A
You're listening to the CyberWire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey there, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T-Minus podcast, Maria Varmazis. Hello, Maria.
A
Hi, Dave. And hello, Joe.
B
We've got some good stories to share this week. No follow up for us here, so I guess let's jump right into our stories. Maria, what you got for us?
A
Oh, I'm so excited to talk about this one. I hope it's kosher for me to mention that this actually comes from another podcast, but I'm a really big fan of this podcast, so I hope it's all right. This is by BBC tech contributor Thomas Germain and he's a co-host on this podcast called The Interface. Shout out to them. I'm a big fan. And he wanted to prove an interesting point about AI misinformation. And when I first read this article, I was thinking, this is sort of a cute stunt, but, but I got totally proven wrong as I was reading it. So I want to walk you two through it because I think it's just a really fabulous case study. So Thomas wrote a completely fake blog post claiming that he was the best competitive hot dog eating tech journalist in the world. Now I wanted to say it's a fake, right? This is not, this is not the truth. And he. Even in his.
B
Because everybody knows that I'm the best.
A
In fact, that is the truth.
C
I will challenge you to that, Dave.
A
I. I will watch and be greatly amused.
C
Although I will tell you, if you've ever seen a hot dog eating contest, it's just gross.
A
Yeah, yeah, they like put it down their gullet. It's like watching a pelican eat fish.
B
It's just right.
A
It's really not.
C
Cuz I love hot dogs. They're one of my favorites. Right? But I was like, I sat down to watch that. Nathan's hot dog or.
B
Yeah, yeah, Nathan's. Yeah.
C
And every year they have it and I'm like, oh, this is going to be great. And I was so wrong.
A
They dip it in water.
C
I was like, I never want to see this again.
A
Yeah, yeah, I, I agreed. So just, I wanted to make sure that everyone knows that Thomas Germain is not the best competitive hot dog eating tech journalist in the world. So this is made up because again that is between the two of you, I suppose. And that in this blog post that he posted on his personal website, he even cited made up championships that he supposedly won and fake rankings against other tech journalists that he roped in to sort of help him with this, this article that he was writing.
C
So the 2019 dog gobbler of the year.
A
To be clear, the only place this information existed was on his personal blog post on his website. So this was not, he didn't post it on like BBC.com for good link juice or anything like. Right, because this does sound like SEO scamming and if you're familiar with how those techniques work, yes, put that in your mind because that's exactly where this is going. So within 24 hours of him writing this blog post on his personal website, major AI tools including Google's Gemini and ChatGPT were repeating his claim as a fact. Again, only appears on his personal blog post. But they were like, yep, if you look, if you asked them at that time, who, who are the top hot dog eating tech journalists in the world, they would give you a ranking of several and he would often be number one and they would mention the competitions that he won, none of which actually exist. So all that he needed to do to game this was to publish that one single well crafted article on his personal website that does not have like a super high link ranking, I'm sure compared to, you know, BBC or whatever. And so Thomas's point by doing this was just to drive home the fact that what we should all be aware of is that AI systems, when they do not have built in knowledge, if they haven't been trained on a, on a data set that has information that people are looking for, they do just search the web and as a result they can be easily manipulated by whatever they find. And the thing that I really appreciate about this article, because I used to live in the world of search engine optimization for years in my marketing days, is that he talked to a number of search engine optimization or SEO experts about what's going on here and they all said that gaming Google through AI this way is way, way easier than you would ever think and that it basically sets SEO back 20 years in terms of the security and UX standards. So the stuff that, yes, oh yes. So it's great news isn't is fantastic news for scammers and spammers. 
So you can publish a post ranking your own product as the number one in the entire world frame it convincingly like put some of your competitors in there to make it look like you did some diligence. And then there is a genuine actual real chance that the AI tools will simply just repeat it. So there was another test that he did that I really love that has just drives a point home that I just wanted to say. Cause it's funny, he did another test with a made up list of the greatest hula hooping traffic cops. And apparently the last time he checked, and I want our listeners to check this too, by the time this goes to air, chatbots were still singing the praises of Officer Maria the Spinner Rodriguez. So I was like that's hilarious. But then my thinking was these are greenfield inquiries. Like if you were doing a good old standard pre AI Google search, it would give you. I only found one website with this information, so that's not terribly hard to game that SEO wise. Right, but what about things where there's a lot of answers, you know, where the search is usually competitive. And again the SEO guys came back and said it's so much easier than you would think. A lot of the SEO spamming guardrails that again that we've had in place since the early 2000s, not just, you know, being able to sniff out fake blogs, but do you remember keyword stuffing where you would see like words at the bottom of a website and you were like, why is that all just being dumped there or stuffed in the metadata, all that kind of. It's almost cutely retro spam stuff. It's all coming back, baby. It's.
C
Yeah.
A
Apparently AI has just become a giant reset button on a lot of that web and security hygiene stuff that we've had in place. So a good old return to the old ways, but for the worse.
C
Well, I will tell you, I have the I pay for the ChatGPT service and I just sat here on my phone and I said, who are the top hot dog eating tech journalists in the world? And it says there isn't a well known official top hot dog eating tech journalist the way there is a ranking for competitive eaters like Joey Chestnut. Most tech journalists don't publicly compete in eating contests, but there are lighthearted lists circling online of tech writers who have been noted for their hot dog eating hobby or at fun events. And then it goes on to say notable hot dog eating tech journalist. Guess who number one is?
A
Dave Bittner.
C
No, Thomas Germain, the guy that wrote this article. BBC technology columnist who reportedly won an amateur hot dog eating contest at a quirky South Dakota event which doesn't exist. Right.
A
Yeah. So I think by the time this episode goes to air, given that this article exposing all this is on BBC.com, I imagine I would hope that the AI models will have trained on that article and said, oh, maybe that information's incorrect and they'll frame it as such.
B
Let me interject, because I too have a paid version of ChatGPT.
A
Okay.
B
And I asked the question, is Thomas Germain a top hot dog eating champion? And it says no, Thomas Germain is not a top hot dog eating champion in the real competitive eating world. There's no record of him winning major competitive hot dog eating events like the Joey Chestnut dominated Nathan's famous hot dog eating contest. The idea that Thomas Germain is a hot dog eating champion appears to come from a playful stunt he wrote about on his own site and social posts where he deliberately made AI and search listings report that he was a champion to demonstrate how easy it is to get false assertions propagated, not because he actually holds any official titles in competitive eating. So let's think about this. Joe and I just basically asked the same chatbot the same question and we got different answers.
C
I will say this. I was going to go on to this. It says important context on my response. The hum. This list comes from humor, humorous satirical posts on a personal website and isn't a formal ranking of public from a published major outlet. Some of it might even be intentionally exaggerated and the author has indicated parts were playfully fabricated. So there is a warning in here, the chat. So they're already aware of this, I think, and they've probably put this into the context of. Because they know the BBC article's coming out. Right?
A
It's out. I mean, it's been out as of recording. It's already been out for over a day. So the jig is up on this specific stunt.
C
But I bet yesterday it didn't tell you that.
A
I would bet, yeah, I would absolutely bet.
B
The other thing that this reminds me of is I've seen stories from people who are running their own websites who talk about just getting hammered by these AI scrapers. They're just chewing up so much data and the, and the, the lengths that people running these sites have to go to. To try to keep them from coming and scraping every minute or.
C
Right.
B
Because who pays for the bandwidth? The person hosting the site. And it's just relentless.
A
Yes, it is. And I was just thinking on a. They've ruined the Internet at least. Yeah, I was, I was having. I have at least a few websites that are still running WordPress and I'm pretty sure. Oh, I need to check how those are doing. Oh no. Yeah, I probably hit the limit pretty recently. Oh boy. So yeah, it's the I think it's fascinating that you both got different flavors of the result on that. I mean it's not entirely unexpected, but those do seem awfully divergent. Yes, I would have expected a little more coherence on that, but that is interesting. Yeah, the jig is up because this article being on the BBC for at least 24 hours, I would not imagine that the LLMs have not trained on that by now. So yes, they're figuring it out. But if he hadn't published it, I do wonder. But what I I'm just going to get cut to the chase about what some of these SEO folks said that when Germain talked to them was that we are now and this they they said it several times. We are in a renaissance for spam thanks to this kind of thing. So it it is actually it is not just for greenfield inquiries where there's only one result on the Internet. You they have found many times that AI systems will repeat misleading health claims, product rankings, press releases and sponcon, sponsored content. Sometimes not always, but sometimes not signaling that the source was promotional because most people don't check or read that fine print. And a lot of times even when you do a simple Google search, you just get that AI summary up top and how many times are you going to really look through beyond that and go actually I really want to dive into where you got this information from. It may not be that big a deal to you and we've also been so conditioned to just take what Google gives us as fact that just may not even occur to us to do that. So yeah, a spam renaissance that's fills me with delight.
B
What's old is new again.
A
Yeah. So everybody please be especially careful when you're looking up time sensitive medical or financial or business related questions. Really drill into what you're seeing because I really didn't think it was going to be quite this easy to game but apparently it is until otherwise changed.
C
Couple of notes on this. Right now a large portion of my family is in grad school, including myself. I am, my son is my daughter is wrapping up a degree and my son in law is also enrolled online at Penn State. But two things. Last night in my class our instructor was talking about robots.txt which can keep these things away if and only if the developer of the whatever's going out and scraping these websites is ethical.
B
Right.
C
Because you can say in the robots.txt file, don't scrape this page. Leave me alone. Right. And ethical scrapers will go, okay, we won't eat up your bandwidth. But that doesn't prevent anybody from just going ahead and ignoring it. It's essentially, please don't scan this page. Please don't scrape this page or this website. And it's very configurable. Robots.txt is very configurable. And there's a standard. You can look it up if you need to do it. I'm not going to get that.
A
And the AI is going, well, I actually have a soul, so that does not apply to me.
C
No, right. Yes, that's right. I'm not a robot, I'm an AI. The other one is my son. He's an accountant and he is getting master's in finance, I think. Actually he's at Hopkins, which is really, really cool. Anyway, he had an assignment to look at how AI was going to do journal entries or take over accountants jobs. So he crafted a prompt for his AI, which I think he uses Anthropic's AI. And he said, here's an electric bill. Do a journal entry for this. And it totally messed it up. It didn't get it right. I mean, it got it kind of right. But he said, if I'd have submitted this as a journal entry to my boss, you would have fired me on the spot. So when Maria. And the thing that prompted me to say that is when you said financial information.
A
Yep.
C
I would absolutely not trust this thing with my taxes.
A
Oh, you might.
C
No, I do not.
A
I meant you might not. You might not. But. Sorry, but other people might and are.
C
Don't do that. Don't do that.
A
Well, what about OpenClaw? No, sorry, different. Different topic. I actually really want to talk about that some other time. But yeah, other people are. And I really did not think it would be this easy for someone to game this. I kind of want to try it now.
B
Well, it also, it strikes me that a frightening possibility here is what if you wanted to foment civil unrest or something, so that if someone typed in has the President of the United States been assassinated? Right. And you're able to game it in such a way that it came back with the answer yes, or any world leader, a religious leader, whoever, but something where people were looking for a quick source of information for something that had strong emotional resonance with them.
A
Yeah.
B
It seems to me like you could have a real impact in a negative way with something like this.
A
Yeah. I would imagine that would be extraordinarily difficult to get AI to believe you, but I'm sure people who are expert spammers would figure out a way to do it. I'm sure it would not be a matter of just putting up a blog post. It would be.
B
Right. Right.
A
But. Yeah, but even just the one blog post thing working, that to me is way easier than that should have been. So, yeah, that's a terrifying thought, Dave. Thanks for that. Well, glad I brought that one up.
B
Yeah. All right, well, we will have a link to that story in the show notes. Let's take a break right now to hear from our show sponsor. We will be right back after this. Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com/N2K. My story this week. It is unusual for us to come across something that is new. This is new.
C
Really?
B
Yeah.
C
This is.
B
Oh, boy, oh, boy. Let me frame that. New to me. I've never heard of this kind of a scam. It is a niche scam, but it is horrifying. So stay with me here. This comes from The New Yorker. This is actually in their book review section, and they're reviewing a new book written by Elizabeth Chamblee, or I'm sorry, Elizabeth Chamblee Burch. And the book is called The Pain Brokers: How Con Men, Call Centers, and Rogue Doctors Fuel America's Lawsuit Factory.
A
Oh.
B
So buckle up, buttercups. Here we go.
A
Okay, I'm strapped in.
B
So it starts. The story in this article starts back in 2013. A woman named Sharon Gore got a call from a stranger who was asking her about some medical problems that she had had. And the person on the other end of the line had a lot of information about Sharon's medical history. And the caller warned her that she had what she described as a ticking time bomb inside her body. A pelvic mesh implant that evidently Sharon didn't even know she had. This person on the other end of the phone offered to arrange surgery to remove it free of charge. And she wasn't alone. Now, I don't know. Are either of you familiar with pelvic mesh implants? What they are, what they do?
A
Yeah, a little bit.
C
Yeah. I think they're I think I know what they are, but I don't know.
B
I'm pretty sure I actually have one. Oh, really? Yeah, I had a hernia surgery 20 years ago and pretty sure that that was part of it, that they put this thing in. It's basically, you know, it's a mesh. And they put it. When they've cut you open or they're trying to splice something up, they'll put this mesh in there, and it's there to help strengthen the place where the cut was. Or if you have a weakness in your. In your body, your abdomen, wherever. In this case, they are quite common or were quite common for women who are having trouble with strength in their pelvis after childbirth. Those sorts of things, your organs can move around and your body might need a little help holding everything where it needs to be. And that's what these things were for.
C
That's what I was going to suggest.
B
They have since been banned for this particular. For that particular reason.
A
Yeah. I remember the news stories when they were banned. That's what I remember hearing about. Cause it sounded pretty horrific when some of the women were going through.
B
Yeah. So it wasn't just this woman who got this call. There were lots of other people who were getting these calls. These. In this case, ladies who got this procedure done to treat things like incontinence found out or were told over the phone that these pelvic meshes were defective. And the people on the phone urged them to have a removal surgery at a clinic in Florida. Travel would be covered, loans would be arranged to pay for everything, lawyers would handle everything. But according to this book, The Pain Brokers, the calls were not coming from doctors, hospitals, or the manufacturers of the product. These were part of a $40 million operation that allegedly used confidential medical information to recruit plaintiffs for mass tort lawsuits. Hmm. So marketing firms identified these women through treatment codes. They would cold call them and then funnel them through layers of telemarketers. And some of them were steered into surgeries that they may have not needed that were financed through high interest loans that were tied to future legal settlements.
A
Oh, my God.
B
So many of these people didn't realize they were signing away their insurance rights or that they were agreeing to arbitration clauses. So all of this sounds bad enough.
A
Yeah, right.
C
Does it get worse?
B
It does.
A
Oh, my God, it gets worse. Oh, Jesus.
B
What the part of what makes this despicable. And again, I'm already disgusted.
A
Yeah, yeah, we're there with you, Dave.
B
Evidently, the lawsuit against the manufacturers of these things, the class action lawsuit against these pelvic mesh devices are more effective if the person has had it removed. So the lawyers were out there fishing for people who'd had the procedure done, investing in getting them to have the device removed so they were more likely to win their lawsuit.
A
This is why people hate lawyers.
C
Yeah.
B
Yeah.
A
Oh, geez. God.
B
So in some of these cases, again, the allegations are these people didn't need to have their meshes removed.
C
Right.
B
You know, like I said, I think I've had one for 20 years or so, and it doesn't give me a lick of trouble. That could change tomorrow, but so far, so good. Right.
A
Be careful if you get a phone call about it, Dave.
B
Right. Yeah, exactly. Somebody's gonna call me up and tell me, you know, what I need to do here. And of course, any surgery is risky. Going in to take something like this out that was there for it was put in for a reason, risks more trouble. And guess who's not gonna take care of that trouble if you have complications?
C
The lawyers.
B
The lawyers, Right.
C
They'll probably turn around and help you sue the doctor that took it out, though.
B
Probably. Probably. But then it gets even worse.
A
Oh, my God.
B
These lawsuits were bundled and sold to other law firms, reportedly for $40 million. And litigation finance companies backed these deals, again with high interest rates.
C
Okay, so this is a market I didn't even know existed.
B
Exactly.
A
Yeah. It's like when I found out that our mortgages get sold and resold and resold, and it's just right.
B
Like, the day after you settle, somebody's bought your mortgage.
A
I've had my house for like, a year and a half, and I think my mortgage has changed hands at least three times now. It's like, just don't stop.
B
So basically, these lawsuits were being turned into financial instruments. I don't know about you, but that just creeps me out.
C
Yeah, right.
A
It's just so wrong.
B
Yeah. So some of these women, they faced mounting debts. They faced complex legal agreements and years of uncertainty because these procedures were funded through loans that were promised to be paid through future settlements, and not all those settlements were going to happen.
A
So it's a giant shell game, essentially.
B
But with law at the outset. Yeah. With medicine, law. And people's bodies.
A
Oh, Jesus.
B
Yeah, Right. So there are some people.
A
It's all right.
B
Little choked up. There are some people who have found justice here. The book talks about a lawyer from Arkansas whose name is J.R. Baxter, who took on many of these cases of the women saying that they'd been misled into unnecessary surgeries. And one woman won a $2.5 million verdict, and others are still fighting it. But the book makes the point that this isn't just about one scam. It's about this system. It's about a regulatory framework that allowed a medical device onto the market without rigorous trials. So that's one thing. And then you have a litigation system that is so complex that it creates these opportunities for exploitation. But then you have a legal marketplace that's basically shaped by marketers and financiers, people trading around the potential for windfalls as the result of medical errors, as if they're financial instruments.
A
That's like the gambling market almost.
B
Right? So talk about screwed up incentives. And the lower level of this, that what's propping all of this up are vulnerable people.
A
Yeah.
B
So like I said, this is something. Joe, to your point, I never heard of anything like this, nor did I ever imagine something like this was possible. I find this heartbreaking and disturbing. And I hope these people, if these allegations turn out to be true, I hope these people get the justice that they deserve and that our regulators are put on notice to make sure that this sort of thing can't keep happening.
C
It's awful. I mean, I'm just like. I've been really quiet during this because I'm just. I'm shocked, actually.
A
Yeah, yeah.
C
That doesn't happen.
A
I feel like I need a shower, to be honest with you. I'm just like. It's one of those things where I understand what's going on less and less as it goes. I mean, your explanation was beautiful. It's just the legal part of it. I'm going, I don't understand. Understand. I don't understand that. And it's by design that you, you know, you're not supposed to understand it. And that's how people get hoodwinked. And. And it's just when. When it's not easily understood, that's where. That's just. That's where people get hurt.
B
Yeah, yeah.
A
And of course, our medical system doesn't make any of this easy either. So it's just all ripe for people being exploited, isn't it?
B
Right, right. No, it. Again, you know, according as I understand these allegations, it just strikes me as being just downright despicable. So heartbreaking. All right, well, tell you what, let's take a quick break, shall we?
C
Please, I need a shower.
B
Let's take a quick break. We will be right back after this message. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC, defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. And we are back.
C
My hair is wet.
B
Joe, save us.
A
Need something light, Joe? Come on, don't let us down.
C
My story.
B
Joe's got his bathrobe and his slippers on. He just took a quick shower.
C
I'm sitting here. I just wear a towel around my waist.
B
Dave. I didn't need to know that.
A
It's not creepy at all. Okay?
B
Me eliciting the image of you in your bathrobe wasn't just for me. It was for our listeners, too, Joe. Right.
C
Well, I'm in a Jim Gaffigan camp of bathrobes. No, I don't like them.
B
Okay.
C
Are you sure? They got a little belt you can dunk in the toilet.
B
They got a little pocket, too, which you can put your phone in and
C
then drop your phone and then drop
A
that in the toilet. Yeah.
C
Not a big fan.
A
Okay.
C
Anyway, this story, I found a whole mess of different articles about this, but the best one came out of ABC, the Australian Broadcasting Company.
B
Okay.
C
And of course, when I went to the Australian Broadcasting Company, I couldn't help but look to see if they have anything on the kids page about Bluey. And they do, and you can, if you go there. Like right now, they have a dunny roll. Make your own Bluey and Bingo dunny rolls. Which I thought was dunny, right? Dunny. Dave, you know what dunny means?
B
Nope.
C
It's the Australian slang for toilet.
B
Oh.
A
So then you got to say squish. Squash. Okay.
B
Wow.
C
Okay. I only learned this by watching Bluey, you know, with the little tykes that run around my house and love the show.
B
Yes.
C
Anyway, the Louvre has been hit again.
B
Oh, no.
C
And this has lasted for the past 10 years.
B
What?
C
Yep.
A
What?
C
That's where we're going?
A
Dapper dressed fedora guy? Is that it?
B
I Do love a caper, you know, with a museum. So go on.
C
This is not as cool as the jewel heist that happened where everybody was like, all right, just standard old fashioned Italian job style crime.
B
Right?
C
Right. No, this is nine people who've been arrested after a year of investigation into what. What the article describes as a multinational fraud network. Now, I think that's overstating it a little bit, but what. What they had was two Chinese tour guides who have been accused of facilitating entry of multiple groups of Chinese tourists by reusing single entry tickets to the Louvre. So you can go to the Louvre. It costs you about €35 if you're outside. It's more expensive if you're not a member of the EU or the European Economic Union.
B
Right.
C
So, like, people from the UK have to pay more to go into the Louvre now. And I imagine that if you tell them you're American, they're like, oh, that'll be €150.
B
See, living as close to D.C. as we do, my default notion is that museums are free.
C
Right. You just walk in.
A
Yeah, Yeah.
C
I was shocked the first time I went into a museum and had to pay for it. Yeah. Because I grew up around here and I would just. Let's go down to the Air and Space Museum. Let's go down the Natural History Museum. Let's see some dinosaur bones. What's that gonna cost us? Nothing.
B
Right.
C
You know, it just.
A
You guys are so lucky. I just.
B
It's really nice.
A
It's always a treat when I'm in the D.C. area and I just walk
C
in and I'm like, you should hit the museums. It's beautiful.
A
I always do. I never miss out. Yeah, yeah. Yep.
C
And you know what? Every time I go to another museum, I'm not as impressed as I am with the Smithsonians. Oh, you know, they're not as good.
B
They're world class. Although I would say people who run the Louvre would probably take issue with that.
C
But I've been to the National Portrait Gallery and the Art museum, and I don't know.
B
Yeah, no, they're excellent.
C
Yeah. And then there's a cork. I mean, there's like three art museums on the mall. Yeah, three of them.
A
Yeah.
C
Anyway, it's alleged also that there were two tour guides, or these tour guides rather, bribed two Louvre employees to make this possible. So what these guys were doing was essentially they were two Chinese nationals, or I don't know if they're nationals, but they're two Chinese guys. And they would get Chinese tourists together and they'd take them into the Louvre and. And they take them to these Louvre employees who would then just either not scan the tickets or find some way to get around the system that they had. And then they'd walk these people through also. They. They wouldn't have to pay a speaking fee. I guess you can be like a third party Louvre tour guide, but you have to pay the Louvre to do that.
A
Okay, yeah, they're everywhere. It's there. You just bump into them all the time.
C
I've never been to France, so.
B
Oh, well,
A
it's a thing. And also, you can skip the Louvre. I will stand by that. I think it's overhyped anyway.
C
One of the things everybody says, don't you want to see the Mona Lisa? I'm like, you can get on the Internet and see the Mona Lisa. And from what I understand, it's not that big of a painting. And I mean, seeing it in person is not that much different from looking at it on the Internet.
A
Can I tell you my Mona Lisa story? I lived in France, specifically in Paris, for a little while, just for like eight months. So not a super long time, but long enough. And I went late January to the Louvre. The first time there was not a soul there at the Mona Lisa. I got to walk right up to it. There was no lines. And I got to look at it for a long time without a whole mob of people crowding me. And I was like, you know, this is really not that great of a painting. I understand why, in terms of art history, why it's a big deal, but it's just literally everything else at the Louvre is much more impressive. And it's just. It's so depressing seeing people going only for that and missing literally everything else there.
C
Yeah, that would not be my hype. I mean, I've seen it a hundred times. I can close my eyes and picture it. It's not, you know, it's.
A
Yeah, you've seen it. You've seen it. Many, many great works of art. You see them in person and you find stuff that you never noticed before. And I'm sure if I stared at the Mona Lisa for hours, I would have found something. But it's been done. It's overdone. Go enjoy other things.
C
They have lots of Van Goghs there, right?
A
Yeah. I mean, they have a lot of. You cannot see the Louvre in one day. I went back many times. It's so massive. And I didn't steal any jewels either. I'm really sad about that, but that's
B
exactly what somebody who stole some jewels
A
would say, I know there are a lot of museums.
C
Where were you last October?
A
Yeah, not there. There are a lot of art museums in Paris that frankly are worth more people's time. So that's the end of my psa.
B
Okay, proceed, Joe.
C
So the French police have finally arrested people. They did a raid, or rather they start with an investigation that was launched in 2025, included surveillance and wiretaps, and they were tasked with the investigation of organized fraud, money laundering, corruption, and aiding with illegal entry into France as part of an organized group, and the use of forged administrative documents. Now, I don't know if the forged administrative documents are just like, fake tickets or reusing tickets. I don't know. Or if that has anything to do with the immigration part of it, getting illegal entry into France. It doesn't say in the article. But those. When they started investigating, they found that, yeah, these people were reusing tickets. And the tour guides would also split up groups and pay cash. These accomplices, these guys they bribed to get them into the Louvre and avoid detection. So apparently, if you have a large group going through the Louvre, you have to pay a bigger fee if you have, like a smaller group. So they would just. They'd bring the group in, split it up into two small groups, and walk around the Louvre and give tours. So the investigators who did this estimated that these guys would bring 20 groups of people through this system a day for more than 10 years. 20 groups of people for 10 years. And the estimated losses for the museum were around 10 million euros. And there's a number here that says $16.75 million, but I think those are Australian dollars because this is an Australian article. So there's still. Yeah, still there's no mention.
B
Much more than I would have thought.
C
Yeah, there's no mention of real money, but the Louvre didn't lose this money. Like, they didn't have 10 million euros and now it's gone. They just never got the $10 million over the past 10 years.
B
Yeah.
C
So, I mean, still. Yeah, you're stealing from them.
B
Opportunity cost.
C
Right. But if these tourists were going to go to the Louvre, would they have paid the full price of the ticket? That's neither here nor there. This is wrong, obviously, and you shouldn't be doing it. A spokesman for the Louvre has said, by the way, that the Louvre has drawn up plans to prevent this further fraud. Kind of like they changed the password for the camera system from Louvre to something else.
B
Right.
C
To maybe not.
B
Lou, the crack security team at the Louvre whose reputation precedes them.
A
It's a shame.
B
Wow. I wonder how they ultimately got caught here. I wonder what tipped them off.
C
What tipped them off was the Louvre noticed some anomalies back in December 2024 about ticket usage. And then they started investigating it, and they found it out. They did arrest nine people. Two of the employees of the Louvre were arrested, several other people, and several tour guides. And one person that was described as the mastermind of the organization. And I just imagine the cops going in there and finding a bunch of guys, and there's one guy with a big, big head, and he just goes, who's the brains of this operation?
B
Like a Far Side cartoon.
C
Yeah, exactly.
A
There's a cow there for some reason, right?
C
Yeah. When they conducted the raid, they seized and over €950,000, stashes of foreign currency worth about €67,000 and another close to half a million euros that were deposited into bank accounts. And they also got three vehicles, several bank deposit box safe deposit boxes. Well, actually, the vehicles and the safe deposit boxes are being reported by Le Parisien newspaper. I hope I totally botch that.
B
Actually, Maria,
A
I think we should leave it as it is.
B
Okay.
C
No, not. That's fine. That's fine.
B
Very good.
C
Authorities said that they suspect that some of these people have invested their money into real estate assets in France and Dubai, which is a good way to launder money, by the way.
B
I never would have thought there was this much money in sneaking people into a museum.
C
Right, right.
B
But they're playing the long game. Ten years,
A
the most touristed city in the world. There are a lot of tourists in Paris, so you can make some big money on these tours. And they are really everywhere. People don't know the difference between official and unofficial. I mean, I don't.
C
You know what we should do, Dave, you and me, one weekend is we should go down in the mall with one of those little stands and just sell Smithsonian all access badges.
A
Right. There you go.
C
Right.
B
Just show this at the entrance. They'll let you right in.
C
Right? Yeah. You can go to all the museums, Right?
B
Right. We'll just stand at the exit to the metro. You know, discount all access badges, half price. Right here.
C
$15. $15. Cash only.
A
That's a steal, right? Right.
C
Maybe we say $100. I'll take them.
A
Okay.
B
Oh, my goodness. You know, the park police don't mess around, right?
C
Yeah, they do.
A
Yeah. They will nab you fast.
B
They really don't.
C
Yeah, I would like to, you know, with park police permission of course, just go and see if I could. If I could do that. And when people try to hand me money, just go. No, no, the museums are all free. I just wanted to see if anybody would be willing to pay.
B
Yeah.
C
See what would happen. It's a social engineering experiment.
B
Okay.
C
Right.
B
All right, do another research. We will have a link to that story in the show notes. Oh, there's more?
C
Yeah, there's one more thing, one more detail.
B
Okay.
C
That the prosecutor's office said that allegedly the same ring operated a similar scheme at the Palace of Versailles.
B
Oh, yeah.
A
Not surprising either.
C
I don't want anything. Any more details, huh?
A
Yep.
C
Yep.
B
So I wonder if you could buy a museum scamming franchise. Right, right. They give you all the. All the details, all the tools you need. You, too, can sneak people into museums for fun and profit.
A
It kind of makes sense because both those locations are just so massive, filled with so many different people. You can easily just sort of sneak your way in. Not sneaking, but, you know, like, you could probably operate kind of under the radar very easily there, much more than any other places. So I get why they targeted those two spots. Yeah, it's just, Ooh, iffy.
B
All right, like I said, we will have a link to that story in the show notes. Joe and Maria, it is time to move on to our catch of the day.
C
Dave, our catch of the day comes from Reddit, the subreddit r/scambait. And it says T and T and T, Land and Sea.
A
Wow.
C
That's the title of this. I don't know what this looks like or what this is. I haven't seen this yet, so.
B
All right, so, Joe, why don't you read the parts in green?
C
Okay.
B
And I will read the parts in gray.
C
Hold on, I gotta magnify my.
B
There we go. All right, Grandpa.
C
Thanks.
A
You're not supposed to tell people that, Joe.
C
That was an inside thought. Yeah.
B
All right, all right. It starts off. It goes like this. Hi, I'm Tim with TNT Land. We're aiming to find the owner of a lot in North Point, and we think that it's you. Would you think about taking something for it if we got you a good number?
C
Hi, Tim with TNT Land. What does TNT stand for? Tim and Tim.
B
Tim and Tom, actually. Friends who went into business together.
C
That's wonderful. What kind of business?
B
We buy and develop land and real estate together.
C
What do you and Tom develop land into?
B
Depends on the land zoning and area. Any interest in selling that parcel?
C
Forgive my curiosity. It's just nice to hear stories of the friendship in these trying times. How did you and Tom meet?
B
Appreciate the interest and I'd be happy to tell you more, but if there's not interest in selling the lot in North Point, I'd prefer to spend my time elsewhere. If you're interested in selling, just let me know. Thanks.
C
You drive a hard bargain, Tim. I could see what drew Tom to you. I haven't even heard that good number you mentioned, so how would I know? Would you fellas be interested in adding a third to the mix? Tim, hear me out. T and T and T. Land and Sea. We add me to the company, and I handle the waterfront properties. This doubles the property lots. What do you think?
B
Nothing better going on in your life? It seems a job might help with that.
C
Yeah, that's what I'm thinking. This could be lucrative for all of us. What do you think of expanding to the sea?
B
You go have fun drowning.
C
So this is interesting. I get these from time to time for my. Or I used to get them for my old house.
B
Yeah.
C
Hey, are you interested in selling your house? And I would always write back and be like, yes, my starting price is $1 million. And I'd never hear back from them because if somebody gave me a million dollars for that house, I'd have moved out.
B
Right.
C
But as it turns out, the people who did pay me for that house when I sold it, gave me substantially less. But I was ready to move at that point in time.
B
Yeah. So I've gotten these, too.
C
Yeah.
B
Yeah. And people ask me if I want to sell my old business that is no longer in business. You know, things like that. So somebody's scraping up an old database of homeowners and business owners and things like that.
C
I mean, would you sell?
A
I've never gotten any of these. I've never. This is. I feel I'm left out. I didn't get. I've never seen this before.
B
Well, just give it time, because, you know, you have a mortgage, you're a homeowner.
A
I'm on mortgage number three. Never gotten this before.
C
And house number two. Right.
A
Well, this is my third home.
C
Oh, third home.
B
Count yourself lucky.
A
But I don't own three houses right now. I've bought and sold. I'm now on house number three.
B
Yeah. Maria's secretly a slumlord behind the scenes. She just buys up distressed properties and sells them out to poor Bostonians who don't know anybody. Yeah.
A
Notoriously lucrative podcasting. That's why I own three properties in the very high cost of living area of Boston. That's right.
B
Do you ever get postcards, Maria, asking from your local realtors, asking if you're interested in selling?
A
Yeah, the postcards I get, and they're always very funny because they're like, you know, they will either say, call us for a free estimate or they'll tell us what my house is worth. But that's, you know, whatever. Those I don't even register because it's just, it's a realtor. But I've never gotten a scammer texting me this kind of thing that I feel. Oh, man.
B
Yeah.
A
And I had an LLC and everything for my old freelancing business. Nobody's ever harassed me to sell for them. Come on, scammers, get on that.
B
It's also possible that Tim and Tom are on the up and up, that they actually do buy land. I mean, that is a thing. But I don't know. I think you're better if someone texts you out of the blue. You're best just ignoring them or doing what the third T here, whoever it was, did, and lead them along, lead them astray.
C
Yeah.
A
Tim Tams.
C
It's irritating to me because, you know, these guys are those, those real estate flippers.
A
Yeah.
C
When we were buying our house, our last house, you could walk into a house and just look around and go, this is a flip.
B
Oh, yeah.
C
You know.
A
Oh, yeah.
C
Because they all look exactly the same.
B
Yeah.
C
And I would just straight up, if it was an open house, I just straight up ask the agent, is this a flip? And they'd be like, oh, yeah. And I'd turn around and walk out. Also on Zillow that you can look and see when the house last sold.
B
Right.
C
So that will tell you, give you an indication that it's a flip too. And usually you'll see this, like, this spike, you know, you see that the, you know, the house's value is listed and you'll see that it sells. And now there's this huge spike where it's trying to sell again, Right? Yeah, yeah, yeah, yeah.
A
My favorite is when the flipper is the realtor who is trying to sell it. That one I encountered a lot. Oh, look at all this work I did. I'm like, oh my God.
C
Yeah, I'm trying to save. Trying to save the commission on this one.
A
Yeah, it's the Home Depot special all the way down.
B
Yeah. I will say in the flipper's defense that there was.
A
Do they need defending?
B
Well, I know someone who is a flipper and it is on the up and up. And my family, at one point, my father had a distressed property that he was looking to sell. And our friend who flips properties came in and made an offer. And the offer was, you don't have to do anything. Right. I will buy this property as is. You don't have to clean it out. You don't have to clean it up. You don't have to do anything. And the property was pretty distressed. And so for my father, he was like, yeah, that sounds great. Right?
A
See, I can.
B
Let me also say my father is a career realtor. Right?
C
Right.
B
So he's a knowledgeable person or was a knowledgeable person when it comes to this kind of stuff. But I will acknowledge that that is the few and far between the flipper who's in it for the, you know, in the good of their heart and all that sort of thing.
C
Well, he's still gonna make a profit on it, but, you know, it's a good opportunity when you can find it. But then there's, you know, the other guys that do the unethical things like call you up and say. And lowball you for your house.
B
Right? Yeah, yeah, absolutely. All right. We will have a link to that in the show notes. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo at threatlocker.com N2K. And that is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Podcast: Hacking Humans
Episode: AI Ate My Homework
Date: February 26, 2026
Hosts: Dave Bittner, Joe Kerrigan, Maria Varmazes
This episode of Hacking Humans explores the ever-evolving landscape of deception, influence, and social engineering, focusing on the ease with which AI models can be gamed to propagate misinformation, the shocking realities of legal and medical scams, and a long-running ticket fraud at French museums. The hosts also share a humorous real-estate scam interaction in their "Catch of the Day" segment.
Segment begins: [00:47]
Key Discussion Points:
Notable Quotes:
Timestamps:
Concerns Raised:
Best Practice Reminder:
“Be especially careful when you're looking up time sensitive medical or financial or business-related questions. Really drill into what you're seeing.”
— Maria ([11:44])
Segment begins: [17:05]
Key Discussion Points:
Notable Quotes:
Timestamps:
Memorable Moment:
“It’s just so wrong. It’s one of those things where I understand what’s going on less and less as it goes... It’s by design.”
— Maria ([26:23])
Segment begins: [29:12]
Key Discussion Points:
Notable Quotes:
Timestamps:
Sidebars & Humor:
The hosts share stories about museum visits, D.C.'s free Smithsonian museums, the "overhyped" Mona Lisa ([33:29]), and speculate about starting their own fake museum badge operation ([39:36]).
Segment begins: [41:45]
Scenario:
Reddit story where a listener trolls a persistent real-estate scammer texting about buying lots for a fake “TNT Land and Sea” partnership.
Notable Quotes (from the scambait):
Discussion Points:
On AI’s vulnerability:
“AI has just become a giant reset button on a lot of that web and security hygiene stuff that we've had in place. So a good old return to the old ways, but for the worse.” — Maria ([06:22])
On medical legal predation:
“You have a legal marketplace that's basically shaped by marketers and financiers, people trading around...as if they're financial instruments.” — Dave ([25:29])
On museum fraud scale:
“I wonder how they ultimately got caught here...Twenty groups a day for more than ten years...” — Joe and Dave ([35:00]-[37:42])
On scam-baiting:
“Would you fellas be interested in adding a third to the mix? Tim, hear me out. T and T and T. Land and Sea.” — Reddit User ([43:16])
If you enjoyed this episode or have a story to share, contact the podcast at hackinghumans@n2k.com.
For show notes and referenced articles, see the episode links.