Dave Buettner
You're listening to the Cyberwire Network, powered by N2K.
Joe Kerrigan
Hello everyone and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner and joining me is Joe Kerrigan. Hey there, Joe.
Maria Varmazes
Hi, Dave.
Joe Kerrigan
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazes.
Dave Buettner
Maria hi Dave. And hi Joe.
Joe Kerrigan
We've got some good stories to share this week, so stay with us. So we have a ton of follow-up this week and I guess I will take the honors and start off here. A listener wrote in with a very detailed accounting of a story about how their husband was the victim of a sextortion scammer. And they wisely told their husband to stop engaging with the scammer and, for damage control, they posted on Facebook that they'd been hacked, just in case the scammers acted on their threats of humiliation. You know, try to get in front of it, let everybody know this has happened. And I'm gonna read from part of our listener's letter. Here they write: "Here's where things get interesting, and here's the reason I feel like I need to share my particular story. Mere seconds after I posted my warning that I'd supposedly been gotten by a social engineering attack and was doing damage control, my post was absolutely mobbed by bots offering password recovery and account recovery services, legal aid, help obtaining financial clawbacks, etc. I was floored by how many there were, how instantly they showed up, and how much pressure they applied. 'You have to act fast. I can help you. Please message me immediately. Reporting it won't help. I would know. You have to talk to a specialist, but do it quickly because otherwise he might not be able to help you.' And on and on and on. I reported as many as I could, but it was like playing whack-a-mole. What's more, they started liking each other's comments and started commenting on other unrelated recent posts of mine, which I can only assume was meant to disguise the fact that they were not my friends and I had never interacted with any of them before, so they could potentially get at uninvolved third parties who were dealing with something similar. I barely use Facebook at all these days. Shocker. I was not aware of how out of control the bot problem had become.
It was a pretty sharp wake-up call, and I think it may be what prompts me to finally delete my Facebook account altogether. I was just trying to cover my own rear and I absolutely don't intend to provide an attack vector for scammers. I sincerely hope that no one sees any of these comments and falls for it, because I'd feel absolutely terrible if my attempt at damage control for one scam resulted in any of my friends or relatives getting hit by another. Love the show and really appreciate all you do for awareness on these issues." Yeah, yeah. The first thing that came to mind for me, I'd describe this as like digital piranhas.
Maria Varmazes
That's a good analogy.
Dave Buettner
Just the feeding frenzy, right?
Maria Varmazes
Right.
Joe Kerrigan
Yeah, right, right. They smell blood in the water and they just attack. And you know, in mere moments, the entire horse carcass can be stripped of.
Dave Buettner
All of its flesh, down to the bone to shreds.
Joe Kerrigan
You say down to the bone, right? Exactly. So, yes, I have seen this sort of thing. Not to this degree, but I've seen the bots just jump into action. And I wonder how, I mean, how does it work? How are they monitoring feeds for this sort of thing? Are there Facebook APIs where they can just monitor everything that's coming through the public feed? I don't know.
Maria Varmazes
My guess is that they have some kind of app that is web scraping or something. Some kind of, you know, it's like an API, but maybe they're just using the web interface instead of the. Instead of some API, but they're probably monitoring. Once they are starting this sextortion scam, they probably start monitoring all the family's feeds for stuff like this. Because it's probably the same organization doing this. That would be my guess.
Dave Buettner
Yeah, of course they have. I was gonna say public posts on Facebook are a notorious cesspool. Like, I had to. I think I mentioned this some months ago, I had to re-enable my old Facebook account, which is ancient. I don't post on it. And I noticed that anytime anyone I know makes a post that's public, they always get these awful spam comments, kind of no matter what. So don't make public posts on Facebook. But of course, then if you're trying to get found, you can't get found. But yeah, they get swarmed kind of no matter what you post, if it's public. I've noticed.
Joe Kerrigan
Yeah. So I would say, you know, lock down your Facebook account so that any of your posting only goes to your friends. And that way it's harder for people to scrape them publicly like this. And in this case, all you want to contact are your friends.
Maria Varmazes
Right.
Joe Kerrigan
So that would help. The one time I saw this was I was looking for some tickets for a local theater group, like a community theater group. And I knew the event was sold out, and I posted to Facebook, I said, hey, does anybody have any extra tickets for this event tonight? And somebody I didn't know replied and said, yeah, I have a couple tickets. Be happy to sell them to you. And I was like, oh, great. How much? He was like, $500 each.
Maria Varmazes
What are you talking about?
Dave Buettner
I'll take it.
Maria Varmazes
Wait, to a local theater event?
Joe Kerrigan
Yeah, it was like a $10 sort of little community theater fundraiser thing. So obviously this bot was standing by looking for someone looking for tickets and would just jump in at any time opportunistically and lie and say, oh, sure, I've got tickets to that. Here they are, and hope for the best. So, yeah, it's just a cesspool. Well, thanks for sharing this. This is very interesting. And again, I think probably a solution or at least a mitigation to this is to lock down your Facebook account so that it is not public. Of course, the ultimate mitigation is to get off Facebook altogether.
Maria Varmazes
But yes, wouldn't that be nice?
Dave Buettner
It would be nice. And then some of us get drawn back in, even when we've been off of it for five years.
Maria Varmazes
I think Maria and Dave, both of you have tried to stop your Facebook accounts and both of you are still on Facebook, if I recall correctly.
Joe Kerrigan
I took about a four year break.
Dave Buettner
Yep.
Joe Kerrigan
Yeah.
Maria Varmazes
Okay. I'm gonna try and experiment because I am recording from home today. I actually have access to my Facebook account at the beginning of this. Right now, I'm gonna say, here's a public post I'm making. I actually have to set the post to public. I'm thinking about buying some tickets to a baseball game. Unfortunately, it's sold out. And I'm just gonna post this and see what happens. And. And by the end of the show, we'll come back to it.
Dave Buettner
I love this idea. Thanks for being the guinea pig, because I'm not doing that. No, thank you.
Maria Varmazes
I'll delete the post before the end.
Joe Kerrigan
Speaking of not doing that, our next.
Dave Buettner
Letter, don't do what I did and messed up to do.
Joe Kerrigan
Someone writes in and says, "I listened and smiled when Maria boldly clicks on suspected links to see where they go." To boldly click on links...
Dave Buettner
...where no one should be clicking. Worst Star Trek spinoff ever.
Joe Kerrigan
"One thing I do is to use www.shouldic.org, which tells you if it's safe to click on a link. You paste the suspected link there and let their system and browser deal with any potential drama. They'll show you a screenshot and a few details they found and a recommendation on whether you should click the link or not." Yeah, I think that's great. I love these kinds of things. What do they call it? Pre-detonating the webpage.
Maria Varmazes
Right.
Dave Buettner
Yeah, it's like a.
Joe Kerrigan
Like a webpage bomb squad, you know.
Maria Varmazes
Monsters Incorporated.
Joe Kerrigan
Yeah, exactly, exactly.
Dave Buettner
Or the. The link expanders. Back when there were a lot of those. Link shortener spam. Actually, it's still a thing, but when you didn't know where that link shortener was going to take you, you would put it in the link expander and it would tell you: this actually redirects you to this terrible website. Do not go there or you're going to get Rickrolled or whatever.
Maria Varmazes
You know Rickroll. I used to have an app that would tell me when I was about to get Rickrolled because my son is a notorious rickroller.
Dave Buettner
I had an extension for a while that would just warn me if that link was actually a Rickroll.
Maria Varmazes
Yeah, I had it too.
Joe Kerrigan
I just got Rickrolled a lot. Enjoy. That was from Chris, who had some nice things to say as well. And Maria, you dropped a note in here.
Dave Buettner
I did. For reasons that are completely unrelated to me clicking links, my own Internet's been really slow since I started.
Joe Kerrigan
Oh, sure.
Dave Buettner
My husband wanted to make sure I mentioned that on the show. He was like, our Internet's been really slow.
Joe Kerrigan
I see. So he's. He's.
Maria Varmazes
Your. Your.
Joe Kerrigan
Your loved ones are publicly shaming you now for your.
Dave Buettner
I mean, honestly, cavalier you are. I just mouse over. I don't actually click. Just.
Joe Kerrigan
That's what they all say.
Dave Buettner
You know what? I deserve it. I deserve it. It's fine. It's fine.
Joe Kerrigan
Flip of the finger. All right, Joe, you want to take this next one?
Maria Varmazes
I will. This one comes from George. It says, "Hi there. About a month ago, there were several weeks covering Joe's chicken dilemma." We were talking about the episodes.
Joe Kerrigan
Right.
Maria Varmazes
We still talk about chickens from time to time.
Joe Kerrigan
Sure.
Maria Varmazes
The coop is done and we're putting the run in and they'll be going outside soon. "My wife received the attached magazine 'out of the blue,'" with quotes around it. "She does not have any current magazine subscriptions, so this was a surprise. She tried to contact the publisher, who immediately tried to upsell her more magazine subscriptions. Of course, she was then informed, per the publisher, that the data broker who subscribed her to the magazine was subcom.com," with a phone number, and he lists the phone number here. "The website does not work and the phone number goes to an automated out-of-the-office mode," which is great. If you want to cancel a subscription, that's what you want. He immediately suspected this was an attempted scam, like what the FCC reported in the past, and he has a link to that. You know, how to stop subscriptions you never ordered. And then the question was, "Or did Joe conjure up the chicken deities for the Hacking Humans listeners?" Because the picture he sends is the cover of Elle magazine from May of this year, and it has a picture of Addison Rae. You know who Addison Rae is?
Dave Buettner
No.
Joe Kerrigan
Well, not until this moment.
Maria Varmazes
Not until now. She is a social media influencer. And now she's moving into singing. Singing and acting.
Joe Kerrigan
Okay.
Maria Varmazes
But she is holding a chicken. And let me tell you, that is one good looking chicken.
Dave Buettner
Okay, what kind of chicken is that, Joe?
Maria Varmazes
I. I don't know. It's a. It's a black lace. It might be a Wyandotte. I think it might be a Wyan... I don't.
Dave Buettner
Okay.
Maria Varmazes
But it says fox in the hen house. Thank you for all the excellent humorous podcasts. Oh, by the way, she did wind up. George's wife did wind up getting it canceled. Remember the old adage about things that show up in the mail if you didn't order them and they show up, they're yours to keep.
Joe Kerrigan
You can keep them. Right.
Maria Varmazes
And if you didn't sign up for a subscription to a magazine, just don't pay the bill. I didn't sign up for this.
Joe Kerrigan
Right, right.
Maria Varmazes
Thanks for the free magazines.
Joe Kerrigan
Yeah, yeah. All right, we got one more bit of follow up here. This is a listener named John wrote in and said when you cited a poll recently about people's use of strong, unique passwords, I wonder how much the respondents could explain what strong and unique mean for passwords.
Dave Buettner
That's a good question. Great question.
Joe Kerrigan
Passing characters onto the end of a single word is neither strong nor unique. But I would imagine a sizable percent of the population would disagree with this opinion. Joe, I imagine you're champing at the bit to respond to this.
Maria Varmazes
I think John raises a very good point here, and this is an excellent point that I don't know how you test for this in a survey, though. Aside from asking, do you use strong and unique passwords for each website? And then maybe you could ask, can you define what a strong and unique password looks like? Um, you know, passwords are passé. Hey, that's a good one. It's time to move on to passkeys and. And multifactor authentication with. With some kind of universal two-factor. We have to do that because the password. We're just. Humans are just not good at passwords. We should just say that we're not good at passwords.
Joe Kerrigan
Right, Right. My response to this is that. Which is what, Joe, you always talk about, which is that you should not know any of your passwords.
Maria Varmazes
Yeah. That's a good point. Oh, yeah, yeah. That's what I should have said, Dave, is that people should know. People should use a password manager and let that thing derive a password for you. I don't know any of my passwords that I don't need to enter on a TV. I do know those because, yeah, those are annoying. I'm not entering a 25-character random password, but all my financial institutions, 25-character random passwords, at least some of them are even longer than that, you know, and then there's always multi-factor authentication on the accounts I care about. And, you know, you do the risk model. You do the risk model for each and every site that you visit. You know, if you're, if you're. What happens if someone gets access to your Disney Plus account? They put up a. They put up a new profile and then you have to delete the profile and sign yourself out of all the devices and reach and they pay your bill for you.
Joe Kerrigan
No, that never happens.
Dave Buettner
Wouldn't it be lovely?
Maria Varmazes
It would be, yeah.
Dave Buettner
Yeah, yeah. So I remember I had a coworker whose idea of a strong password was using Shift. So when her finger would go from one all the way across the number keys at the top, she's like, oh, I need to do a different one. Shift. Right, Right. I've now changed my password.
Joe Kerrigan
Right?
Dave Buettner
Yeah. So we go from 102 to Hunter 2. Yeah, exactly.
Maria Varmazes
That's called keyboard walking. And that is also bad because every single one of those keyboard walks is in the password databases.
Dave Buettner
Oh, yeah. There's no question that's a very, very bad idea. It's so bad that even I won't do it. Right.
Maria Varmazes
That's pretty bad.
Joe Kerrigan
All right, well, thanks to everybody for writing in. We do appreciate it and of course, we'd love to hear from you. You can write us at hackinghumans@n2k.com. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. All right, let's jump into our stories here. I'm going to start things off for us. This is a story from The Record, which is a cybersecurity news site, and they are chronicling some China-linked hackers who are using fake websites impersonating major brands to steal people's payment data. And some of the brands include Apple, PayPal, Nordstrom, Hermes. Is that the right way to say it? Hermes.
Maria Varmazes
Hermes.
Dave Buettner
You dropped the H. Hermes.
Joe Kerrigan
Hermes. Okay, okay, got it. All right. And Michael Kors. So, you know, premium brands, it would seem like at least Nordstrom and Hermes are. And they're using thousands of these websites that mimic the real retailer design. So in some ways they're lifting the real websites, duplicating them. And all of the functionality is there up to and including putting in your payment information. They have some legitimate Google Pay widgets on them to get people to pay, to put in their payment information or to gather up the funds through Google Pay.
Maria Varmazes
Amazing.
Joe Kerrigan
But there's no product. So you go through and you think you're going to buy what you're going to buy and you do not get your stuff. Even though when you check out it appears as a regular checkout. It appears, you know, everything looks on the up and up. But ultimately you will wait a little while and you'll wonder to yourself, hey, where's my iPhone? Or where's the thing I ordered from Nordstrom? And they never come. And all they do is they get both the money that you put in and your payment information as well. So that's basically what they're harvesting again, they're sourcing this back to China. They're not sure how many victims or losses have resulted from this scam. They say many fraudulent sites were taken down, but thousands remain active. And I just wonder, how do you fight this if. Because I'm imagining they're also using very convincing URLs.
Maria Varmazes
Yeah, they're probably using domain squatting. The kind of. Well, it's impersonation. It's not buying a domain, sitting on it for a while. They're actually buying domains that look similar. They're lookalike domains. That's the term.
Joe Kerrigan
Right?
Maria Varmazes
They're looking for lookalike or they're using lookalike domains. So like the Nordstrom may have the, maybe the Swedish O in one of the O's. Right, right.
Joe Kerrigan
They're using, what is it? The Unicode characters that look exactly the same, but.
Maria Varmazes
Yep.
Joe Kerrigan
Are not exactly the same.
Maria Varmazes
They're not exactly the same. That's correct.
Joe Kerrigan
Yeah.
Dave Buettner
Yeah. Because these are not, these are not, you know, bootleg websites. Right. Where people kind of know that you're maybe taking a risk to buy something that's a little iffy, but maybe it could be worth it if it's, you know, a convincing fake. Some people are willing to take that risk. This is not that situation. Right. Like people completely believe these are legit.
Joe Kerrigan
Right, right, right.
Dave Buettner
Yeah, that's. Yeah.
Joe Kerrigan
But again, so how do you fight this? Because we can't trust search engines.
Maria Varmazes
No, you can't.
Dave Buettner
No, not anymore.
Joe Kerrigan
I guess with major brands, you know that, you know, apple.com, paypal.com, nordstrom. So manually type it in. Don't take a link from a place like Facebook or any of the other social media places.
Maria Varmazes
The real question is, the real question here for me is how are they starting this chain of events? What's the first step? Are they buying fraudulent ads on Google? We've seen that. Are they using Facebook as like you suggested, Dave, and just putting ads on Facebook that are just straight up scam ads? Are they using some kind of search engine optimization that raises, it raises their site to the, to the first page of results that really matters and how, and how you face this.
Dave Buettner
Maybe for certain items that people are looking for, they're not necessarily going to, you know, Nordstrom.com but they're looking for a high value item that Nordstrom would probably maybe sell and then that's how they lure them in. I could see that being a possibility.
Joe Kerrigan
Yeah, absolutely.
Maria Varmazes
I will tell you one of the things I think would be really helpful here and that is if a company like Apple or PayPal or Nordstrom or Hermes, one of these companies, found out that like Facebook or Google was, was leading their customers to different, different websites, fraudulent websites, and they just slap them with a huge lawsuit and just keep slapping them with huge lawsuits until they do something about the problem that they have, which is these fake ads. I think that's the only way you get a company to pay attention because they don't care as long as their shareholders are happy. Well, start, start angering their shareholders. Start scaring their shareholders. Start doing that, you know? Yeah, that's what has to happen.
Joe Kerrigan
It's like a, like a Godzilla vs. Mothra movie. Right? You get the two big giants duking it out.
Maria Varmazes
Right.
Joe Kerrigan
With big lawsuits.
Maria Varmazes
Yeah, that's what you do.
Joe Kerrigan
Yeah. All right, well, we'll have a link to the story in the show notes. This is kind of a cautionary tale. Just, you know, be extra vigilant when you're going to these sites because some of these are big purchases. You know, you're gonna buy something like a laptop or an iPhone or, you know, whatever. Even an Hermes watch would probably be very expensive.
Dave Buettner
Hermes, there's. Some of their bags are extraordinarily expensive, like tens of thousands of dollars. So.
Joe Kerrigan
Yeah.
Maria Varmazes
Does it do a different job than a regular bag?
Dave Buettner
No, it's all just bragging to other people that you can afford this expensive bag. It's a whole thing. Look up the Birkin bag and go down that rabbit hole and enjoy the Birkin bag. Yeah, the Hermes Birkin bag. Yes.
Joe Kerrigan
All right.
Dave Buettner
B. I are not. Not. Okay, never mind. I'll tell you offline.
Maria Varmazes
Okay.
Joe Kerrigan
All right, let's move on here. Joe, what do you have for us?
Maria Varmazes
So I have a story from Ravi Lakshmanan from The Hacker News. And this is a story that is based on some research done out of Trellix, which is the company that I think now owns the McAfee virus scanner and their ePO product, their ePolicy Orchestrator, which I actually used to do integrations on long ago. But it's just interesting to see where these companies go. And that one has a really interesting history. Anyway, they're quoting Trellix researcher Srini Seethapathy and they're talking about this phishing scam that. You know, Dave, you had a story a couple, a couple weeks ago about a phishing that was like a resume-based phishing scam where they would send you to a website. This has a lot of similarities. The targets are completely different. In Dave's story, they were targeting HR people. Here they're spear phishing CFOs and other financial executives at banks, energy companies, insurers, investment firms, and these, they're located across the world, around the world. So what they're doing is they're impersonating a company called Rothschild and Company. You ever heard of the Rothschilds? Rothschild.
Dave Buettner
Rothschild, yes.
Maria Varmazes
Rothschild. Can never get their name right. That's a big financial services firm. Very big. And if you were a CFO or a financial executive, they send this to you and go, hey, we're looking to recruit people. So it's kind of like the opposite way of, hey, I'm looking for a job. It's hey, we're looking for somebody. So if you, if you open up the email that they send you, it's an infected zip file that contains a JavaScript that downloads a second file. That's a Visual Basic script. I'm, I'm getting too, too in the weeds here. But if you down. But that, that automate, that download happens automatically. Then immediately after that, that file opens up and downloads. Does, does four things or two things. First it downloads three things. I don't know how many. A lot of things. First it downloads two Microsoft installer files.
Joe Kerrigan
Right.
Maria Varmazes
One of them is for NetBird, which is a remote access tool like, like a help desk access tool. And we all see, we've heard about a lot of these, these kind of bad guy implementations of this, but these, these tools have real uses.
Dave Buettner
Yeah, of course the other thing it.
Maria Varmazes
Does is it downloads OpenSSH, which is a server, so they can access your computer remotely without using the interface that you're using, like your desktop. Then it creates a local admin account that's kind of hidden and it enables Remote Desktop Protocol. That's everything that the third file does. So you open the file that downloads a second file which then downloads a third file and does all this malicious stuff. Okay, so it is a very complicated attack, a pretty advanced attack. And Seethapathy says, and this is a quote from Srini Seethapathy: "The attack isn't your typical phishing scam. It's well crafted, targeted, subtle and designed to slip past technology and people. It's a multi-stage attack where the adversaries use social engineering and defense evasion techniques to create and maintain a persistent access to the victim system." Oh, there's one thing in here that I totally forgot to mention. One of the other similarities between the attack that you were talking about a couple weeks ago and this one is, this one is also using a CAPTCHA service, and they say it's using the CAPTCHA service to avoid things like Cloudflare flagging it as a phishing landing page. So if you put that CAPTCHA service on the front of that, then these other tools that, you know, take a look at it, use AI to say, hey, this is trying to look just like Microsoft's page and it's a login page. But that automatic system can't get past the CAPTCHA. So it doesn't flag it as a phishing page. But you, the human, are very good at getting by CAPTCHAs. So you do. And then you wind up at the phishing page. So a lot of similarities to this and the other attack. These things are getting really, really advanced, these phishing attacks. They're getting really advanced and really hard. Once you've clicked on that, once you click on that JavaScript, it's pretty much game over. These installs happen so quickly.
Dave Buettner
That was in milliseconds, right?
Maria Varmazes
Yeah, it's, you know, all that stuff I described in that, in that long, drawn out explanation happens almost immediately and then you're hosed. That person has access to the back end. If you are a CFO of a large financial institution, that's a lot of damage that somebody can do.
Joe Kerrigan
Well, the other thing that strikes me about this is the social engineering component of it, which is you're getting interest and an offer from a very high profile, perhaps an elite organization.
Maria Varmazes
Absolutely.
Joe Kerrigan
So there's a component of flattery here.
Maria Varmazes
Yes.
Joe Kerrigan
That this elite organization is interested in you. And so not only are you being flattered, it could be that you're seeing dollar signs. Yep. Right. But then also I could see that someone would be hesitant to report a problem because your co workers might say, what are you looking around for other work.
Maria Varmazes
Right. That's a good point, Dave. There's two prongs to that, isn't there? Obviously the upfront stuff of, hey, look, we're the Rothschilds organization and we're Roth's child organization. I'm gonna get hung up on that all day. I'm gonna.
Dave Buettner
We've literally never talked to you before, but suddenly we're throwing money at you. I trust this immediately. Yeah. Okay.
Maria Varmazes
Well, I mean, we'd like to tell.
Dave Buettner
You that's only how business works, right?
Maria Varmazes
Yeah, I still get some emails.
Dave Buettner
Yeah, like a cold email from somebody saying, hey, I'm from this really famous firm and I'm giving you money.
Maria Varmazes
I do get cold emails from companies I've heard about that are like, hey, we're hiring, we just got a new contract in here. We'd like you to take a, take a look and go apply for some things and they, they send the link along. But you know, I like my current job, so I don't look at them.
Dave Buettner
Yeah, no. The thing that occurs to me when, when you were describing the chain of events was I was thinking to myself, I would hope that there'd be some local control that would stop this attack in its tracks at several different points. Like being able to open a zip file, that shouldn't necessarily be able to happen depending on your level of permissions, and certainly launching something that launches a JavaScript, that hopefully one could stop depending on how locked down it is. But creating a local admin account, that shouldn't be easy to do. I mean, again, I'm thinking like this should be locked down, but I know it's not, obviously, that's why it works.
Maria Varmazes
Right.
Dave Buettner
But there's so many points at which in this attack where I'm thinking that shouldn't be allowed to happen.
Maria Varmazes
It's got a long kill chain.
Dave Buettner
It does, but clearly it, it, it's, it's working so, you know, it's not being stopped. But yeah, that's, I, I think there would be opportunities for somebody to be able to put the brakes on this if, if there's some awareness there. But of course the attackers are banking that there isn't. So. Yeah, especially if you've got a C-level being targeted, they probably don't want those lockdowns happening on their accounts.
Joe Kerrigan
Yeah, that's exactly what I was going to get to is that I can imagine there being a tension here between the necessity to lock down a C level person's computer because of all the goodies that they have access to, but also that person's resistance to having any roadblocks thrown up in their way when they have stuff they want to do.
Dave Buettner
Right, Yep. Yeah. I remember there was a discussion at one of my previous employers about this exact thing about potentially the C level should have the most locked down machines of anyone at the company because they were such frequent targets of this kind of thing, especially since we were a cyber security company. So it was like, yeah, you're going to be getting attacks like this all the time, so your machine should basically just be able to read things. And that's it. That's it. Read permissions only. But of course, like, you know, if you're a CFO who's got a lot of things that you've got to look at, then that becomes a problem. So yeah, there's a tension there. I'm just remembering admin being able to create a local admin account. I'm going, that should not be easy, right?
Maria Varmazes
Yeah, shouldn't be easy.
Dave Buettner
But at the same time, if you want to install a font, then you need local admin privileges. So there you go.
Maria Varmazes
But if you're a CFO, why are you installing fonts?
Dave Buettner
Because you want a pretty PowerPoint presentation, right?
Maria Varmazes
I want to send emails in Wingdings.
Dave Buettner
Yeah, you would be surprised. I had a CFO who had a custom email font that he sent. That's how we actually knew whether or not he was being phished, or whether the phish was coming from him or not. Was the, the email was using a default font. And we said, no, this guy always uses a weird font, so we know it's not him.
Maria Varmazes
He always uses Comic Sans.
Joe Kerrigan
Funny.
Dave Buettner
It was like this bizarre sort of cursive, fake cursive script and like bright bold blue. It was almost illegible and it was very annoying. But we knew when it was like this email from supposedly the CFO and it was just standard Calibri or whatever, going, oh, no, that's not him. It's definitely a phish.
Joe Kerrigan
Funny.
Maria Varmazes
This is easy to read. I don't have to copy and paste this into a text editor.
Dave Buettner
Yep.
Joe Kerrigan
Right.
Maria Varmazes
No, that's not Bob.
Dave Buettner
Nope.
Joe Kerrigan
What happened to Bob? All right, well, we will have a link to that story in the show notes. I'll tell you what, let's take a quick break here to hear from our show sponsor. We will be right back. And now back to our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact, and manage access to storage devices. Its building blocks are Allowlisting, Ring Fencing, and Network Control. Allowlisting is a deny-by-default software control that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP, or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans. And we are back. Maria, you're up. What do you got for us?
Dave Buettner
Well, it occurred to me that a lot of the stories that I cover tend to have a very large US focus. And I thought it'd be interesting to look around at the rest of the world and see what's going on, especially when it comes to consumer protections. Because many times when we cover a story, you know, we're all based in the US, we go, well, there's not much that can be done for us in the US because we're all kind of on our own on a lot of this stuff. But it's not the case in the rest of the world when it comes to some of these scams. So let's go elsewhere. For today's story, let's go to Australia. So I've got a story from ABC News Australia. And it starts with this heartbreaking profile of a young man who was trying to buy a home in Sydney. He was 24 years old and he put $109,000 down for a home deposit. And this is every home buyer's worst nightmare. I just went through home buying less than a year ago. This is my nightmare. And he got a fake email from someone pretending to be his real estate lawyer. His conveyancer is the word that they use in Australia. And it had fake information on where to basically send his home down payment, and fake bank details. And he sent that $109,000 before he realized it was a scam. Like on the morning he was supposed to get his keys, which is just, oh, my God. And he went to his bank saying, listen, I've just been scammed. Please help me get that money back. And even though he was super fast about it, he did not get his money back and the bank was not able to help him. So he filed a complaint with the Australian Financial Complaints Authority, which is, for our US listeners, roughly equivalent to the US CFPB dispute resolution. That's sort of the somewhat equivalent, but not quite. And the AFCA said that the bank had warned him, like, hey, you got to make sure where you're transferring this money is the correct place. 
So we can't have them reimburse you the money that you lost, because the bank did their job saying, be careful. And that was all the bank needed to do. So for this young man who lost all his money, he ended up getting his house because his family helped him fill in the blanks with the money that he lost, but he had absolutely no cash left over for, you know, actually improving this house that he bought. The long and short of this story is Australia has recently been taking notes from the UK in rolling out, unfortunately not in time for this gentleman, this thing called Confirmation of Payee, which has been in existence in the UK since 2020. And basically Confirmation of Payee warns users if the account name does not match the routing number and account number. So if there's a weird mismatch there, it'll tell you before any money is sent: hey, something's fishy here. Australia has been rolling this out over the last year at least, and it sounds like they're.
Joe Kerrigan
It's.
Dave Buettner
It's pretty much ready to go for prime time, but it's not exactly the same as what the UK system has been doing. And I should note, for our US listeners, we have nothing like this. We have little.
Maria Varmazes
Yeah, I've heard of something like this coming, although I don't think it's ready yet. But I think this is interesting, the Confirmation of Payee. And I can't remember where I heard this, but there's some kind of system that uses the same data points. You know that.
Dave Buettner
Yeah.
Maria Varmazes
You're sending. Who are you sending this to? I'm sending this to this title company. Well, that account is owned by Joe Kerrigan. You can't send Joe Kerrigan $109,000. It's intended for this title company.
Joe Kerrigan
Right.
Maria Varmazes
And I'm pretty sure it was a US-based thing. I mean, but yeah.
Dave Buettner
So the differential. Yeah. We don't have anything national, and I think Canada is also working on something like this, but they don't have it yet either. But they're further along. So for me, as a US person, I'm thinking there is no national standard here, like a Confirmation of Payee standard across all US banks. Some financial institutions have some sort of things like this in some parts of the United States. So some will say, hey, if you're trying to do, what we have is the ACH system here, the Automated Clearing House. Is that what it stands for? Yeah. ACH is our sort of version of the routing number basics. Our financial listeners are going to be pillorying me on this. But the ACH is what we use. I'm not a financial person. This is probably pretty clear right now. But I'm sure some of you have encountered where they'll do like a micro deposit saying, hey, we're going to give you $0.01 and $0.02, and just verify the amount over the next week to say that we've actually deposited to the correct place, and then we'll send the final amount. I've seen that with my financial institutions. Or I've seen that too, or a lot, where they'll have you log into your bank in the other. They call it instant account verification. It's a login sharing thing where they'll say, you want to add your bank to do a deposit, you have to log into your bank while in our app and then verify that you actually own this thing. So it's sort of a system to catch this, but again it's piecemeal. As with so many things in the US, it's piecemeal, and it depends on who you have and how advanced your bank is and that sort of thing. And there's certainly no regulation about this. So don't hold your breath on that one. Yeah, and Zelle apparently has a sort of system about this as well. And Zelle is used a lot in the States for some of this kind of thing. 
The thing that was interesting to me about Confirmation of Payee in the UK is that it basically holds the bank really responsible if somebody gets scammed. So the bank has to reimburse the victim. On average, apparently the UK banks reimburse almost 90% of the money of the person who gets scammed. So the banks have really stepped up and said, we're going to make sure we protect you. And if we fail to do that, we will do a lot to make sure we get you almost as much money back as we possibly can. In Australia's case, the big complaint in Australia right now is that scam losses there are only covered 2 to 7% on average. So the banks are still doing more than that, certainly compared to the United States, in terms of trying to protect their consumers. But money may not come back to you if you are scammed. So Confirmation of Payee in Australia still puts a lot of the burden on the consumer. Although again, I'm coming from the States, I'm going, it's better than what we have, but I think people would like it to still be better. So the UK model to me clearly is sort of a gold standard, where they're both saying, hey, we want to make sure that the names align with these bank accounts that you're trying to get money to or from, and that if somebody's unrecognized or seems to be doing an imposter situation, we're going to flag that instantly. And then if you happen to get scammed despite that, we're also going to make sure we get you money back. That sounds pretty fantastic. So I would love to hear from our listeners, because I know we have a lot of listeners who are financially savvy and also in the world of financial institutions: what other similar protocols are in place around the world? Because coming from the United States, I don't think I'm going to see anything like this anytime soon, except for the piecemeal sort of thing that we have going on right now, bank by bank. 
But I'd be very curious what other countries are doing. And yeah, I just thought this was fascinating. So I guess kudos to Australia for taking some good steps here, and certainly advocates in Australia want more things to happen, but this sounds like a fantastic step to follow the UK's model on this.
Joe Kerrigan
I have friends who are bankers, commercial bankers, and they've talked to me about just a huge percentage of their time that's taken up dealing with scams. I can only imagine their clients being scammed. It's just relentless and it's a huge time suck. And so there's lots of motivation to get this under control. But if you made the banks liable, then, boy, you could bet they'd throw technology at it.
Dave Buettner
You bet. Yeah. When I was going through my house buying and selling process last year, it was just terrifying. Going through the wiring, the money wiring process, lots and lots of money being moved. And this was quite literally phone calls going up the banking chain. It was about as lo-fi as one might imagine, and was oddly comforting actually, that this was slow. It was also very frustrating because it held up a lot of the paperwork on my side. But it would be nice if we could make this easier, but also stronger, as opposed to let's hope this phone call reaches the right person, who in my case was on vacation and couldn't be reached. So it held up my closing for several days. It was very annoying.
Joe Kerrigan
Well, you know, because everything here in the US is based on a profit motive. I can't help thinking about, you know, I don't even know if this exists anymore, but it used to be that if you went to an airport and you're about to take a flight, there was a little kiosk where you could buy last minute life insurance.
Maria Varmazes
Yes.
Joe Kerrigan
You know what I'm talking about.
Maria Varmazes
Oh my gosh, is that still a thing?
Joe Kerrigan
I don't know, but I have never seen that.
Dave Buettner
That's fascinating.
Joe Kerrigan
Right. There's a little kiosk and you could, I don't know, just, you know, it wasn't expensive, but you could buy last minute life insurance. And it was just, you know, playing off of people's fear of flying. But it was legit. If the plane crashed, which planes almost never do, there'd be an extra little something for your loved ones. And I can't help thinking, like for major transactions like settling mortgages and things, could there be an opportunity here for a small last minute insurance policy that the money will go through? And the vast majority of times the money does go through. But if you happen to be victimized, then whatever, it would be $10, $100, who knows?
Maria Varmazes
Depending on how often this happens, you'd have to have an actuary look at this.
Joe Kerrigan
Right.
Dave Buettner
But here's my viable.
Maria Varmazes
Yeah, yeah, here's my thinking on this. This Lewis May guy received a fake email from someone posing as his conveyancer, which is a real estate attorney in Australia. Was that a business email compromise attack? Was that coming from, I mean, how'd they know to email him this? Seems like he should be saying something to the conveyancer, or getting somebody to sue the conveyancer, or saying to the conveyancer, hey, I hope you have errors and omissions insurance, because I just got scammed out of $109,000 because someone impersonating you from your email sent me an email that said, put the money over here. That's where I think the blame lies and the liability lies.
Dave Buettner
Yeah, I mean, I remember again, Joe, you've recently sort of gone through this process too. I think there were all sorts of disclaimers saying, if you get any kind of email from anybody that's not literally directly me, and also, if you don't get a phone call about it, do not trust that email. Because a lot of this information becomes public record once it starts going through the legal system. So I have to wonder if maybe that's what it was, is something public essentially was intercepted, for lack of a better term. Yeah. I remember going through this twice last year and it was literally like everything had to be verified in person or by phone call. Email was just not to be trusted. It was a starting point of basically, hey, we're moving on to the next step. Do not convey anything through this. Everything, you need to call someone.
Maria Varmazes
Right.
Dave Buettner
Which is just wild to me that that's how it's still going, at least states wise.
Maria Varmazes
No, that's fine. I think it is.
Dave Buettner
I mean, like, I appreciate it. I didn't want to lose my money, obviously. And again, I mean, it cost you.
Maria Varmazes
A couple extra days. And I get that, that's, that's frustrating.
Dave Buettner
But, and I wanted to lose my money. But, you know, it's also like it was 2024. That's like, what year is this?
Maria Varmazes
Well, I will never forget when I was standing in line at a, this was probably 20 years ago. It was, I mean, it was two houses ago, because I remember the polling place, and there was somebody standing in front of or behind me going, why are we standing in line to do this? Why aren't we doing this online now? And I turned to her and said, if we did it online, I guarantee you my candidate would win every time. I just stared at her. And you don't want that.
Joe Kerrigan
Right? Right. Especially the way you vote.
Maria Varmazes
Right? That's right.
Dave Buettner
Early and often. Right?
Joe Kerrigan
Right.
Maria Varmazes
Yeah, that's right. Well, just once, but there's some radical fringe party.
Joe Kerrigan
Yeah. All right, well, again, we would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's hackinghumans2k.com. Joe, Maria, it is time to move on to our catch of the day.
Maria Varmazes
Dave, our catch of the day comes from Jim, and it's a pretty good one. It looks like it's an iMessage on an iPhone that Jim just got from an email address, from somebody named Paula.
Joe Kerrigan
Okay, Maria.
Dave Buettner
Okay. This is from Paula. Hello, I'm Emma from the HR team at Work Remotely. And we recognize that you have excellent potential for career advancement and would like to introduce you to a remote high-paying job opportunity. Location: flexible, anywhere. Hours: 30 to 90 minutes per day. Training: comprehensive free training provided. Compensation: $200 to $3,000 per day. Paychecks are paid daily. Recruitment requirements: age 24 plus. Benefits: 401k and health insurance upon hire, and 20 to 30 days paid annual leave, helping you achieve a better work-life balance. If you would like to know more, please write to me via WhatsApp or Telegram. And the Telegram address is @Linda.
Joe Kerrigan
Oh.
Maria Varmazes
So Jim has some comments. He said these guys really need to up their game. The claims are beyond ridiculous, but sadly some folks will fall for it. Which is correct. The annual salary of over three quarters of a million dollars for only working 90 minutes a day. You can work from anywhere, there's free training, and you get 30 days off a year, paid. It's that, I mean, if somebody wants to pay me three quarters of a million dollars a year, I don't need any paid vacation. Dave and Maria, I'd be happy to take just the three quarters of a million dollars a year.
Dave Buettner
Seriously, take that to the bank.
Maria Varmazes
Yeah. And if I happen to take a couple days off and you just don't pay me for those days, that's fine, that's fine. I'd be happy with it.
Joe Kerrigan
Right.
Maria Varmazes
And then finally Jim points out that Paula's using Emma's email to ask him to contact Linda, which seems legit. Right.
Dave Buettner
But Emma also. Paula, Emma, Linda.
Maria Varmazes
Yeah. Paula's. Did I say that right? Paula's using. Paula's. Using Emma's email. Yeah. Yeah.
Dave Buettner
Emma's using Paula's email to contact Linda.
Maria Varmazes
Right.
Joe Kerrigan
Were we in middle school?
Maria Varmazes
Right? Yeah.
Dave Buettner
Paula, Linda, Emma, Emma.
Maria Varmazes
I heard from Jenny that Maria likes you and that you should tell.
Dave Buettner
You should check yes or no on this box. Pass the note.
Joe Kerrigan
Right, right. Oh, my goodness. All right. Well, that's a good one. And don't fall for it.
Maria Varmazes
No.
Joe Kerrigan
Thank you to ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com. That is Hacking Humans, brought to you by N2K CyberWire. We would love to know what you think of this podcast. We are conducting an audience survey through the end of this summer. You'll find a link in the show notes, and we do hope you will check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilby is our publisher. I'm Dave Bittner.
Maria Varmazes
I'm Joe Kerrigan.
Dave Buettner
And I'm Paula and Melinda Maria Varmazes.
Joe Kerrigan
Thanks for listening.
Hacking Humans: Episode Summary – "Convinced, Compromised, and Confirmed"
Release Date: July 10, 2025 | Host: N2K Networks
In this compelling episode of "Hacking Humans," hosted by Dave Buettner and Joe Kerrigan from N2K Networks, the hosts delve deep into the intricate world of social engineering, deception, and cybercrime. They explore real-life scam stories, discuss effective security measures, and highlight the evolving tactics of cybercriminals. Through engaging conversations and insightful analyses, the episode sheds light on the challenges organizations and individuals face in safeguarding against sophisticated cyber threats.
The episode kicks off with a heartfelt letter from a listener recounting their husband's ordeal with a sextortion scammer. The listener bravely shared their strategy to counter the scam by posting a warning on Facebook, only to be inundated with relentless bot-driven responses.
Listener [00:15]: "I was floored by how many there were, how instantly they showed up, and how much pressure they applied. It's like playing whack-a-mole."
Dave and Joe discuss the alarming prevalence of automated bots on social media platforms, emphasizing the "feeding frenzy" behavior of these malicious entities.
Joe Kerrigan [03:10]: "They smell blood in the water and they just attack."
Maria Varmazes [03:07]: "That's a good analogy."
The conversation highlights the importance of tightening Facebook account privacy settings to mitigate such attacks.
Joe Kerrigan [05:00]: "Lock down your Facebook account so that any of your posting only goes to your friends."
Maria takes an interactive approach by demonstrating the potential fallout of public posts, reinforcing the need for cautious online behavior.
Transitioning from social media scams, the hosts address the critical issue of malicious links. They introduce reputable tools like Should I Click that help users evaluate the safety of suspicious URLs before engagement.
Joe Kerrigan [07:32]: "What do they call it? Pre-detonating the webpage."
They recount personal anecdotes about phishing attempts disguised as legitimate interactions, emphasizing the necessity of preemptive link verification.
A listener named John raises an essential question about the understanding of "strong" and "unique" passwords among the general populace. The hosts dissect common misconceptions and advocate for the use of password managers to enhance security.
Maria Varmazes [12:09]: "Passwords are passé. It's time to move on to passkeys and multifactor authentication."
They discuss the pitfalls of simplistic password strategies, such as "keyboard walking," and underscore the importance of complex, randomized passwords.
Dave Buettner [14:27]: "She used Shift as her password. I wouldn't do that."
The episode delves into a sophisticated phishing campaign targeting CFOs and financial executives across various industries. Researchers from Trellix uncovered how these attackers impersonate prestigious firms like Rothschild & Co., deploying multi-stage attacks that bypass traditional security measures.
Srini Sridhapati [23:45] (Quoted by Maria): "The attack isn't your typical phishing scam. It's well crafted, targeted, subtle, and designed to slip past technology and people."
The hosts explore the advanced techniques used, such as leveraging CAPTCHA services to evade detection by automated systems, and discuss the substantial risks posed to high-level financial personnel.
Joe Kerrigan [27:21]: "There's a component of flattery here that makes the target more susceptible."
Shifting focus globally, Dave Buettner narrates a distressing case from Australia where a young man lost $109,000 through a real estate impersonation scam. The conversation underscores the disparity in consumer protections between countries.
Dave Buettner [36:07]: "Australia has been rolling out something called confirmation of payee, which warns users if the account details don't match."
Maria elaborates on the UK's "confirmation of payee" system, praising its efficacy in safeguarding consumers by ensuring account details align correctly, thereby enabling banks to reimburse most scam victims.
Dave Buettner [39:15]: "In the UK, banks reimburse almost 90% of the money for scam victims."
The hosts lament the lack of such comprehensive protections in the United States, advocating for systemic changes to enhance financial security for consumers.
Throughout the episode, Dave, Joe, and Maria provide actionable insights to listeners on bolstering their defenses against cyber threats:
Restrict Social Media Posts: Limit visibility to friends only to reduce bot attacks.
Utilize Link Safety Tools: Always verify suspicious links before clicking.
Adopt Password Managers: Rely on password managers to generate and store complex, unique passwords.
Implement Multifactor Authentication: Add an extra layer of security to critical accounts.
Stay Informed on Scamming Techniques: Awareness is key to recognizing and avoiding sophisticated scams.
"Convinced, Compromised, and Confirmed" serves as a vital resource for individuals and organizations striving to navigate the treacherous landscape of cybercrime. By sharing real-life stories, expert analyses, and practical advice, Dave, Joe, and Maria empower listeners to recognize, prevent, and respond to evolving cyber threats effectively. The episode underscores the necessity of continuous vigilance and proactive security measures in an increasingly digital world.
Stay informed and stay safe by subscribing to "Hacking Humans" on your preferred podcast platform.