A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello everyone and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations all over the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria, hello.
A
Hello and welcome back.
B
We've got some good stories to share this week, but first of all, we have a little bit of follow-up here. So this actually goes back a couple weeks because I was out last week and this came to me. So this is from a listener who goes by the name Randy, who said, listening to Hacking Humans with Bittner and the stats given about how low-income households lose more money to scams than do higher-income households. What wasn't mentioned as an explanation is the need for money and the hope that claims of windfalls might be true. Do billionaires buy lottery tickets? Poor people are more likely to pursue these avenues. Unfortunately, they may not have anyone around to advise them against gambling and probably don't listen to Hacking Humans. That's true.
C
I thought we did. Maybe I'm thinking of a different episode, but I thought we did mention that something.
A
I thought so too, but maybe we're both thinking of something else.
C
Yeah. Because I know we've talked about this and Maria, last week you and I had a similar story and maybe you talked about it then.
A
Maybe the streams are getting crossed in my mind because I was listening to you, Dave, and I'm going, I thought we did say that. But in also typical me fashion, maybe I thought it and then didn't say it. But it's a great point. And a point well taken.
B
Yeah, absolutely. I think the more desperate you are in your day to day, the more likely you are to reach for something that perhaps is unreasonable.
C
I don't.
A
It's very expensive to be poor. Yes.
C
Any billionaires?
B
You don't know any billionaires?
A
Well, I mean, why not, Joe?
C
I've met a couple. At least one.
A
Are you sure, Joe? Are you sure?
C
You never sure know me. I do know you. That's right. Billion dollar Dave. Yeah, right.
A
There you go. Billion dollar Bittner.
C
Billion dollar Bittner.
B
Yeah, with my Bittner coin.
C
He's a crypto billionaire. He's got a billion of those of bitcoins.
A
And by bitcoins I mean Bittner coins.
B
Yeah.
C
So I do not buy lottery tickets even though. Well, I mean, I actually do buy lottery tickets. When I do a calculation, the expected value goes over the cost of the lottery ticket. I buy one lottery ticket, okay. And I calculate the expected cost, the expected value of the lottery ticket. And yes, mathematicians, I do take into account the number of ticket sales and how likely it is to make. To split the jackpot with somebody.
B
Okay?
C
So when that gets above the expected value, I buy one lottery ticket.
B
All right, you pay your tax, I pay my. Against math.
C
Right, my tax against math. But actually, when the expected value is greater than the price of the ticket, it's a tax format.
B
Okay?
C
Right. You're dumb if you play before that happens. You're dumb if you don't play after that happens.
B
Really? That's what worked out for you?
C
Joe, you're not the first person to ask me that question. You know, I'm still here, Dave. It has not worked out for me.
B
Right, exactly. I don't see you wearing a tuxedo or a top hat right now.
A
No, no, Mr. Peanut.
C
You wouldn't see me at all if I were the.
B
Right. Right, exactly.
C
Call me the breeze. I'm. I'm out of here. But yes, it is true. I think that this is absolutely a real thing. Desperation is, you know, I need the money. I need to see if this pans out.
B
Yeah. And sort of, I mean, Maria mentioned this in passing a minute ago, but it's been my experience with the wealthy people who I have been able to spend time with through, you know, happenstance in my life, that the richer you get, the fewer things you have to spend money on.
A
Yeah, of course.
B
Because people buy you things like meals and even cars and things like. It's just bonkers clothing. You know, things get. When you reach a certain status and certain type of celebrity. Yeah.
C
Like the Kardashians don't buy anything. Everything is handed to them.
A
They don't need to. It's all gifted to them because their attention pays.
B
Right. Yeah, exactly. Exactly.
A
Yeah. It's. If you're on the hamster wheel of everything is you have to buy cheap things and then it always breaks and then you're always trying to get it fixed. You're just. It's very hard to get off of that hamster wheel.
B
Right.
A
And yeah, a lot of these scams are often. I know, I know we've covered these, but. But maybe not in this specific case. You know, the kind of part time job type scams where.
C
Right.
A
You know, you're just trying to earn A few bucks at home to supplement income. I mean, obviously wealthy people are probably not going to be doing that, right? But yeah, it's just taking advantage of people who are already very in need of money.
B
Yeah.
A
Yeah.
B
All right, well, our thanks to Randy for sending in that kind note. We do appreciate it and of course we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans2k.com. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. All right, let's jump into our stories here. Joe, you are up first. What do you got for us, Dave?
C
My story comes was actually referred to me by my office mate, Michelle. Oh, Michelle, yes.
A
Hey, Michelle.
B
Hi, Michelle.
C
And it comes from Medium and the headline is great: "How a Fake AI Recruiter Delivers Five-Stage Malware Disguised as a Dream Job." I might get a little bit into the malware here because it's impressive what's going on here. I mean, suffice it to say, this malware equates to total pwnership of the target device. All right, but here's how this works. It starts with a social engineering attack. So, Maria, you remember the Disney opportunity you had, right?
A
I'm sure I do, yes. Refresh my memory.
C
Or was it. No, it was Spotify. It was Spotify.
A
Spotify. Actually, it was both. Yes, I got, I got a Spotify one first and then a few weeks later, the exact same email, but it was Disney that time.
C
Okay, well, this is a very similar email, but it doesn't target anybody. It doesn't target somebody who might work at Spotify or Disney. It targets somebody who's looking for an AI engineering role. And it starts with the same sentence. You've been shortlisted for an AI engineering role. The question I would ask myself immediately is, did I apply for an AI engineering role? Because one of the big things about you've won the lottery scams, going back to the lottery is you won this lottery that you didn't buy a ticket for. That's impossible.
B
Right, Right.
C
Even if you do buy a ticket, your odds are only slightly better than if you hadn't bought a ticket, but actually they're also infinitely better because it's not zero. Anyway, the company looks exciting. It's called DL Mind and it's called an AI-Driven Innovation Lab. And the recruiter that contacts you, his name is Tim Morenc, M-O-R-E-N-C, and he has a polished up, nice looking, very professional LinkedIn profile. And if you start doing some looking around, everything will add up. And what they will do is they'll say, hey, we want to see how you feel about this. Are you interested in this position? Great. Here's what you need to do. You need to collaborate with us on this GitHub repository. So what's your GitHub username? And then I need you to clone the repo, review the code, run the setup and share your feedback. Now where's the.
B
So let me pause for the few people in our audience who are not developers.
C
They're probably the vast majority of our audience.
B
Explain what that all means in normal person English.
C
So GitHub, now Microsoft property, is a collaborative. Yeah, I think Microsoft bought them a couple years ago, right?
B
That's true.
A
Yeah. I just love that you had to mention that. That's.
C
No, no, yeah, I just. Yeah. GitHub is a place where you can store code that you write. It's based on a code management system called Git, which was written by Linus Torvalds so he could develop Linux. In the process of developing Git, he came up with this really great idea for a dispersed code version control system. Git is designed for dispersed teams all over the world as opposed to something in your local area. But everybody uses it now. It's the de facto code repository.
B
Okay.
C
But GitHub is a website that you can go to, sign up for and put a code repository up there, and you can put source code up there. You can also store executables up there. So you can compile the source code and have executables.
B
And this is to share with the world.
C
This is to share with the world. Exactly. Or to share with a limited group of people. You can actually make it private and share it with just people who you want to share it with.
B
Right.
C
So the code actually runs in something called Node.js, which is a JavaScript runtime environment, which means this code will run on anything that has a Node.js environment. So if you go out and you download Node.js for Apple, for Linux, for Windows, what have you, once you download this code and start running it, it's going to execute no matter what the environment is. Now that's good for the developers, right? The malware developers. Because you don't want to maintain like three different bases of malicious code, you only want to maintain one. So that's what they've done here.
B
I'm being facetious because JavaScript is kind of universally installed. No matter if you're a Mac person or a Windows person or a Linux person, chances are you have a JavaScript runtime on your machine as a result of having a browser.
C
I think it has to be Node.js, the Node.js environment.
B
Oh, is that right?
C
Yeah.
B
Okay.
C
In my reading of this, but you might be right. I don't know. I think it's Node.js though.
B
Yeah. Probably doesn't matter, right?
C
Probably doesn't matter. The developers probably have this installed.
B
Yeah.
C
So again, the guy says clone the repo, which just means make a copy of it on your local machine. Right. Review the code, which means look at the code, run the setup and share your feedback. So what's the problem in that set of four operations? It's run the setup, right?
B
Oh, okay.
C
Share your feedback is irrelevant. They don't care about that. So once they get you to run the setup, the code goes through and essentially steals all your browser logins and cookies, hijacks your clipboard, installs like five different kinds of malware, including Node.js malware, JavaScript malware. This runs in Node.js. It installs a piece of Python malware that is like obfuscated. All this code is obfuscated, which means that if you were to look at the code and you could read JavaScript or Python, you wouldn't be able to do it. You'd have to deobfuscate it first. And one of these deobfuscation tactics I was impressed with: it's a 64-stage process of reversing the code, encoding it with base 91, which is like base 60, which is just another way of representing digits with text, and then zipping it with something called zlib, and then doing that 64 times. Right. And then in order to get the code to run, they have to do that backwards 64 times.
B
Right.
C
You know, you don't have to have an encryption key, so it's not really encryption, so that's why it's just obfuscation. But I bet the output is indistinguishable from anything real.
B
The idea being that a human is going to get is going to run out of patience before these. 64 times.
C
Exactly. So if you start reverse engineering this thing, you're like, what is this? What's going on? First off, you have to know. So you have to find some piece, you have to reverse engineer the code that unpacks this thing, right? Which means you have to go through and say, what's this thing going to do? Oh, it's going to do this three step operation 64 times just to get to the code again. I'm not going to go deep into the weeds about the technical details. The most important. Too late, too late. Yeah, sorry, I have only scratched the surface on this article. If you want to read the technical details, the article is very long, has all kinds of cool things, but essentially it's got like remote administration tools in it. It's got crypto key stealers, it's got session stealers, everything. You know, if, if you get hit with this malware, just throw your, throw, throw your entire online identity away and, and that computer, just light it on fire and walk away. Right, you're done.
B
Go live in a different country. Go. Yeah, go live on the moon.
C
I mean, you can of course recover from it, but it's really, really, really bad.
B
Yeah. So what are your recommendations here?
C
Well, first off, when you hear, hear that you've been shortlisted for a, for a, for a job, you got to think to yourself, did you apply for a job at this, at this company? Right, right, that's number one. And if you haven't applied, you need to, you know, start, start thinking about, well, tell me more about the company. What do you guys do? Where are you located? Can I come see you? Can I, can you, you know, that kind of stuff. I don't know. Um, the job offer is for a remote position. So, you know, they're probably going to tell you, oh, I'm, I'm over in, far away from you. You just need to trust me on this. Yeah, so certainly don't install random things from GitHub. Now I took, I took Maria's advice and clicked on the link that had. For the GitHub repository.
A
That's what I'm going to be known for forever. Just click the link. Just click it, it's fine.
C
But you know, because I'm familiar with GitHub, I do some work in GitHub. So I went, I clicked on, the repository is gone now. So GitHub has cleaned it up.
B
Okay, well that's good. T shirts made that just have Maria's picture smiling on the front End of the text.
A
Just click it.
B
Maria says, of course it could happen.
A
Click the link. Just click it. Yeah. I am single handedly undoing decades of user education.
B
That's right.
A
With my blase attitude. Yes.
B
Right.
A
You're welcome, everyone.
B
All these IT people who are called in to clean up the mess are like, who the heck is Maria?
C
Right.
A
I'm keeping you employed, okay. I'm giving you job security. So you're welcome.
C
That's.
B
These people are saying Maria said click the link. I don't understand.
A
Just click it.
B
Yeah, just click it. All right, well, we will have a link to that story in the show notes. Maria, you are up next. What you got for us?
A
So, speaking of just clicking things, I'm actually covering a phishing campaign today which is a newish one from our friends at Malwarebytes. And the phishing campaign itself is a pretty classic phishing campaign. Just the flavor of it is a little interesting for me. It feels very seasonal because it is a purported email, obviously fake, from none other than everyone's favorite hardware store, the Home Depot.
C
It's not my favorite hardware store.
A
Well, true.
B
Let me just. I'm sorry to interrupt you, Maria, but I am currently in a stalking relationship with the Home Depot in my neighborhood.
A
Stalking relationship?
B
Yes.
A
They're stalking you?
B
No, no, I'm stalking them because I desperately want to buy one of the new full size R2D2s that they're selling for the Christmas season.
A
Oh, gotcha.
B
They are in short supply.
A
I wonder why.
B
Yeah, so I'm like checking online and dropping by and when you say full.
C
Size, you mean like, did I stutter? Well, I mean. Okay, do you mean like a 3 foot tall R2D2 or 4? But not like a 20 foot tall R2D2?
A
Not a 12 foot tall skeleton R2D2? No. That would be amazing though.
B
So the real R2-D2 makers out there of the world who make screen-accurate R2-D2s are quick to point out that the Home Depot R2-D2 is actually a 7/8th size R2-D2.
A
That 1/8th will always get you.
B
He's big enough for me.
C
Right.
B
So anyway, Proceed, Maria, proceed.
A
It's okay. I somewhat. I actually kind of picked this story partially because I love the Home Depot theme. I really hope that our audio team will just insert some audio from that during the story because I really feel like it just adds so much. So the phishing campaign that is supposedly from Home Depot is offering people purportedly a free Gorilla Cart dump cart, which, for folks who don't know, instead of a wheelbarrow, which is a one-wheeled thing, I should say, this is a four-wheeled pull-along thing that you can put all your yard detritus in. Yeah, okay, I have one. Not a Gorilla one but a similar one. They're actually quite handy for pulling my then toddler around the yard. That was what I mainly used it for. But it's also attached to a lawnmower. Joe, one can do anything one puts one's mind to. I mean I'm not going to tell you what to do with your life.
C
So.
A
Yeah, I mean I want video though. If you do that, if you're brave enough. Yeah, you can do anything with a zip tie. I mean just, just go on it.
B
Duct tape.
A
Yeah, yeah, slap it on there. So the phishing campaign is interesting to me because it uses some marketing best practices. It has a tracking pixel in it so the scammers can actually track who is opening the email, who is clicking through and what actions they're taking. So it's like somebody who worked in a marketing department worked on this campaign.
B
Yeah.
A
And the URLs involved in the phishing campaign are a whole smorgasbord of abandoned and compromised legitimate URLs. So the first URL, if you were to click this phishy email, sends you to a compromised Los Angeles high school website. And if you keep going through the attack chain, or I guess in this case the phish chain, I'm sure there's a proper term for this. If you keep going through it, it takes you through some other websites. Like one's a supply website that's been compromised. Another one, I'm trying to find the name of it, it's buried here. It's a guide website. It's like a compromised WordPress instance and it's in the UK, so I don't know why Home Depot US would be sending you to a UK website for any legitimate reason. Spoiler alert: they wouldn't. So you just keep going through all these compromised websites through this fake giveaway path. So the path is basically you click the phishing email saying you could win a Gorilla Cart. And the moment you click to the website it says actually you did win a Gorilla Cart. Even though we know nothing about you, stranger, we're giving it to you with a little fine print. There may be a teeny weensy weensy weensy processing fee. Just a tiny one. It's really no big deal. But you've won this cart, and those carts go for $40 to $60, if I remember correctly. Somewhere in there.
C
So, you know, when I saw them, they were. I just looked them up. They're like $150 or something.
A
Well, that's inflation for you, because last time I bought one was like 10 years ago. So the times we're living in. And also my brain is Swiss cheese, so I could also just be wrong. But yeah, it's. You know, compared 150 bucks to, I don't know, like an $11.97 processing fee. That seems like a steal. You're going to use that much money just burning gas to go to Home Depot, so you might as well just pay the fee. Right. So if you actually put in your shipping details and your payment details for this free cart, well, what do you know? You get this error. Oh, something went wrong with the request. Just please try again. Oh, what a shame. Maybe you won't get that Gorilla Cart after all because something went wrong with the website. Well, of course, on the back end, the scammers now have all your info and your payment info and your shipping address, which is. I can't imagine that's something that you want to give away either.
C
No, but they use it for confirmation. Order on the orders.
A
Absolutely. So you've given away a lot of information unbeknownst to you, and you thought, oh, it just didn't work because all those darn websites just break sometimes. But actually, you've been compromised, unfortunately. And it just felt timely. This is the time of year for me that I'm doing a lot of yard work, and I could absolutely see a lot of people going, I could really use a Gorilla Cart. And to me, insult to injury is that they have a tracking pixel that's tracking you as you go through all these steps. So they can probably optimize like a real marketer would. Oh, we're losing people on this part of the process. Maybe we can optimize or do some A/B testing on this to figure out how we can get people to go through. Yeah, that's kind of horrifying, but makes sense that they would do it. So, yeah, don't believe a free Gorilla Cart scam if you get it from the Home Depot, because it ain't real.
C
Yeah. Now I want a Gorilla Cart.
A
Well, I mean, I kind of like them. Yeah, yeah. They have not paid me to say that. I had one until recently. So, you know, they're good.
B
So I guess, you know, obvious red flags to look out for here.
A
Anything free.
C
You shouldn't win a free Gorilla Cart.
A
Yeah, you didn't. Yeah. You know, the phishing email has a lot of the urgency language that you should always watch out for. You know, the offer is only valid for a few minutes, so you got to click now to see if you won. And then they don't know who you are, but they tell you, oh, you totally won. Just believe us, you won. And then of course, you got to take a survey and there's a fee. And just in general, if you get an email with a huge clickable image with really no other text in there, that's a big old red flag. And a lot of email providers do filter stuff like that, but usually an image like that is trying to mask the intent to phish you. So be very, very wary of just a big clickable image with no other text. That would be what I would watch out for.
B
Yeah. Just a side note, the email client that I use has the option to block tracking pixels.
A
Oh, that is nice.
B
Which I think many. Yeah, that's not an unusual feature for email clients to have, but if you have one, you may want to look in your email client and see if you have the ability to block tracking pixels because it's a small thing you can do, but it can help these folks. It can make it a little harder for these folks to track you around.
A
Don't let them A/B test on your watch.
C
Right, Right.
B
Exactly.
A
What is the client that you use, Dave?
B
It is called Mimestream.
A
Okay.
B
And it's for the Mac. It's specifically a standalone client that works with Gmail. Nice.
C
Okay.
A
Yeah, good to know.
B
So it kind of gives me the best of both worlds between Apple's mail app, but still using the Gmail environment. But it has some things about it that I prefer over Apple's app. So that's awesome.
C
So I went to the Tractor Supply website. Now I'm looking at these carts and they're like $400 for just.
A
Well, that's because you went to Tractor Supply, and that's like more serious business than Home Depot for this stuff.
C
Big bucket on a. On a pair of wheels. Like, I could build something like that for like a tenth of that price.
A
Well, then do it. Joe.
B
Just.
A
Then you should build it.
B
Right. Like your chicken coop.
C
I'm going to need something to get rid of all the chicken poop?
B
Yeah.
A
Do you go to art fairs and go, I could paint that when you're walking around.
C
No, I don't. That's a different thing.
A
I could build that. I could paint that. Well, then just do it.
B
Yeah, let me see you.
C
But whenever we do go to the quilting show, my wife goes, I could do that. And I'm like, I know you could do that. You could do that better.
A
And she has done it, so.
C
She has done it. Yeah, she does it.
A
And she has.
C
She's probably doing it right now.
B
In fact, I'm looking at these Gorilla Carts. First of all, they have quite a wide array of different carts.
C
Right.
A
We have not been paid by Gorilla Carts. This is not like subliminal marketing or anything like that.
B
When I was a teenager, I worked at a local retail nursery, like garden center kind of place, and we had these kind of carts for hauling plants around the place. So, yeah, I'm familiar with these. They're nice.
A
Yeah. For things that you can't. So a wheelbarrow is awesome for certain things. And other times you need to keep whatever you're carrying flat. But the child, like my child. Yeah. Like she. We would just carry her around either in a wheelbarrow or in the Gorilla Cart. And, you know, other times it was compost, you know. I'm sure it was good for her immune system. So.
C
Yeah, that's gonna kill that kid. That's right.
A
Hey, that's.
B
No allergies here, right? All right, we will have a link to that story in the show notes. I'll tell you what, let's take a quick break. We'll be right back after this message. And now back to our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are Allowlisting, Ring Fencing and Network Control. Allowlisting is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans. And we are back. My story this week comes from a journalist. His name is Sean Captain and he writes for an online publication called Techlicious, which I wish I'd come up with.
C
Oh, that's pretty good.
A
Techlicious.
B
Techlicious, yeah. And he was sort of chronicling his own journey down a pathway of almost being scammed. And he noted that he's a tech writer, you know, so he should be immune to these sorts of things. No, he was not.
A
He said, we get complacent and listen to people like me and say, just click it.
C
Right.
B
Right. What could go wrong?
C
I've talked on this show numerous times about how I've been hit by early phishing, first-step phishing emails. Yeah, we all have.
B
Yeah, yeah, yeah, absolutely.
A
Yeah. Yep.
B
So Sean got an email and the subject line, as he described it, was screaming, "Dashlane have been hacked." Now, Dashlane is a password manager, so this could be concerning. And turns out that this writer used Dashlane. Used a free version of Dashlane. And as he pointed out, he says, at first glance, the whole thing looks legitimate. The message, he said, used familiar breach reporting language. Had phrases like zero knowledge architecture and encryption metadata relay systems. The technical jargon that makes you lower your guard because of how specialist it sounds got me.
C
Technical mumbo jumbo. Right.
B
Reminds me of. What's the thing? Tune in to see Geordi use up all of his screen time on technobabble.
A
Reverse the polarity. Something, something, qu. Quantum relay, something Warp drive. Yeah, right.
B
But then he also points out that there are tells here. A sloppy subject line, a suspicious link, and request to download software that Dashlane doesn't even support. He was saying Dashlane stopped making standalone apps for, I want to say, Mac and Windows a few years ago. And these folks are asking you to download the new version, the updated. The patched version of Dashlane. Yeah. But he points out that he had an emotional reaction to this. His heart skipped a beat. He was afraid that his passwords would have been compromised. He had written a recent article about Dashlane talking about pass keys, and he was concerned that maybe he had just endorsed a compromised product. Ah, right.
C
See, that's the multi. What's he. What is he? What he is experiencing here is called cognitive narrowing.
B
Okay?
C
And he is losing focus on what is important here and focusing only on what. What they want him to focus on.
B
Right.
C
And in this case, unbeknownst to the hackers or the attackers, he has an extra layer of things he can focus on. Things that make him think, oh, my God, I just recommended this. Oh, am I gonna look like a jerk?
B
Right? Right? Yeah. So Captain cognitively narrowed the main deflector dish, Correct?
A
He says, well, that's how you get rid of the Borg. So, you know.
C
Right.
B
That's great. So he said once he calmed down, he got his wits about him. And he said he checked Dashlane's official site, he searched for credible news reports, and he found there was no evidence of a hack. And the email was, in fact, a classic phishing attempt that was designed to steal his credentials or spread malware. And so he points out, it's the classic thing, the simple reminder. Pause, pause, pause. Unlike Maria, pause before you click. Don't dive for that button reflexively, as quickly as possible, trying to set a new record for how quickly you can click.
A
Unlike me, who will never work in cybersecurity ever again.
B
No.
A
Through this.
B
No. Verify directly from the company's official site. Inspect the sender address carefully. And he said, even cybersecurity experts can be fooled. So what matters next is what matters most. What you do next is what matters most, I guess is the right way to say it. So we'll have a link to his complete narrative here in the show notes. But I thought it was a nice example of both the combination that this can happen to anybody, even folks who have some knowledge in this space, but also, as we say over and over and over again, how important it is to pause when you find yourself wound up emotionally. All right, it is time to move on to our catch of the day.
C
Dave, our catch of the day comes from the scam subreddit, and it is a message. It looks like it's on an iPhone. Somebody's battery's at 73%. That's pretty good.
A
That's all right. We'll allow it.
B
Not bad. Not bad, not right. Got a strong Wi-Fi signal, right?
A
Yeah.
B
So not bad.
C
Yep.
B
Right. So it goes like this. It says, hey, I forgot to give you a text yesterday with my new number. It's your aunt, heart emoji. Save it. Text me when you get this. I'm waiting for my stuff to sync now. I also seen a few sets you might like from Victoria's Secret. Do you prefer seamless or cheeky?
A
Oh, God.
B
What size are you now in regular bras? When's the last time you were measured?
A
Not my auntie.
B
I might have to get you a size up in the seamless ones. Does your regular cotton shrink after you wash them on the sides?
A
Who.
C
What the hell, man?
A
Who has a relationship like that with their aunt? I just.
C
Me. Me. That's my. No, I don't have a relationship.
B
Well, you know, it reminds me of the scene in Sixteen Candles, where what's her name?
C
Molly Ringwald.
B
Molly Ringwald gets felt up by her. By her grandmother.
C
Believe it or not, I've never seen that movie.
B
Oh, really?
C
Even though I'm a big Molly Ringwald fan?
B
Yeah. Yeah. It's a teen favorite of mine. Of the John Hughes films, it's probably that one and Ferris Bueller are probably my two favorites.
C
Ferris Bueller is a good one. He also did Better Off Dead.
B
Right? Was that John Hughes? I don't know. It was John Cusack.
C
John Cusack was in it.
B
I don't know if Hughes directed that one or not. Yeah, wouldn't surprise me. All right, so anyway, Maria. Seamless or cheeky?
A
No, no.
C
What does that mean, by the way?
A
No, you can Google it. I'm not gon. So that's just. I'm horrified at the thought of any of my aunties asking me any question even remotely like this, so.
B
Right.
A
I just. Even if it actually was a legit message for my aunts, I would delete and block immediately.
B
Right.
C
I'm not talking to you anymore. You're out of the will.
A
You are rescinded. I just know we're not doing this.
C
Yeah, Better Off Dead was directed by Savage Steve Holland.
B
Okay. There you go.
A
Thanks for that.
C
Sorry.
B
Real time follow up, right? Yeah. Yeah. So what's going on here? Obviously someone's trying to slide into somebody's DMs, right?
C
Yeah, this is a. Oh, it goes on there.
A
What is the scam here, though?
C
Oh, they're just trying to get you to talk.
A
Okay. I was like, it's creepy as heck.
C
But because it looks like the next thing in this picture is 11 photos with the top of it being Victoria's Secret.
A
Right, right, right, right. Okay.
C
Now, I don't know about you, but I'd be tempted to look at those pictures.
A
Oh, Joe, there's this whole thing called the Internet now. I don't know if you've heard.
C
That's right.
B
We don't need to be squirreling away Victoria's Secret catalogs anymore, Joe.
C
Don't know what you're talking about, Dave.
B
Yeah, there's this whole thing called the Internet. Or so my teenage boys remind me regularly. Oh, my God. All right, you know what? Let's get out of here. Nothing. We are heading down there is beyond their dragons be. So let's take a quick break before we wrap things up. We'll be right back. Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com. All right, and we are back. And mercifully, that is Hacking Humans, brought to you by N2K CyberWire. We would love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity and women's intimate undergarments. If you like the show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Seamless or Cheeky.
B
Thanks for listening.
Episode Title: Beware the Boo-gus Giveaway
Date: October 30, 2025
Hosts: Dave Bittner, Joe Kerrigan, Maria Varmazes
Podcast: Hacking Humans by N2K CyberWire
This episode delves into the persistent and evolving tactics of social engineering, focusing on phishing attacks, job scams leveraging fake AI recruiters, and the psychology behind why certain populations are more susceptible to scams. The hosts share recent scam stories making headlines, provide practical advice for staying safe, and pepper the conversation with humor and relatable anecdotes. Three core stories are discussed:
“When you hear you’ve been shortlisted … ask yourself: did you apply for a job at this company? Right, that’s number one.” (14:45, Joe)
“If you get an email with a huge clickable image and no other text… that's a big old red flag.” (24:01, Maria)
“Who has a relationship like that with their aunt?” (34:36, Maria)
“I’m horrified at the thought of any of my aunties asking me any question even remotely like this.” (35:41, Maria)
| Timestamp | Segment |
|-----------|---------|
| 00:41 | Listener Randy's scam susceptibility insight |
| 06:20 | Fake AI recruiter malware job scam story begins |
| 16:38 | Home Depot gorilla cart phishing scam story starts |
| 28:44 | Tech journalist nearly scammed with fake Dashlane breach |
| 33:37 | "Catch of the Day" – SMS Aunt scam |
| 35:41 | Panel reactions to the "Aunt" scam |
The episode strikes a balance between light humor, technical precision, and practical advice. Hosts tease each other and share personal anecdotes, but all in service of illustrating social engineering dangers and best practices. They encourage skepticism, verification, and critical thinking—whether you’re dealing with high-tech malware or garden-variety phishing emails.
Summary for New Listeners:
If you or someone you know might fall for "too good to be true" job offers, surprise emails from big brands, or awkward family texts, this episode offers smart analysis, laughs, and actionable ways to "hack" the hackers—by thinking before you click.