Maria Varmazes
You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Maria Varmazes, still doing a lousy Dave Bittner impression as he is still out on vacation, but he will be back. With me right now is the one and only Joe Kerrigan. Hi, Joe.
Joe Kerrigan
Hi, Maria. There's actually three of us.
Maria Varmazes
There are actually three of us today. Although the third person.
Joe Kerrigan
I mean, three. Three. Joe Kerrigan's. Wait, but you said one and only. There's three of us. My dad, my son.
Maria Varmazes
Oh. Oh, my goodness. So you're the second and you have Joe the third in your family.
Joe Kerrigan
I'm actually the third. My son is the fourth.
Maria Varmazes
Okay. You are actually the second person I know who has. I know I robbed the fourth and the third. Like, I. You're not the only person I know doing. That's pretty cool. That's really cool. Okay, well, you are. You are my one and only Joe Kerrigan.
Joe Kerrigan
Okay, very good. Okay, I will accept that.
Maria Varmazes
And we do actually have a third person joining us today, although she is not with us right at the moment, but she'll be jumping in for our catch of the day and it's our own N2K's Mayan Plout.
Joe Kerrigan
She.
Maria Varmazes
She is a good friend of mine and she'll be joining us later on to talk about a really interesting story. And actually, we've got a whole bunch of interesting stories to share with you this week. We will be right back after this message from our show sponsor.
ThreatLocker Sponsor
And now a few thoughts from our sponsors at ThreatLocker. The tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ring fencing has your back.
Maria Varmazes
Okay, welcome back. We do have some follow up from Hacking Chickens, AKA Hacking Chickens. That is the name of our show. The other suggested title for last week's episode is actually what the cluck. I don't think. But you are. You are the subject of much love and adoration, at least for everyone who was listening to the episode internally as it was being edited. So well done, Joe. We got some.
Joe Kerrigan
I'm glad to hear that we got.
Maria Varmazes
Some listener feedback from that episode. Big surprise. I'll read some excerpts from it. This comes from Joe, AKA crow, Child Bob. And he said, I liked Maria's use of specialized words such as obfuscation. I can't even say it correctly now. Obfuscation, checkniques, and legidish. What a good couple of words. I think a lot into my lexicon in the same vein as automagically, I'm glad you like my garbled pronunciation of things. I will just blame my lack of coffee. Robert. Thirdly, chickens, Joe, really? Do you know why eggs have gone expensive in the US? Huge factory egg farms have been slammed by bird flu. Are you going to be keeping an eye on your backyard birds for the same? Stay healthy, my friend. Joe, what is your answer?
Joe Kerrigan
I have answers for this. Yes, that is correct. Bird flu does spread through a flock very quickly. So it will. Actually what happens is once you get a single bird in the flock with, with, with bird flu, they have to euthanize the entire flock because the assumption is that everybody has it and they're trying to contain the, the spread of the bird flu. So that's what happens. And I don't know if that's USDA regulations or what I think it. But it kind of is. But yes, if you have a huge factory, that means you have like 10,000 chickens in one factory and they're one of those birds. Test positive for bird flu, all 10,000 of those chickens have to go. So the question is, will we be keeping an eye on our backyard birds for the same. Yes.
Maria Varmazes
Polish chickens. Yes.
Joe Kerrigan
Well, I won't have Polish chickens, but maybe, you know what? Maybe I will get one. Because I don't.
Maria Varmazes
Maybe you should.
Joe Kerrigan
Right. But in the county we live in, even if you have just backyard birds for your own usage, you have to register your flock with the, with the county or the state department of Agriculture. I think it's actually a Maryland law, not a county law. And then if you see symptoms of bird flu, you have to let them know. Uh, but because we're not gonna be selling any eggs, that's. We just have to register the flock and then that is monitored at the state level. Um, so what does bird flu look.
Maria Varmazes
Like in a chicken? Do they get sniffly and need, like, chicken soup? That would be weird if they drank chicken soup, right?
Mayan Plout
Yeah.
Joe Kerrigan
You see em. You see them under blankets and they're watching TV and they're not much. Yeah. Price is right. I. I don't know. Actually. That's a good question. I'll. I'll have to learn how to spot the signs but generally, I, I, I know that when chickens are not healthy, it's very, it's generally quickly pretty obvious that something's wrong.
Maria Varmazes
Oh, this makes me sad. It does, but it's a sad situation. But yeah, it's a good question from Robert. And then lastly, this is still reading Robert's follow up lastly, with all the talk about tariffs and he writes in parentheses. Don't get me started on that topic. As a Canadian, are you and your sources seeing an uptick in scams related to tariffs and how to get around them? There are a lot of groups and sites now that show Canadian alternatives for U.S. goods and services. I see mountains of scams and bad actors rubbing hands with glee. That is a great question. I have been wondering the same thing. Yeah, go ahead, Joe.
Joe Kerrigan
I actually have an interesting, I haven't validated this, but I had a discussion this morning with one of my co workers that kind of ties the egg story and the tariff story together. Apparently people are smuggling eggs in from Mexico and I have to find the story about this because now there are egg mules and egg traffickers at the southern border. And I need, I gotta look into this a little bit more. I just haven't had time to look into it. But it, it does. Yes, I have heard of something.
Maria Varmazes
You have heard of it already? Yeah, I have been wondering the same thing, Robert. Honestly, I'm in New England, so we're quite close to the Canadian border. We're just a few hours away. So I would imagine our economy is gonna get pretty slammed by these tariffs because it used to be that we could cross the border really easily. I haven't seen anything specifically, but I'm keeping my antenna up and I'm sure we're going to be seeing things and covering them on the show. So, Robert, you're ahead of it. Yeah, we'll definitely be seeing it. No question there. Yep. Thanks for the follow up. Yep, that's good. Good follow up. All right, so let's, we'll dive into our story. So I'm going first today. Ladies first, I guess. And I.
Joe Kerrigan
Last week, I guess.
Maria Varmazes
No, you. Well, yeah, well, it's okay. This week I'm borrowing a story from my friend from my friend Graham Cluley, who I saw in Florida two weeks ago after not seeing him in person for 15 years. That was quite a thing. And he has this great story coming out of the UK from the Kent Police Department that is about how at least nine people in the UK have lost a combination of a million pounds to a crypto scheme and I am normally on team crypto means cryptography but today it's going to mean cryptocurrency. I'm sorry, right, yeah.
Joe Kerrigan
That's something that irritates cryptographers is when people start saying crypto meaning cryptocurrency.
Maria Varmazes
I know, I remember there was a pin. Crypto cryptography. Yes, I remember when that was what it meant and now it's confusing. So I'm going to have to define when I say crypto today I'm talking about cryptocurrency. I'm sorry, cryptographers. So this specific scam that the Kent police are covering is. It's not complicated but it's just interesting that it's working. The scammers found data on the Internet, pick a source that was leaked and they contacted victims under the guise of being the police following up on an action fraud report investigation. So Action Fraud, being a UK based organization that does follow up on fraud that is reported and trying to sort of remediate that. And then these fake police tell the victims that you should expect a call soon from your crypto wallet.
Joe Kerrigan
And I now right there I'm like, if my crypto wallet calls me, I have questions. Yeah, yeah. Like a crypto wallet is just a piece of software or hardware that, that holds your keys for accessing the blockchain and signing transactions on the blockchain. That's what a crypto wallet does.
Maria Varmazes
Yeah, a very, very clumsy, and this is an admittedly extremely clumsy metaphor, metaphor comparison is saying expect a call from your email. It just to me is like, I don't. That would, yeah, you wouldn't be getting a call from them. It. But the soon after this first fake call from the so called police, you get a fake call from the so called crypto host that then says it needs to verify your seed phrase or your crypto wallet. And this is where I stop and go, that is a terrible idea. Never ever give anyone your seed phrase ever. Joe, please explain why a seed phrase is so important and why it's not the same as a password.
Joe Kerrigan
We've had this discussion before, but I don't know that you were there. So it's actually this is a misnomer that. But everybody knows what you mean when you say seed phrase, but it's actually a recovery phrase. A seed, a seed in cryptography is some random number, hopefully truly random number maybe from the environment, the physical environment that you can use to begin the selection of other random things in a, in some kind of crypto primitive that generates something like for example, a private key. So that's not what this is. What this is is the recovery phrase, which is a bunch of words that a crypto wallet will show you that essentially those words map to bits of your private key. And they're long and they.
Maria Varmazes
24, usually something like that. 12, 24 words.
Joe Kerrigan
Yep, yep. And. And each one of those words might map to, say, maybe, I don't know, maybe 12 bits of your. Of your key. So it's a way for a human to write down their key without having to worry about whether or not they're writing down all the right hexadecimal characters.
Maria Varmazes
Right.
Joe Kerrigan
Or in the case of an address, a base 56 encoded address. I'm pulling that off the top of my head. But a bitcoin address is encoded with something, I think it's called base 56. It's not base 64, because they remove all the redundant letters. Like they don't use O and 0 and they don't use 1 and L.
Maria Varmazes
To remove the possibility of them getting confused. Right, Correct.
Joe Kerrigan
Because if you send cryptocurrency to the incorrect address, it's gone forever.
Maria Varmazes
Gonzo. Yep.
Joe Kerrigan
Because. Because nobody will ever be able to generate the private key that can sign transactions coming out of that address.
Maria Varmazes
Right.
Joe Kerrigan
And I'm, I'm. I'm butchering that. I know, but it's essentially. It's called burning when you do that. So, yeah, don't give up either your seed phrase or your recovery phrase. It's actually a recovery phrase because that is your private key. That is essentially your private key. It maps directly to your private key.
Maria Varmazes
Yeah, and that's exactly. Sadly, what happens is the scammers then completely rebuild the crypto wallet and they just make off with the funds and it's just gone. Correct. So, yeah, all they have to do.
Joe Kerrigan
Is open a software, open a crypto wallet, and they say, oh, I'm going to recover my wallet, here's my recovery phrase. And then they have access to all your private keys.
Maria Varmazes
Yeah, there's no speed bump there. It's just if you have the seed phrase, it's. That's it. So, yeah, if anyone's expecting, you know, them to be prompted with some other thing that would stop them. No, that. That is it. So it is. You never, ever, ever give away that seed phrase. Don't tattoo it on your arm or anything like that. Like, you don't want anyone to ever, ever have that. So the Kent Police Detective Sergeant Daryl Paulson had. There's a quote from him at the End of the story. That says, I urge anyone contacted by someone claiming to be from a crypto host or from the police not to give out any personal details. Scammers are becoming increasingly more calculating in their methods to defraud their victims into losing a substantial amount of money and will often, as we've talked about on this show, create urgency in the situation, such as telling them that they need to act now to stop their funds from being stolen. I imagine that is a big part of the scam that's happening over the phone on this one. Don't be embarrassed about reporting a scam, as it only takes a second to be distracted and fall victim. Very important note there. So, yeah, the fact that £1 million have already been lost to this scheme. You know, folks who have fallen for this, you're not alone. You know, again, it's the. It's the bad guys who are bad here, not you. Just for folks who are new to crypto, and I imagine there's going to be a lot more folks who are new to crypto sort of coming around. That seed phrase really, really is very, very secret to you. And never give it out to anyone for any reason at all, ever.
Joe Kerrigan
Right. Okay, So a couple of things. Number one, understand the difference between a crypto wallet and a crypto exchange. A crypto wallet is something that you're going to run. A crypto exchange is where you can also keep your cryptocurrency, but that is like a company, and they have the wallet. They'll give you an address that you will. Then you can receive cryptocurrency at the address, but you'll never be in control of those private keys. So an exchange might be safer from this. But what I would think is going to happen is that somebody who's scamming somebody from an exchange will say, okay, here's what you need to do. You need to go out and get a wallet, okay? And then you need to transfer your money from the exchange to the wallet. Okay? Now give me the wallet seed phrase or recovery phrase. Then they get access to your cryptocurrency. So it's really not that big of a speed bump. But understand the use case for each of these. You know, don't let anybody log into your exchange. Don't give out the, the recovery phrase for your wallet. And, you know, make sure that you do your due diligence. And like I always say, if you're going to invest in cryptocurrency, make sure that you can afford to take that money out in the street, pour gasoline on it and light it on fire.
Maria Varmazes
That's right.
Joe Kerrigan
If you can't afford to do that, don't buy cryptocurrency.
Maria Varmazes
Yeah. I also want to say in my brief dabble in crypto a couple of years, it is really. I'm sure it's changed a bit. It's still not that user friendly. It's not as intuitive as you might think if you're coming in from the outside. A lot of these concepts don't necessarily have a great analog to stuff that we're more familiar with unless you're like, really in this world. So part of me feels like that's a little bit by design, but it is genuinely worth taking the time, slowing down, and really getting to understand what you're doing before diving in head first to make sure you understand, like, what the keys to the kingdom are here. Especially because it's not always obvious. Seed phrase kind of seems like, okay, one of those backup keys that you get when, I don't know, like when you create a new account somewhere and they're like, you should save this somewhere. And almost never. Almost no one ever does.
Joe Kerrigan
Yeah, whatever.
Maria Varmazes
Yeah, whatever. Print this out and save it. Yeah, yeah, yeah, whatever. Yeah. It's not like that. The seed phrase is not like that. So, yeah. All right, well, thanks for your help in explaining that one, Joe. I appreciate that one a lot. Because crypto, again, not a world I understand nearly as well as I'd like. But anyway. So what is your story, Joe?
Joe Kerrigan
Actually, I have two, because one of them is kind of short, and it's, Dave's not here, so why not? Let's go. And I said that without making a Cheech and Chong reference. So I'm very proud of myself.
Maria Varmazes
Well done.
Joe Kerrigan
So first one comes from Hank Sanders at the New York Times, and he is talking about a call center in Montreal, Canada, that was targeting older Americans claiming to be grandchildren in need of bail money. This is a common grandparent scam. And US Federal prosecutors have been working with the Royal Canadian Mounted Police, and they have announced. The U.S. attorney's office in Vermont has announced that 25 Canadian nationals have been charged with conspiring to defraud Americans in 45 states. And 23 of these people have been arrested. And the amount of money that has been lost is staggering. It is $21 million over three years. Wow. So, you know, it's. I hope that some justice is served here. I don't know what happens to the $21 million. I don't know if that money is still around. If there's anything that can be recovered. The people who ran this organization who are being charged with managing and then on top of that, laundering the money, there are four people there looking at 40 years and other people who were involved in this are looking at 20 years. So of course, everyone's innocent until proven guilty. These are alleged crimes. They have to be proven guilty in a court of law. But yeah, I don't know what happened to the 21 million, but it's. It would be nice if we get some of that back, But I don't know that we will.
Maria Varmazes
Yeah. These grandparents scams are preys on everyone's worst fears. It's what makes them so evil. But man, that is a lot of money. Gosh, don't even know. Yeah.
Joe Kerrigan
Speaking of worst fears, Taylor Swift. That's one of my worst fears. Having to go to a Taylor Swift concert.
Maria Varmazes
Wow, Joe.
Joe Kerrigan
I'm gonna raise the irony of people. You know, and she started as a country music singer.
Maria Varmazes
That's right. I'm kind of surprised. All right. Yeah. All right.
Joe Kerrigan
So, yeah, I'm not. Yeah, I'm not a really big fan of country music, Although I do like the hats. So.
Maria Varmazes
Learning more about you every day, Joe.
Joe Kerrigan
Queens. The district attorney for Queens, who is Melinda Katz, has announced the. The arrest of two people. One is named Tyrone Rose from Kingston, Jamaica, and the other one is Shamara Simmons from Jamaica and Queens, New York. They have been arrested and charged with grand larceny in the second degree, computer tampering in the first degree, conspiracy in the fourth degree, and computer tampering in the fourth degree. So according to these charges, these defendants used the popularity of Taylor Swift's concert series, the ERA Tour. ERAS Tour. I'm going to say that not error.
Maria Varmazes
In New England accent. ERA Tour.
Joe Kerrigan
Right. It's ERAS E R A S. And they are. They are accused of stealing, using the. The article says this is from. Oh, by the way, I should say this is from People magazine from Kimberly Speakman. The article says that it. That they allegedly exploited a loophole in an offshore ticket vendor to steal tickets to the. To these concerts and then sold these seats for $600,000. Now here's the interesting part. They only stole like less than a thousand tickets. 993 tickets that they stole. And this was between June of 2022 and July of 2023. So they were in this for a year. There are other conspirators.
Maria Varmazes
I was gonna say the fact they got that many at all is actually kind of impressive given how fast they sold out.
Joe Kerrigan
But. All right, yeah, so it says they took advantage of a loophole, but I don't think that's right, because what happens here is there was another accomplice that's still not been apprehended in Jamaica that had access to StubHub's computer system. And it says here that they were able to find a back door into a secure area of the network where the already sold tickets were given a URL and queued to be emailed to the purchaser for download. So when you go online and you buy a concert ticket, this system would generate a URL where you would download the tickets and then it would email you the URL. So people had paid for these tickets, and this guy went in there and just put a new email address into the. Into the field so that the email would not go to the person that bought the tickets, but go to Ms. Simmons in Queens.
Maria Varmazes
Huh.
Joe Kerrigan
Stealing and. Yes, stealing.
Maria Varmazes
Stealing. Yep.
Joe Kerrigan
Yeah, it's. It's just. And it's. I don't even know if it's hacking. If you. If you have access to this and you're. You're. You can see the. You know, if it's an insider job is what it looks like to make. Yeah, yeah.
Maria Varmazes
I was gonna say it doesn't take a lot of technical knowledge. You just literally are just stealing from people at that point.
Joe Kerrigan
Right.
Maria Varmazes
Yeah.
Joe Kerrigan
So, I mean, I'll take this.
Maria Varmazes
Yeah.
Joe Kerrigan
The. There's not really a lot of social engineering here. But there is. There is. What? I mean, what happens next, really? I mean, if you're someone who bought one of these tickets and you never get the email, what do you do? Do you call your credit card company and go, I paid 600 for this ticket, or I paid 200 for this ticket. I never got my. Never got my ticket. I'm not paying for the ticket. And the credit card company goes, okay. And maybe that's long enough for somebody else to sell a ticket and the person who bought the ticket to go to the Taylor Swift concert.
Maria Varmazes
But honestly, I would think it'd be the opposite. It's probably. I remember the frenzied media coverage of the ticket feeding frenzy there of people, you know, no amount is too high for my sweet girl to see Tay Tay in concert. And, you know, you think you've paid for it and where's the ticket gone? You know, I'll pay anything. Please get that ticket. But they're all sold out, so I would think you're going to have a lot of panicked fans and parents or parents who are fans.
Joe Kerrigan
Yes. Yeah, I don't, I don't know. I would not. I mean, I, there's a quote in here from Taylor Swift's concert company, Taylor Swift Touring. And they told the New York Times that over 10 million people attended the Eras Tour and, and it sold over $2 billion in tickets. So that's like an average price of $200 a ticket.
Maria Varmazes
Jeez.
Joe Kerrigan
So, I mean, I, when I was a kid, I would go to a lot of concerts, right? So I, I, I get going to a concert, I, I enjoy, I would enjoy seeing these people perform, but I have never in my life spent $200 on a concert ticket.
Maria Varmazes
I mean, so, I mean, I have. But tickets are for. Concerts are extraordinarily expensive nowadays just because of all the fees that you get tacked on through Ticketmaster and the like.
Joe Kerrigan
Right.
Maria Varmazes
If you see anyone that's fairly big act nowadays, I mean, you're looking at almost, you're looking at that per person, which is why I haven't taken my kid to a concert. Cause I'm not willing to pay that. Yeah, I think I paid $40 to see Raffi.
Joe Kerrigan
Raffi. You had to sit through a Raffi concert?
Maria Varmazes
I mean, that was my life at that time. So it really wasn't that bad.
Joe Kerrigan
I think I would rather, rather go to a Taylor Swift concert.
Maria Varmazes
Well, remember what it's like to have a 3 year old?
Joe Kerrigan
Just remember.
Maria Varmazes
Yeah, it was a big deal at the time, but yeah, it was 40 bucks. And he was great. For the record, Raffi was wonderful.
Joe Kerrigan
So was he, I'm sure.
Maria Varmazes
Yeah, he was great. My kid loved it. But Tay Tay. Yeah, I'm not paying 600 bucks. I was seeing tickets around here for over a thousand. I had no, I had no inclination to go, but yeah, it's your Taylor Swift fan. She is, she, she is, she is. Because it's just the age that she's at. But I keep blowing her mind. Yeah, I blow her mind.
Joe Kerrigan
Nobody should be surprised that I would not like to go to a Taylor Swift concert because I didn't exactly blow.
Maria Varmazes
Hair back with that revelation again. Really? Oh, never would have guessed, Joe.
Joe Kerrigan
Right?
Maria Varmazes
But this. And yet the scams persist.
Joe Kerrigan
Yes.
Maria Varmazes
Oh, yes. Well, it's a great story, honestly, when big acts like Taylor Swift or Beyonce or name a group go on tour, I mean, you see scams like this happen. So I know it's a cat and mouse games with the ticket ticketing providers, but sometimes I think they're part of the problem anyway.
Joe Kerrigan
I will agree with that 100%, as is the case here, they did not have a well designed system on the back end.
Maria Varmazes
What are they doing with all those fees?
Joe Kerrigan
An inside job. Somebody with doing being an insider get access and redivert tickets.
Maria Varmazes
Well, they're only human after all. Anyway, so before we get to our next story, let's take a quick break to hear a message from our sponsor.
ThreatLocker Sponsor
So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company, using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show.
Maria Varmazes
All right, we're back and now it's time for the catch of the day. And as I mentioned, at the top of the show, we have N2K's own Mayan Plout joining us. Hi, Mayan.
Mayan Plout
Hi.
Maria Varmazes
Hi. All right, Mayan, why don't you introduce yourself for our listeners?
Mayan Plout
Absolutely. I'm Mayan. I'm the director of Enterprise Content strategy here at N2K. I think about how our audio and video and everything else reaches the audiences that it reaches and make sure that it's as awesome as it can be.
Maria Varmazes
Awesome. Thank you, Mayan. And you do an amazing job of that, by the way. So thank you.
Mayan Plout
Thank you.
Maria Varmazes
And the other thing that our audience should know about you is why we brought you in for the catch of the day today. Specifically, we're going to be talking about.
Mayan Plout
What we are talking about craft scams. And if we were all sitting in a room together, you guys would see that I'm wearing at least four hand knit objects right now. And that is actually part of the reason that I'm here today is just talking about how things get made by hand and what it means for people to need materials in Order for them to make things by hand.
Maria Varmazes
Yes. Mayan's not overselling it at all. Honestly. She is an incredible crafter. And if you are in the United States, you've probably heard about what's going on with Joanne's, AKA Joanne's Fabrics. Joanne's Fabric. Joanne Fabrics. Joann's Fabrics.
Mayan Plout
I think it's Maya, actually. Joanne.
Maria Varmazes
Joanne. Joanne's Joann.
Mayan Plout
Joann Fabrics. But it's just called Joann's.
Maria Varmazes
Joann's. All right, so there. Spoiler alert for everybody. They're going completely out of business, so that is kind of making a bit of a mess. Mayan, can you tell us a bit about what's going on with this?
Mayan Plout
Absolutely. So, Joanne, the company itself filed for bankruptcy a couple of years ago, and they started closing, I would say, over half of their stores starting last year. And as of a couple of weeks ago, they're just fully liquidating. The store is going to be no more. And at the moment, they're selling out of all of their stock of fabric and sewing supplies at every single location.
Maria Varmazes
Yeah.
Mayan Plout
Yeah.
Maria Varmazes
So I would imagine scams. Scams. Go for.
Mayan Plout
Definitely scams. And I will say, as someone who doesn't sew or quilt, I'm really intrigued by this one because I see a lot of parallels with how this one operates with other people who do any sort of handcraft. Because in order to do handcraft, you need physical materials, like, in my case, yarn and needles, or if you're sewing fabric and thread and sewing machines. And those things have to come from somewhere. And in particular, like, we can buy a lot of things online, but you usually want to, like, feel or see things in person, especially when you're doing things with color. Like, it's hard to sometimes tell those things online. So having a physical location, like going to a yarn store or a fabric store, can really help you figure out, like, oh, this color goes with this color, or I'd like to use. It feels like this. So I'd like to use it with this other thing. And that's actually how this even came to me. I'm a part, like, a lot of handcrafters, like, are in crafting communities with each other. So I'm in a knitting group that's also like a knitting slash, crocheting slash, spinning group. So we just, like, get together regularly and work on things together, but we inevitably end up talking about, like, ooh, that yarn is really pretty. Where did you get it? Like, how do you think about this color and this color or this fiber and this Fiber. So I learned about this because many crafters are multi craftual. Like they will do a number of different handcrafts in a single category. So there are some people who really like to sew in my particular craft group, which got us on the topic of Joann's going out of business and the kinds of scams that they were seeing online that touched this as well.
Maria Varmazes
Oh yeah. So tell us about this because Joann's had. Has had. I mean they're still going out of business right now. But 800 locations in the US if I remember that number, which is a lot, I mean it would be basically every state had numbers of locations. So these were plentiful. So right now I think as we're recording this, they're in the process of liquidating, but it seems to be a mess. So what are, what are the scams that people are encountering?
Mayan Plout
Yeah, so I think the root of what's happening here, I think there's two parts, right? Like one part is there are a lot of stores, physical stores that people are going to, but folks who are not necessarily like immediately able to go to a store like in their neighborhood or in their city are considering like, do I drive several hours to a store in order to get one of the deals related to one of these liquidation sales. So they're going online and finding that the website for Joann's isn't really up to date because they're just dealing with stock leaving so quickly because there's sales happening everywhere. So that's piece one. Like the website for the official website for Joann's isn't operating the way that it should for people to be able to do online purchasing.
Maria Varmazes
So don't trust the website. That's a good one. Yep, it's a good one.
Mayan Plout
But like that one's like, don't trust the official website, but also don't trust the unofficial websites, which is the second half of this and where it came up in my craft group as well. So it turns out that people are starting to see social media advertisements saying that there are even deeper discounts on the fabrics that are going out. Like basically everything that they sell is going out of business like this just not going to exist anymore. So from what I can tell, I think the discounts in stores are somewhere between like 20, 30, 40% off. But people started seeing advertisements on social media for 70, 80, 90% off. And people were like, ooh, that's a really good deal. And also like it's a great deal. And if you also think about it, like, that's such a good deal that you should maybe be a little bit skeptical. But because people also couldn't get stuff on the official Joann's website, they're probably also starting to look at, like, other places they could get it. So the fake sites that are popping up online look like they have all sorts of things, like, things that you would have seen at Joann's in its heyday with, like, wide ranges of fiber, fabrics, and, like, colors and everything. And it looks like the site. Right. Like, you should trust it, because it looks like the site. Turns out it's not the site. So the steps that people were going through, like, they'd put a lot of things in their cart, and they'd go to check out, and they'd put in their credit card information. They'd finish the order, and then they would never actually get anything because it wasn't a real site and it wasn't a real order. Now they just have your credit card information.
Maria Varmazes
Yep, yep. Yeah. And those. Those discounts are great. And especially for inventory that will never expire. I mean, fabric or notions, you can just have it sit in your closet for decades.
Mayan Plout
Yeah.
Joe Kerrigan
Yeah. I. I feel this. My wife is an avid crafter. My daughter and wife both do crochet, and my wife is actually kind of a. She's a very good quilter with. With a reputation around the area. So. Yeah, a good one, I hope. Yes, absolutely. And there is plenty of stock laying around our house.
Maria Varmazes
Hey.
Mayan Plout
We at Abyss call it a stash.
Maria Varmazes
Stash.
Mayan Plout
The stash is everything because it means that you can shop from the things that you have in your home or you can just add to your stash as a beautiful collection of things that you have around.
Joe Kerrigan
Yes.
Mayan Plout
And I think that's also part of what's. Like, there's sort of two things happening here.
Maria Varmazes
Right.
Mayan Plout
Like, part of the reason this came up in my craft group is, like, we as crafters have stashes of things that we love that we also like to use.
Maria Varmazes
And.
Mayan Plout
And especially when we know something isn't gonna exist anymore, we're probably gonna start stocking up on the things that we know that we're not sure where we're ever gonna be able to get them again. So this is.
Maria Varmazes
There's the urgency.
Mayan Plout
Yes, there's the urgency around it. And at the same time, like, you know, Joann's as a very, very large, like, organization with a lot of different products, like, they're. They're one of the only ones that can do this. So if you're looking for like what I would call like the pantry staples of the crafting world, like you're gonna get them at Joann's because they have the widest range of colors, widest range of things, like, and at a good price point because you can only really do that kind of thing at volume.
Maria Varmazes
Yep.
Mayan Plout
So when we start to look at like if you can't get it from the official site or you can't get into a store and you're being targeted on social media, maybe, I don't know, this seems like pretty good. What if I just do this? I know that there's like a feeling generally that like, oh no, it's going to run out. Like, we don't know when it's going to run out. I should also like hop on this opportunity immediately because I don't know when.
Maria Varmazes
It's going to happen and it's chaos in real life. Also, I've been hearing stories of people going in person and what they're hearing from flyers or emails does not match with actually what their experience is when they go into the store. So it's very hard to get a sense of what's actually like coupons aren't being honored or gift cards aren't being honored anymore, but some sources say that they are. So it's just there's a lot of confusion. I haven't been to one because I'm too sad to go in, but yeah, actually now I'm really sad thinking about it. But yeah, well, you know what would.
Mayan Plout
Make you sadder is if you ended up on one of these sites that was also going to steal your credit card at the same time. Which man, thank goodness that isn't what happened to you.
Maria Varmazes
Well said, Mayan. Thank you. So I guess it's a PSA for our listeners that there is a lot of confusion and chaos going around. Joann's going out of business for again, it's a US-based store, so folks outside of the United States, you don't need to worry about this. Unless you were trying to buy stuff online from Joann's, in which case don't. But for folks in the US who are trying to build up your stash long term or know someone who might be, don't fall for the scams that are promising extremely deep discounts that don't exist.
Joe Kerrigan
If you go to the Joann's website right now, it says as of this recording, it says due to high demand, we can no longer fulfill online orders. Please see your local store for all your Crafting needs. So Jo, if you see an ad for an online order from Joann's, it's not real.
Mayan Plout
Well, here's an extra fun one. So Maria, I'm also really glad that you mentioned that this is a US-based company and that's where the like where this would be happening. One of the sites that the Better Business Bureau scam tracker noted was doing scammy things was joanne-us.com so it feels like it could be real and official. If it's oh, it's a US-based store. So I'm going to go to the like. If you don't think about the fact that maybe there's not stores in other countries or maybe this is like the official US site and add in what Joe just said, like we don't like if their website isn't doing it and you're trying to find a different place to order, then yeah, it's easier to shop from your home than it is to physically go into a store.
Maria Varmazes
Yep.
Mayan Plout
Scam opportunity.
Maria Varmazes
Yeah. We, we have a link to the Better Business Bureau's story about the Joann's going out of business scams for our listeners to take a look at. But Mayan, thank you for walking us through this scam. This one's as you can tell, near and dear to my heart. Joe, I imagine your wife being an expert quilter, she probably has her favorite stores. But I imagine she also dropped in at Joann's now and then for notions and the like.
Joe Kerrigan
So she would buy the her Kona fabric there, her white Kona because they always had it and it was well priced.
Maria Varmazes
And you Kona, nicely done.
Joe Kerrigan
I know a lot. You do? I absorb a lot of the information.
Maria Varmazes
You're not just chickens. It's honestly no, it's not just chickens. Thank you so much for joining us for the catch of the day today, Mayan. I appreciate it.
Mayan Plout
Of course. Thank you so much. And watch out out there.
Joe Kerrigan
I tease my wife about all the extra stock she has laying around the house, but at the same time, if you come down to my lab, there's extra stuff laying around. For example, this week I just purchased 12 remote control transmitters and receivers because someone at my office was selling them for two bucks a piece and I bought them.
Maria Varmazes
Listen, we all have our hobbies, right? You know, it's and you know, the stuff with all these hobbies is a lot of times you want to take advantage of when there's sales for things that don't expire. You know, it's not like buying fruit where it's going to go moldy instantly. You know this is stuff that will last. So I understand we again, I know I know a lot of people these things will affect so I just hopefully people will hear Mayan's warning here and be careful. So.
ThreatLocker Sponsor
And of course we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space.com HH where you can request a demo and neutralize the threat of malware running on your devices.
Maria Varmazes
And that is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Also, please fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilby is our publisher and I'm Maria Varmazes.
Joe Kerrigan
And I'm Joe Kerrigan.
Maria Varmazes
Thanks for listening and Dave will be back next week.
Podcast Summary: Hacking Humans – Episode: "Catch Me If You Scam"
Timestamp: [00:02] - [02:32]
Maria Varmazes kicks off the episode by welcoming listeners to "Hacking Humans," hosted by N2K Networks. She humorously mentions her attempt at impersonating Dave Bittner, who is currently on vacation, and introduces Joe Kerrigan as her co-host. The opening segment features light-hearted banter between Maria and Joe about their names and family members, setting an engaging and personable tone for the episode.
Timestamp: [02:04] - [06:49]
The hosts transition to discussing listener feedback from the previous episode, “Hacking Chickens.” They highlight comments from Joe (also known as "Crow Child Bob") who appreciates Maria's use of specialized terminology related to cybersecurity. The discussion then delves into a query from a listener named Robert regarding the impact of bird flu on egg prices and potential scams related to tariffs affecting Canadians.
Timestamp: [06:49] - [13:15]
Maria introduces a concerning crypto scandal from the UK, where scammers pose as police officials to obtain victims' cryptocurrency seed phrases. Detective Sergeant Daryl Paulson of the Kent Police warns against sharing personal details with unsolicited contacts claiming to be from crypto hosts or law enforcement.
Timestamp: [15:47] - [18:07]
Joe shares a report from Hank Sanders at the New York Times about a fraudulent call center in Montreal targeting elderly Americans. The scammers impersonate grandchildren in urgent need of bail money, a classic example of the "grandparent scam."
Timestamp: [18:05] - [24:58]
Maria and Joe discuss a sophisticated scam targeting Taylor Swift's concert-goers. Two individuals from Jamaica and Queens, New York, exploited a loophole in an offshore ticket vendor's system to redirect and steal 993 concert tickets, amounting to $600,000.
Timestamp: [26:43] - [38:34]
Mayan Plout joins the hosts to discuss the alarming rise of scams amidst Joann’s Fabrics' liquidation process. As the company winds down, scammers exploit the chaos by advertising fake online deals, tricking consumers into providing credit card information without delivering goods.
Timestamp: [38:34] - [40:00]
The episode wraps up with final thoughts on the discussed scams, emphasizing the importance of vigilance and skepticism when encountering deals that seem too good to be true. Maria and Joe encourage listeners to stay informed and share their feedback to help shape future episodes. They also remind the audience to utilize trusted sources and official channels when making purchases, especially during times of corporate uncertainty like Joann’s liquidation.
For more insights and updates on cybersecurity scams and protective measures, subscribe to "Hacking Humans" and follow N2K Networks' CyberWire.