Hacking Humans Podcast Summary
Episode Title: Beware the Boo-gus Giveaway
Date: October 30, 2025
Hosts: Dave Bittner, Joe Kerrigan, Maria Varmazes
Podcast: Hacking Humans by N2K CyberWire
Episode Overview
This episode delves into the persistent and evolving tactics of social engineering, focusing on phishing attacks, job scams leveraging fake AI recruiters, and the psychology behind why certain populations are more susceptible to scams. The hosts share recent scam stories making headlines, provide practical advice for staying safe, and pepper the conversation with humor and relatable anecdotes. Three core stories are discussed:
- A sophisticated fake AI recruiter job scam with malware-laden code.
- A phishing campaign masquerading as a Home Depot gorilla cart giveaway.
- An attempted scam targeting a tech journalist with a fake Dashlane breach warning.
Key Discussion Points & Insights
1. Scams Prey on Those in Need
- Listener Feedback: Randy, a listener, underscores why low-income households are disproportionately victimized by scams—desperation and hope drive riskier behavior.
- “Do billionaires buy lottery tickets? Poor people are more likely to pursue these avenues.” (00:41, Randy as quoted by Dave)
- Host Insight: The wealthy are targeted less because they have less need, more information, and are often given things for free for their promotional value.
- “It’s very expensive to be poor.” (02:06, Maria)
Humor Break:
- The hosts joke about “Billion Dollar Bittner” and Dave’s imaginary crypto fortune.
- Joe discusses lottery expected value and how he buys a ticket only when odds mathematically favor him, but admits it’s still a losing game in practice. (03:00–03:37)
2. Story #1: AI Job Offer Scam and Sophisticated Malware (06:20–16:28)
How the Scam Works
- The target receives a message stating they’ve been “shortlisted for an AI engineering role.”
- Scam company: "DL Mind – AI Driven Innovation Lab"
- Recruiter: “Tim Morent,” with a polished LinkedIn profile.
- The victim is told to collaborate on a GitHub repository:
- Provide their GitHub username
- Clone the repo
- Review the code
- Run the setup
- Share feedback
Technical Breakdown
- The critical malicious step: running the setup
- Installs multi-stage malware that:
- Steals browser logins and cookies
- Hijacks clipboard
- Drops multiple malware flavors (NodeJS, Python)
- Obfuscates the payload with complex 64-stage unpacking
- “If you get hit with this malware, just throw your entire online identity away and… light the [computer] on fire and walk away.” (14:28, Joe)
Key Recommendations
- Did you actually apply? Double-check unsolicited job offers.
- Never run code from unknown repositories.
- GitHub had already removed the malicious repository.
- Humor: “Just click the link!” is Maria’s ironic aside on the pitfalls of user education and exactly how not to treat a suspicious link. (15:34–16:09)
Notable Quote
“When you hear you’ve been shortlisted … ask yourself: did you apply for a job at this company? Right, that’s number one.” (14:45, Joe)
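The dangerous step in this scam is “run the setup”, so the practical control is to read what the setup would execute before executing it. The script below is an added example (not code from the podcast, and not modelled on any real campaign’s repository); it audits the automatic entry points an unfamiliar repo can use to run code on install, npm lifecycle hooks and setup.py, and greps for dropper tells such as eval of a base64 blob or a download piped into a shell. The sample repository it scans is constructed inline, and the package name in it is invented.

```python
"""Pre-run audit of a cloned repository's install/setup entry points.

Added example for the recruiter-scam story; the SAMPLE_REPO below is
constructed for the demo and does not reproduce any real malware.
"""
import json
import re

# Lifecycle hooks npm runs automatically on `npm install`, with no `npm run` needed.
NPM_AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Patterns rarely needed by a legitimate setup but common in droppers.
SUSPICIOUS = [
    (r"\beval\s*\(", "eval() of runtime-built code"),
    (r"\bexec\s*\(", "exec() of runtime-built code"),
    (r"\bFunction\s*\(", "Function() constructor (JS eval)"),
    (r"base64|b64decode|atob\s*\(", "base64 decoding of an embedded blob"),
    (r"child_process|subprocess|os\.system", "spawns a shell/process"),
    (r"curl\s+[^|]*\|\s*(ba)?sh|wget\s+[^|]*\|\s*(ba)?sh", "pipes a download into a shell"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", "hard-coded raw-IP URL"),
    (r"[A-Za-z0-9+/=]{120,}", "long base64-looking string literal"),
]

def scan_text(text, where):
    """Return one finding per suspicious pattern present in `text`."""
    return [f"{where}: {why}" for pattern, why in SUSPICIOUS if re.search(pattern, text)]

def audit_package_json(text):
    """Flag npm lifecycle hooks: they run code without any explicit user action."""
    findings = []
    for name, cmd in json.loads(text).get("scripts", {}).items():
        if name in NPM_AUTO_HOOKS:
            findings.append(f"package.json: auto-run hook '{name}' -> {cmd}")
            findings += scan_text(cmd, f"package.json scripts.{name}")
    return findings

def audit_python_setup(text):
    """setup.py executes arbitrarily on `pip install .`; look for dropper tells."""
    findings = scan_text(text, "setup.py")
    if re.search(r"cmdclass\s*=", text):
        findings.append("setup.py: custom cmdclass overrides an install command")
    return findings

def audit_repo(files):
    """files: {path: contents}. Empty result means nothing was flagged."""
    findings = []
    for path, contents in files.items():
        if path.endswith("package.json"):
            findings += audit_package_json(contents)
        elif path.endswith("setup.py"):
            findings += audit_python_setup(contents)
        elif path.endswith((".js", ".py", ".sh")):
            findings += scan_text(contents, path)
    return findings

# Constructed sample repo: a postinstall hook runs a file that decodes and evals a blob.
SAMPLE_REPO = {
    "package.json": json.dumps({
        "name": "hypothetical-eval-task",  # invented name
        "scripts": {"postinstall": "node ./lib/init.js", "test": "jest"},
    }),
    "lib/init.js": (
        "const p='" + "QUJD" * 40 + "';\n"
        "eval(Buffer.from(p,'base64').toString());\n"
    ),
    "setup.py": "from setuptools import setup\nsetup(name='helper')\n",
}

if __name__ == "__main__":
    for finding in audit_repo(SAMPLE_REPO):
        print(finding)
```

Run it before `npm install` or `pip install .` on anything a stranger sent you; an empty result is not a clean bill of health (a hook can fetch its payload at runtime), but a postinstall hook that evals a decoded blob is reason enough to stop.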
3. Story #2: The Home Depot Gorilla Cart Phishing Scam (16:38–26:14)
How the Scam Works
- Claim: “You’ve won a free Gorilla Cart from Home Depot!”
- Mechanics:
- Email contains a tracking pixel—attackers see opens/clicks.
- Clicking the link chains through several compromised (often legitimate) sites.
- The landing page asks for shipping/payment details, followed by an error message—data is harvested, not rewarded.
Red Flags
- No context or prior relationship needed; “everyone” wins.
- Urgency and big clickable image, little text.
- “Processing fee” is demanded for the free item.
Techniques
- Use of compromised legitimate sites (school websites, WordPress installs) as hops in the redirect chain.
- Attackers monitor drop-offs and optimize “funnel” like marketers.
- "Somebody worked in a marketing department who worked on this campaign." (19:35, Maria)
Advice & Takeaways
- Be skeptical of emails offering free stuff, especially those requiring personal/payment info and pushing urgency.
- Use an email client that blocks remote images and tracking pixels, so the sender cannot confirm that the message was opened or that the address is live. Dave recommends “Mimestream” for Mac, which blocks trackers. (24:50, Dave)
Notable Quote
“If you get an email with a huge clickable image and no other text… that's a big old red flag.” (24:01, Maria)
4. Story #3: Tech Writer Nearly Fooled by a Fake Dashlane Breach Email (28:44–33:37)
Outline of the Attempt
- Subject line: “Dashlane have been hacked.”
- The email mimics alert language, peppered with technical jargon (“zero knowledge architecture”).
- Psychological tactic: Leverages fear, urgency, and technical credibility.
Journalist’s Experience
- Felt genuine panic. Began to worry that he’d recommended a compromised product.
- Quote: “The technical jargon makes you lower your guard because… specialist got me.” (30:06, Dave quoting Sean Captain)
Resolution & Recommendations
- Journalist double-checked company website, searched for news: no evidence of a breach.
- Takeaway: It can happen to anyone, even experts.
- “Pause, pause, pause. Unlike Maria, pause before you click.” (32:34, Dave)
- Always verify breach notices directly with the official company.
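Both email lures above can be caught with the same mechanical checks: does the sender’s domain and every link’s host sit under the brand’s real domain, is there a 1x1 remote image (tracking pixel), is the body one big clickable image with almost no text, and does it lean on pressure phrases (“have been hacked”, “reset your”, “processing fee”). The code below is an added example, not from the podcast or from either company; the three messages are constructed, the `.example` hosts are placeholders, and `homedepot.com` / `dashlane.com` are assumed here as the brands’ official domains for the demo.

```python
"""Red-flag heuristics for the giveaway lure and the fake breach alert.

Added example; all messages below are constructed and the brand domains are
assumptions for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _Parts(HTMLParser):
    """Collects images, link targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.images, self.links, self.text = [], [], []
        self._skip = 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("style", "script"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.text.append(data.strip())

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _under(host, brand_domain):
    # Simplified registrable-domain test; a real filter would consult the public suffix list.
    return host == brand_domain or host.endswith("." + brand_domain)

def _is_pixel(img):
    """A remote image declared 0/1px wide and high is a tracking pixel, not content."""
    w, h, style = img.get("width", ""), img.get("height", ""), img.get("style", "")
    tiny = (w in ("0", "1") and h in ("0", "1")) or re.search(r"(width|height)\s*:\s*[01]px", style)
    return bool(tiny) and _host(img.get("src", "")) != ""

PRESSURE = ("processing fee", "act now", "expires", "has been hacked", "have been hacked", "reset your")

def analyze(sender, subject, html, brand_domain):
    """Return the list of red flags for one message; an empty list means none fired."""
    p = _Parts()
    p.feed(html)
    flags = []
    visible = " ".join(t for t in p.text if t)
    sender_host = sender.rsplit("@", 1)[-1].lower()
    if not _under(sender_host, brand_domain):
        flags.append(f"sender domain {sender_host} is not under {brand_domain}")
    for href in p.links:
        h = _host(href)
        if h and not _under(h, brand_domain):
            flags.append(f"link host {h} is not under {brand_domain}")
    pixels = [i for i in p.images if _is_pixel(i)]
    if pixels:
        flags.append(f"tracking pixel(s) loaded from {_host(pixels[0]['src'])}")
    if [i for i in p.images if not _is_pixel(i)] and len(visible) < 80 and p.links:
        flags.append("body is one clickable image with almost no text")
    body = (subject + " " + visible).lower()
    flags += [f"pressure phrase: '{ph}'" for ph in PRESSURE if ph in body]
    return flags

# Constructed sample 1: the giveaway lure (one big linked image plus a 1x1 pixel).
GIVEAWAY = dict(
    sender="prizes@hd-rewards-center.example",
    subject="You've won a free Gorilla Cart!",
    html='<a href="http://district-schools.example/wp-content/go.php?u=1"><img src="http://cdn.example/cart.jpg" width="600"></a>'
         '<img src="http://track.example/o.gif?id=abc123" width="1" height="1">',
    brand_domain="homedepot.com",
)
# Constructed sample 2: the fake breach alert, jargon included.
BREACH = dict(
    sender="security@dashlane-alerts.example",
    subject="Dashlane have been hacked",
    html="<p>Our zero knowledge architecture was bypassed. Reset your master password now.</p>"
         '<p><a href="https://dashlane-alerts.example/reset">Reset now</a></p>',
    brand_domain="dashlane.com",
)
# Constructed sample 3: an ordinary message whose links stay on the brand's domain.
LEGIT = dict(
    sender="noreply@homedepot.com",
    subject="Your receipt",
    html='<p>Thanks for your order. Details: <a href="https://www.homedepot.com/orders">orders</a>. '
         'If you have questions, call the number printed on your receipt.</p>',
    brand_domain="homedepot.com",
)

if __name__ == "__main__":
    for name, msg in (("GIVEAWAY", GIVEAWAY), ("BREACH", BREACH), ("LEGIT", LEGIT)):
        print(name, analyze(**msg))
```

The domain check is the one that matters most for the breach-notice case: an alert that is genuinely from the vendor will link to the vendor’s own domain, and even then the right move is the one the journalist made, open the company’s site yourself rather than through the email.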
5. Catch of the Day: The ‘Aunt’ Victoria’s Secret SMS Scam (33:37–36:48)
The Text:
- Message from “your aunt” with a heart emoji, asking underwear sizing and style preference, referencing Victoria’s Secret with photos attached.
Panel Reaction:
- Universal discomfort and amusement.
- The scam’s goal is to draw recipients into a dialogue, likely to then phish for further personal data or distribute malware via the images.
Quotes & Banter:
“Who has a relationship like that with their aunt?” (34:36, Maria)
“I’m horrified at the thought of any of my aunties asking me any question even remotely like this.” (35:41, Maria)
Notable Quotes & Memorable Moments
- “It’s very expensive to be poor.” (02:06, Maria)
- “If you get hit with this malware, just throw your entire online identity away and… light the [computer] on fire and walk away.” (14:28, Joe)
- “If you get an email with a huge clickable image and no other text...big old red flag.” (24:01, Maria)
- “Pause, pause, pause. Unlike Maria, pause before you click…” (32:34, Dave)
- “Who has a relationship like that with their aunt?” (34:36, Maria)
Important Timestamps
| Timestamp | Segment |
|-----------|---------|
| 00:41 | Listener Randy’s scam susceptibility insight |
| 06:20 | Fake AI recruiter malware job scam story begins |
| 16:38 | Home Depot gorilla cart phishing scam story starts |
| 28:44 | Tech journalist nearly scammed with fake Dashlane breach |
| 33:37 | “Catch of the Day” – SMS Aunt scam |
| 35:41 | Panel reactions to the “Aunt” scam |
Tone and Style
The episode strikes a balance between light humor, technical precision, and practical advice. Hosts tease each other and share personal anecdotes, but all in service of illustrating social engineering dangers and best practices. They encourage skepticism, verification, and critical thinking—whether you’re dealing with high-tech malware or garden-variety phishing emails.
Summary for New Listeners:
If you or someone you know might fall for "too good to be true" job offers, surprise emails from big brands, or awkward family texts, this episode offers smart analysis, laughs, and actionable ways to "hack" the hackers—by thinking before you click.
