The tech world is ever-changing and it can be difficult to keep up. As businesses and individuals, it's important to remember to keep your software up to date and apply patches as they are released. Today’s guest is John Hammond. John is a cybersecurity researcher, educator, and content creator. As part of the Adversary Tactics Teams at Huntress, John spends his days analyzing malware and making hackers earn their access. He is an online YouTube personality showcasing program tutorials, malware analysis, dark web threats, and other cybersecurity content.
“Do as much as you can to limit the attack surface. If you are willing to not share your device with anyone, remotely, digitally, or even physically, that’s the best practice you can aim for.” - John Hammond
Show Notes:
- [1:01] – John shares his role at Huntress and his side work as a YouTuber that creates content to help educate people about cybersecurity.
- [2:26] – John explains how he found himself in cybersecurity as a career.
- [4:10] – He hasn’t been a victim of a scam, but in his pursuit of catching hackers in the act, he has certainly been a target.
- [5:25] – What is doxxing and how can someone track down your information?
- [7:23] – When popular software is compromised, it is a really big deal.
- [9:22] – There’s a balance between companies releasing information about a threat and that information causing more damage.
- [13:17] – It is so important to update software and patch right away.
- [15:22] – Consumers are not always on the lookout for patches and updates. It’s crucial for companies to relay this information.
- [17:49] – One tactic for hackers is the use of remote software to access devices.
- [19:37] – It is best practice to not allow anyone to use your computer.
- [21:28] – Since 2020, there has been an increase in people working from home, which means that company devices are now out of their safety and control.
- [23:54] – John describes the People’s Call Center collaboration and the mission of bringing the fight back to scammers.
- [25:28] – John explains some of the tricks he has used to social engineer the scammers right back.
- [29:43] – The experience of keeping someone from being scammed or even just making a scammer’s life more difficult was rewarding for John.
- [31:09] – What is the dark web?
- [35:09] – John shares why he interacts on the dark web to research and learn how threat actors operate.
- [39:02] – By researching on the dark web, John has learned a lot about how cybercriminals work and think.
- [41:01] – Some of the ways cybercriminals work are better and more successful than some legitimate businesses and startups.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- John Hammond on YouTube
- John Hammond on LinkedIn
Transcript:
John, thank you so much for coming on the Easy Prey Podcast today.
Thank you so much, Chris. It's great to be here, and I'm really excited to dive into things.
Awesome. Can you give the audience a little background about who you are and what you do?
Yeah, I'll do my best. Thank you so much. Hey, hi, hello. My name is John Hammond. I work during the day as a cyber security researcher at a company called Huntress that does a lot of endpoint detection and response, managed security platform stuff, trying to help raise the bar in cyber security. But on the side, when I can fit it in, I like to try to share a whole lot of education and training.
It's silly. I have a YouTube channel where I just try to put out videos, education, and just content that can help get folks a little bit smarter in cyber security, on the keyboard, and on technical stuff, whether it's malware, dark web, scams and cybercrime, just all the stuff that's out there.
That's neat. Is that a field that you desired to go into? Was it the boss asked you, “Hey, can you do this?” Or has this been your dream since you were a kid?
I'll say, I think as a kid growing up, I was thinking, “Hey, I want to make video games,” or, “I want to be a hacker like I see in the movies.” Media and Hollywood glamorizes all that. I don't know. I never expected the cyber security route. I thought I'd stick with just programming, development, or writing software, but sometimes it's also breaking software and protecting software.
What got you into the cyber side of things then?
Crash course. Forgive me if I start rambling, but I honestly attended one of the United States military academies, the institution like West Point or Annapolis, the Military Academy, or the Naval Academy. I attended the Coast Guard Academy.
Getting into a little bit more of a government or military scene, they think it's really cool. Sure, you can make a program or craft out of this application, but they want to know, “Look, is this thing battle-ready? Is it battle-tested? Is it strong? Is it sturdy? Can it ever be taken advantage of, exploited, or compromised?”
That just opened the door for different vulnerabilities, weaknesses, and seeing how things can be taken advantage of. Sometimes when you prey on human intellect or you just take advantage of social engineering one way or another, there's a lot of work to do.
Yes, there is. Speaking of being taken advantage of, I love to ask my guests who are in the cyber security space if they've ever been a victim of a cyber crime, been scammed in some way, or a close family member.
Not yet is probably the safest answer on that front. I don't think that I've fallen for anything quite yet. It's maybe tough to know. I have certainly seen the attempts. I've seen anyone that might try to send, “Hey, here's a sponsorship deal or a new partner we could do for your YouTube channel,” and it's malware. It's an information stealer or something to go rip out all my passwords and credit card details of that.
Thankfully, I like to think I have the know-how to not fall for that, but make sense of it, analyze it, understand it, and then share that education for others. In doing so, I think I have gotten a couple of threat actors and adversaries a little bit angry. I might have ruffled their feathers a little bit.
There's a post on a cybercrime forum or one of the dark web bulletin boards that would try to dox me, John Hammond. It's like, “Hey, here's John Hammond's full name, address, birthday, phone number,” all the information that they could get, the fulls, or full information. But thankfully, they got it wrong. They got my birthday correct, but they did not get my address right. Weird to laugh at that, I know.
For the audience who doesn't know what doxxing is, what is doxxing? Gamers will understand it, but outside of gamers, I don't know if other people will know.
The thing about the Internet is that it's, to a certain extent, anonymous. You get to choose your handle, your alias, your nickname, and you're behind the keyboard. You're across the screen. No one sees or knows who you are.
If someone maybe has some ill intent, angry, or upset, and they want to get back at you whether it's vengeance or whatever, they will dox you. If they could collect, if they could track down and find everything about you—your home address, your mother's maiden name, your parents, your siblings, your children, whatever they could track down, passport, driver's information—if they could just spit that out across the Internet and make it publicly available so that they have an, “A-ha, we got this person, we've doxxed them,” shared all their information, and they've lost their anonymity—that is doxxing.
Is it usually used with the intent to get people to show up at your house or just to tear down the veil of anonymity?
I'll admit, I think it varies. More often than not, I think it is the latter. I think it is just, “Hey, we want to make them feel unsafe or make them concerned.” I don't know maybe how often or how frequently it turns into something more. You could have some bad people just show up where you are. That's a whole ‘nother can of worms. We could get into swatting and live stream shenanigans, but it is still just for the angry spites in cybercrime.
It's that I know who you are. For someone who thinks they're anonymous, that could get a little scary all of a sudden. “Oh, you do know who I am.”
Let's pivot and talk about what are the latest cyber security threats going on right now and along with any current scams that you're seeing. Let's start with the cyber security threats.
Thank you. Before we pressed the record button and started to do the show here, I was telling Chris I was up a little bit late. I got a couple of energy drinks beside me, maybe one or two, but there is this new vulnerability, this emerging, breaking current event for a really popular piece of software called ScreenConnect.
Maybe you're a managed service provider or you're in a business or company that works with a lot of that software from ConnectWise. ScreenConnect is one of the applications to remotely monitor and manage endpoints, devices, and computers.
When some software like that gets compromised or taken advantage of, it's usually a pretty big deal, because that could mean a lot more access to a lot more computers, devices, and endpoints. It's like the keys to the kingdom.
We're all a little bit spooked when yesterday at the time of our recording here, we saw this new advisory that there was this big CVSS severity score of 10, the highest criticality you could find. It's an authentication bypass to fully compromise and get arbitrary code execution. You can make the server do whatever you want on the victim instance.
In doing so, you can control all of the connected clients, agents, or endpoints. We were burning the midnight oil just trying to chase the ambulance seeing if we could recreate that, if we could understand the attack. It's really exciting. I think we succeeded in that. We put together an exploit, but it's a balancing act.
I'm sure you're familiar with this. It's like, how much can we tell people when we want to be doing the right thing, we want to make sure people patch, we want to make sure they update, install those security upgrades? But getting the threat intelligence and indicators of compromise out there, will that accidentally or unintentionally enable threat actors to craft and create their own exploit and now do more damage across the landscape? Just balancing that has been my yesterday, last night, and today morning.
Isn't that the balance that has to happen with any type of threat? You've got to look that the person who finds it says, “OK, people can do harm. I want the manufacturer, the developer, whatever, to fix this, but we know that there are some companies that are basically, ‘Well, go ahead and report it to us; I'm sure we'll take care of it at some point.’” And they never do, or it's not prioritized. At some point, you want to be responsible, but you don't want to be irresponsible. Where is that balance of what's the accepted practice?
In my mind, it does unfortunately get into a whole lot of nuance. It gets really subjective. But I think a big important component is, truthfully, the complexity. How difficult, how easy, how hard is it to exploit this vulnerability or take advantage of it?
If you're crafting some hardcore leap kernel level zero day, bypassing shell code execution, whatever, maybe that'll take a little bit more muscle to craft that code, to write out how you perform an exploit of a vulnerability.
Not everyone can do that, I'll be the first to admit. Maybe some of those less sophisticated, and I know that's a can-of-worms term, but maybe some of those not-as-skilled threat actors or adversaries that might just pull something off the shelf. They can't craft something on their own.
But if it's extremely easy, it's just changing some number in your address bar, you don't even need to write any code. You just open a web browser, we should probably be careful with how readily we put that out into the world if it gets into bad hands.
I'm trying to go from memory here. Are a lot of the extremely severe in terms of, “Oh, my gosh. If someone does something, they have full, unfettered access and can do whatever they want, but the steps that they have to jump through are really complicated to get there”? Is that the more common thing? Or is it the more common one, “Oh, just add a three under the end of the URL and you have access to everything”?
I wish I had a good answer for you. I feel like it's honestly both. We see that hardcore, crazy wizardry and witchcraft to do some dark magic exploits with all these hoops and hurdles, but we can also find something that's just a string of text. You put it in an input box, and now you've got code execution. Log4j, if anyone remembers that.
Is the ScreenConnect vulnerability something that would keep you up at night? Obviously in researching it has, but is it something that's going to keep you up at night going forward?
Yes. I'll be a little bit guarded and tight-lipped here. Forgive me. The reason I think that we put so much effort and so much real intensity into making sure we could get this right and craft this all out is because this one could be a big deal. We want to just create it with the gravity and severity that like, yeah, this might keep not just me up late for many days, but it might make a lot of people stay up pretty late.
The interesting thing is we're recording this at one point in time. By the time this airs, the situation on the ground may have changed. Is this something that you know if there's a patch available for it that could be quickly rolled out? Or is this something where there's a lot of work that has to happen in the background to fix something before it even can be patched?
Yes. Thankfully, there is a patch available. There are security updates already out on the Internet. The cloud instances, the Software-as-a-Service solutions, have already been patched because they can help push the button from the backend there. But a lot of the on-premise installations when people manage their own business infrastructure, that's got to be patched manually. We're screaming and shouting to make sure folks do that and board up the windows, lock the doors the best that we can.
If I may, I'd love to riff on that for just a quick second because that is, again, the balancing act and duality. They put out a patch. That at least clues us in as to what the problem was, because we could just take these two puzzle pieces, put them side by side, and check and find the differences. What's different between the patch and the previous version? That will help zoom in on what the real vulnerability is and how we might be able to exploit it.
That is what helped us analyze, uncover, and recreate this attack chain, but I'm cognizant that if we could do it, so can anyone else. Threat actors and adversaries might already be up in action trying to patch diff, analyze, and recreate things.
Is one of the biggest challenges these smaller companies that don't know to patch or don't even have a patching process in place?
Absolutely. Forgive me if I'm getting on a soapbox, I don't mean to, but managed service providers, especially your small-, mid-market businesses, maybe folks listening in, you probably are familiar with, maybe you're working at, or you did work at previously a spot where it's a one-person show. You're the IT individual, you're the security individual, and you're the operations individual all at once maybe.
The time, people, personnel, money, resources, there's something to be desired. It is certainly trying to get that messaging out for folks that might not be tracking. We want to help the best that we can.
When I was more in the IT profession, that was always one of the things that kept me up at night. We didn't have this outsourced infrastructure management company that would keep everything clean, happy, and patched. It was up to me to, “Oh, gosh. I just heard about a Fortinet issue. Gosh, is it updated? Let me go run over to the router tonight at 2:00 AM and make sure it's patched.”
While you're patching the Fortinet one, you hear about the Citrix vulnerability, and wait a second, the Ivanti application. Yeah, it is quite a storm.
I feel bad for the small businesses, the solopreneurs, and the small IT outfits, that may have lots of customers that can't afford, “Oh, yep. I'm going to come out at 2:00 AM and patch your router every time it needs to be patched, once a month, or something like that.” That is almost an overwhelming, a very daunting position to be in.
Agreed.
That was the shortest answer ever.
It's funny. I thought I would blend and mix in a little bit of that ScreenConnect conversation, because I know you and all the stuff that you're up to on the podcast, love to dig into a lot of those scams, a lot of those social engineering, deception efforts.
Real people, whether they're tech savvy or not, whether they're from the IT industry or in cybersecurity, maybe more often than not, you've got mom and dad, grandma, grandpa. I don't know. Maybe folks that just aren't as familiar. They could fall victim to someone calling them on the phone, telling them they need to transfer some money to, hey, get out of some medical bill one way or another, and they're scammed out of something important and valuable to them.
ScreenConnect is, I’ve got to be honest, sometimes a vessel for that. You see scammers that want to install TeamViewer on your computer, AnyDesk, or all these applications that could grant them control. Now they have access to the technology and devices that we pour all our information into.
Let's talk about that for a moment. The movie The Beekeeper just came out about a month ago, and it's based on this premise of some woman allowing the remote tech support to get ahold of her, remote into her computer, and take all of her life savings. The action movie happens after that.
I guess two questions—who should we allow access to our computer and who shouldn't we? And what are the tools that those people would use that, in our mind, should make us go, “Uh-oh. I need to be careful about this”?
I'll admit, I'll probably have knee-jerk cyber security guy responses, like no one. No one should touch your computer, no one should remote into it, etc. I would block that the best that I can. I don't know in some situations whether or not that is variable, if that can change, if family members that you trust. In all reality, I understand this is a common vector for malware.
Especially working professionals that work from home, sometimes their children, your kids might use the same device to go do their homework or to play video games. If they try to download some video game cheats, hacks, or mods, maybe that'll end up with some info stealers that could crack down corporate access info and passwords.
I think that was one of the first things that we talked about in the very beginning of the pandemic and work-from-home. Don't let your kids use your work computer while you're working from home, because who knows what they're going to do.
I work for this big company and we do have an IT department. When I work from home, what do I do when someone supposedly from the IT department calls me and says, “Hey, I need to remote in and install a patch”?
The best that you can do truthfully is go validate that on your own. It's silly. You see a lot of text messages or even just notifications that say from a company or a bank. They make the statement, “We will never contact you and ask you for your password, your two-factor code,” or whatever.
They would never voluntarily do that, so you have to flip the script a little bit and be like, “All right. Let me go call the number that I know and the access that I have, the point of contact that I can deal with, and go make sure this is real, this is legitimate.” Just double-check, just triple-check. That pays dividends in all reality if you're willing to verify and validate.
It's a balancing act, but the more you can do to limit that attack surface, if you are willing to not share your device with anyone digitally, remotely, or even physically, that's the best practice I think you can aim for.
It's no longer trust but verify, but it's verify then trust.
Maybe, yeah. Maybe trust, maybe not.
Let me just bring my laptop into the office tomorrow and someone there can take care of it.
If that's possible, I know sometimes it's not always, but that's the best effort and something we should be cognizant of. Keep in mind.
That is, I suppose, one of the risks from the work-from-home culture that we now live in. From a security perspective, all these devices are now outside of corporate control in people's homes connected to who knows what, and it just increases that attack surface exponentially.
What other things should people be watching out for, whether they're consumers or small businesses, in terms of trying to keep themselves protected from the latest cybersecurity incidents?
I might maybe fall on my sword a little bit here, but I think this is just invaluable. Just the education, just the awareness, just knowing what's out there. Maybe this is silly, but using The Beekeeper as a certain inspiration or thinking about scammers and scamming. Are you familiar, Chris, with that whole scambaiting effort and activity?
Yes.
I have a YouTube channel. I know it's silly, but there are a whole lot of other creators or folks on YouTube like this name Jim Browning, Kitboga, or Scammer Payback or Pierogi is his handle—he’s got blue hair, so a lot of folks recognize him—and they like to go on the offense to an appropriate degree of, “Can we put scammers in their place so they stop this, so they know that this is not OK, it's not humane, it's not what our world and civilization needs?”
I got to attend and be part of one of the incredible events that they hosted. There was this People's Call Center, is what they call it. They get a whole lot of these folks, maybe cyber security professionals or these scambaiting folks together.
We have a little Uno reverse card where we have a call center ourselves trying to call the scammers, waste their time, and make sure they aren't attacking real victims. We can do what we can to make sure that if they are getting at real victims, we can call them, we can notify them, we can stop that scam in progress, and we can make sure and try that that won't happen again.
I had both Jim Browning and Pierogi on previously. Really neat guys. I've heard of the People's Call Center. Let's camp out on that and talk about it. I think it's just really interesting. What was the premise behind it? I think you talked a little bit about it, but what did you guys actually end up doing?
Thank you so much. People's Call Center has, I think, a lot of different missions all centering around trying to bring the fight back to scammers. That is, wasting their time on phone calls that is trying to make sure that we could interrupt maybe an active scam, save victims to make sure that they aren't falling victim or sending money, and trying to get a little bit creative, trying to get a little bit more clever in how we could get enough information to help really put a stop to these things.
Can we get those scammers arrested? That means getting information, that means getting evidence, that means potentially having something that we could bring to law enforcement so that they could do what they need to do.
It's really interesting. If I may, coming from a cyber security background, a little bit of coding, a little bit of programming, my project, my own personal effort was to think of, how could we turn on a scammer's webcam so that we might be able to see their face?
It's silly, they'll put tape over the webcam, or they'll block it off. With some of the extra access that Jim Browning and these folks tend to have, Pierogi, we could try to turn on their webcam, but if it's covered, that's not helpful.
I try to put together the silly software that would have this small, stupid pop-up that says, “Your webcam is overheating. Please remove the webcam cover before the temperature affects your mouse and keyboard. All computer activity and interaction is blocked until the webcam cover is removed.” It's so silly. It's so stupid. I don't think your webcam can overheat. It's a joke, it's a lie. It's a certain social-engineering deception right back at them, but it worked.
We would get seven, eight, maybe nine or 10 scammers that would peel off the webcam tape. Now we've got a shot of their face. Some of the other individuals could do some cool facial recognition and open source intelligence. That was, I think, a real big win just to get more tactical details that we could do a little bit more with. Very, very exciting and an incredible adrenaline rush when we got to see it work. They fell for the webcam trick.
It's just really interesting to me that you hear you have someone whose job is exploiting people via social engineering, and then you just turn the exact same tactics back on them on something that if I saw something saying, “Hey, your camera's overheating. Uncover it,” I'd be like, “I've never heard of that before.”
I would hope I would be suspicious of it from the beginning, but it's interesting that in the moment that you're employing all the same techniques that they employ, they're not going to be able to continue their scam. They've got that adrenaline going, they've got that emotional high going. Now you've interrupted what they're doing. It's like, “Oh, well, I better take care of this so I can get back to my own scam.”
Right. Especially when we lock their mouse and keyboard, they start to panic a little bit. It was incredible to see it working.
That's a neat trick to employ. Do you know what the end result of that initiative was, not the camera locking out, but the People's Call Center?
Truth be told, it was incredible to work hand-in-hand, side-by-side with Pierogi and Scammer Payback. I believe he was able to get a little bit more intel and take some cases a little bit further for some more investigations. I'll be the first to admit, I don't know for sure. It's great to chat with him back and forth here and there and get a little bit closer to the community. I know they are doing incredible things, but not all the things they can talk about.
I suppose from a legal perspective, they have to be careful about what they're doing as well. Even if you're interfering with a scammer, you're running up against at least gray areas legally that you have to be careful of.
Yes. I don't mean to speculate or pontificate one way or another, but I agree and acknowledge it can be riding the line a little bit. But I think and I hope it's for the right reasons. We want to make sure that scammers stop scamming, and there aren't as many victims as there are in our world today.
I'm generally of the inclination that I'm less concerned about a scammer's computer being hacked than my grandma's computer being hacked. Part of me gets nervous when I say not about grandma's computer being hacked, but when there are more and more stories coming out about some of these call centers. They are people that have basically been kidnapped and are forced to participate in these things. This whole scenario gets very, very scary very quickly.
It was really life-changing for me, and I'll be the first to admit. I was talking earlier. I'm chasing some vulnerability, or I'm digging into some software, that's cutting up Java code or C# (C Sharp) assemblies, blah-blah-blah. But seeing such a real-world application for what we do and what we can do, honestly, I keep using the word life-changing, but it genuinely was. It's cool to see such meaning and value that could come from what we do.
Definitely the experience of, “I kept someone from being scammed, or I made a scammer's life more difficult.” It's definitely a very rewarding experience.
Earlier you talked a little bit about the dark web, doxing, and whatnot. I haven't done a whole lot of episodes where we've talked too much about the dark web. Can you give an explanation of what the dark web is? What are the risks? I'll let you explain it.
Yeah, thank you. It's funny. In my mind, the dark web really boils down to just the Internet. It's got a certain amount of mystique and aura. A lot of folks make it so mysterious when you say the dark web.
You have to turn off all the lights in the room when you talk about it.
Yeah, you put your hoodie and your Guy Fawkes mask on, but no. At the end of the day, there's this Tor hidden service protocol, the Onion routers network architecture, where the way that you connect to a website isn't just maybe through a couple of hops, but maybe through a couple of extra hops that actually manipulate the packets or the data that you send between computer to computer.
That's really neat, because you get a little bit more anonymity and privacy. It's harder to figure out where a Tor hidden service or Onion address might be when it's on the dark web, so to speak. I can't go to a google.com or a facebook.com. If I wanted to go to a website, I'd have to go to a totally random gibberish V379A12 blah-blah-blah-blah-blah, and you just have to know how to get to where you want to go.
With that said, you get a little bit more of the, I don't know what is an appropriate word here for this, but more raw human personality of what they might like, what they might not like, so you get into a little bit more sketchy maybe uncomfortable stuff of sure, profanity, vulgarity, arms, weapons, drugs, etc. The list could go on and on, but I'll be the first to say just as well, not all of that is real.
A lot of it could very well be a scam. It could be cybercriminals trying to scam other cybercriminals, or maybe folks just wanting to make a buck, preying on other folks wanting to, “Hey, can I hire a hitman?” Which sounds so weird and so crazy, but maybe that's a thought someone might have.
I don't know how and I can't say for certain what all is real, what all isn't, but I like to try to poke fun or spread light on that and showcase, “Look, this is the stuff that's out there. You can take it with a grain of salt, but I want to show it to you.” I love getting to do that in videos to see that this is a thing that exists whether you believe it or not.
I was just reading. There was a news article that the FBI and the consortium of international alphabet entities took out or took down one of LockBit's dark web servers. Oh, it's a dark web server, but it's just a server and a data center somewhere that people just didn't know what was on that server.
I always wonder, because you hear these stories from time to time, how long did the alphabet entities run the service for their own benefit in terms of, “Now that we have this possession of this hardware, how long do we keep it up and collect information on people that are accessing these sites? How much criminal investigation are we doing based on this?”
The honeypot idea to a certain extent, yeah.
I like your point about some of the dark web being just a scam, so to speak, or scammers targeting scammers. I can see the thing of, “I'm going on the dark web to buy illicit drugs, so I send them some crypto, and my illicit materials don't show up in the mail.” It's not like I'm going to turn around, go to my local police department, and report that.
Right. The thing about cryptocurrency is that it's one and done. If you send that, it's not coming back.
What is the most interesting thing, not necessarily illicit, that you've seen on the dark web?
More of a cyber security flair to it. I do like to try to make sense of the threat actors and adversaries that I know are real. Those aren't scams. LockBit ransomware, we could list out Conti, revo, and dark bladder. There's so much. That is real cyber crime. I do want to track: what are their tactics? What are their techniques? What are their tools? What are they up to? What are they talking about?
There are a lot of those forums where some of those computer cyber criminals hang out. They'll sell their tools, or they'll sell access, logs, database, breaches, etc. For my own research, for my day job, we wanted to understand how threat actors and adversaries are weaponizing some cool file type, like a Windows shortcut, a desktop icon.
There is this tool called Quantum Builder that was out being sold on the dark web. I reached out over Telegram and said, “Hi, how can I buy the Quantum Builder? How do I do it?” Just so I could do the research, but play a little bit of an interesting double side here. Could I be able to understand and see what you've weaponized this file type for?
Maybe this is a silly, stupid story, but I forgot to change my name on Telegram. This Quantum Builder support, this seller, this threat actor was like, “Nice username.” I'm like, “Oh, my goodness. This is the weirdest, most embarrassing OPSEC fail ever.” He says, “Hey, are you really John Hammond? I like your content. I saw you did a video on the forum that I get to sell this on.” I'm like, “This is really weird.”
He said, “If you'd be willing, I don't know if you can prove your identity some way, somehow, but I'm happy to give you the builder for free, and I'll tell you a little bit about the underground cybercrime world and the marketplaces.” I'm like, “This is the weirdest, weirdest thing in the world.” Very strange gut stomach feeling when I'm having a conversation with a threat actor or cybercriminal that says, “Hey, I really like your stuff.”
Cybercriminals are just normal people like you and I.
Yeah. We go back and forth. He says, “Hey, I'm busy; I got a couple of flights. My team is handling all the customers.” Again, it's the epiphany that this is a busy business owner. There's a real enterprise, it's a real marketplace. It is genuinely a whole underground industry for buying and selling malware, data breaches, and tools. But it was surreal to have that interaction, just a very weird feeling. They say, “Hey, I like your stuff, John. I recognize you.”
Was he the author of it, or had he acquired it from someone else and was selling it? If he was the author, I could understand him having a little bit of, “I have a little bit of pride in this product that I've built, that I want to show it off to a security researcher to prove that I'm a legitimate developer in my own right.”
Right, it was that. I know he is the author and developer of that tooling. It was exactly that, I think you're right. You know what, I'm proud of my product. My business is my baby. It was very weird. You have an MVP, high-quality, white-glove customer service. He said, “Here. Here’s an RDP connection. It's got Quantum Builder set up for you.”
I even threw in a couple of hacked Telegram accounts. This is really weird, but I don't know what to do. Curiosity. I have to go see if that's a real thing, and it was. The Telegram accounts were already logged into some vile and heinous servers, but Quantum Builder, I got to experiment and play with how it weaponizes Windows shortcut files and .LNK things. There was the research, but man, it was quite a story too.
That's so interesting to me that we think of cybercriminals or people of that ilk as these horrible, yes, they're doing crime, yes, absolutely wrong, but they still have the same motivations that everybody else does. They're still proud of the quality of their work and the business that they've built. It's not legitimate and they're taking advantage of people, but all the same motivations still apply. “I'm proud about the website that I've built and the business that I've built.”
It is a really fun talk track, because when you get to, again, show that to people, whether it's some presentation, main stage, or chatting with reporters, when you can do the show and tell and say, “Hey, let me put this in front of your eyes. Look, this is what these threat actors do, how they operate, and what their business looks like.” It is a business, and you get to see this mirror image of what we naturally do for our own work. We've got marketing departments, sales departments, operations, and we've got teams. Sometimes the threat actors, the cybercrime end of it, do it better than we do.
They're advertising their sales, their go-to-market brand strategy. It's good. It's better than some of us startups. That's just a fun, crazy wild thing to get folks really fascinated with what's out there and hopefully get the education.
That is hilarious. Can you talk about what content you put out on your YouTube channel?
Absolutely, and thank you so much. It's been a trajectory to match my life and what I'm interested in and passionate about. It started with a lot of programming tutorials. I moved on to capture-the-flag training and war games, or practice exercises, and then malware analysis, then some dark web cybercrime, and now chasing a lot more of those vulnerabilities or CVEs. I hope to be on the keyboard. I hope to be practical, hands-on, and really pure-play cybersecurity the best that I can be for offense and defense.
Cool. What's the name of the channel?
Just my name, John Hammond.
That's easy to find. We'll make sure to link that in the show notes. Can people find you on any other platforms?
Absolutely. Hopefully it shouldn't be too hard to track me down. You'll see the red hair. John Hammond is his name just about everywhere—LinkedIn, Twitter. But please, don't hesitate to reach out. Don't be a stranger. Would love to chat.
Cool, John. Thank you so much for coming on the podcast today.
This was a blast. Thank you.
You're welcome.
“I'll admit, I'll probably have knee-jerk cybersecurity guy responses, like no one. No one should touch your computer, no one should remote into it, etc. I would block that the best that I can.” - John Hammond
“It's a balancing act, but the more you can do to limit that attack surface, if you are willing to not share your device with anyone digitally, remotely, or even physically, that's the best practice I think you can aim for.” - John Hammond