Dave Buettner
You're listening to the Cyberwire Network, powered by N2K.
Joe Kerrigan
Hello, everyone, and welcome to N2K, CyberWire's hacking humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. Dave I'm Dave Buettner and joining me is Joe Kerrigan. Hi, Joe.
Maria Varmazes
Hi, Dave.
Joe Kerrigan
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazes.
Dave Buettner
Maria hi, Dave. And hi, Joe.
Joe Kerrigan
We've got some good stories to share this week and we will be right back after this message from our show sponsor.
ThreatLocker Sponsor
And now a few thoughts from our sponsors. At ThreatLocker, the tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allow listing and ring fencing has your back.
Joe Kerrigan
All right, we do not have any follow up this week, so why don't we jump right into our stories. Maria, you want to kick things off for us here?
Dave Buettner
Yeah, less of a story, more of a comment, a really long comment, really.
Joe Kerrigan
What are you, like in the audience of a lecture or something?
Dave Buettner
We all love that guy. We love that guy. It's my turn to be that guy today. I was reading this morning on the Boston Globe, my local newspaper, about the big return to office mandates that are happening not so much at our company tape because I am remote, but I know a lot of my friends are four to five times a week back in the office now after several years of being fully remote. And then this story pops up in our inbox from our friends at Bishop Fox about. Basically, a lot of us are rusty at what it means to be sort of a good corporate employee in a physical office in terms of not just being aware. Well, I mean, please bathe, please wear, wear real pants. But also, do you remember your security awareness training? Not just in terms of can you identify phishing or vishing. I hate that word, but you know what I mean, the phone phishing. But also, do you remember things like badging etiquette, things like that? So the person who wrote this blog post is by Elise Dennis, or Dunny, if I want to do the French pronunciation, who is a DEFCON black badge holder from DEFCON 27. So good for her. Honestly, she won the social engineering capture the flag. It's pretty cool. And so this is the point that she's making is, you know, Bishop Fox and many other companies offer red teaming, which is like pen testing, but more basically they come in to your company and they go, I'm going to try all sorts of ways to get into your company to get certain information, capture some sort of designated info by whatever means we've agreed upon and I'll take the time that it's going to take. I'm summarizing this very poorly, but it's a really fascinating exercise for a company to opt into because it then exposes all of your weaknesses, not just digitally, but also physically. And I feel like security teams know this, but it can be hard for them to get management to buy in. So I wanted to stop there and just ask. 
Have either of you ever been knowingly on the receiving end of like a red teaming exercise or a pen test?
Maria Varmazes
Not, not, not. No, I, I have not been knowingly on this, but I have worked with people who have done this.
Dave Buettner
Yes.
Maria Varmazes
When I was working at Accuvant, one of our organizations, now it's part of a company called Optiv, but we had an organization that did penetration testing and one of the things they offered was physical penetration tests. Like this.
Dave Buettner
Yep.
Joe Kerrigan
Yeah. I spent the vast majority of my career being self-employed, so. And co-owning a company with my wife. So I'm just gonna leave it there.
Dave Buettner
Different challenges.
Maria Varmazes
You're probably gonna know if you set yourself up for red teaming.
Dave Buettner
Yeah, a whole other set of challenges with that one. That's fair enough. I don't know about my time when I was at Sophos, but certainly I know at Rapid7 when I worked there, we were basically constantly under some kind of an assessment, either self-imposed or a competitor. Presumably somebody was trying to get access to what we were doing. And the only time that I know of where I was pretty damn sure that somebody was trying to get past me through the doors, going past the badging etiquette, it was a really harrowing experience because I was working in the marketing department and we are target number one when you're in marketing, cybersecurity, it's like marketing and HR. Yeah, soft target.
Joe Kerrigan
Because women, it's a department full of pleasers.
Dave Buettner
Full of pleasers. Usually full of women, like people who like to be nice. And I basically got yelled at in one of the sort of more hidden elevator shaft entrances to the office by a guy I could have sworn I recognized who looked like he worked in our sales bullpen. But I wasn't totally sure and he wanted me to badge him in. And I was like, no, I can't do that. That goes against corporate policy. And this guy yelled at me like, he just yelled at me like, what are you talking about? I'm gonna be late for my thing. And I was like this guy's pen testing me. Like the look of me right now. That or he's an asshole. But either way, it goes against me.
Joe Kerrigan
Either way.
Maria Varmazes
Either way, I'm not letting you in.
Joe Kerrigan
That's right.
Dave Buettner
Yeah. And just I think part of the thing that empowered me to feel that way, aside from that he was an asshole to me, was also that I knew that the company had my back because it was part of sort of the corporate culture that we would have regular check-ins about. You know, are you writing your password down and putting it under your keyboard like everybody else? You can't do that here. Don't do that. That's not a good idea. And you know that. I knew that if I had to be late for a meeting because I forgot my badge and I had to go through the front door and check in, that, you know, my C-level would have my back. She understood that this was like you had to do that. And I think at companies where that's not clear, people just think of these kinds of physical security measures as a pain in the rear end. But if people know that they've got that all the way up to the top, they've got your back, then they're much more successful. So I don't know, this is just my opportunity to go. Being on the receiving end of that really stinks. But I recognize it's important and I.
Joe Kerrigan
Can hear how that one ended. Like who the guy really? Like, did you have an awkward run in with him in the lunchroom, know, a week later, oh, you do work here.
Dave Buettner
You know what, he definitely did work there, but we off as, as. But again, it was part of corporate policy that we didn't let anybody and we didn't. I don't know, there's different terms for this, but like if your colleague just goes in with you and on your badge, like you hold the door open for them. Tailgating, I've heard. Yeah, tailgating. Thank you. I couldn't remember the term for that. We that was explicitly not allowed. Even if they had their hands full or whatever, you just could not do it. And I know people who work at like defense contractors, this is really standard procedure for them. I've seen it. But I think for those of us in the software corporate world, we often forget that it's a bad idea. But yeah, he definitely worked at the company but we were self assessing all the time, just part of us making sure that we were on top of things. And it was a very valuable exercise. So it may have been that he was legit, but it also may have been that he was working with the security team. I don't know. I will never know how that ended up, but I'm pretty sure it was a pen test. Yeah.
Joe Kerrigan
Trust no one. Trust no one.
Dave Buettner
Honestly?
Joe Kerrigan
Yes. Well, I mean, Joe, you've worked in some secure places. I mean, the place you're working at now is pretty secure.
Maria Varmazes
Yes.
Joe Kerrigan
And so what's the.
Dave Buettner
Don't test the assertion.
Joe Kerrigan
What's the situation there?
Maria Varmazes
Well, it's a different situation because it is mandated in these kind of environments. Not just like, hey, it would be really great. It's like, hey, there's real consequences if you don't do this. So when that's the case, if you're. I have seen people try to tailgate, but I haven't seen anybody even try to tailgate in 20 years. Okay, wow. But I was working with a friend of mine. We were at this, we were working at a defense contractor and we were coming in, um, and I badged in. He badged in. Somebody behind him did not badge in. And my friend stopped him and said, you have to badge in. Like, like put a hand up, like physically and, and said, no, you have to badge in. The guy's like, really? And he's like, yeah, really?
Dave Buettner
Yes.
Maria Varmazes
He had no qualms about telling him that. And at that same contractor, at one point in time, we were in the, the vending room and one of the women that I worked with saw somebody and she said, hey, where's your badge? And the guy goes, I left it at my desk. And he was, he was, he's like, I need, can, can somebody escort me back to my desk? So he was like, immediately like, I gotta correct this.
Joe Kerrigan
Yeah.
Maria Varmazes
So it was, it was, it, it was like, it wasn't like, come on, just let me slide. He's like, no, you're right. And she said, I'm sorry, I had to stop. He goes, no, you did the exact right thing. I'm supposed to have my badge on me at all times. So it was, it's a different culture in that kind of environment where you know, you know, you help each other out when, when, when you like by escorting them back to the, back to the desk to get the badge and also reminding everybody and, and people, when people realize they violated the policy, they, they quickly, they quickly correct the problem. They don't try to pass it off as a. As a minor thing.
Dave Buettner
Yeah. You model the correct thing, and that's. That lets everyone else feel safe to do the same thing. And not like I'm the dork. The one dork who's following security policy. And nobody else does this.
Maria Varmazes
But in the defense world, that is, if not following that policy can have remarkably bad and dire consequences. Like, everybody could be out of a job. Right.
Joe Kerrigan
Yeah.
Dave Buettner
Yeah. So I would hope so.
Maria Varmazes
Yeah. So it's not something that gets taken, like, lightly in defense.
Joe Kerrigan
Actually, you know, I do recall now that we're talking about it, there was one incident that I was involved with sort of along the side of. I was. I. I was actually working at the Newseum in Washington, D.C., which is no longer there. RIP. In fact, Johns Hopkins bought their building.
Maria Varmazes
Yes, we. Yes, they did. I'm still in the Wii part of that.
Joe Kerrigan
So for those who aren't familiar with the Newseum, they had quite a substantial broadcast studio facility there. And that's where I was working. I was working on a TV show there. And it was not uncommon for the chief engineer, the person who was responsible for getting us on the air, who had to go to a part of the facility called Master Control, which is where all of the devices that put you on the air are when you got to a satellite or. Yeah, I know Master Control, but they're the ones who are actually lighting the candle to get on the satellite, to send your signal places. Anyway, like, if I needed something from. Like, I needed a cable or something from Master Control, I'd go to Dennis, and I'd say, Dennis, I need a cable. He'd go, here, take my ID badge and go get it. Because I didn't have access to Master Control, he didn't want to go with me to Master Control because it was on a different floor. So I would go, and he can me his ID badge. I'd go get what I need, come back, give him his ID badge. Turns out security at the Newseum was such that when you badged yourself into the elevator, your picture would come up in front of the security folks downstairs. Actually, the picture of the person who that ID belonged to would come up in front of the security team, and when you got in the elevator, they would cross-check your picture with the picture on the ID.
Dave Buettner
Nice.
Joe Kerrigan
Dennis was about 20 years older than me, 100 pounds heavier than me, and completely bald. No, right, exactly. There's no resemblance whatsoever. So Dennis and I got a little talking-to about the loose use of sharing of security badges. But actually the other thing that came out with it is that they made it so that I had access to Master Control because I had to get in there from time to time.
Dave Buettner
So there you go.
Maria Varmazes
Anyway, that's the right way to handle things, Dave.
Joe Kerrigan
Well, lucky, fortunately nobody got fired. Right. You know, we were totally operating in easier to apologize than get permission mode.
Dave Buettner
Which sometimes you got to do. Yeah, that often happens. Yeah.
Maria Varmazes
Yeah.
Joe Kerrigan
Right. All right, well, interesting story, Maria. Thanks for bringing that to our attention there. Joe, you are up next. What do you have for us this week?
Maria Varmazes
Dave? I got a story that I first saw on cbsnews.com and then I went to the primary source, which actually comes from FCC.gov and we'll put links to both of these in the show notes. But the FCC is warning about a group. I love how governments and other security organizations in general love to name these kind of threat actor groups. So they're calling this group Green Mirage. And it's the enforcement bureau from the FCC is saying you need to watch out for these guys. Cuz what they're doing is they're calling people posing as their mortgage lenders. Oh, okay. So these guys have information and one of the more interesting pieces I'll get to in a minute is actually pretty scary. But they know who your mortgage company is and they know maybe who your past mortgage company is. So like if you've done a refinance, they have that information as well.
Dave Buettner
It's all public, isn't it?
Maria Varmazes
I don't know that it's public. That's a good question. I know that you buying a house is public.
Joe Kerrigan
Yeah.
Maria Varmazes
Cause I've recently been through this. Maria, you and I have recently both bought houses.
Dave Buettner
I want to say that that info is public because I got so much junk mail with my mortgage lender's name on it from third parties that were pretending to be helpful but weren't. I want to say.
Maria Varmazes
Yes, that's a good point because when I refinanced my house, my last house, I refinanced that probably, I don't know, 10 years ago, maybe, maybe not, maybe more recently than that. But I started getting those kind of emails or kind of mails as well, looking like they were coming from the bank and they were not. They were coming from somebody else. So maybe it is public information. Maybe it's out there on. No, it shouldn't be. I mean the fact that you buy the real estate, okay, that has to be public information. How you go about financing it privately, that's nobody else's business.
Dave Buettner
Yeah, it feels icky.
Maria Varmazes
Yeah, it does.
Dave Buettner
I'm sure a listener can tell us why it should be public, though I actually would be very curious to learn what the good reason is for that.
Maria Varmazes
Anyway, now, what's the email address? Dave hackinghumans2k.com.
Joe Kerrigan
That's it.
Maria Varmazes
Send it to us. Let us know if you know why. Anyway, these guys are. One of the things that's really interesting about them is that they are calling people who have called their mortgage company because they're in some kind of financial distress. Okay. So if you are in financial distress, one of the things that the mortgage company wants to know is they want to know as soon as possible that you're not going to be able to make your mortgage payment. Right, Right. And they want to know that for a couple of reasons. One, because they have to manage their own risk. But two, they really don't want to foreclose on your house. That's right. They don't want to do that. And the reason they don't want to do that is because they don't want your house. What they want is the money.
Dave Buettner
Right, Right.
Maria Varmazes
And that's how these mortgage lenders work. And going through the foreclosure process is very expensive. And they know they're probably going to lose money doing it, especially if you're very early on in the mortgage. Right. So they don't want foreclosure. They want to work with you and to negotiate and to come up with some kind of solution to do it. So you can call your mortgage company, you tell them what's going on, maybe they'll work with you. But what these guys are doing, this Green Mirage group, is they're calling people back posing as the mortgage company and then having them send. Send mortgage payment stuff to, like, real money, sending it to third parties that are like in this thing it says in quotes, attorneys or representatives, or they're having these people upload funds to a Walmart Green Dot money card account, which to me would be a red flag. Right. But maybe it wouldn't be to somebody else. But the hardest part of this is many victims are not learning that they've been defrauded until the lender starts foreclosure proceedings because the lender hasn't been paid. And they think they're paying the lender, but they're not. They're paying these scammers. And my question is, it seems odd to me that these scammers are calling people who've called the mortgage company because they're in distress and then they're getting hit with this scam.
Joe Kerrigan
Right.
Maria Varmazes
I mean, first off, let's set aside the reprehensibleness of this particular scam. This is one of those scams where you're like, okay, you're a really terrible person for doing this. But my question is, how are they doing that? How are they getting in there? How are they hitting these people who are in distress? And it seems from my reading of this warning from the FCC that it's disproportionately large in terms of who's getting hit with this, that they're the people who are in distress in calling the mortgage company first.
Joe Kerrigan
Well, I mean, I would. To me, it points to an insider.
Maria Varmazes
That was the first thing I thought, too.
Dave Buettner
Insider threat. Yep.
Joe Kerrigan
It also seems strange to me that the scammers would be targeting people who are already in financial distress. Like, not a big payday if you have somebody who already can't pay their mortgage. I mean, obviously you're hitting someone who's in an emotional state.
Maria Varmazes
Right.
Joe Kerrigan
So I guess you increase your odds there. And I don't know, let's say you're. I'm thinking this through in real time, so apologies, but, you know, if your mortgage is $1,000 a month and these folks can get. I know, right? These folks can get $100 from you, because that's what you have, then maybe that's still a win for them.
Maria Varmazes
Yeah, well, I mean, I think it might be closer to. I think it's very much like that, but I think it's closer to. Your mortgage is like $2,500, $3,000 a month, and they're getting $1,1500 out of you.
Joe Kerrigan
Yeah.
Maria Varmazes
So, I mean. Cause I could see where that would look feasible.
Joe Kerrigan
Right.
Maria Varmazes
How much money can you afford to pay us this month? Okay, well, I'm going to have you send that to an attorney, and we're going to make sure that that gets tracked, send a money order to this person, and then the money's just gone. So, I mean, it's. They have to be able to find out where this money's going as well. I imagine that the FCC is working on that end of it, and they might be involving other law enforcement or. Well, FCC is not really a law enforcement organization. They're a commission, and they're responsible for the communication systems throughout the U.S., including the phone system.
Joe Kerrigan
They can levy fines, though.
Maria Varmazes
They can levy fines. That's true. They do have that capability. But they can't criminally prosecute somebody, can they? Criminally no, they're levying fines because I'm thinking about a recent case where somebody was broadcasting incorrectly. Maybe you saw this in one of the ham radio things. Dave, you're a ham radio operator?
Joe Kerrigan
I am. There was a guy who recently got like a $32,000 fine because he was improperly interfering with firefighters.
Maria Varmazes
Correct. That's exactly the case I'm thinking of.
Dave Buettner
They take that very seriously. Yep.
Maria Varmazes
Yeah, they do. But that was a financial, like a fine crime. What he's doing is criminal, but he's not going to do any jail time. He just had to pay a fine.
Joe Kerrigan
No, but I suspect that the FCC, if need be, they will simply refer you to one of the law enforcement agencies with whom they partner.
Maria Varmazes
Yeah.
Joe Kerrigan
If criminal charges are in order.
Maria Varmazes
Yes. So they can levy fines, but they can't put you in jail, but somebody else can. And some of this stuff is illegal. Some of this stuff. All of this stuff is illegal. It's all wire fraud and money laundering.
Joe Kerrigan
Right.
Maria Varmazes
So, I mean, those things the Justice Department is very interested in prosecuting.
Joe Kerrigan
Yeah.
Maria Varmazes
So make sure, make sure. If you're, if you're, if you're in distress for a mortgage, make sure that you make the calls. And unfortunately, that's the only thing that I can tell you to do here, is don't trust any inbound calls because these guys are spoofing the caller ID of your lender, right, when they call. And somehow they know. It seems that they know when people are in distress. Looks like they've already gotten away with $400,000.
Dave Buettner
Yeah.
Maria Varmazes
Over the last two years. And, and of course, this is saying that this is likely underreported and it is. Much more than $400,000 has been taken.
Joe Kerrigan
Wow. All right, well, we will have a link to that in the show notes, and of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans2k.com. We're going to take a quick break to hear a message from our show sponsor.
ThreatLocker Sponsor
So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company, using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show.
Joe Kerrigan
All right, we are back. And my story this week is actually from a listener who has asked that we keep them anonymous. So we are going to respect that request. But this is an interesting story that came from a Reddit group, a subreddit, and this is the Airbnb hosts subreddit. And yes, and I have to say, it is not complete yet, but it's far enough along that I feel as though we can talk about it here. So this is the story of an Airbnb host who got an inquiry from a new account on Airbnb. Red flag.
Maria Varmazes
Right.
Joe Kerrigan
Asking for a video of the place that they are renting and also asking to take the communication off of Airbnb and over to WhatsApp. Red flag.
Maria Varmazes
Yes, that's the red flag. That's a bigger red flag.
Dave Buettner
Taking you to a second location.
Joe Kerrigan
Yep. By the way, some folks pointed out in this Reddit thread that that itself is a violation of Airbnb's terms.
Maria Varmazes
Is it really?
Joe Kerrigan
Mm.
Maria Varmazes
Okay.
Dave Buettner
Yeah.
Joe Kerrigan
All Airbnb negotiations are required to take place on Airbnb's platform.
Maria Varmazes
That is a good policy to have. I think what Airbnb needs to do here is to reinforce that policy and remind everybody of that policy.
Joe Kerrigan
Yeah.
Maria Varmazes
At all times. Like with some periodicity. Remember, if you're conducting a. Conducting any negotiations, it is against our policy for you to take that to another platform. And then, I don't know, maybe I'm just getting too in the weeds here like I normally do.
Dave Buettner
I feel like AI could actually help here. If they've got an AI running and they notice someone says, let's take this offline, why couldn't they just pop up and say, don't do that?
Joe Kerrigan
Right. Right. Well, in this case, I'm gonna sort of paraphrase what the person wrote here. They said, I agreed to take the chat to WhatsApp. They sent their number cryptically. They're now rapport building like crazy. It seems like I'm talking to an LLM bot, but I can't know for sure. They're asking for a six month rental off Airbnb. I sent them to a video walkthrough that we did during the photo session. I gave them a price close to the price that would be for a booking, which is like five times what Zillow says my rental rate would be. And they agreed without hesitation.
Maria Varmazes
Really? So let me see if I got this right. So they're doing an Airbnb, which is usually like $150 a night or something like that.
Joe Kerrigan
I mean, I don't know, some places.
Dave Buettner
It can vary hugely, but sure, there's a wide range.
Maria Varmazes
And this guy's just saying, I'll charge you whatever that nightly rate is for six months. And that turns out that if you fully rent that place for a month, you're gonna pay way more than you would just by renting it with a lease.
Joe Kerrigan
Right, right.
Maria Varmazes
Okay, Right.
Joe Kerrigan
So before we dig into any more of the story here, any speculation as to if this is indeed a scam, what is the scam?
Maria Varmazes
Okay, so I'm going to go first here. I'm going to say the fact that the guy agrees, or the scammer agrees instantaneously to something that is obviously ridiculous in terms of how much money he's going to have to pay, tells me, yes, I'm dealing with a scammer. You know, that is the biggest indicator right there. This is way too good to be true. Okay, but what's the scam that I'm not sure of, Maria.
Dave Buettner
Overpayment is my thinking that rug pull just feels like it's about to happen. But I don't know. I know very little about Airbnb scams.
Joe Kerrigan
Well, Maria, that is an excellent guess. The responders in this thread have said that perhaps it is an overpayment scam. Which just a reminder, what that means is someone will send you way more money for something than they should. And chances are that they are sending you that money using a stolen credit card or some other ill gotten gains. Then they reach out to you and they say, oh my gosh, I'm so sorry I overpaid you. Can you please refund the difference of what I owe you? And so you send them the difference using your real money out of your real account. Some time passes, it's discovered that the credit card was stolen, that money gets clawed back from you, so you're out the total amount of the initial payment that came on the credit card and the money that you refunded them out of your own account. So that's how an overpayment scam works.
Maria Varmazes
And it can work that way with checks as well, right?
Dave Buettner
Yes, sure can.
Joe Kerrigan
This person has provided a few updates. The first one said that they sent the person an invoice for two months rent up front and they didn't get any response. But then things went to the next level. This person got a WhatsApp video call from the people I'm going to quote here. It says it was a very beautiful Asian girl sitting at her desk using her computer to call. It was a short call. She wasn't quite as friendly as her messages are. She said she's coming to my town to visit and wants to meet up to sign the contract and make the payment. After the call, she keeps sending very friendly rapport building messages and now videos of her playing golf. So now we've gone from a check overpayment scam to a hot Asian girl catfishing scam. Lol.
Maria Varmazes
You're gonna get snatched up in a bag. That's what's gonna happen.
Dave Buettner
As an Airbnb host want to see you playing golf. I couldn't care less, lady. I mean, seriously, what?
Joe Kerrigan
They are investing a lot of time in this, so it's definitely going somewhere. But the cards have yet to be laid on the table, so we press on. All right, so the other scam possibility that was suggested here was the fact that the folks asked for a video of the place is indicative of a fake rental scam.
Maria Varmazes
Right? That actually did occur to me that they're gonna take pictures out of that video and then make their own Airbnb host account and try to rent out a fake property or maybe even this guy's property.
Joe Kerrigan
Right, Exactly.
Dave Buettner
User Generated Content Scam edition.
Joe Kerrigan
So this happens. Places like Craigslist or Facebook marketplaces, these happen in particular because there's little oversight compared to Airbnb. But Joe's exactly right. They'll take the video that you send them. Then they create their own rental ad. Then strangers look at this place. They say, oh, I want to rent this place. They send a deposit, they show up to get their keys. There's nobody there. Perhaps there's someone living there who is very confused as to why someone has knocked on their front door looking to rent the place.
Maria Varmazes
Or perhaps somebody has already rented this Airbnb from somebody else.
Joe Kerrigan
Yeah, and very often they target folks who are moving from out of town so they don't have the opportunity to visit the place in person ahead of time. So that was proposed as one of the scams. The third and final update on this refers to a YouTuber who goes by the name Pleasant Green, who did a video on pig butchering. And the person writing this story says, this is most certainly a pig butchering scheme. The person is following all the methods in that script, except for two things. First, they've gotten much more sophisticated. Making a WhatsApp video call with an AI filter and AI voice changer was very convincing. Secondly, they aren't using a crypto investment scam yet.
Maria Varmazes
Right.
Joe Kerrigan
But this might be heading towards some other business investment scam because she keeps talking about her medical device sales business. The YouTuber Pleasant Green said the fattening part of the scheme lasts about a week. So I'll have to endure her daily love letters a few more days to see what the slaughterhouse looks like.
Dave Buettner
Just be careful butchering liturgical counsel.
Maria Varmazes
It is a slaughterhouse and you are the pig. So just, yeah, be very, very careful here.
Joe Kerrigan
I mean, it's an interesting story. We always say you kind of take things in your own hands is very risky because the people you're up against here do this every day, and chances are they're better at it than you are. But in this case, seems like this person has a village of Airbnb folks behind them. So they're onto it and hopefully all things will end up well. But it's an interesting tale and hopefully comes to a good outcome. So I'm really glad our listener sent this to us. This is one I hadn't really heard of before.
Maria Varmazes
I have not heard of it either. It's kind of new to me. But, you know, these guys are going to find ways to scam everything. It looks to me like they're doing, like, three or four different things here.
Joe Kerrigan
Could be.
Maria Varmazes
It could be that they're doing all of it, right? Like, they're setting up the fake rental. They're also, hey, while I got you here, why don't I try to lure you with the young, attractive Asian girl? And it's always in everything I've seen, for some reason, it's young, attractive Asian women.
Joe Kerrigan
Yeah.
Maria Varmazes
And I'm still trying to figure out why that is.
Joe Kerrigan
You know, I'm gonna get in trouble for thinking about this, but I was thinking about this. I was trying to ponder, like, why. Because you're right. The fact of the matter is, it is always on these global scams, it is always young, attractive Asian women.
Maria Varmazes
Right.
Joe Kerrigan
So here's my question that is wrong. And, Maria, please tell me if I'm stepping out of bounds here.
Dave Buettner
I'm probably the last person to say so, Dave, but.
Joe Kerrigan
Okay, is the young, attractive Asian woman, the universal, beautiful woman around the globe. Right. Do you see where I'm getting here?
Maria Varmazes
You're saying maybe that has the broadest appeal.
Joe Kerrigan
Like, what is it? Type O blood is the universal donor. Right. To all people of all races, colors and creeds around the globe. Is a young Asian woman considered universally attractive? I don't know the answer to that, but it seems like a plausible explanation for why it always is. Because if they don't, in other words, if these scammers aren't getting any pushback, you know, that's saying, oh, sorry, you're not my type. Right. Very quickly they're going to learn that this is an image that works around the world.
Maria Varmazes
Right.
Joe Kerrigan
And so I wonder about that. I don't have a good answer. I could be completely wrong and it could be something else. What's that, Brian?
Dave Buettner
I think that type is in the top 10, but I mean, it's certainly. If they've been doing it this long, it's working for some reason. So, um, I was going more with. If these pig butchering scams are originating in Asia, it may be an impersonation that is closer to home.
Joe Kerrigan
Right?
Dave Buettner
Yeah, Also.
Maria Varmazes
But that is also a good possibility. Also, the. The region, the Asian region is. Is densely. Pop.
Dave Buettner
Huge as well. Yeah, yeah, yeah.
Maria Varmazes
A lot of the world's population now, not all of them are Asians. Like. Like we're, you know, discussing, you know, people of Chinese, Japanese, Korean, Vietnamese descent. You know, they're.
Joe Kerrigan
Asia is a big place.
Maria Varmazes
Asia is a big place.
Dave Buettner
Yes.
Maria Varmazes
And people, look, their people are very diverse from that area. Yeah. So. But the. The question. The question still sticks in the back of my mind. Why is it. I mean, why is it like that?
Joe Kerrigan
Yeah.
Maria Varmazes
And it's. I don't know that there's. That there's a valid reason for it or. Or maybe there is.
Dave Buettner
I guarantee you they did, like, rudimentary AB testing and they found that that is what works the best, I'm sure.
Maria Varmazes
What works? What has the highest success rate?
Dave Buettner
Y.
Joe Kerrigan
All right, well, we will have a link to that Reddit thread in the show notes. Joe, Maria, it is time to move on to our catch of the day.
Maria Varmazes
Dave, our catch of the day comes from William, and it's. It's alleging to be an email that was automatically generated. But it's a crypto scam, Dave.
Joe Kerrigan
Oh, all right.
Dave Buettner
Spoiler alert.
Joe Kerrigan
Yeah. All right, it goes like this. Dear User, action required. We have detected a critical security vulnerability affecting the integrity of your seed phrases. Your funds are at risk and could be withdrawn at any time without your authorization. Taking prompt action is mandatory to secure your digital assets. What? You must generate a new seed phrase. Use the secure QR code below to generate a new seed phrase unique to your account. This process is critical to ensuring your funds are protected. Scan the QR code to begin the process. Maintain vigilance. Regularly monitor your accounts for unusual activity and ensure you follow best practices for securing your wallets. Why this is important. Failure to update your seed phrase immediately may result in unauthorized access and potential loss of your digital assets. This update is mandatory to safeguard your holdings. And then it has contact information.
Maria Varmazes
Right. So William says, two things stood out to me because of this one, I consider solicited, unsolicited QR codes immediately suspicious, which is good. As do I. And the other thing is, William says I don't have any crypto. So sending me this message that my cryptocurrency is at risk, it shows me it must be some kind of. Some kind of scam.
Dave Buettner
Stands to reason.
Maria Varmazes
I mean, it is.
Joe Kerrigan
Can either of you help explain this to me? Because I don't have any crypto, and I've never used any crypto. Obviously, I know crypto uses things like seed phrases.
Maria Varmazes
No, it doesn't. Actually, Dave, that's a misnomer.
Joe Kerrigan
Oh.
Maria Varmazes
So I was going to ask you.
Joe Kerrigan
Guys, am I going to regret asking you this?
Maria Varmazes
No.
Dave Buettner
As I've often said, everything I know is against my will.
Joe Kerrigan
All right, buckle it. Here we go.
Maria Varmazes
First off, there are two ways you can hold cryptocurrency. You can hold it yourself in some kind of crypto wallet, or you can hold it at some kind of exchange.
Joe Kerrigan
Right.
Maria Varmazes
Now, if you hold it at an exchange, you don't have a wallet. You have an account that's vastly different. So you won't have what this guy is calling a seed phrase, but it's actually not a seed phrase. A seed in cryptography is something different from what this is, but what they're referencing is your recovery phrase.
Joe Kerrigan
Oh.
Maria Varmazes
So you. If you have a wallet, like, I have a wallet with a small amount of crypto on my phone.
Joe Kerrigan
Yeah.
Maria Varmazes
Just so I can show people how much Bitcoin Z I have, which is essentially worthless, but anyway, they go, who? Really? That much? Yeah. I'm a crypto millionaire, baby. And how much is that worth? About $9. So that wallet has a recovery phrase that is just a bunch of words that you can write down.
Joe Kerrigan
Okay.
Maria Varmazes
But those words map to bits of your private key. Okay, so what this is. Is. Is they're trying to get you to use. I'm guessing here, but it looks like they're trying to get you to use a different private key, one that they have knowledge of by going to this. This. This website.
Joe Kerrigan
I see.
Maria Varmazes
Right. So they're going to tell you, here's your new. Here's your new seed phrase. And all that's going to do is give you a new private key on a wallet.
Joe Kerrigan
Right.
Maria Varmazes
And then you. Then they say, transfer all of your. Your crypto to the. To the wallet with the new seed phrase. But they. Because they have this recovery. It's not a seed phrase at all, but because they have this. The same private keys, as soon as you do that, they have access to it, and then they snatch it and it goes away.
Joe Kerrigan
I see.
Maria Varmazes
And that's it. That's. I think that's the scam here.
Joe Kerrigan
All right, well, very good. So beware.
Maria Varmazes
I'm sure everybody absolutely understands 100% of what I just said.
Joe Kerrigan
I'm just.
Dave Buettner
I got to tell you, I. I was given some crypto some years ago, and I'm sure it's worth a ton more than it was when I sold it. But, like, the first thing I did was sell it.
Maria Varmazes
Oh, really?
Dave Buettner
Like, I cannot be bothered. I just cannot be bothered. And it was worth a decent amount of money at the time. It was actually given to me as a gift when my daughter was born. And again, so it was some time ago, and I'm sure it was worth a ton.
Maria Varmazes
Somebody offered to give me a bitcoin back in 2016 when it was like, $600. And I was like, no, I'll just do this out of the goodness of my heart. I should have taken the bitcoin.
Joe Kerrigan
Yeah.
Maria Varmazes
Because that would now be worth 100 grand or something.
Dave Buettner
No, I still have the open dime. I was just looking for it as you were telling this. I was.
Joe Kerrigan
I have.
Dave Buettner
I still have the actual physical device they gave me the bitcoin on, like, the. You know what I mean? It's like the. It's the open dime device.
Maria Varmazes
Yeah.
Dave Buettner
Yeah, I still have it. It probably still has a few cents on it. And I'm just like, no, I'm wondering, but I just. I couldn't be bothered to learn all this that you were describing. I'm just going. I don't. I bear. I hate even knowing what I know about regular mutual funds and index funds, to my knowledge.
Maria Varmazes
I just don't want it. I don't know, maybe growing up in a financing household, I just, you know, we used to talk about money at, at the dinner table.
Joe Kerrigan
Yeah, that explains a lot.
Maria Varmazes
Yeah, we would have conversations about bonds and coupons and, and, you know, the value of these things, you know, because that's what my dad did for a living. So that's all, you know, that was dinner table conversation.
Joe Kerrigan
Well, all right. All right. Well, thank you, William, for sending that in. We do appreciate it. And again, if you have something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com and of course, we.
ThreatLocker Sponsor
Want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com/HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space, dot com slash HH, where you can request a demo and neutralize the threat of malware running on your devices.
Joe Kerrigan
And that is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cyber security. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Tré Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Buettner.
Maria Varmazes
I'm Joe Kerrigan.
Dave Buettner
And I'm Maria Varmazes.
Joe Kerrigan
Thanks for listening.
Podcast Summary: Hacking Humans
Episode: Back to the Office, Back to the Threats
Host/Author: N2K Networks
Release Date: January 23, 2025
In the episode titled "Back to the Office, Back to the Threats," hosts Dave Buettner, Joe Kerrigan, and Maria Varmazes delve into the evolving landscape of social engineering and cyber threats in the context of the workforce returning to physical offices. Released on January 23, 2025, this episode from N2K Networks' "Hacking Humans" podcast provides insightful discussions on the challenges and security vulnerabilities that accompany the shift from remote to in-office work environments.
Timestamp: [01:18]
The episode opens with Dave elaborating on the recent trends in companies mandating a return to the office after extended periods of remote work. He references a Boston Globe article shared by Bishop Fox, highlighting that many employees are struggling to adapt to in-office protocols not just socially but also in terms of security practices. Dave emphasizes the importance of revisiting security awareness training to address both digital and physical security measures.
Notable Quote:
"Do you remember things like badging etiquette, things like that?" – Dave Buettner [01:30]
Timestamp: [04:05]
Maria shares her experience working at Accuvant (now part of Optiv) where physical penetration tests were a standard part of their security assessments. She recounts instances where coworkers enforced strict badging protocols, ensuring that unauthorized individuals could not access sensitive areas.
Notable Quote:
"You're probably gonna know if you set yourself up for red teaming." – Maria Varmazes [04:10]
Personal Anecdote: Dave shares a harrowing experience where a colleague attempted to bypass badging protocols, illustrating the real-world challenges of maintaining physical security in the workplace.
Notable Quote:
"I was like, no, I can't do that. That goes against corporate policy." – Dave Buettner [04:51]
Timestamp: [12:53]
Maria introduces a concerning scam identified by the FCC, named "Green Mirage." This group targets individuals in financial distress by impersonating mortgage lenders. They exploit information potentially obtained through insider threats or data breaches to deceive homeowners.
Notable Quote:
"They're calling people posing as their mortgage lenders... they have information and one of the more interesting pieces I'll get to in a minute is actually pretty scary." – Maria Varmazes [13:54]
Discussion: The hosts discuss potential sources of this threat, hypothesizing insider involvement given the precision of targeting individuals experiencing financial distress. They also explore the motivations behind targeting such an audience, balancing between the emotional vulnerability of victims and the monetary gains for scammers.
Notable Quote:
"I would hope so." – Dave Buettner [19:58]
Conclusion: The episode underscores the importance of vigilance and verification when receiving unsolicited communications, especially those requesting financial transactions. The hosts advise maintaining direct contact with official mortgage companies and avoiding sharing sensitive information through non-secure channels.
Timestamp: [22:29]
Joe shares an anonymous listener's story from the Airbnb Hosts subreddit, detailing a sophisticated scam targeting Airbnb hosts. The scam involves creating fake rental inquiries, requesting off-platform communications, and manipulating hosts into sending payments to fraudulent accounts.
Notable Quote:
"They are calling people posing as their mortgage lenders because they're in some kind of financial distress." – Maria Varmazes [17:07]
Discussion: The hosts analyze the scam mechanics, emphasizing the importance of adhering to platform policies and recognizing suspicious behaviors. They discuss the use of AI in enhancing scam effectiveness and speculate on the psychological tactics employed by scammers, such as leveraging universally appealing personas to maximize engagement.
Notable Quote:
"Why do these scammers always use young, attractive Asian women? It seems like an image that works around the world." – Joe Kerrigan [32:25]
Conclusion: Hosts advise Airbnb hosts to remain within the platform’s communication channels, verify all rental inquiries, and report suspicious activities to prevent falling victim to such scams.
Timestamp: [34:56]
The hosts present an alert about a prevalent crypto scam involving fraudulent emails that threaten the security of users' seed phrases. These emails claim that vulnerabilities could lead to unauthorized access and fund withdrawal, urging recipients to generate new seed phrases via provided QR codes.
Notable Quote:
"Unsolicited QR codes immediately suspicious, which is good." – Maria Varmazes [36:29]
Explanation: Maria clarifies the difference between seed phrases and recovery phrases, explaining how scammers exploit misunderstandings to gain unauthorized access to crypto wallets.
Notable Quote:
"They are trying to get you to use a different private key, one that they have knowledge of by going to this website." – Maria Varmazes [38:13]
Conclusion: The hosts recommend never sharing seed phrases or recovery information, using trusted platforms for crypto transactions, and remaining skeptical of unsolicited security alerts. They also highlight the importance of educating oneself about secure crypto practices to mitigate the risk of falling victim to such scams.
Throughout the episode, the hosts emphasize the necessity of maintaining robust security practices as the workforce transitions back to office environments. They highlight the multifaceted nature of modern scams, ranging from financial fraud targeting homeowners to sophisticated phishing schemes in the crypto space. The discussions underscore the importance of continual security training, adherence to corporate policies, and vigilance against evolving social engineering tactics.
Closing Quote:
"We always say you kind of take things in your own hands is very risky because the people you're up against here do this every day, and chances are they're better at it than you are." – Joe Kerrigan [30:56]
"Back to the Office, Back to the Threats" provides a comprehensive examination of the security challenges emerging as organizations navigate the complexities of returning to physical workplaces. By sharing personal experiences, listener stories, and expert insights, the hosts offer valuable guidance on safeguarding against sophisticated social engineering and cybercrime tactics. This episode serves as a critical resource for understanding and mitigating the evolving threats in the modern workplace.