How Rachel Tobac Hacked Me
Perry Carpenter: Hi, I'm Perry Carpenter, and you're listening to 8th Layer Insights. Imagine just for a minute that you are a master social engineer. Your target? A high-profile executive. Your tools? A phone, an internet connection, and a knack for manipulation. You weave a web of trust and urgency, a fictitious scenario so convincing that even the skeptical might falter. How would you do it? How would you craft that pivotal lie or truth so tailored that it unlocks everything that you seek? This isn't just the stuff of spy movies. It's an art form as old as human conflict, but renewed in a digital age. On today's episode, we dive deep into the evolving world of social engineering. We'll explore how traditional tactics are being reborn under the guise of cutting-edge technology, where words are still the social engineer's weapon of choice and adversaries manipulate not just machines but the very people who trust them. In this digital playground, every piece of information can be a key, and every interaction can open doors, some to enlightenment and others to darker paths. Today's guest is Rachel Tobac. She's a master in the art of deception, and recently at KB4-CON, which is the company I work for's annual user conference, Rachel demonstrated to a live audience how she could hack anyone using just a bit of open-source intelligence, a good pretext, some social engineering, and a few other fun tools, and in this case, her target was me. Today she's here to unpack that demonstration for us, so let's peer together into Rachel's bag of tricks. Rachel will share her insights into social engineering, a little bit about the future of what social engineering may look like, the role of AI, and more. Welcome to 8th Layer Insights. This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is 8th Layer Insights, Season 5, Episode 4. I'm Perry Carpenter. Welcome back. Let's dive right into our interview with Rachel Tobac. So first of all, one of the things you did effectively is show the power of voice cloning. Where do you think the advance of gen AI, and AI and machine learning is going to take us in the future with social engineering?
Rachel Tobac: Well, the attack that you saw me demonstrate for you, Perry, I think we're going to start to see that become more common. So we only have like one really good example in the news right now of that organization in Hong Kong that ended up falling for and sending $25 million based on a deepfake audio and video scam, and I think we're going to see a lot more business email compromise style events, you know, where people are falling for these video, audio calls, voicemails, things that they wouldn't normally fall for, and I think we're going to see that happen because of AI. So AI just makes things more believable and scalable, and if you have a more believable attack, more people will fall for it, and if it's more scalable, then more people will receive it in the first place. So we're just going to see this become more common for attackers.
Perry Carpenter: Yeah. Well, and I think one of the things you've done well online when people have been showing the videos from Sora and other things and talking about some of the controls that are going to be put into place, you're really good about bringing people into reality by talking about the framing. So even when somebody can't clone a political figure or something else, being able to say, "Wait, but what about this seemingly innocent situation that could be replicated but then framed in a devious way?" Can you talk a little bit about that?
Rachel Tobac: Yeah, I think we see the discussion with Sora and text-to-video where people say, "Well, there's going to be controls in place." We've seen open AI say that, you know, "You're not able to clone a celebrity," and I say, "Well, what do you classify as a celebrity? What about a famous TikTok star or a D-list celebrity? Are those people not allowed to be cloned? How do you choose who those people are or are not?" And you say that we're not allowed to use any dangerous situations in something like Sora, but just because a video doesn't look dangerous doesn't mean it can't be used for nefarious purposes. For example, you could trick Sora -- I mean, you don't have to trick it because it's allowed -- into making a video of people waiting in a long line outside of a building in the rain and there's hundreds of people in this line. That isn't against Sora's rules, but it's how it's used that creates the dangerous situation. If that's used on social media on the day of an election to say, "Hey, look how bad the weather is and the lines are 400-people long," people might be convinced to stay home. So is Sora just going to say, "Oh, no videos of long lines of people outside of buildings"? I mean, they can't come up with every single scenario and how it's going to be used. It's really going to need to be a collaboration between AI tools and the social media where those tools are publishing the videos, audio, etc.
Perry Carpenter: Yeah. So do you think that we're going to get to a world where the social media platforms or wherever video or audio or photos are being posted where something's going to have to analyze the text around that to say, "Is somebody trying to create a pretext here that would cause X result?"
Rachel Tobac: I would be impressed if a tool could analyze all of the videos and photos. I mean, that's kind of like semantic analysis, I guess. You really need to be able to understand the intent, and we know that computers have a hard time with intent. Intent is a very human process and it requires so much context that sometimes AI and computers have a hard time processing that context. So I imagine that they're probably going to need to scale up human reviewers, and I hope that an AI tool could help defend against this in the future, but I think it's going to take a while for AI tools to be as good as humans are at analyzing intent and semantics.
Perry Carpenter: Yeah. So now let's back up. Walk us through a little bit what you did when you hacked me and tell me a little bit about the process. I'd love to see if there's anything interesting that you found during OSINT that you weren't able to talk about during the session and then anything interesting about your approach to these kinds of engagements.
Rachel Tobac: Well, I actually included everything that I found, so I really took a lot of time up there on stage. I think most of the time when people ask me to do live hacking demos, I do them and it usually takes like between five and eight minutes. Like, usually they're pretty short. For you, I went up there and I think we talked for like 35 minutes, if I'm not mistaken, so I really kind of laid into everything that I could find for you online, Perry, and you are such a good sport, so thank you. So let's get into the "How I Would Hack You" live demo. Can we get a huge round of applause for Perry Carpenter? Perry, come on out here. [ Applause and music ] Perry's terrified [laughter]. Perry, I promise I'm going to go easy on you.
Perry Carpenter: Stare deeply into his eyes.
Rachel Tobac: I will, I will. Perry is our brave volunteer here. We're going to do a "How I Would Hack You" live demo, but again, I'm not hacking him. He is not under attack. He does not need to be worried. This is what I would do if I was going to fully own, pwn, hack Perry, but it's not going to happen, so don't worry, okay? You can breathe.
Perry Carpenter: I still have a high degree of anxiety.
Rachel Tobac: Yeah. Let's get into it. Are you ready?
Perry Carpenter: Yes.
Rachel Tobac: I need your consent.
Perry Carpenter: You have my consent.
Rachel Tobac: Okay. First, I need to know Perry's contact details. How am I going to contact Perry? Which email address? Which phone number? I first look on Perry's LinkedIn to see if I can easily find an email address and, boom, there it is. I know where I'm sending my phishing emails. Did you know that that was public on your LinkedIn? Are you like that's --
Perry Carpenter: I had forgotten, because it was so long ago that I set that account up.
Rachel Tobac: I know. It's funny how that works, right? I think for you, what I found really interesting is because you have such a history online that I was able to find you involved in so many breaches, able to find so many old passwords that, of course, you don't reuse your password, so it's not as relevant for you, but for the audience members, they're like, "Oh, wow, maybe I do reuse my passwords, or maybe my aunt does or my child does and I need to help them because I didn't realize how big of a threat it really was or how easy it was to find." I think some of the really interesting stuff was related to your password manager, actually.
Perry Carpenter: And that's -- so I've got three that I use.
Rachel Tobac: Yeah.
Perry Carpenter: And one of those has been breached several times, right? It's been in the news a lot. So yeah, that's still out there, but it's not the one we use for our corporate passwords, I should be clear to say.
Rachel Tobac: Yeah, yeah, yeah. I think people, when they came up to me after that talk where I did the live hacking demo, they were really interested, like, "Oh, I guess I shouldn't attach my password manager to my phone number because my phone number is not 100% in my control because somebody could SIM-swap me by just calling up my telephone provider pretending to be me and gaining access to my phone number." I think that, like, connection was made for a lot of people in the audience. Maybe they didn't 100% get that, really, if you want to tie an account to something safe, that should probably be email with a long, random, unique password and MFA on and probably not a phone number. That was like a big highlight that people kept mentioning to me.
Perry Carpenter: I remember getting a two-factor authentication.
Rachel Tobac: I know. So I messaged Perry and I was like, "Hey, you probably just got an MFA request from LastPass. Don't panic." I'm not actually hacking your vault, but this is what I would do if I wanted to, and I really want to preface this by saying using a password manager is the very best thing that you can do. Using a password manager and tying it to a phone number for recovery is not what I recommend. I recommend tying it to an email address so that if I choose to SIM-swap you, call up your telco and say, "Hey, I'm Perry Carpenter. I need to -- I just dropped my phone in the toilet. I need to get a new phone and a new SIM," and all that stuff, I can't just take over your phone number.
Perry Carpenter: Good point.
Rachel Tobac: Yeah. No, Perry, a lot of people set stuff up like this and they don't realize the risk, so I'm really glad we're talking about this. So --
Perry Carpenter: You also did a good job of showing how during open-source intelligence you could use different services to get different pieces of information, like the phone number.
Rachel Tobac: Yeah.
Perry Carpenter: In one source, there was one part of the phone number, and in another source, there was another part.
Rachel Tobac: I then dive deep into the data brokerage sites. So I'm going on RocketReach here and I find another email address for your 8th Layer Media. 8th Layer Media is that company that you have.
Perry Carpenter: Yes.
Rachel Tobac: And some phone numbers that I could attempt to use would say a text message-based attack or a phone call-based attack, so you don't need to confirm if this is legit, because I don't want you to like dox yourself in front of all these people, but are you seeing things that vaguely look familiar, like hand-waving?
Perry Carpenter: I'm seeing things that vaguely look familiar.
Rachel Tobac: Yeah, okay. We're going to leave it at that.
Perry Carpenter: And I'm also realizing that you're hacking me in front of your mom.
Rachel Tobac: I am.
Perry Carpenter: Suddenly like I'm sinking a little bit more.
Rachel Tobac: My mom's laughing hysterically. Okay, so I take Perry's email address that I find during my OSINT and I do this thing that I call "abusing the password reset flow." A lot of organizations, when you go to reset your password, think about the information that they show you on the screen. They sometimes show you a little bit of your phone number, a little bit of your email address, and that's useful for me because not every organization shows the same info, so I can start building out, what is your phone number? What is your email address? Which ones are actually in use right now? So put it into PayPal, and it says, "Help us protect your account." We'll send a text to this phone number. That's great, but it does show me a little bit of the phone number. What I need to know is that the phone number that you have on that RocketReach is actually the phone number that you use, right? So I need to confirm it. Hand-waving, are we seeing hand-waving things that look familiar here?
Perry Carpenter: Yeah, and I also don't like that it's shown the last four of that when the other one showed the first beginning of that, so --
Rachel Tobac: Exactly, right? So we start to chain together the method of attack.
Perry Carpenter: Can you talk a little bit about how those different things come together and how you're tricking the providers into giving you that information?
Rachel Tobac: Yeah, I think people found that pretty shocking. So as you know, when you go to reset a password on a website, oftentimes it leaks a little bit of your data to just convince you that this is the legit site and we have sent your information to the place that you've requested it. So you put in your request on a password reset flow and it says, "Yeah, we've sent the code or the details or your password reset magic link to this phone number," and then they block out five digits usually, something like that. What was interesting to me, though, is that all different sites all over the internet block out a different set of digits. So over time, when you abuse enough password reset flows, I think I abused four or five for you, I ended up uncovering your entire phone number, and this was actually the phone number you really did use. So I thought that was quite interesting that most folks probably don't realize just how much information is being leaked in something like a password reset flow.
Perry Carpenter: And most people wouldn't use the phrase "the information is being leaked" whenever it shows that, right? That's not how we're thinking about it. That's not the frame that we have in mind.
Rachel Tobac: Right, yeah, yeah, because most people's schema for those is thinking about it in a helping framework, like, "Oh, they're trying to communicate to me that I really do have my account on this website, and they're really trying to let me know where to go to reset my password," not realizing that it could also be leaked to a bad actor. So now let's look at eBay. I put in Perry's email address on eBay just to check and make sure I'm on the right track with that email address. Confirms, yes, that email address is in use. It's been used recently and, bingo, I now have the email address and I now have the phone number that I need to contact you. Hand-waving thing familiar?
Perry Carpenter: Yes. Screw you, Rachel [laughter]. I knew Perry's going to walk off. Perry, it gets way worse. No, I don't want it to be way worse.
Rachel Tobac: It does.
Perry Carpenter: After the break, the conclusion of our interview with Rachel Tobac. [ Music ] Welcome back. When you're thinking about social engineering tactics, are there things that you hear about all the time where people think that Tactic A works, but in the real world, that's not the thing that works for you? That could be a tactic that people talk about like in OSINT or in the pretext or some other method of using social engineering.
Rachel Tobac: I think really the big thing is people think most attacks are happening over email when, in reality, in 2024, somebody who is really trying to target your organization or a specific individual, most of the time they're going to be most successful over the phone or text message or social media DM. Like, we see people really get tricked in a Facebook direct message or over a quick phone call. It doesn't necessarily need to even employ AI voice cloning, but they're getting tricked and they're handing over bank credentials, or they're getting tricked and they're wiring money to the wrong spot, and I think a lot of people, when they think about these attacks, they only are really thinking about email-based threats when we've kind of seen a big expansion from attackers in the last four or five years where they're really focusing up on phone call, text message, and social media DM threats in addition to email.
Perry Carpenter: So, then, I want to dive in to some of the advice that people give about social engineering. Is there a piece of advice or a strategy that people give often that's just, you know, received conventional wisdom when it comes to social engineering prevention, I should say, that you disagree with?
Rachel Tobac: I think a lot of times we hear the advice of "don't click anything on the internet," and I think that doesn't make most sense, really, to almost anyone.
Perry Carpenter: Everything's made to be clicked on.
Rachel Tobac: Everything's made to be clicked on. If our technical tools are so poor that they can't protect against us clicking or they can't notify us if something's gone wrong in the clicking process or work seamlessly on the back end to protect us, I think we really have a technical issue there, and most people have to click to do their job. It's required of them to click, download, respond to people, check their email, you know. We hear people say, "I can't be hacked if I don't check my email." It's like, okay, well, you might be fired, too. So I think it makes more sense to tell people to just verify that people are who they say they are before taking a sensitive action. So instead of telling people not to click, say, yeah, I mean, if somebody wants you to wire money to a new location and you work in finance, you can't not click. You can't not address it because it's literally your job to do that, you know, as a financial controller, but just verify that person is who they say they are with a second method of communication before taking the sensitive action. So if you get the call from the CFO to do that, go ahead and Slack them, Signal-message them, email them, any other method of communication than the original way that they reached out to you, and if you can do that, that's what I call being "politely paranoid," you're going to catch me and other criminals like 9 times out of 10. I mean, I'm not a criminal. I mean, me attacking and actual criminals. Let's just be clear here.
Perry Carpenter: Okay, okay.
Rachel Tobac: Perry's like, "Sure."
Perry Carpenter: Yeah. So with the -- I mean, going back to gen AI and voice cloning and all of that, some of the scams that we're hearing more and more about that are affecting real people, you know, in their daily lives, not their organizational life, are things like fake kidnapping scams and romance scams and all of that. What are you seeing there, and what bits of advice do you have for people just as they're trying to live and do what humans do?
Rachel Tobac: Yeah. I would recommend that you link to a little clip here about my 60 Minutes piece, because 60 Minutes actually delved super deep into this kidnapping and bail bonds scam that we're seeing hit folks all over the U.S. right now and the world.
Unidentified Person: Rachel Tobac is what's called "an ethical hacker." She studies how these criminals operate.
Rachel Tobac: So ethical hackers, we step in and show you how it works.
Unidentified Person: Tobac is the CEO of Social Proof Security, a data protection firm that advises Fortune 500 companies, the military, and private citizens on their vulnerabilities. We hired her to show us how easy it is to use information found online to scam someone. We asked her to target our unsuspecting colleague, Elizabeth. Tobac found Elizabeth's cell phone number on a business networking website. As we set up for an interview, Tobac called Elizabeth but used an AI-powered app to mimic my voice and ask for my passport number.
Rachel Tobac: Oh, yes, yes, yes, I do have it. Okay, ready? And it's --
Unidentified Person: Tobac played the AI-generated voice recording for us to reveal the scam.
Rachel Tobac: Elizabeth, sorry. Need my passport number because the Ukraine trip is on. Can you read that out to me?
Unidentified Person: Does that sound familiar?
Rachel Tobac: Yes, and I gave her -- wow. What did it say on your phone?
Unidentified Person: "Sharon." How did you do that?
Rachel Tobac: So I used something called a "spoofing tool" to actually be able to call you as Sharon.
Unidentified Person: So I was hacked and I failed.
Rachel Tobac: Everybody would get tricked with that. Everybody would. It says "Sharon." Why would I not answer this call? Why would I not give that information?
Unidentified Person: Tobac showed us how she took clips of me from television and put it into an app that cloned my voice. It took about five minutes. I am a public person. My voice is out there. Could a person who's not a public person like me be spoofed as easily?
Rachel Tobac: Anybody can be spoofed, and oftentimes attackers will go after people. They don't even know who these people are, but they just know this person has a relationship to this other person, and they can impersonate that person enough just by changing the pitch and the modulation of their voice that "I believe that's my nephew and I need to really wire that money." So we're seeing people get tricked with an attacker really indiscriminately calling them. They oftentimes don't even know who to pretend to be to you, so they might say, "Oh, it's your nephew," because they saw that you have a nephew on Instagram, or they might just say "a family member named Chris" because they just found in a data breach that you and that person both have the same last name. I mean, sometimes they even get the information wrong, but what we're seeing is that these attackers just kind of play generic pitched audio that sounds like it could be your nephew or sounds like it could be your aunt saying that they've been involved in a car crash and they need money wired or they've been involved in a kidnapping issue or, "Oh, we saw that you were linked to a financial crime online." This is what happened in the Cut article where that woman put $50,000 into a shoebox and handed it to a stranger. We're just seeing kind of attackers pretending to be anyone with the authority to tell you that you need to wire or hand over money. And so in the 60 Minutes piece, we really see 60 Minutes dive into and talk to some of the victims of this and then demonstrate how AI could be used to make it even more believable and what to do about it, that you really need to verify that that is your loved one, you know. Use another method of communication, because it is way more likely that it's someone pretending to be a loved one and firing off a quick iMessage, Signal chat, Instagram direct message. TikTok direct message will allow you to confirm that person is at home just watching Netflix or something, which is the most likely situation, of course.
Perry Carpenter: One of the things that you take advantage of a lot and teach people how to be good defenders of is just our basic psychology and cognitive function. Now, when you're saying be "pleasantly paranoid" and you talk about things like the Cialdini principles of persuasion, I want to kind of flip that a little bit. What is something that makes us human that social engineers take advantage of? Like, if we were to say "No more of that thing," would be a bad thing for us, you know, whether that's trust or whether that's reciprocity or something else. Like, what is something that we still need to do and be but be more guarded about or change the way that we approach it?
Rachel Tobac: Oh, I think I have kind of a unique thought on this. So I've noticed a lot in hacking, when I'm hacking, that I'm very successful if I can make the other person laugh, and I think it's because comedy is really disarming, so if we can be a little self-deprecating or if we can have a good sense of humor about things, we tend to build rapport really quickly with one another just as a society, and I think this is something I really want to avoid people losing, because this is a good part of being a human being on planet Earth, right? We love to laugh with each other and be lighthearted, and I think when I tell people sometimes that when I'm hacking that I sound like this, they're like, "Oh man, I'm not going to trust anybody who makes me laugh," and it's like, oh no, that's like the worst possible -- like, that would be the worst possible situation, that nobody laughs at each other anymore, builds rapport quickly. I think for people to understand that we as human beings naturally look for people and trust people that we like, and we like people who make us laugh, or we like people who feel light-hearted with us, and that's a good thing. That's part of our human nature. We don't want to switch that off. We just need to be aware of other principles of persuasion, like appealing to authority, telling us that they can tell us what to do, making us speed up when really we need to take 30 seconds to think about it before we wire that money. So looking for principles like urgency is something that's going to really pay off versus just looking for somebody who makes you laugh or who builds rapport with you quickly.
Perry Carpenter: Oh, that's great, yeah. I knew that you would have an interesting take on that. What is one cybersecurity-related misconception or myth that you would just like to clarify for people, whether that's, you know, conventional wisdom about how to secure something or that could be like, you know, years ago everybody was like, "I'll never use a USB charger in an airport," but that turned out not to really be a legitimate attack vector. What do you think is one misconception or myth that you'd like to clear up?
Rachel Tobac: One misconception that I want to clear up is that a password manager is, quote, putting all your eggs in one basket, and, quote, super risky. That's really not the case. Your password manager is encrypted, and -- if you're using a good one, I would hope that it is encrypted, and your password manager, even if someone were to target a password manager, like the back end of a password manager, for instance, and be successful, they still are going to have a really hard time getting into any of those vaults because the vaults are encrypted. So we only really see issues arise there when people use poor password management strategies, such as a really short, reused master password. That's where the issues come into play. So a lot of times people think, oh, it's safer for me to reuse my passwords than use a password manager and, quote, put all my passwords in one basket, when in reality, reusing your passwords, having those show up in a data breach, and I just plug them in and log in as you because very few people actually have MFA on outside of the security community, that's actually the biggest risk for you. Your password manager is one of the safest things that you can use, just, as we mentioned earlier, tie it to an email address rather than a phone number.
Perry Carpenter: Okay, what would be super inconvenient for you to explain out of context in your browser history?
Rachel Tobac: Oh, I got to think about this. Everything in my browser history is about dog breeds. I feel like that's really like on par for me and very normal.
Perry Carpenter: I thought it was going to be all OSINT stuff.
Rachel Tobac: No, I mean, right now I'm just looking up dog breeds because I love dogs, but I think sometimes I look up flights that I'm never going to take, like flights that probably look like I'm a flight risk, like I'm trying to get out of Dodge or something, when in reality, I just really think it's interesting to find out how much flights cost from my area, but people, if the FBI were watching, they'd be like, "She's on the run, she's on the move."
Perry Carpenter: Yeah, nice.
Rachel Tobac: But I'm not planning on going anywhere.
Perry Carpenter: Okay, then last question. One book that you would recommend to everybody whether they're security professional or not?
Rachel Tobac: Ooh, well, let's say for security professionals, there's a book on pretexting by Jeremiah Talamantes that I think is really good. I think it's called like "The Art of Pretexting," something like that, by Talamantes. I think that's a great book. It really helped me when I was first getting my start thinking about pretexting. I think, yeah, I'll stick with that. I think that was -- that's probably really helpful for folks.
Perry Carpenter: I hope you enjoyed my interview with Rachel Tobac as we dug a bit deeper into how she hacked me, her thoughts on advances in AI, and current trends in social engineering. I know I learned a lot, especially about how powerful framing and pretexting can be in the right hands, how multiple pieces of open-source intelligence can be used to unlock even more information, and how AI can and will be used and abused by social engineers. And with that, thanks so much for listening, and thank you to my guest, Rachel Tobac. I've loaded up the show notes with more information about Rachel, her company, a few YouTube videos showcasing her methods and advice, as well as a ton of other relevant links and references related to what we covered today. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. Oh, and I'd also love it if you tell someone else about the show. That really helps us to grow. If you want to connect with me, feel free to do so. You can find my contact information at the very bottom of the show notes for this episode. The cover art for 8th Layer Insights was designed by Chris Machowski at ransomwear.net and Mia Rune at miarune.com. The 8th Layer Insights theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off. [ Music ]
