our chief strategist at Channel Mastered. My friend, my colleague, my business partner. I missed you, buddy, but it’s good to have you back.

Erick: Yeah, I’m glad to be back.

Glad to be easing back in to spinning all the plates. All the plates. Let’s spin some plates

Jesse: now. Let’s get

Rich: spinning. As we are recording this, this is, just for me, it’s just hours after I got home from N-able’s Empower Partner Conference. As folks are listening to this episode, that will have happened last week, but here’s my hot take on that show.

And this is something I’m going to be writing about in my blog, Channelholic, in a post that will go out on Friday, March 29th, actually. And actually this kind of goes back to something that I wrote about in Channelholic late last year. I was musing at one point about the difference between Kaseya’s go-to-market strategy and ConnectWise’s go-to-market strategy.

Kaseya famously wants to sell you everything. And they incentivize you to buy everything from them, partly by offering to or selling it all to you at very discounted rates if you sign up for a three-year contract, but also by integrating those products very closely and in ways that they don’t integrate those products with systems from third parties.

So they do integrate with products from other companies, but not nearly as deeply or as well. Other end of the spectrum is ConnectWise. Their go-to-market strategy is all about building this whole ecosystem of software makers and going out together with an integrated bunch of products.

And they are so committed to being a level playing field with all of those alliance partners that they have this internal policy over there that forbids their own developers at ConnectWise from integrating their products using any API that a third-party developer doesn’t have access to. It has to be no cheating, no home field advantage.

Basically, N-able traditionally has leaned in the direction of the Kaseya approach. They really haven’t taken integrations with outsiders all that seriously. They have and have for years had all sorts of PSA integrations. Everybody has to have that kind of integration basically, but that’s really been about it.

The big news from this year’s N-able show is the launch of what N-able is calling their Ecoverse vision. So they’re going in hard on ecosystem, Erick. And basically what they’d done is begin rolling out a series of APIs. Now everybody out there has got APIs. These APIs, according to N-able, and this is hard for me to verify or falsify, but they’re saying

these are absolutely state-of-the-art APIs that go deeper and integrate much, much more closely with other companies than APIs from Kaseya, ConnectWise or anyone else can handle right now. And the idea is, and N-able has a whole portfolio of products. And they would very much like for you to use all of those products.

But the typical MSP is using a stack of solutions these days. There might be 15, 16, 17 different products that they’re relying on. N-able is never going to play in all of those different categories. And even if they did, you might have vendors you prefer in some of those categories. And so they know that in order

to remain relevant to MSPs out there, they need to be able to tie in to all of those different systems and do it in a very deep kind of way so that these products are all working as one big product for you. And that is, they’re calling it their Ecoverse Vision. They’re the first to admit it’s a vision right now.

There are two launch partners out of the gate: Halo PSA and Roost, which does RPA. Those folks are using the new APIs right now to coordinate [00:05:00] automations and activities with the N-able product set already. You’re going to see more and more vendors taking advantage of these APIs as well, N-able says.

And the idea is that at some point down the road, your N-able RMMs are going to be trading information, uploading scripts, downloading actions from other products as if these other products basically were N-able products. So a whole new level of coordination and a whole new ConnectWise-style commitment to ecosystem, Erick, from

Erick: N-able.

Oh, Rich. This is a big step forward for N-able. This is big news. This is, this will have MSPs taking a strong look at N-able if they’re not already N-able partners. What I gleaned from the reporting so far was, were a couple of really interesting tidbits. And one of them was that, when we, you mentioned, there’s no real way for us to verify or falsify or whatever

what’s being said about the way that they are exposing these APIs at a very deep level into N-able. But one comment from Halo PSA, or Roost, or both of them, which struck me was, in traditional integrations with these platforms, what we typically see is a, a push update

type of a scenario so that if some activity happens in one platform they’re, because of the cost of data transmission and the cost of burden on the platforms themselves, these pushes of updates can be scheduled within some within minutes with some, during off hours with those and things like that.

And what I gleaned from the reporting was that this is like real-time updates. If something happens in one of these integrated platform partners with N-able, it’s going to update the N-able platform immediately and vice versa, which I thought was, wow. That is something that I’ve not seen before.

It may be out there and may exist, but I’ve not seen it from the typical platforms that the MSPs are using. So I, that really caught my eye. What are your thoughts on that?

Rich: No, that’s exactly right. Actually that there, there is real-time synchronization across products, produced by these APIs.

And again, Halo and Roost and N-able, they’re all, they’re the three companies that are taking advantage of this right now. You could have something in, in the Halo PSA, go out to Roost, Roost can upload an entire automation, entire script basically, into the N-able RMM and immediately

activate that automation, and when the automation is done, it reports back to the RMM, it reports back to the PSA, and all of this is happening automatically, but in real time as well. And yeah, we’re not talking about interval-based or push-based coordination across products like you normally do with these APIs.

Erick: Yeah, Rich, that is and then that’s, that really gives you the sense of a tightly integrated ecosystem as you were talking about it. And it is a very unique and different approach than what we’ve seen so far from, the other big players in the space that are trying to, aggregate, integrate, acquire and integrate these different platforms.

So it does give more of that feel of close collaboration, close partnership between these organizations, which all benefits the MSP at the end of the day.

Rich: Now, the last word on this, before we move on, I’ll just point out, I did spend a little time in the expo hall at the N-able event.

I was talking to some of the sponsors there because I was curious to see their thoughts about these APIs. And quite honestly, most of them hadn’t heard much about it. Hadn’t really thought much about it yet. N-able knows they’ve got a lot of work ahead of them right now to educate the vendor community about this new technology that they’re introducing and get people on board.

But it’s going to be interesting to watch that evolve over the course of, I’m sure it’s going to be the next, year, 18 months, two years, Erick, before they’ve really tied a lot of products in, but it will be something to watch. So with that, let’s move on to your tip of the week, Erick.

Now it’s interesting. There was a lot of talk about cybersecurity at the N-able event. They didn’t announce very much in that realm. But you’ve got some thoughts about cybersecurity this

Erick: week. I do, Rich, and again, a lot of my tips come from, actual real world scenarios that I’m helping MSPs work through.

And, a lot of the conversations that I have with my MSP clients are [00:10:00] around adjusting their services and solutions to, to meet the needs of today’s modern business owners, right? So we’re past the pandemic. We are now fully in the cloud movement. We are fully into cybersecurity moving forward.

We’re fully into, hybrid support. Maybe it’s not full remote support as it was during the pandemic, but we’re seeing these new challenges crop up and new threats. AI, while it delivers the great promise, it also opens up a lot of vulnerabilities. Even VPNs now are being attacked.

So what we thought was a secure way to, access company data now is also a point of vulnerability because, these cybercriminals are just getting so much better at what they’re doing. And so in having these conversations with these MSPs, Rich, they’re trying to solve for how do I get my clients, notwithstanding I want to sell them all my other stuff too, but how do I get them just to say yes to enhanced or strengthened cybersecurity so that I can at least get them to where I feel we can manage it and we can sleep good at night or better at night knowing that they have subscribed to these services because, Rich, it’s not a matter of if, it’s a matter of when there is going to be somebody clicking on some phishing email or some, data gets caught up in some kind of a breach, passwords are being, bandied about and given away now on dark websites.

So this is a real scenario where the MSPs feel like, boy, my clients got me, got me hamstringed here. They won’t allow me to deploy the services that I know that they need. And I’m just waiting for the shoe to drop when we have to come in and remediate and then figure out how the client’s going to pay for it.

Because we are not aligning these services to demonstrate compliance against the client’s cyber liability insurance policy. And as, Rich, we’ve talked about this a lot on the program, cyber liability, these carriers are looking for ways to deny claims and even cancel policies because I think they got in a little bit too far, too fast.

And now we’re doing a reset here. So my tip of the week is all about how to get your clients to say yes to enhanced cybersecurity, not because you beg and plead them to.

Jesse: And because

Erick: you’re trying, because you want them to trust you and do it, but because of the fact that their cyber liability insurance policy requires them to demonstrate compliance

in these six, seven or eight categories, which include things like backup and disaster recovery, that include things like end user security awareness training, include things like multi-factor authentication and all the other things that we want small business owners to incorporate into their cybersecurity awareness and make sure that they are bought in and focused on this, just like MSPs and MSSPs

and solution providers want them to be. So the conversation simply goes like this, Rich. Hey, can we sit down and take a look at your cyber liability insurance policy, Mr. Mrs. Client,

Jesse: that’s it. It’s once you

Erick: look at the cyber liability insurance policy, you can say to them, you know that this is like car insurance, right?

If you don’t maintain your vehicle or if it’s out of compliance or if you don’t, renew your tax, whatever, and you get in an accident, whether it’s your fault or not, you’re going to have to fight with your insurance carrier about them paying your claims. Who hasn’t had that pleasure in life, Rich, right?

So now it becomes even more scary because it’s a business and there are customers involved and there are employees involved and lots of lives that can be impacted. Because that client is simply not connecting the dots to say, Oh, wow, I have to do these things. So in

Jesse: case something happens, I

Erick: shouldn’t have a lot of struggle getting the carrier to approve my claims and help me through this difficult time.

That’s the approach, Rich. We’re helping them understand that, hey, you’re paying for this policy. It isn’t cheap, but how would you feel if you’re paying for this policy? It’s not cheap. You have an incident. And the bill comes to tens of thousands of dollars and the insurance company will not pay for it.

That’s the no win scenario. The Kobayashi Maru for our Star Trek fans out there. And

Rich: the bill is gonna be more than tens of thousands of dollars. You look at the average damages in an incident, it’s way north of that. I’ve had this conversation with a number of MSPs in the last year, year and a half or so.

I think there’s universal agreement among MSPs that cyber insurance is a pain [00:15:00] in the you-know-what, let’s say, Erick. The questionnaires and the whole thing, nobody enjoys it. But the really smart ones understand that it is both a burden and an opportunity for exactly the reason that you just explained. So if you’re dealing with a client that doesn’t yet have insurance but understands that they need it, then the application process is going to make clear to them, you’ve got to be doing these eight things or you’re not going to get insurance.

And that becomes an opportunity to get them to do things that you’ve been wanting them to do for a while. And they’ve perhaps been resisting. There is also the opportunity, I was just at a Parker panel at this N-able event yesterday. And these were some pretty big, sophisticated MSPs we’re talking about.

But a lot of, all of them basically had experience with clients. They would come into a new client, the client would tell them, yeah, we’ve already got cyber insurance. They would ask the client, who helped you fill out the form? And the answer would sometimes be, Oh, our agent did that.

You don’t know what the agent said. If any of it was accurate, and if there were any inaccuracies, you’re not going to get paid when a claim is filed. And so there too, there’s not an opportunity to look at what they’re doing, compare that to what they should be doing, and close those gaps. And the client should thank you for that as well as pay you for it.

Erick: You’re not going to get any disagreement from me on that, Rich. So it’s a thing that we have to educate these clients about in order to get them to do the right thing. And what I like best about this approach, which is, Hey, it’s not us telling them that they have to do it. It’s their carrier who they’re paying lots of money to, and probably have a lot of other insurance, business insurance, and, E and O and all that stuff wrapped into this thing.

It is more, much more compelling when you say you’re not doing these things. We can help. Here’s our enhanced security package. Sign here. Let’s get it going. So we don’t, lose a lick of sleep over this.

Rich: All right. Great stuff. So folks, we are going to take a break here.

When we come back on the other side though, we’re going to have an interview with Jesse and Reese Tuttle of Summit Solutions. I won’t spoil it. I’ll just let you know we’re going to be talking about phishing risk. This is a cybersecurity company. Jesse Tuttle is actually a very well-known white hat hacker.

He is the chief hacking officer at Summit Solutions. Reese is his daughter. And as you will find out, she is frighteningly accomplished for someone of a very young age. So you are really going to enjoy this conversation for a number of different reasons, folks. Stick around. We’re going to be back with Jesse and Reese Tuttle in just a few moments.

And welcome back to part two of this episode of the MSP Chat Podcast, our spotlight interview segment, and Erick, I’ve been looking forward to this for weeks. Because we have two both extremely experienced, informed, insightful guests who also happen to be fascinating guests. And so this should be a really great conversation.

We’re going to dive into them to talk a little bit about phishing and security challenges around phishing MSPs might not fully appreciate. But first we’re going to spend a little time getting to know our guests. They are Jesse and Reese Tuttle, a father and daughter. They work together actually on two different security-related businesses, one of which is called Compliology and the other is called AP2T.

Which is the phishing business, that I’m sure will come up now and again as we talk here. But first off, Jesse, Reese, welcome to the show. Yeah. Thank you for having

Jesse: us. Thank you for having us very much.

Rich: Like I said, you both have fascinating backstories for somewhat different reasons. I almost wish we could spend the whole interview just talking about that.

We really can’t. So I’ll have to keep it quick, but Jesse, give us the super summarized version of your background.

Jesse: That’s. 1994 got involved into the pirated software scene, got quickly into reverse engineering. By 1996, got into hacking by finding zero day exploits and backdoors in web application software like FTP and web server.

By 2000, in 1999, I started defacing. In 2000 I joined a group called Hackwiser, which was one of the early advanced persistent threat groups. I started two cyber wars, ended up working for law enforcement for a couple of years. And when I first started working with law enforcement, that’s when I found out that I was a world’s most wanted hacker at the time by the FBI, Department of Defense, NASA Office of Inspector General,

Interpol in more than a dozen other countries.

Rich: And your handle, I believe was Hacker Jack.

Jesse: Hacker Jack.

Rich: Now Reese, I told your [00:20:00] father this when he and I were first introduced to one another. Anyone in our audience who thinks they work hard and are good at what they do, they’re going to come away from your story feeling like slackers.

And really not very accomplished. So tell folks a little bit, first of all, how old are you? But then,

Reese: yeah, I just turned 19.

Rich: And Reese, how many college degrees do you have?

Reese: I’m coming up on my sixth. That will be in May.

Rich: And you, I believe your father told me, you’re pursuing a master’s as well, right?

Reese: Yeah, currently I’m pursuing a master’s. I’m going to be going to Harvard in the fall for my master’s in computer science as well, so that’s going to be very exciting.

Rich: You also wrote the software, the platform that AP2T uses,

Reese: correct? Yes, yeah, and I can actually dive a bit into that too. So when I obviously grew up shadowing my dad, he was like my best friend and I got to know a lot of his friends from his past.

And I had a thing for computer science and technology. And so when I was 13, I started college, then through high school, got five different degrees. And because I had so many different degrees, I had a lot of different senior projects that I had the opportunity to build platforms on.

And so one of the senior projects that I did, which was the most recent degree was the AP2T phishing. It was basically V1 of

Rich: it. So, and before we move on, I will quickly note, cause this is something I didn’t know about you until just a few minutes ago off the air. Your father mentioned that the reason you’re limping around the office today is because you were hanging out with some of your friends.

You, you are a, an All-American lacrosse player on top of everything else.

Reese: Yes, sir. Yes,

Jesse: I am. I’m gonna be the snitch here for a minute. So she has her black belt in mixed martial arts. She’s first team all-state girls lacrosse goalie, all-academic, All-American US Lacrosse. And she’s a certified encryption specialist.

Reese: Yeah, I got really bored during COVID.

Erick: So you’ve lived many lifetimes. What’s your secret?

Reese: I’ve always had big distraction problems, but I guess realizing your weaknesses and then trying to figure out how to not eliminate them, but turn them into a lot of your strengths. So like my distraction problems and things like that.

I like hyper fixate, I used to hyper fixate on the wrong things and now I just direct my focus a lot more. Huh. And that’s how I’ve been able to be a whole lot more productive

Erick: with my

Jesse: time. I will say I’ve also seen her because at I, it amazes me watching her, how she functions. But she’s also a violinist and I’ve seen her sit there and practice a piece of music.

And then she has that aha moment. She’ll throw down her violin and throw it,

Reese: but yeah.

Jesse: And then she like goes to her computer and starts, diagramming and coding and building database structures. And it’s just so fun to watch.

Erick: What a dynamic. Amazing. Thank you. So team, you both have been at the very, Jesse, you’ve been at the very forefront, like the very beginnings of kind of this whole cybersecurity thing.

I like to say, look, I was at the tip of the spear at the MSP movement. You were definitely at the tip of the spear, like in the nineties, when a lot of, a lot of our devices and appliances weren’t really even connected to the internet and

Jesse: I got started with dial-up BBS, dial-up bulletin board services, and I was in high school and wanted to learn more about hacking, more about hacking the school’s network.

So I had a friend that ran a dial-up BBS and so he got me really introduced to that. I ended up running my own and while being on dial-up BBSs, I discovered, After Dark screensavers was like a big thing for me. It was my gateway drug because, who did not love After Dark screensavers?

So they started downloading that, putting them on floppy disk for other people. And then, it just kept moving in that direction until by 1995 I was being introduced to software cracking and software reverse engineering. And that was really the cusp because Windows 95 just came out.

The start of the internet dot-com boom was just happening. The internet just moved at the beginning of 1995 from being run by the National Science Foundation to what is, what we have today is defined as the commercial internet. And so it was at that moment in time is when I really got introduced. It’s when IRC chat was being [00:25:00] birthed.

F net, which helped start IRC started in what? Like 1994 down net was a spinoff. And I think 1995, maybe a year off, but I was very fortunate to be right there at the cusp of that transition. And my entire experience of hacking was all the way up through 2003, just months before the birth of Anonymous.

So, the history of hacking and website defacing and the entire concept of advanced persistent threats, I was there at the birth of it. Pre-Anonymous. So you’ve

Erick: seen this evolution of all the way back to, I would dare say what, 2400 baud modems. We’re aging ourselves now, right?

Let’s keep navigating.

Jesse: Yes. Yes, 56k is much better.

Erick: Yeah. So, what are your thoughts on how phishing has evolved and gotten worse over the recent years? And how do you see AI, like making this a much bigger problem? Because I think, you know, we understand that there are things that we can do, there are actions that we can take to secure the perimeter, to secure devices, to monitor, things like that, and alert, but it’s the human resources, it’s, it, that’s humans that are potentially the biggest threat to security.

Wouldn’t you agree? So how do we see AI playing into phishing and how big is this problem going to get in your opinion?

Jesse: The, so I think it’s important if people understand the history of phishing, that’s something, and I’ve actually spent some time, and I don’t see much documented on the internet about it, I was there when phishing was basically birthed.

Now if you understand what, where phishing was birthed out of, it was birthed out of the warez, the warez groups, the software pirating groups on AOL, America Online. I was there. I was the distributor for one of the top three groups. And I was one of the people that helped crack the software for UPS, UPSS, which was one of the three largest, most successful groups in the nineties.

And I remember because I did phishing in the nineties, the whole idea was phishing people’s AOL accounts to help distribute software. And the term, the actually the it was in the AOL software pirating community is where the term phishing was coined. So it’s not the first human attack vector.

That definitely predates, the concept and the term of phishing, but phishing to get people’s accounts. And the term of it was all birthed right there in the mid-nineties. And there’s a big misconception that phishing is just email based. Of course, there’s more technical terms for, the types of phishing, whaling, and spear phishing, and then, a text message of smishing, and, all these things, but it’s more important that people really understand the concepts, where it originated, the goal of it, and how to start spotting and identifying it.

Thankfully, I know this is recorded. What was your question again? How does AI affect

Erick: phishing? How has it evolved now? And how big is the problem? And do you see it getting bigger? And how does AI exacerbate it? And, or maybe even in addressing it,

Reese: I could also help touch on this as well. Cause I was going to get into the phone call situation that we’ve discussed a lot, if you’d like to touch on that.

Erick: Yeah. It’s like social engineering with AI,

Jesse: Some of it. Yeah. Yeah. I, as it’s growing up out of the 90s, people really started looking at how to utilize phishing for profit and we’re coming into the 2000s and that’s where it comes to, because phishing started out as not a for-profit thing.

It was to distribute pirated software. But as it’s become a more of a for-profit thing, people are putting more tools and technologies into it, such as AI. And I think AI is going to, it’s, I don’t see a huge, depends on how you define AI. But in the way I would define AI is a, a full learning platform, not just something that’s automated based on commands.

Because I wrote tools 25 years ago that was, that would have been considered AI then for most people. Reese might be able to speak to some of the concepts there about how AI will impact phishing and I’ll chime in some. Okay.

Reese: Yeah. One of the big things that I’ve been researching a lot recently is there’s been a lot of companies coming out with technology where you can record your voice or take a video of your, like, audio voice, and it will use AI [00:30:00] to learn your dialect, learn how your voice fluctuates.

And you can actually use that. So when you, if you’re like a personal owned business, it can, you can take calls on behalf of yourself, but it’s actually AI and I see that being utilized. But in a more malicious manner, when it comes to getting the, getting calls from people that, getting calls from your parents, getting calls from your boss, getting calls from just people that, because they’re using so much OSINT to train up these AIs that are already being utilized for businesses and small businesses to use.

And I think they’re going to use that technology to learn people’s voices, learn the way people even talk online and things of that sort and use that to make things a lot more real. And that’s what I think, because it’s going to become less of, this seems like what would be a good phishing email, this is something somebody would fall for, it’s, we’re now basically duplicating and mocking something that they’re already familiar with, so it’s almost guaranteed that they’re going to fall for it, and I think that’s going to be huge now.

Erick: Deep fake, deep faking the voice and then having the AI, the large language model that learns and adapts to be able to get someone to do something, change their behavior, take a call to action, which could be malicious. Yeah.

Jesse: And to chime in there a little bit, the as we have been, Reese has done massive amounts of research.

As I’ve tapped connections that I still have in I guess the best way to say is the underground community the dark web community and acts, groups that I still connect with and people I still connect with have been analyzing a lot of the phishing platforms that are currently available on the market, and a number of them are starting to advertise that they have AI built in.

And I think most of them are missing the mark, because I think what Reese was just speaking to is the actual direction AI is moving when we, when she shared with me her university-level research, where she’s pulled, thesis papers from others all around the world at different universities and what she found in her own research.

And then what I find in the interconnected channels and communications that I have is that AI is going to be used to leverage advanced-level attacks against people. It’s going to be used to gather OSINT, open source intelligence, to, scrape people’s social media and LinkedIn and Facebook and gather as much details about them to ingest that, then, that would be vector of one attack vectors using that OSINT technology that it’s gathered

to then leverage custom attacks against people. Very spear phishing. Spear phishing is a directed attack instead of just spray and pray deal. Second kind of attack vector is where you’re going to have your boss, your wife, your husband, your mom contacting you and, talking to you, over the phone, you’re going to think it’s them, their voice inflection, their how they speak, their mannerisms can be cloned by AI.

I was just playing with a tool I just collected from a friend off the dark web. Within about the right 15 to 30 seconds of a phone call where you call someone up and Hey, is Bob there? Nope. No, I’m pretty sure this is the right number. And you get them to talk just enough for about 15 to 30 seconds.

I can almost clone their voice to an 85 percent accuracy. Now imagine I just gathered that tool off the dark web. That is what’s coming when it comes to AI. Most of the phishing companies out there are using AI to craft custom emails so that, everyone in your organization gets a different email.

So it’s harder to spot, but that’s not what I’m finding from the dark web community. That’s not where Reese’s finding in her research. And there, there may be the question that an ethical boundary of training, at what point do you deliver a training platform that is so realistic that it may even cross ethical bounds because telling you the dark web community that’s delivering these things, their moral compass isn’t always pointed north, if

Rich: I got to jump in there too, because as we’re recording this, folks, just yesterday, OpenAI announced that they have a technology: you give it 15 seconds of audio and it can imitate anyone’s voice. And I read that and thought to myself, and by the way, they announced they do this, but they’re not releasing it because it’s too dangerous, and I thought that’s not going to keep it out of, and I did it.

It’s already out there. It’s not even an inevitability that sooner or later people are going to get their black hats are going to get their hands on this. Anyway, they’re [00:35:00] already

Jesse: out. Yeah, actually, my buddy that passed it to me, he’s been playing with it for a month. He has like 20 Bitcoin mining rigs set up, full of Nvidia cards, ARM processors.

And that’s what he’s been playing with it on. And I was telling him that I was looking to set up a mining rig. And he goes, Hey, I got something you can run on it. It’s optimized for it here. Give it a go and play with it. I didn’t even notice that news from OpenAI yesterday, but I didn’t know

Reese: either.

That’s actually really interesting. Another thing I would actually say is a lot of scam callers now, when they call you, it’s not actually to scam you. It’s to get you to talk to them so they can use your voice. When they call you and you answer and you know it’s a scam call and you’re like, “Hello? Hello? Don’t call me again,” that’s enough for them to be able to duplicate your voice, and that’s all they were calling you for.

So half the time when you answer those scam calls, you need to either answer in, like, a deep voice that doesn’t sound like you, or something silly. It’s going to sound stupid, but it’ll really CYA

Jesse: for you.

So my buddy was showing me examples where, you know, answering the phone and saying, “Hello, stop calling me. Don’t call again,” and he can clone your voice up to a 72 percent accuracy

Erick: from, I know. Yeah, we’re all, with great power comes great responsibility, right? This AI thing just opens up tremendous potential, but tremendous risk as well.

And hey, even me as a consumer, I didn’t know about the OpenAI announcement, just shared right now, Rich, until you just shared it. But I’ve been using another application that’s out that anybody can get that allows you to basically train the system. So you read a bunch of, and pages of stuff, and it’s not quite as advanced as what’s coming.

It can train your voice. So I could really, if I wanted to write a script for a training course and have the audio created for me, and then just move the slides and record a PowerPoint presentation, for instance, it’s not perfect. I don’t really, it’s not there yet, but this is where we’re heading.

So separating the AI conversation for a second, something else that I’m seeing a lot of that I’d love to get your feedback on is this pig butchering stuff that’s going on. And, me just saying that, for folks that don’t understand what that is, why don’t you share your perspective on what this is and how it’s, like, really taking fire, and what can we do about it? Because people are losing a lot of money with this particular scam, right?

Jesse: BEC, business email compromise, was huge. Man, pig butchering is taking it over. I’ll let Reese start. Go ahead.

Reese: I was going to say, I can go ahead and give a little explanation and example.

And then I’m going to let father talk about how we can protect against it because he’s the one who is pretty experienced in that field of technology. So when it comes to pig butchering scams, now, it’s called pig butcher because the whole concept is when you fatten a pig up and you get it, like, ready to be butchered, and then finally, when it’s fat enough, you slaughter the pig.

That’s where it all comes from. Use case scenario, because that’s how I typically comprehend stuff the best, is you get reached out saying, “Hey, here’s a great opportunity.”

Jesse: And hold on, give that real world example from the guy that contacted us, lost over 600,000.

Reese: That’s the example I’m giving. I just didn’t include the part that it’s actually happened.

There’s somebody that we worked with. So he got contacted and said, Hey, there’s this bank really great opportunity for you. You can get, it was like, like how, what was the percentage you make back?

Jesse: 10 and 15 percent returns weekly compounded. Yeah.

Reese: It was like 10 percent return rate. And he was like, almost seems too good to be true.

But you know what, let me throw he was a very well off man. So he put in about a hundred, 200 bucks in

Jesse: No, he put in 10 grand is what he started with. Yeah. It was 10 grand. Because he figured, and his concept was, “Hey, when I go to the casino, 10 grand is my fun money.” That’s true. That’s true. You’re correct.

That is, he has his entire retirement saved up, planning to retire at the end of this year. So 10,000 was not a big deal for him.

Reese: So he threw 10,000 in there. And he started seeing, he came back a week later, saw that his money had doubled. And the thing was, is the fact that not only could he put money in, he was watching it grow, he could also take it out.

It was a fully functioning platform. There was a whole support service. There was a whole completely functioning bank. And he got about nine months deep into this and he literally ended up investing his whole life [00:40:00] savings into it, his entire retirement, everything he put into that. And eventually he had put so much money into it that one day he was like, “Why can’t I access it anymore?

Why is it gone? What happened?” He tried to do a large withdrawal. And that was when they cut, that’s when they butchered the pig, him being a pig, and he lost literally his entire retirement over it.

Erick: This scam required a lot of forethought, planning. They built a platform, they built, it was, it looked very legit.

And this is how we’re getting folks into these kinds of scams. I’m reading about it. Crypto currency. I’m reading about it with like gold. Like I read a story lady bringing, buying gold and giving gold to some, somebody, and they were going to do, it was just, it’s getting crazy.

So how do we look out for something like this? What are the telltale signs? What are the like red flags that. Anyone that’s, that can get lured in by just, and this is really insidious because it’s a long game, right? They’ll wait and wait until, somebody is like, Oh man, this is working, I’m completely trusted.

I’m going to go all in now. And then they clean them out and they’re gone.

Jesse: Yeah. Pig butchering and BEC and 419s, these are all big, different types of scams, and that’s just touching on the tip of it. But when you’re getting into the pig butchering, it is a very long played con. It typically starts with, you’re, someone’s on, looking for a passion on the internet, looking for a new friend. A lot of them start out from dating websites.

That’s actually more than 50 percent of them start from dating websites or chat websites. A large portion of them start on gambling forums and gambling chat places, and you will make a friend. They will chat with you. It will seem like that normal online relationship, friendship that, it could be a bromance, two guys into sports betting.

It could be a girl or a guy looking for romance. I know a number of women, we’ve had customers that are women that have come to us. This is what can I do now?

Erick: Like I’m thinking now back to the Russian bride scams and things like that.

Jesse: Yeah. Oh yeah. And that’s a perfect lead into it.

It could be any sort of social situation, and after a while the conversation typically, hey, and it could be a week, a day, a month later, “Hey, what do you do?” “I’m a former world’s most wanted hacker.” Whatever your job is, chief hacking officer. And the conversation, they’ll show a lot of interest in you. People like to talk about themselves, which is scary because you’re putting out more information out there that they can use against you.

People will say, “Oh, here’s my Facebook. Add me on Facebook, add me on LinkedIn, add me on all these social media platforms.” Now, when they’re on your Facebook, you’re letting them see who your spouse is, who your family is, maybe who your coworkers are. Now here’s even more leverage that they can use against you.

So that’s open source intelligence. And this gets really scary later on. They’re going to collect this over time. Now, if you’re in this gaming or sports betting or casual conversation, it may not go to a romantic situation. If it’s a romantic thing, which more than 50 percent of them are, it may turn to, we’ll say, explicit photos being exchanged between adults.

It’s very common. Even if you’re not putting your face in them, most people do still, but it’s, you are still sharing that content and that other person is going to have that content. Now, remember that I just pointed out that they now know who you work with. They know your kids, they know your spouse, they know your parents all because of your Facebook connections.

They’re not going to expose the ship. They’re going to keep playing the con. You’ll eventually go, Hey, what do you do? And they may do something. Eventually they may lead into I am a day trader. I’m an investor. I work for a bank. I know something along those lines somewhere that you’re probably going to invest some money.

Once you do that, you’re going to typically open up a bank account, a financial firm account, whatever you’re going to put in money. And most people, the tingly feeling of something doesn’t seem right typically kicks in, but they proceed anyways. And they put in a small amount, 100, 200, 500, 10 grand.

Everyone has a different comfort level. So they put it in, they wait to see what happens. They’ll take out part. And the whole, the scammer knows this. [00:45:00] So they just play along. They send you back the, the money you withdraw. And as you build up the level of trust over the coming months, you end up investing more and more.

When they realize that you’re done investing, that you’re going to withdraw. That’s when they cut you off. They butcher the pig. They may actually just tell you, you fell for a scam. How stupid do you feel? Do you want your family to know how stupid you are? That’s really popular. Do you want your friends and your co workers to know how stupid you are?

Do you want them to know the kind of pictures you’ve sent me? Do you want me to post this? Now I have all this content on you. Send me an extra hundred thousand dollars, mortgage your house, do these kinds of things. Very common. That has become the number one financial loss in the last, I think, two years overtaking business email compromise.

And that’s even some of the worst stuff out there going on.

Reese: No. And another thing I would say is, just for normal safeguards when it comes to things like that, don’t have implied trust on the internet. In real life is a different thing. If you want to have implied trust off the bat, that’s your own decision, but on the internet it’s completely different because you might not be trusting who you think you are. And that’s one thing. And then the second thing, this is actually more of a technical thing that I would recommend doing, because it’s what I do, is if you’re sent a link, if you’re in really deep with this, if you’re talking to somebody and they’re like, “Yes, I own a bank, invest some money,” obviously you have to go to these websites.

You have to go do your research on it. Do go and utilize the Wayback Machine. See how long that domain’s been established. Go see the history of it. When did it really start becoming a website? If it’s only become an actual website that’s been running traffic for even a year, I don’t know if I’d really be investing that much money into it.

Actually, think about the name brands of what you’re putting your money into. If it’s, if it seems off, it probably

Jesse: is off. Yeah, one of the top, it’s building up. It’s a style of pig butcher. And it’s fake university degrees. And there’s a company I won’t name drop, but I listened to a dark web diaries episode about it.

And I was vaguely familiar with it before that, but they set up their own websites to establish accreditation, to look like these universities are accredited. They’re scammers. It’s running pig butchering for financial firms. It’s setting up fake sites to make it look like these places are established. Do your due diligence, make phone calls, check third party resources, check, it’s called WHOIS, it’s a, in our, it’s a tool called WHOIS. Google search, GoDaddy WHOIS, just any WHOIS service. See how long that domain’s been registered.

Anyone would fall for these. These attacks are so sophisticated. One of the other problems that I keep seeing in the entire tech industry is when IT directors or cyber security directors or the managers of these departments or the owners of a company fall for a phish or some sort of attack, they’re the cause of the ransomware or ransom hack. And they go into the state of denial. And there’s a lot of blame and shame. And I’ve even seen where, you know, some of the competitors that Reese will have in the platform that’s going to launch here shortly,

um, it just went to public beta, there’s a lot of blame in it. And I don’t know if Reese is going to go here, but I think these are some crucial key points that people need to realize: when you apply the blame game, you add people denying it because they’re scared of their embarrassment.

It actually all plays directly into the scammer’s hand. That’s exactly what they want. And they want to capitalize on that. I, we have a customer that we’ve worked with and literally they got a ransom hack they, and the. We have a training video that we just finished and it talks about, the, how cyber crime organizations work, the, and believe it or not, typically they are set up much like most sales offices.

You wouldn’t know the difference between most cybercrime organizations and a professional sales office. They operate almost exactly the same and the owner of this company. So actually they got hacked because one of their people in their sales department was doing some online gambling, got hooked up with this chat group, got chatting with someone sound familiar.

What we just talked about was going down that whole path. But instead of taking the route to pig butchering, they took the route of dropping malware. Got a backdoor into the system and exfiltrated their entire lair, cause it was [00:50:00] not properly segmented and set up. Um, the this, the closer of this, contacts the company and says, “Hey, I demand 5,000 Bitcoin.” Actually, it started out 5,000 Russian rubles.

And then you look and they’re like, “Oh, that’s 70 bucks. No big deal.” And then the guy goes, “No. I mean 5,000 Bitcoin.” So then they look and they go, “That’s not even feasible.” So he goes, “No. 5,000 US dollar.” He just kept changing track. I think he was new on the job. I seen the chat, but because it was done over text message.

When he made it clear, 5,000 US dollars, the owner of this business goes, “I can pay that, but I know I’m going to have to report this to my insurance. I’m going to have to report it to these places.” And so then the closer, that most people call the hacker, I call it the closer because he’s closing the financial deal,

he starts saying, “Hey, you should be lucky. You got me, you pay me. And I won’t tell anyone about this. You won’t be embarrassed. Your business won’t be embarrassed. Imagine if I report you to the attorney general of the state. What if I report you to the FTC, or what if I report you to the other regulatory agencies?” Literally planting fear. That fear, that embarrassment, that shame that typically comes along with a lot of phish training and cyber security, people don’t realize that plays big into the hand of the attacker.

So I think that’s something that. More platforms, more MSPs, more IT professionals really need to pay mind to and, as I’ve been I brought my experience and I’ve looked at what Reese’s been researching and building. That’s why we’re talking to these things is because it is literally what’s going into our platform because it is the most relevant things.

That no one is talking about. It’s some of the scariest stuff too. No, no phishing platforms talk about pig butchering. If, and I’ve tested the waters on this when we were just at a conference in Fort Lauderdale, I was talking about 419s, pig butchering, watering hole attacks, all these different things in most of the.

Um, other phishing and cybersecurity training companies there. Not sure it was their sales staff, but I felt anyone in the company really should have a good concept of some of these terms, at least. I wouldn’t say most MSPs, but people that are going to specialize in delivering attack training and cybersecurity awareness.

These are important how but in terms, not just bees.

Rich: Yeah, I this is actually a perfect segue to something I’ve been itching to ask you about. Because when we first met, you said something about the way that MSPs need to be thinking about phishing versus the way they typically are right now.

And you said they really need to be approaching it as an advanced persistent threat, essentially. So tell folks a little bit about what do you mean by that? What does it mean for an MSP to approach phishing as an advanced persistent threat? And how is that kind of approach or mindset going to help them with things like deepfakes and pig butchering?

Jesse: Hey, can I take this, Reese? Because I know that you have a lot to say on it, but I’m a little bit, I’m hyped up on the subject right now. Most MSPs look at it as, I’ve talked to so many MSPs with Reese’s startup coming. And they’re all like, “Hey, I take December. I schedule all my phishing training, maybe once a year, once a quarter, try to knock out in January or, like, the first week of each quarter.”

And it’s a very regimented routine thing. And most of the time they’re sitting out, they’re flipping through templates. They’re trying to find the right template that they think is going to be good. Okay. Hey, I’ll send that or some of the platforms now have AI. They’re using a chat, custom craft, some email.

So it’s unique and it’s not branded as a big name brand. That’s going to entice you to click on. And that is what most people think is appropriate because that is what is on the market. The, sorry, I got distracted with that message. That’s what most people think is appropriate because that’s what’s on the market.

In reality, it should be more of a blind automated situation where you opt in. And, experience a real experience, real world, real attacks that, if you’re not getting a phishing email once a week, how are you really learning anything? If you don’t fail. You can’t learn I’ve heard so I’ve read so many I’ve heard so many other people talk about hey our phishing platform We’ll get you under 24 percent open rate.

“Hey, my phishing platform,” I had one of them go, “we’ll get you under 15.” Had another one brag that, they showed me stats, [00:55:00] because they knew we were building something and they wanted us to, instead of build it, which Reese was already well along the way from two years’ worth of work, said, “Hey, instead of that, why don’t you look at ours and we can basically guarantee that we’ll get all your customers under a 5 percent, 4.9 or lower percent open rate.”

And I, that’s when I finally, I drew the line in the sand. I said, how is anyone learning anything? Children learn by failing. They rebalance themselves. AI learned by failing. It will output something. You tell it no, bad, don’t do that, this is what I expected. And we’re humans.

That’s how we learn. It’s my, the goal is to have a hundred percent fail rate on the first of the attack vector that you’re giving. And then repeat that attack vector and watch the numbers go down and repeat it again and on the third, fourth and fifth time of them being this attack vector.

Yeah, you should be at a low percentage, but if you’re not getting, the first time you launch a financial based pig butcher attack, or you’re launching a new 419 or, you’re developing a watering hole attack within your own platform to, Teach people that, even if it’s a trusted website, you can’t trust every portion of it.

It could have been hacked. You need to do these things and have everyone fail. That’s the goal, is total failure, because that’s how they learn. And then they get better over time. One really good example that I can share from that is the MOVEit hack that came out about a year ago. We actually used Reese’s platform, automated AI call to the owner of a company I’ve worked with for years, agreed to participate in this.

So the AI called the manager of the company, the general manager, and said, “Hey, this is an automated call, but you are a client of one of our partners. As you may have seen some news, the company MOVEit has been hacked. There was a massive data breach. We used MOVEit. Please make your staff aware, watching.”

It gave some really good tips and bets. And I talked to the office manager later. She didn’t realize that and told her it was automated. She thought it was a real person. It was really nice. So she did exactly as the call said and called a company meeting, and it was an office of 15, 20 people, and said, “Hey, as you all may have seen in the news, a company called MOVEit got hacked. Watch for weird logins to, like, your Netflix, Facebook. Contact, like, Experian or Equifax, any of them, put locks on your credit reports.” Gave some really good advice.

This was on a Thursday. Thursday morning, she called the meeting Thursday afternoon. The following week on Wednesday at 11:45 a.m. Now, what does everyone do at noon? They go to lunch. At 11:45, what is everyone? Hangry. They want lunch. All of a sudden our system started dropping anywhere from 5 to 25 emails on every single employee.

Verify your Chase bank account was just logged into. Verify your Facebook was logged into. Verify if this was you on Netflix. Verify if this was you on Amazon. People started flipping out. The whole office was hit all at one time, 100 percent success. We modified that in the second one that happened a week later, very low success rate, just some really unique custom crafted situations that by the way, we didn’t actually author any of these from our own thoughts.

We have literally mirrored how other attack vectors have worked and how some of the packages you can go purchase on the dark web, of bots and email systems, do this automation work for you. Literally you can go pay for a bot network, to rent it, to literally do these same exact things.

So we want to deliver real world attacks, and that’s what most people’s missing: you have to simulate that real world attack. That was just one of about a dozen really unique examples I could provide.

Rich: Amazing stuff, guys. Really frightening and eye opening for me. Jesse and Reese Tuttle, thank you so much for joining us here on the show. For folks in the audience who want to get in touch with you or want to learn more about your two companies, Compliology and AP2T, where should they go?

Jesse: Go to Complyology.com and or, We’re looking on

Reese: the AP2T Labs website right now, but you can also contact us on LinkedIn.

Jesse: LinkedIn is the best way to hit us both up. Feel free to send both of us a friend request, a connection on LinkedIn. I think you’re going to be providing those links.

And then complyology.com. [01:00:00] I’m sure we’ll be in the notes somewhere. That’s going to be the best way to find out more about any of our product offerings from AP2T, Honeypots, and everything.

Rich: And that will absolutely be in the show notes, folks, so you can look that up there. Once again, we thank Jesse and Reese Tuttle for this really interesting conversation.

Folks, we’re gonna take a break now. When Erick and I come back on the other side, after having had a couple of stiff drinks to regain our poise and our nerves here a little bit, we’ll share some final thoughts on the interview, maybe have a little bit of fun, and wrap up the show.

So stick around. We are going to be right back.

Rich: And welcome back to part three of this episode of the MSP Chat podcast. Erick, I really enjoyed speaking with Jesse and Reese. I’ve got a thought or two about that conversation, but I’ll give you first shot. What do you think? You

Erick: Boy I’m very impressed with their story, number one, and what qualifies them to do what they do.

What a fascinating story that Jesse took a few moments to share with us. There’s a lot more to it than that. And I’ve got to say, Rich, I know the joy of working and the challenges of working with, uh, children. Jesse works with his daughter, Reese, and I work, and so do you, with my sons, Connor and Riley.

So it’s a very interesting dynamic. What’s really interesting about their relationship that I came away with was, they both understand where their lanes are, and they both execute in those lanes. During the interview, you get the sense that he was deferring to Reese and Reese was deferring to Jesse to answer different parts.

Now there were times when they both had something to say about it. But it was really interesting to, peek behind the curtains to see how, a family business works and operates and, very impressed with both of their accomplishments. And looking forward to, keeping an eye on, on, their growth and what they do in the future.

It’s going to be exciting.

Rich: I’ll add just one quick wrinkle to what you were talking about there. And it occurs to me, I don’t know this actually came up during the interview, we spoke about all of the many impressive things that Reese is up to. She didn’t just write the AP2T platform. She doesn’t just work at Compliology.

On top of everything else she does, she’s the CEO of both of those companies. Both of them. Which means that her dad works for her, strictly speaking. Which would be interesting, as opposed to Riley and Connor working for you, Erick. Yeah, that’s a very healthy relationship, which is just a nice thing to see from the sidelines.

Erick: Further, further evidence of, how intelligent Jesse is. I wish that, I could hand over the reins and just, take a back seat and let, let Riley and Connor lead and things like that. And, maybe one day that’ll happen. Fingers crossed, but yeah, I did not I did not pick up on that.

Good on them. Again, and again, that’s just the understanding. Look, I, you, you can manage all this stuff so that I can do things that only I could, leverage each other’s strengths.

Rich: And then I’ll just quickly leave people with the thought I was really struck by the place where we more or less ended the conversation, in which Jesse was talking about phishing as an advanced persistent threat, and you really have to pick that apart, so it’s an advanced threat now, when, in the era of deepfakes, unlike before, and a persistent one in the sense that it’s not only coming at you all the time, but coming at you in new ways all the time, and so I really like that, idea that you need to treat this as a more sophisticated technique than it was in the past and always be mindful of how it is evolving and and adapting to security protections all the time.

Erick: Yeah. Constantly evolving. Yep.

Jesse: Yep.

Rich: Folks, that leaves us with time for one last thing on this episode of the show, and I don’t know Erick, if you or how many people in the audience here have had the pleasure of visiting Paris. I love Paris, it’s it’s one of my favorite places to visit.

I will say, the service, the attitude you’re going to encounter from the waiters there is not necessarily my favorite part about going to Paris. They, generally speaking in that city, know you, identify you quickly as an American tourist, and might affect the speed and the quality of the service a little bit there.

So I was interested and a little bit intrigued to read about a competition that took place in Paris not too long ago. It is called the Course des Cafés. This is actually a revival of something that they did or started doing like a century ago in [01:05:00] Paris, but they had 200 waiters and waitresses from Paris compete in this competition, and they walk 1.2 miles, a 1.2 mile loop in the city of Paris, dressed up for work, holding a tray with a full glass of water, a croissant, and an empty coffee cup on it. And the idea is to complete the 1.2 miles. It’s a race, whoever completes it first wins, but you can’t drop anything, you can’t spill a drop of the water, you have to deliver that order perfectly after 1.2 miles.

The winner was a, or the men’s winner at least, is named Samuel Amrou. He finished in 13 minutes and 30 seconds. Not bad, actually, for 1.2 miles with a tray full of stuff. But what I enjoyed about this story, Erick, is we finally figured out what it takes to get a bunch of Parisian waiters to move quickly, move with some alacrity: just put them in a competition, give them a prize to go after.

And that’ll motivate them a little bit.

Erick: Yeah, I wonder how the post pandemic era has impacted the service industry in Paris the way it’s impacted here in North America, at least, where I’m at. We’ve had a lot of service staff basically leave the industry and go on to other professions.

Something tells me that, putting on a, a competition like this might not be quite the big draw here in the States as it may be in France.

Rich: I have a hunch you’re right. I have a particularly I don’t actually know what the prize is if you won that contest in Paris, but I know there was no tipping involved.

Yeah. No, no financial reward, certainly, if you were going to do it in this country. And yeah, I doubt people would be lining up to be a part of it. Folks, that is all the time we’ve got this week for you on the MSP Chat podcast. We thank you so much for joining us here. We’re going to be back again in a week with another episode for you.

In the meantime, if you are listening to us on audio, but you’re curious to check us out on video, we are available on YouTube. Look us up under MSP chat. If you’re watching us on YouTube, but you’re also into audio podcasts, then wherever it is, you go to get those look around, cause you’re going to find MSP chat there.

Either way, please subscribe, rate, review. It’s going to help other folks find the show. This program is produced by the great Russ Johns. He can produce a podcast for you, too. If you want to learn more about Russ, go to russjohns.com. You want to learn more about Channel Mastered, the program responsible for this podcast, go to www.channelmastered.com.

So once again, thank you very much for joining us. We’re going to see you again in a week, folks. Until then, please remember, you can’t spell channel without MSP.