Maria Varmazes
You're listening to the CyberWire Network, powered by N2K.
Dave Buettner
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner and joining me is Joe Kerrigan. Hey there, Joe.
Joe Kerrigan
Hi, Dave.
Dave Buettner
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazes. Maria.
Maria Varmazes
Hi, Dave. And hi, Joe.
Dave Buettner
We've got some good stories to share this week. Let's start and jump right in here with some follow up.
Joe Kerrigan
Joe, I have a complaint, Dave.
Dave Buettner
Okay.
Maria Varmazes
All right.
Joe Kerrigan
This is about one of my financial service providers.
Dave Buettner
Okay.
Joe Kerrigan
Okay. And I'll name them because I'm really mad about this. Oh, my Vanguard.
Dave Buettner
All right.
Joe Kerrigan
I got an email the other day saying something that seemed a little odd that I didn't know was right. And I was like, it looks good. It looks like a regular Vanguard email. But every time I mouse over the links and look at where it's going, it's going to e-vanguard. Not vanguard.com, but e-vanguard.com.
Dave Buettner
Huh.
Joe Kerrigan
So I reported it as spam immediately. But then I was like, I want maybe. I mean, it was really convincing.
Dave Buettner
Right.
Joe Kerrigan
I'm thinking maybe this is a. So I go to. I think GoDaddy has a who is. And you can look up who owns a domain.
Dave Buettner
Right.
Joe Kerrigan
And guess who owns e-vanguard.
Dave Buettner
Vanguard.
Joe Kerrigan
Vanguard does. That's right. And they registered it back in 2007. But my complaint with them is why? Why are you using something that looks like a scammer's address to send out your emails? Good question. Don't do that. You know, you can direct it to a different web server on your main domain, vanguard.com, that eventually resolves to e-vanguard.com. You can still use the domain you bought. But don't do this. Your communication is going to get lost in the shuffle.
Dave Buettner
Interesting.
Joe Kerrigan
And I'll be talking more about that in my story today and why you don't do this.
Dave Buettner
Okay, we have another bit of follow up. We've gotten, of course, this. Lots of nice, positive responses to our conversations about chickens.
Joe Kerrigan
The coop is coming along, by the way.
Maria Varmazes
Oh, that's lovely to hear.
Joe Kerrigan
Yes.
Dave Buettner
Well, Joe, one of our listeners sent in a photo for you that should be inspiration for your new coop.
Joe Kerrigan
Yes.
Dave Buettner
Do you want to describe it for us?
Joe Kerrigan
So it is a. It looks like what I would call a prepper bunker. There is a watchtower in the background. There's a bunch of sandbags piled up. And then off to the left of the sandbags, there is a structure that looks like a standard chicken coop, but there's guns and missiles all over the place. And one of my favorite things, it's surrounded by a moat with sharks with lasers on their heads.
Maria Varmazes
Photorealistic, which I don't think it's too.
Joe Kerrigan
Much of a beer cube.
Dave Buettner
Right?
Maria Varmazes
Yeah.
Joe Kerrigan
To get some sharks with lasers on their heads.
Maria Varmazes
Lasers.
Dave Buettner
One of our colleagues said that she hopes that some of the rocket launchers on top of this chicken coop shoot eggs.
Joe Kerrigan
Well, that's why I have the chickens, Dave. I'm not gonna have it launch eggs. I'll have it launch. Like, I'll build some little Estes rockets and put, like, nose triggers on the front of them.
Maria Varmazes
Okay, now you're speaking my language.
Dave Buettner
Right?
Maria Varmazes
I wanna see this.
Dave Buettner
You know, imagine if chickens had evolved to use egg launching as a defense mechanism.
Joe Kerrigan
Like skunks, but with eggs. Exactly.
Dave Buettner
Just like all the chickens form a circle. Like, they circle up the wagons, and they all just go, wah. And all these eggs fly out.
Maria Varmazes
So instead of, like, gently looking through the coop for the eggs that they've left behind, we have to line up and catch them midair. Oh, that would be.
Joe Kerrigan
You need a catcher's mitt.
Dave Buettner
Just picture the chickens, you know, bent over their head between their legs, looking backwards, you know, to aim.
Joe Kerrigan
Right.
Dave Buettner
I don't know. Kind of a bird version of a spitting cobra with eggs. All right, well, thanks to our listener for sending this in. This has been great fun, and I'd say everybody in the company has very much enjoyed it, so we appreciate you taking the time. I don't know if it's possible for us to include it in the show notes, but if we can, we will. And now a few thoughts from our sponsors at ThreatLocker. The tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ring fencing has your back. All right, let's jump into some stories here. Maria, why don't you kick things off for us?
Maria Varmazes
Sure. Well, it's summertime here in the northern hemisphere, and I know I'm thinking about summer vacation. Mine's still a ways away, so I'm sort of dreaming about it at this moment. And our friends at McAfee. Yes, them. Yes. For real. This is not a scam. It's actually McAfee. They put out their yearly survey about travel scams. And in this survey, they surveyed 7,000 adults across the U.S., France, Germany, India, Japan and Australia, focusing on travel scams and their impact. And the news was not great for Americans specifically, because they surveyed all these different people, but the results were just about Americans. So I'm guessing that everybody else is great and Americans didn't do so well. That's what I'm reading in between the lines on this, because McAfee said that one in five Americans, at least in their survey group, has fallen victim to a travel scam while booking a trip. 23% of. Go ahead, Joe.
Joe Kerrigan
I'm sorry, Maria, I don't mean to interrupt you because you're about to run through a bunch of statistics and I am will stop me from doing that because it's really interesting, but I'm wondering if this has anything to do with the old stereotype about Americans that we're not well traveled.
Dave Buettner
Yeah.
Joe Kerrigan
To begin with.
Dave Buettner
So we don't have a lot of same thing.
Maria Varmazes
I think that's exactly what I was thinking, that this is probably due to a lack of experience and perhaps institutional knowledge about holidays. Yeah, I think you're exactly right; that was where my mind went as well. So of those scammed, and I'm gonna guess it's Americans and the other people included, but this seems again to focus on Americans, 23% lost money, 13% lost over $500 and 5% lost over a thousand dollars, with apparently men more likely to lose money than women. And that was a 29% likelihood for men versus 18% likelihood for women. And the group that is the most at risk of losing money in these scams is not older folks. In fact, it is, so older folks, you win again, the young. The youngins. The youngins booking those cheap travel groups and all that kind of stuff. So Dave and I are over here.
Joe Kerrigan
High fiving each other.
Dave Buettner
It's bad enough that we have homes with low interest rates and retirement accounts.
Joe Kerrigan
Right.
Dave Buettner
But you're not getting scammed.
Maria Varmazes
Oh, darn it. Yeah. So 21% of the 18 to 24 year olds clicked fake confirmation links. So booking links that are saying here you go, click this to confirm. And they're not legit. 10% of 25 to 34 year olds clicked, or rather were tricked by, AI-altered travel photos. So this is where it starts getting into a gray area of can you believe what you see on TikTok and Instagram? Is this place that you think you're going to actually real? Do these accommodations actually resemble in real life what you're seeing online? I think that's a very interesting conundrum. And so the types of scams that McAfee said that people are falling for, especially this year, are, as mentioned, fake booking and payment sites. So I would imagine all the lookalikes that we've covered on this show. And even the legit ones, using sites like booking.com, but then they go to a fake booking itself. Those can be quite tricky, especially if it's in a country that you're not familiar with, you know, trying to book something overseas and you just don't know what sites people tend to use. Scam confirmation links are another common thing that people fall victim to, and misleading or manipulated listings, which, again, that is such a gray area and makes me wonder how are we defining that? Because that could be just about anything, if you really get down to it.
Joe Kerrigan
Right?
Maria Varmazes
Yeah. And Joe, I think you were right on the money, because McAfee was saying that economic pressures play a role here, with 58% of Americans cutting back on personal spending to afford vacations, which increases their susceptibility to scams. And again, if you're not familiar with the places you're trying to travel to, you just see it online. You're like, I'd like to go there, but I want to do it as cheap as possible. Then I can see that just being a way that you could definitely get taken without even realizing it.
Dave Buettner
So if you're hunting around for a good deal, if you Google, you know, discount travel, I'm sure that there are.
Joe Kerrigan
Scam sites all over the place. Search engine optimized to rise to the top of that, or maybe even just they buy ads.
Dave Buettner
Yeah, absolutely.
Maria Varmazes
Yeah. And we've talked a while ago about some booking sites being specifically in English to target visitors from overseas, whereas everyone in the targeted country knows you don't use that site. You use a different one that's in their native language, and you get different results. We've had stuff like that all over our show before. So I could see these things being just rife. And then events also seem to be an area where scammers are targeting, apparently especially American travelers. 60% of Americans planning to travel to a sporting event this summer say they're worried about being scammed for fake tickets or lodging. I know, I've read the stories, I'm sure you both have heard them as well, about people trying to book something for this once in a lifetime event and they get to the place and the place doesn't exist.
Dave Buettner
So that's a lot with the Olympics.
Maria Varmazes
Yes, yes, indeed. I feel like some of these are really ringing a bell of memory for me, because I seem to recall we talked about some of these. And trust in third party booking sites remains high. 59% of the people surveyed say they still trust them as much as booking directly. However, these third party booking sites can also be where scammers will put up fake listings and the like, and can sometimes get away with it before they are caught. So if they're the preferred place to go, scammers are going to go there too and put those fake listings up. So yes, the takeaway for this that McAfee was saying, just to keep an eye out for, was people are trying to save money, especially now. Add that in with deals seeming to be urgent, that are fake urgency or real urgency. That is a really nice tactic. And the trust in online platforms that can be exploited, and you mix it all together and you get the ideal conditions for travel fraud to thrive. So I already booked my trip, so I'm hoping next month when I show up to the place that I'm going to, it is a place that exists. I mean, I've been there before, so if it dematerializes, I will be very concerned. Very surprised, very, very surprised. And it's also in the United States, so it should be okay. But yeah, I know a lot of people are trying to go overseas this summer on last minute deals and the like. And certainly I remember when I was in my 20s, I had to travel on the absolute cheapest possible. So losing 500 or a thousand dollars at once would have been completely devastating.
Joe Kerrigan
Yeah. You're just going back home at that point.
Maria Varmazes
Yeah, there's just no trip anymore. I'm just out that money and there's no trip. So people need to be careful. And yeah, thanks McAfee for that research.
Dave Buettner
Trying to think if I've ever been travel scammed before. I don't think I have.
Joe Kerrigan
But I don't know, maybe it was a really good scam.
Dave Buettner
Could be.
Joe Kerrigan
Still don't even know it.
Dave Buettner
Yeah, I mean, I guess there have been times when, you know, I've shown up places and they're like, we have no reservation for you, sir. But we figured out.
Joe Kerrigan
Right.
Maria Varmazes
Yeah, or the part where they said about misleading listings. That's the one where I go. I mean, I've booked places overseas and I get there and I'm going, that's not what I thought it would be. But it's fine, right? But definitely, yeah, those photos were very strategically taken to not show, you know, the huge under construction building next door or whatever.
Dave Buettner
I do remember one time we were on a family road trip and we were doing kind of a southern loop, you know, through the Carolinas and back up again through Virginia, just visiting Atlanta and stopping at some theme parks and water parks and so on. And we were kind of booking places as we went. And my wife booked. She was in the car on her laptop booking places that we were heading to. And she books this hotel and she's like, oh, this looks good. It's four stars. We're like, oh, that's great. So we get there and the place is a dump. It's a total dump. We're like, okay. But, you know, it's late, we're tired. We're like, okay, here's the deal. You know, don't unpack anything.
Maria Varmazes
We're keeping the sleepier, Right.
Dave Buettner
Tomorrow, tomorrow we're going to a water park.
Joe Kerrigan
We will let it wash all the bedbugs off.
Dave Buettner
Chlorine will clean us, make us.
Maria Varmazes
Sure.
Dave Buettner
Right? So on the way to the water park, my wife, because my wife, of course, feels terrible, you know, that she booked this awful place, so she looks, and she goes, oh, it's four stars out of ten.
Maria Varmazes
They always find a way to get you.
Dave Buettner
Yeah.
Maria Varmazes
Four stars out of ten.
Joe Kerrigan
It's a four star hotel. Hey, that sounds nice.
Dave Buettner
Yeah. Yeah.
Joe Kerrigan
Out of two.
Dave Buettner
Oh, you know, double check. Somebody might have recalibrated the scale. Yeah.
Maria Varmazes
And also, what does three stars mean in this country? It means we have a bed. Don't expect anything else.
Dave Buettner
All right, good stuff. Joe, you're up. What do you got for us?
Joe Kerrigan
So everybody here on the show knows Rachel Tobac, right?
Dave Buettner
Yep.
Joe Kerrigan
She is, yes, indeed, a social engineering genius, owner of her own company. And she has posted a link, or not a link, we're going to put a link to it, a post on LinkedIn. And because she and I are connected on LinkedIn, I saw it. So I wanted to start with what she said here. I wanted to cover this because this is my story. It's just Rachel Tobac on LinkedIn. But it's very interesting. She opens with: my favorite way to hack in my ethical hacking is phone call based hacking with impersonation. Why? Because it has the highest success rate. So I want to pause right here and say to everyone listening, this is probably your biggest threat model right here. Someone calling and saying they're somebody they're not, on the phone. They're probably not the elite hacker who's got a cadre of zero day exploits behind them that's going to penetrate your Comcast router, get inside and start messing with your Windows machines and your Mac machines. That's probably not the person you need to worry about. The person you need to worry about is the guy with the cell phone who can convince you that he's calling from Microsoft tech support or from your company's tech support. But what Rachel is talking about here specifically is there is a group, and I love the name they've given themselves here, Scattered Spider. Again, scary sounding spider name. I think we had another spider name last episode. But these guys are targeting insurance companies and they're going in and they're stealing data out of insurance companies. And their techniques are. She has four techniques here that they're using. Number one, they're impersonating IT and help desk people to get passwords and multi-factor authentication codes. So they call up, they say, hey, I'm from your IT department. I need your username and password to log in. Oh, and while I'm doing that, give me your multi-factor authentication code. 
This is why I say that multi-factor authentication codes that are either sent to you or are generated by some third party app like Google Authenticator or an RSA token or a HID token or something, Microsoft Authenticator also does this, those are all socially engineerable. Can I say that? Is that a word?
Dave Buettner
It is now.
Maria Varmazes
It is now.
Joe Kerrigan
Right. So we're going to get to what you can do to protect that. It's better than nothing. Way better than nothing. But if somebody calls and asks a person in your company for that code, there's a pretty good chance they're just going to give it to them, especially if they're very convincing. Number two that she has here is remote access tools as help desk. So we had this happen at work the other day. I called the help desk and they had to run a remote access tool to see what I was talking about, because apparently they didn't believe me. But these are real tools that people use, but malicious actors also use them. And if you give them access to your computer via these remote tools, it doesn't matter what multi-factor authentication you have on there; if you're letting them in this way, they are essentially acting as your employee. Then MFA fatigue, which is where they send so many of these repeated prompts. We saw this with the Microsoft Authenticator app, that when you were logging into some service it would give you a Microsoft Authenticator alert, and they would just overwhelm the user with so many alerts that eventually the user just said fine and pressed accept and let the person in. And then finally SIM swap. So this is where they call the telco and they pretend to be the employee and they take over the person's phone, and then they can receive codes for the two-factor authentication. I think that's a really uncommon risk model. But it's not impossible. Absolutely not impossible. Best way to protect yourself there is put a PIN on your telco account. So we have a mobile phone service in my family, and when we call them, before they talk to us about anything on the account, they say we need your PIN. And if you can't remember the PIN, they say you need to come into one of our offices and bring a driver's license with you.
Dave Buettner
Right.
Joe Kerrigan
Which is good practice. So Rachel then moves on to talk about the websites they're using and how they're using things like whatever the victim company name is, dash SSO, which is single sign-on, or dash service desk, or dash Okta, which is a specific multi or universal sign-on tool. These look legit, much like e-vanguard.com, right? I told you I was going to tie something in.
Maria Varmazes
Yeah, well done. Okay. Yep.
Joe Kerrigan
But they're actually owned by malicious actors, and they can just be cloned versions of the website that let you log in, or just collect your username and password. So Rachel's saying train your team to spot those specific attacker-controlled lookalike domains. The human protocols that you need to implement is start being politely paranoid, or start a protocol to be politely paranoid. So in other words, when you get a call from the help desk, normalize the behavior that the employee goes, you know what, I know you're calling from the help desk, I'm going to call you right back, let me have a name, and they'll transfer me to you. And call the help desk back and use the known good number. And if the person says, hey, hold on, let me give you my cell phone number because I'm out of the office. No, that's not going to work, I'm going to have to call the help desk and get your cell phone number from them. So don't let them cajole you at that point. And make sure that this is part of your company's policy, that you're allowing people to question these inbound calls. Educate on the exact types of attacks that are popular right now. And Rachel says that this attack is the more common attack that's going on in this industry right now. So have a little situational awareness about what your industry looks like and say, hey, if you work for a major insurance company and you're not Aflac, who got hit, as of this recording, last week, maybe you work for another insurance company. You go, hey, look, Aflac just got hit last week. They're going to come for us. Here's what to look for, right? Get out in front of it right now, follow the news and know what's going on. Rachel makes three recommendations about what you can do. I'm going to put them in my favorite order, and that is multi-factor authentication with some FIDO token, some FIDO Alliance tool. And she specifically mentions YubiKey. 
I like YubiKeys because I own them. Google Titan makes one. There are lots of manufacturers of these things now. Next thing she says, or I'm putting next, is application whitelisting. If you can do application whitelisting on your network, do it, do it. And that will take care of so many problems, because it stops anything that's not supposed to run from running.
Dave Buettner
Yeah, so just explain real quick what whitelisting is.
Joe Kerrigan
Right. Okay, so the idea of a blacklist is here's the applications that we're not going to let run. This is what standard virus scanners run on. They have some kind of signature based algorithm that looks at the file you're about to run and it goes, nope, that file is on the not allowed list. So we're not going to do that. The problem with that is if someone comes in with a piece of new malware, or God forbid, a piece of bespoke malware, your malware detector is not going to see it. So when you do the opposite, or not the opposite, I guess it's the inverse.
Maria Varmazes
Yeah, it's explicitly allowing. It's an allow list as opposed to a block list.
Joe Kerrigan
Right, exactly. I'm going to allow this list of applications to run. If your name is not on the list, you're not running. So guess what? Remote administration tool, you're not our remote administration tool, you're not going to run.
Dave Buettner
Right.
Joe Kerrigan
And then finally, password manager. So I think if you do these things, if you're going to do one thing, multi-factor authentication with a FIDO token, and then if you're going to do two things, multi-factor and application whitelisting. And then if you're going to do three things, implement the password.
Dave Buettner
I think another thing this points to is that I suspect that most people are overconfident when it comes to their own perceived ability to detect and thwart scammers.
Maria Varmazes
Yes. Yeah, I think you're right.
Dave Buettner
I'm reminded of a statistic and I'm going to just make it up. You know, why not? It's a real story, but I'm gonna make up the numbers. There's something like 50% of men think they could beat Venus Williams in a tennis match. You know, something absolutely ridiculous like that. You know, one of the greatest tennis players, you know, male or female, that has ever lived. But never underestimate someone's overconfidence when it comes to things they don't actually know about. But I think that people fall for this and they think, oh, it won't happen to me or I'll be able to detect it. And these people are doing this every day, day in and day out. They are good at it. Right.
Joe Kerrigan
You know what I'd like to see is a survey where you stop a random guy in the street and you say, do you think you could beat Venus or Serena Williams in a tennis match? And when they say yes, okay, which one could you beat? Venus or Serena? Either one. And then they roll back a thing and there's the Williams sister standing there with tennis rackets and the tennis court behind them. Let's go.
Maria Varmazes
Whatever. Shut up.
Dave Buettner
Right, right. That'd be great on the Tonight Show or something, right? I'd pay to see that. Yeah. All right, good stuff. Well, tell you what, we're gonna take a quick break for a message from our sponsor. We will be right back. So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company, using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east-west network traffic. We thank ThreatLocker for sponsoring our show. All right, we are back. And my story this week isn't so much a story as it is hoping to send you all to a website that I found particularly interesting. I don't know why, but somehow the YouTube algorithm brought up a link for me that was a video from the United States Postal Service postal inspectors, and it was about brushing scams.
Joe Kerrigan
You know these guys carry guns, Dave.
Dave Buettner
I do know that. And you know how I know that?
Joe Kerrigan
How? I want to know how you know. I know because you told me, but.
Dave Buettner
Well, my first job out of college was with the Postal Service.
Joe Kerrigan
Oh, was it?
Dave Buettner
Yeah, I worked.
Maria Varmazes
And they gave you a gun when you walked in.
Dave Buettner
I did not have a gun. No. But I did actually score a pair of handcuffs.
Joe Kerrigan
Somebody starts yelling. Somebody starts yelling in the waiting room, you got to shoot them.
Dave Buettner
Yeah.
Maria Varmazes
No, no, but it's the hacking humans after dark version. Okay.
Dave Buettner
Yeah. I was fresh out of college with a TV degree, and the Postal Service has a television production facility in Washington, D.C. and I got a job there, and I worked with a lot of postal inspectors, and let me tell you, the sanctity of the mail is taken very seriously.
Joe Kerrigan
Yes, it is.
Dave Buettner
And postal inspectors do have guns, but they also have a really good YouTube page. Like, seriously, a really good YouTube page with videos about scams. If you look at some of the playlists here, they have a playlist that has over 80 videos on it. It's categorized Protecting the Public PSAs; there's 84 videos here.
Maria Varmazes
They're gonna put us out of business. Look at these. This is amazing.
Dave Buettner
Investment scams. Yeah. Romance scams, text identity, text messaging. Don't fall for phishing, refund and recovery scams. That's not the IRS. Tax scams on the rise. Like, this is an amazing list. These are short, they are well produced, they are informational, they are entertaining. I would just say that this is something that you should send to your friends and family and your relatives. Maybe you could send them just to the site. You could send them one at a time, but they're very good.
Joe Kerrigan
They have 88 videos on investment in Ponzi scams.
Dave Buettner
Yeah.
Maria Varmazes
Wow. Wow. That's a lot.
Dave Buettner
Yeah. This may be the most complete collection of scam fighting, easily digestible videos that I've ever seen. I gotta get them on this channel. But it makes sense, because the Postal Service is at the center of a lot of this. So many of these things pass through the Postal Service, especially historically, before we all went online. There were all kinds of mail scams. So it's a big part of what they do. Yeah. What do you guys think of this?
Maria Varmazes
We gotta get them on the show. We gotta talk to someone from them. I would love to pick their brain. Man, this is impressive.
Joe Kerrigan
I do like that. At the very top left here, Project Safety Holiday Delivery. The thumbnail is police US Postal Inspection. And they have got somebody in cuffs and they're dragging them away.
Maria Varmazes
Oh, the package bandit's got like the little raccoon mask on his eyes. That's cute. That's exactly what they look like in my neighborhood. So, you know.
Dave Buettner
Yeah, yeah. Evidently they do. They have historical clips. They have something they call Wanted Wednesday, which is, you know how they put people's pictures up in the post office? Yeah, they put the pictures up on YouTube.
Maria Varmazes
Oh, my gosh.
Joe Kerrigan
Interesting, right?
Dave Buettner
Yeah. Who knew? The Postal Service. But I love it. I legit love this. Like, I'm not being funny or snarky. This is really well done. And I love that they're short, they're to the point, well produced, informational, accurate, all that kind of stuff. So we're going to have some links to it here in the show notes, linking specifically to the brushing scam, but then also to basically their page, full playlists, which is where they have everything organized into handy playlists. So do check it out. And I think really the value here is these would be great to send around to your friends and loved ones. You know, when you're.
Joe Kerrigan
I can think of four people I'm going to send them to tonight.
Maria Varmazes
Yeah, they've got one on counterfeit stamps. So all your philatelist friends will really appreciate that, right?
Dave Buettner
You know, I have a counterfeit stamp story.
Maria Varmazes
You have a story for everything, Dave.
Dave Buettner
Well, if you've been around a while, you collect some stories. I believe this story was actually shared with me by our N2K CyberWire CEO, Peter Kilpe, who went to the Rhode Island School of Design. And as part of your applying to a very well regarded art school, of course you have to show a portfolio. Yeah.
Joe Kerrigan
You have to draw Tippi. Right.
Dave Buettner
I think it might be a little more complicated than that.
Maria Varmazes
Draw the rest of the owl. Yeah, that's the one of the matches.
Dave Buettner
Yeah. And the story, as I recall it, is that one of his classmates had applied and applied and applied and had somehow not sent in a portfolio. And the school responded and said something along the lines of, you know, we're very impressed with your background and your grades and it seems as though you would be a good student here, but we've yet to see any of your work. And the student responded and said, oh, to the contrary. On all of our correspondence, every stamp that I have sent you has been hand drawn.
Joe Kerrigan
Every single one of those letters is 10 years and $10,000.
Dave Buettner
Yeah. Yeah. And I guess they were absolutely dead on that the postal service didn't detect them. You know, this is the time before they were putting like, you know, infrared ink on them, stamps and things to be able to easily detect them. But yeah, how about that?
Joe Kerrigan
So I have a similar story. I know somebody, not me, not anybody that I associate with on a regular basis now, but this person was like, you know, you can grab the stamp and you can erase the cancellation mark on it with an eraser and then you can reuse the stamp.
Dave Buettner
Okay.
Joe Kerrigan
And I was like, can you really? So one day I had a letter with a stamp on it and started erasing it, the stamp. And I was shocked to find that it was possible that I erased a good portion of the cancellation. This is back when I was below the age of 18, so hopefully I'm not indicting.
Dave Buettner
Statute of limitations.
Maria Varmazes
There was the old. If the cancellation stamp was not on the stamp itself and you soaked the envelope bit in water, and it was the kind where it used glue. You could lift the stamp off and then reuse it.
Joe Kerrigan
Yeah, that's on the postal Service. Right. Because they're the ones responsible for canceling the stamp. But I didn't use the stamp because I knew that it was like 10 years at the time. Like 25 cent stamp. You do 10 years in prison for one of those. And I'm like, no, it's not worth it.
Maria Varmazes
Not worth it?
Dave Buettner
Not a crime that's worth doing? No, the 32 cent stamp or whatever it was back then. No, not worth it.
Joe Kerrigan
Yeah. So I just buy my forever stamps and yeah, I got some cool Dungeons and Dragons stamps and yeah, I have those too.
Dave Buettner
Then I got those for my son.
Joe Kerrigan
Did you?
Maria Varmazes
Yeah, I got them for my husband. So I got him the whole thing. You can get like note cards. And then I got myself the Web telescope ones, like on a whole roll.
Dave Buettner
So, no, I've got a few sheets of Star Wars stamps. You know they know how to get me.
Joe Kerrigan
Right.
Dave Buettner
All right, well, we will have links to those stories in our show notes. Joe, Maria, it is time to move on to our catch of the day.
Joe Kerrigan
Dave, our catch of the day comes from the scam subreddit and it is a text exchange.
Dave Buettner
Yes. I'm going to ask Maria to be the first person in this list here. Joe, I'm going to cast you in the part that you were born to play.
Joe Kerrigan
Okay.
Dave Buettner
Which is the skeptic.
Joe Kerrigan
The skeptic. Okay. Sounds like me.
Dave Buettner
Yeah. So this is a text message that someone received and it started out like this.
Maria Varmazes
Hey, what are you doing? Hate to ask, but I don't know who else to ask. Can I ask a favor?
Joe Kerrigan
Did you get hacked?
Maria Varmazes
I'm not hacked.
Joe Kerrigan
Okay. What's up?
Maria Varmazes
I need a big favor. You one of the few people I can ask. There is no punctuation in this, so it's just a huge ass run on sentence. I need you. Spare me $300 for an emergency. I'll tell you where to send it on and I promise to send it back later today.
Joe Kerrigan
Sorry, I don't have $300. That would be a true statement for me.
Maria Varmazes
How much can you help me with right now?
Joe Kerrigan
I don't think I can help at all, to be honest. I don't have a job for the summer, so I don't have any money.
Maria Varmazes
The issue is I have almost $4,000 stuck in my bank account right now. I can't make any. Oh my God, this is so long. I can't make any transactions. The only way to move the money. It's a mobile deposit. That's through check. Would it be okay if my accountant sends you a check of $2,000 to $3,000? You can deposit it and once it clears, you keep $300 for yourself and send me the rest. Let me know if that works for you. It's a mobile deposit. You don't have to go anywhere before you do that.
Joe Kerrigan
This is sounding a lot like a scam. Not going to lie.
Maria Varmazes
It's not a scam. Trust me. It's totally me if you have to say it. I haven't been able to get anything for myself for days, so the only way I can access money from my account right now is through a check. Yeah, that sounds real. I really appreciate your help. None of your bank details are needed. Just provide the accountant with your full name and email so she can send the check to you.
Joe Kerrigan
I just don't trust this. I don't think I'm the person you should go to for this.
Maria Varmazes
You can trust me. I'm trusting you with my whole, whole life savings.
Joe Kerrigan
I just don't think that I can help. Sorry.
Maria Varmazes
Just check your banking app and see if there's an option like deposit check or something similar. I've sunk my teeth and I'm not letting go.
Joe Kerrigan
Right?
Dave Buettner
Yeah. And it ends. Oh, my.
Maria Varmazes
Oh, my God.
Dave Buettner
So what do we got here?
Joe Kerrigan
This is. Well, first off, it starts off with one of those, hey, send me some money. I'll send it right back to you scams, right? Which you never get the money back. And then since that didn't work, the guy says, I don't have any money. The person here tries to trick him with an advance fee scam or no advance check scam. Check floating scam. So the way this will work is they will actually send you a check for $2,000 to $3,000. You deposit it, and then they're going to put the pressure on you to send back everything but $300. So in this case, like, up to $2,700. So you'll send them $2,700, and then that check will bounce and you will be on the hook for $2,700. And they're going to ask for the money in a way that you can't claw it back. Right.
Maria Varmazes
Wow.
Dave Buettner
All right. So needless to say, if you get something like this, don't go for it.
Joe Kerrigan
Right. I like how this person immediately goes, have you been hacked? The first question out of the gate before they even hit you with the question. I mean, it's very common in English, in American English. I hate to have to ask you this, but can you do me a favor? Yeah, you know, that's very common. You know, like, my first question would have been, like, what? Not did you get hacked?
Maria Varmazes
Yeah, but like, did you get hacked? And I go, yes. I mean, yeah, yeah, I got hacked. The part where it goes, this is sounding a lot like a scam. Not gonna lie. I feel like we should just cut crop that image and make that the banner for our show.
Dave Buettner
Yeah. Should put that on T shirts.
Maria Varmazes
Just put it in. I'm not gonna lie. It's not a scam. Trust me. It's really me. Okay. I'm convinced. I'm in.
Dave Buettner
I have to say, just as an aside that I'm very impressed the two of you got all of these texting abbreviations. Right.
Maria Varmazes
I was thinking the same thing, there's a lot of NGLs, TBHs. And I was like, Jim knows all of these. Well done.
Joe Kerrigan
That's right.
Dave Buettner
Someone like, I didn't know all of them. So I'm.
Joe Kerrigan
I've been using shorthand for decades. So when BRB and BTWs all came out as things. Although I will tell you, my favorite BTW story is one of when I was up at Hopkins, up at the university, I had a student, younger woman, and she says btw, and I'm like, what? She goes, oh, btw. That's how we say BTW now, which is how we used to say, by the way, in like, IRC chat and everything like that. So she said, you know what? I appreciate that. I'm going to use that on my kids tonight. And I got home and I shoehorned it into something. And I turned to my daughter, I said, oh, BT Dubs. And then said something. And I got exactly what I was looking for, which was the chin drop and the eye roll. Stare right at me. And I'm like, there it is. And that's why I do it.
Dave Buettner
Where did you hear that? Dad, right? Who told you that? Who shared that with you?
Maria Varmazes
No, my. Yeah, that was the sacred knowledge. You're not supposed to have that.
Joe Kerrigan
Right.
Maria Varmazes
My question is, when LOL dropped back in the day, did you know that it was laugh out loud or did you. Were you one of those it's lots of love people?
Joe Kerrigan
No, I knew it was laugh out loud.
Dave Buettner
Yeah.
Maria Varmazes
Okay. I loved it when people were like, oh, it means lots of love going, no, it doesn't. No, it does not.
Dave Buettner
Yeah. There's a few of those. I've heard of people having some understandings of some of those exactly wrong.
Joe Kerrigan
Yeah. I can even name the guy that gave me a lot of these abbreviations. It was my friend Eben. Because we were sitting in the computer lab up at Frostburg and we'd be typing in IRC and he'd go, oh, by the way, you need to know these abbreviations. BRB, LOL.
Dave Buettner
Yeah.
Joe Kerrigan
This was in the 90s.
Dave Buettner
Yeah. Yeah. Good times.
Maria Varmazes
Well, yeah, NGL and TBH there are a little. Well, TBH is not newer, but NGL, I think, is a little newer.
Joe Kerrigan
Yeah. IIRC, if I recall correctly.
Maria Varmazes
If I recall correctly. Yep.
Dave Buettner
And of course, we want to thank this week's sponsor, ThreatLocker. Go to ThreatLocker.com HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space.com HH where you can request a demo and neutralize the threat of malware running on your devices. And that is our show. We are taking an audience survey through the end of the summer, so please check out the show notes and do participate in that survey. That would help us out quite a bit, so we'd appreciate you taking the time. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. Mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Buettner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Varmazes
And I'm Maria Varmazes.
Dave Buettner
Thanks for listening.
Maria Varmazes
YMMV? Your miles may vary. IANAL. Tricky one. I am not a lawyer, right.
Podcast Summary: Hacking Humans – "Brushed Aside: The Subtle Scam You Didn't Order"
Release Date: July 3, 2025
Hosts: Dave Buettner, Joe Kerrigan, Maria Varmazes
Produced by N2K Networks
Timestamp: [00:50] – [02:18]
Joe Kerrigan kicks off the episode by sharing a personal encounter with a deceptive email purportedly from Vanguard. He received an email that appeared legitimate at first glance. However, upon inspecting the links, he noticed they directed to "e-vanguard.com" instead of the authentic "vanguard.com."
Joe Kerrigan [01:21]: "So I reported it as spam immediately. But then I was like, I want maybe... it was really convincing."
Although Vanguard has owned the "e-vanguard.com" domain since 2007, Joe criticizes the choice of sending mail from a subtly different domain, which is easily mistaken for a phishing attempt. He argues that companies should keep their communication channels clearly distinguishable from lookalike domains, for example by using a subdomain of the main domain, so that customers are not trained to trust addresses that resemble scammers' addresses.
Joe Kerrigan [02:10]: "Why are you using something that looks like a scammer's address to send out your emails?"
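The check Joe performed by hand (hovering each link and comparing the host to the real brand domain) can be automated for a mailbox or a security awareness tool. The following is an added example, not code from the episode or from any vendor mentioned in it: it extracts the links from an email body, reduces each host to its registrable domain, and flags links whose domain differs from the expected one even though the brand name appears in the host. The sample email body is constructed for the example. It assumes a simple "last two labels" rule for the registrable domain; a production check should use the Public Suffix List so that multi-label suffixes such as co.uk are handled correctly. It also shows why Joe's suggested fix works: a true subdomain such as e.vanguard.com passes the check, while e-vanguard.com does not.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body (not from the episode). The links mirror the
# pattern discussed: a lookalike registrable domain next to a true subdomain.
SAMPLE_EMAIL_HTML = """
<p>Your statement is ready.</p>
<a href="https://e-vanguard.com/login">View statement</a>
<a href="https://e.vanguard.com/login">View statement (subdomain)</a>
<a href="https://www.vanguard.com/help">Help</a>
<a href="https://vanguard.com.example.net/login">Sign in</a>
<a href="mailto:support@vanguard.com">Contact</a>
"""

# Naive href extractor; sufficient for plain HTML bodies, not for obfuscated markup.
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain, e.g. 'e.vanguard.com' -> 'vanguard.com'.

    Assumption: a two-label suffix is enough for this example. A real deployment
    should consult the Public Suffix List, otherwise 'shop.example.co.uk' would
    wrongly collapse to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_links(html: str, expected_domain: str) -> dict:
    """Return {url: verdict} for every http(s) link in the body.

    verdict is one of:
      'trusted'    - registrable domain equals expected_domain (subdomains are fine)
      'lookalike'  - the brand label appears in the host but the domain differs
      'unrelated'  - host has nothing to do with the brand
    """
    expected_domain = expected_domain.lower()
    brand = expected_domain.split(".")[0]  # e.g. 'vanguard'
    verdicts = {}
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        # Only web links are inspected; mailto:, tel: and relative links are skipped.
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        host = parsed.hostname  # already lowercased by urlparse
        if registrable_domain(host) == expected_domain:
            verdicts[url] = "trusted"
        elif brand in host:
            verdicts[url] = "lookalike"
        else:
            verdicts[url] = "unrelated"
    return verdicts


def suspicious_links(html: str, expected_domain: str) -> list:
    """Links a user should be warned about before clicking: everything not 'trusted'."""
    return [url for url, v in classify_links(html, expected_domain).items() if v != "trusted"]


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL_HTML, "vanguard.com").items():
        print(f"{verdict:10s} {url}")
```

Note that the "lookalike" verdict deliberately covers both a hyphenated twin (e-vanguard.com) and a brand name buried in a subdomain of an unrelated registrable domain (vanguard.com.example.net), since both rely on a reader skimming the host and stopping at the familiar word.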
Timestamp: [02:18] – [04:20]
Transitioning to a lighter topic, the hosts discuss a creative listener submission featuring a highly fortified chicken coop. Joe describes the image as reminiscent of a "prepper bunker" complete with a watchtower, sandbags, and even sharks with lasers guarding the moat.
Joe Kerrigan [03:10]: "It's surrounded by a moat with sharks with lasers on their heads."
The playful banter continues as the hosts imagine a world where chickens defend their coop by launching eggs, blending humor with creative imagery.
Timestamp: [05:20] – [14:00]
Maria Varmazes introduces a significant segment based on McAfee's annual survey on travel scams, highlighting the vulnerability of American travelers. The survey, which included 7,000 adults from the U.S., France, Germany, India, Japan, and Australia, revealed alarming statistics:
Maria Varmazes [08:58]: "Economic pressures play a role here, with 58% of Americans cutting back on personal spending to afford vacations, which increases their susceptibility to scams."
Common scams identified include:
The hosts share personal anecdotes about encountering misleading listings and emphasize the importance of vigilance when booking travel, especially through third-party sites.
Dave Buettner [13:03]: "We were kind of booking places as we went... the place is a dump. It's a total dump."
Timestamp: [14:41] – [24:26]
Joe Kerrigan delves into a LinkedIn post by Rachel Tobac, a renowned social engineering expert. Rachel discusses a group named "Scattered Spider" targeting insurance companies to steal data using sophisticated social engineering tactics. The group's primary techniques include:
Impersonating IT and Help Desk Personnel:
Rachel Tobac: "Impersonating IT and help desk people to get passwords and multi-factor authentication codes."
Pushing Remote Access Tools While Posing as the Help Desk:
Joe Kerrigan [17:09]: "Remote administration tool. You're not our remote administration tool if you're not going to run."
SIM Swapping:
Rachel Tobac: "Best way to protect yourself is to put a PIN on your telco account."
Rachel's recommendations for preventing such attacks include:
Joe Kerrigan [22:10]: "If you can do, if you're going to do one thing, multi-factor authentication with a FIDO token... then application whitelisting."
The discussion also touches on the overconfidence individuals have in their ability to detect scams, underscoring the need for robust security protocols.
Dave Buettner [23:42]: "People fall for this and they think, oh, it won't happen to me or I'll be able to detect it."
Timestamp: [26:46] – [31:03]
Dave Buettner introduces a valuable resource from the United States Postal Service’s Postal Inspection Service. He highlights their comprehensive YouTube channel dedicated to educating the public about various scams. The channel boasts over 80 informative and engaging videos covering topics such as:
Dave Buettner [28:00]: "This is an amazing list of... well produced, they are informational, they are entertaining."
The hosts commend the USPS for their effective use of multimedia to combat fraud and encourage listeners to share these resources with friends and family.
Maria Varmazes [29:21]: "We gotta get them on the show. We gotta talk to someone from them. I would love to pick their brain."
They also share amusing personal stories related to counterfeit stamps, adding a nostalgic touch to the conversation.
Timestamp: [31:03] – [34:26]
The conversation shifts to personal anecdotes about counterfeit stamps, illustrating how such fraud worked in the past. Dave recounts a story shared by the CyberWire CEO, Peter Kilpe, about an applicant to the Rhode Island School of Design whose application correspondence carried hand-drawn stamps rather than real ones.
Dave Buettner [31:38]: "We've yet to see any of your work. And the student responded and said... all stamps that I have sent you has been hand drawn."
Joe shares a similar experience from his youth, attempting to reuse stamps by erasing cancellation marks.
Joe Kerrigan [33:06]: "Can you really? So one day I had a letter with a stamp on it and started erasing it... it's possible that I erased a good portion of the cancellation."
The hosts reflect humorously on the outdated nature of such scams and the stringent security measures now in place to prevent them.
Timestamp: [34:50] – [38:19]
In the "Catch of the Day" segment, Joe presents a text exchange from the scam subreddit, exemplifying a fake-check scam, referred to in the episode as "check floating": the target deposits a check from the scammer, forwards most of the amount, and is left liable when the check bounces.
Scam Text Exchange:
Sender: "Hey, what are you doing? Hate to ask, but I don't know who else to ask. Can I ask a favor? I need a big favor. You one of the few people I can ask. I need you. Spare me $300 for an emergency. I'll tell you where to send it on and I promise to send it back later today."
Joe analyzes the scam, explaining how scammers entice victims with seemingly urgent financial needs, only to ultimately have them deposit fake checks and lose money when the checks bounce.
Joe Kerrigan [36:03]: "This is sounding a lot like a scam. Not going to lie."
Dave emphasizes the importance of recognizing such red flags and advises listeners to avoid engaging with suspicious requests.
Timestamp: [38:19] – [41:16]
The hosts engage in a light-hearted discussion about contemporary text abbreviations like NGL (Not Gonna Lie) and TBH (To Be Honest). They reminisce about older abbreviations like BRB (Be Right Back) and LOL (Laugh Out Loud), sharing amusing anecdotes about their usage and generational differences in understanding these terms.
Joe Kerrigan [40:35]: "Yeah, I knew it was laugh out loud."
This segment adds a relatable and humorous element to the episode, highlighting the evolving nature of digital communication.
In this episode of "Hacking Humans," the hosts delve deep into the intricate world of social engineering scams, offering listeners both critical insights and practical advice on recognizing and preventing various types of fraud. From deceptive emails and travel scams to advanced social engineering tactics targeting the insurance industry, the discussion is both comprehensive and engaging. Additionally, the episode underscores the value of educational resources like those provided by the USPS and emphasizes the importance of vigilance in an increasingly digital world.
Notable Quotes:
Joe Kerrigan [01:21]: "So I reported it as spam immediately. But then I was like, I want maybe... it was really convincing."
Maria Varmazes [08:58]: "Economic pressures play a role here, with 58% of Americans cutting back on personal spending to afford vacations, which increases their susceptibility to scams."
Rachel Tobac [17:09]: "Impersonating IT and help desk people to get passwords and multi-factor authentication codes."
Joe Kerrigan [36:03]: "This is sounding a lot like a scam. Not going to lie."
Resources Mentioned:
For more details and links to the resources mentioned, refer to the show notes.