A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to the Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe. Hi, Dave. And our N2K colleague, Maria Varmazis. Maria.
A
Hi, Dave. And. Hi, Joe.
C
Welcome back. Maria.
B
Welcome back.
A
Thank you.
B
Yes. Good to have you back. Well, we've got some good stories to share this week, but first we have a little bit of follow up here. What do we got, Joe?
C
Yeah, I got two links about the same story. One is from USA Today and the other one's from Semafor. And this is about the United States and China cooperating for a bust of about 276 people. Sorry, can you back up?
A
US and China were cooperating?
C
Yes. Yes. Wow. This was. They were. They were busting some people who are participating in pig butchering scams.
A
Huh.
C
Wow. And that includes like eight people here in the U.S. in Southern California, who are probably lucky that they got arrested in Southern California and not China, because earlier this year, China executed 11 people for doing this.
B
Wow.
A
Well, the US is taking notes.
C
Right, Right.
B
All right, well, it's good to hear there's some crackdowns happening. Maybe international pressure will be enough.
C
Yep. Hope so.
B
I'd love to see this fall into some sort of international norms where we just don't accept these things.
C
Right. Yeah.
B
Feels like we're a ways off from that.
C
It doesn't matter how different you like. I don't want to say politically because that implies, like, different sides of the same kind of system, but, like, how far away you are governmentally from somebody else. We all agree that these guys are just terrible, terrible people.
A
The worst. Yeah, yeah, yeah, yeah.
C
And I think, you know, hey, we got something in common here. Why don't we leverage that and work to put a stop to this and try to make the world a better place? Because these guys really mess up people's lives.
B
Yeah, for sure, for sure.
A
Yes, they do.
B
Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com N2K. Let's get to this week's stories. Maria, welcome back. You have the honors this week. What do you got for us?
A
Right into it. Well, I'm not to brag, but I was in Paris for a week. It was really lovely. Yeah. And. Yeah. Obligatory. And it was.
C
It's universal, too.
A
You know what? I have my kid. When we told her where we were going and she was 8, she did the whole thing, too. I was like, where do you even pick that up from? I don't even understand. But she knew that one.
C
I have a great ha ha story.
B
Okay.
A
You can't leave me hanging.
C
Okay. So we were. I was talking to somebody who was from Canadian. Canada, and I was Canadian, right? This. I teased this woman mercilessly calling her country Canadia all the time.
B
Okay.
C
And she had. She said, yeah. So she did not. We don't speak anymore.
A
So.
C
But not because I teased her about Canada. Anyway, the. She made a big point of saying, well, in. In Canada, you have to have both English and French on. On the front of every package, and on the back of every package, it has to be bilingual. And I pick up this. It was a Simpsons themed bag, and it had Krusty the Clown on the front of it, and he's going, hey, hey.
B
Right?
C
And I said, why doesn't it say
A
ha ha on here?
B
Right?
C
And she looks at me and goes, you idiot, they're spelled exactly the same.
B
Oh, okay.
C
There's my. There we go. Off the rails already. Sorry, Maria, I'm glad you're back in Paris.
A
No, I mean, I wouldn't normally have mentioned that, but the reason I'm bringing up is I wanted to brag. No, that was it.
B
Okay.
C
A little bit of a home.
B
Fair enough.
A
Yeah, yeah. I. I'm from the Boston area, so when it's. It's an area that a lot of people in France know of its existence. So when it came up in conversation, like where I'm from and all that kind of thing, the first words out of a lot of people's mouths, especially now, is, oh, you guys are going to be hosting some of the World Cup matches because it's coming up in June and July.
C
Hold on, hold on, hold on. Let's clarify. Which World Cup? FIFA's?
A
The football world. The World Cup. The world.
C
That is not the World Cup. The World Cup.
B
Oh, Maria.
A
All right. Well, there's like 3 billion people on my side.
B
You had to go there. You had to go there.
C
Three billion people can very well be wrong.
A
Okay, well, the thing that everyone else knows is the World Cup 2026, the one that FIFA puts on. FIFA, okay, yeah, yes, the FIFA one. The matches are happening across Mexico, Canada and the United States. And seven of them I believe are happening here in the Boston area where I'm recording from. And it's extremely expensive. I don't think the World Cup, the World Cup has ever been cheap, but what we call in the US soccer is usually considered a sport that is a little more working class. So usually match prices are on the lower side. However, this World Cup seems, seems to be defying all expectations for how expensive things are. And I know around where I live there have been people sort of desperate to find deals and ways to make it not so painfully expensive. And this is apparently a rather universal experience for a lot of people trying to make it to World Cup matches this year, to the point that there are now scam watch notices being put out by various organizations, including the FTC, saying this is becoming a serious problem. Now, I don't think any World Cup has ever been immune from this sort of thing, but we, I think again, this specific one, given that we are in a perfect storm of flight, prices are extraordinarily expensive due to the war in Iran that in the Strait of Hormuz dramas. And we also like the United States especially, is a very expensive place nowadays. So places to stay, tickets, transit is extremely expensive. So we've got a lot of people who are looking for the cheapest way possible to get to places that just aren't cheap and they're getting ripped off. So I wanted to just put out a little notice, a little bit of a conglomeration of a couple different posts that I found about this. The first one is actually from Proofpoint and this is not about price scams, but this is actually about email impersonations related to the World Cup that are leading to people getting scammed. And they put out a study, Proofpoint did that. Apparently 36% of World Cup related domains, like the sponsors and partners, people who are officially affiliated, they're not fully protected against email impersonation because they don't have the strongest DMARC settings allocated. So, Joe, can you walk us through the DMARC setting thing?
C
Oh, off the top of my head, no. But good talk. I have to look this up every single time. But DMARC is a. It's a dark DNS-based security system that provides some kind of attestation that you're actually talking to the right server.
A
Right.
C
And I don't Remember exactly how the inner workings are. But it's like one of the things we like to say, table stakes. Now, if you don't have your DMARC records defined, you are really behind the curve on this.
A
Yeah. So, yeah, I think the gist of that is probably good enough for what we're talking about here. The, the getting into the stats from what Proofpoint studied. I think a lot of them have DMARC defined in some way, but only 64% of them are using the strongest setting, which is reject. So the other 36% still may allow spoofed emails to reach inboxes. So that means that people or bad guys who are impersonating a legitimate brand, like an airline or a hotel or some other FIFA sponsor, can appear completely real when it lands in someone's inbox. So they can impersonate a legitimate brand. So not helping in this situation.
C
Right.
A
Calling it table stakes feels like a good way of doing that. It's like this feels like something that they should be able to easily tamp down. But 36% is a lot higher than I would have liked to see, so that's not great. So the warning is for people who are interested in trying to attend a World Cup match if somehow don't have tickets already or are looking for a deal, is to be especially cautious, even from people who are official partners. There are, there are, there is potential for things to be spoofed effectively and you could get really burned. And again, these tickets are not going to be cheap, so you could be out a lot of money. So please be careful there, there. There's another story that just came from Reuters about World Cup 2026 scams and they cited this nonprofit called the Noble. I've never heard of these guys, but this was, I guess they researched this sort of thing and they said they have already tracked nearly 30,000 suspicious transactions tied to the World Cup and it hasn't even happened yet.
C
Right.
A
So, yeah. And they're seeing a lot of these scams actually organized by global or state linked networks. So there is human trafficking involved in this. As you might imagine, the kind of pig butchering scam call centers are probably also getting involved in this sort of thing. They're able to exploit people who speak different native languages to increase the efficacy of these scams. So as always, please be careful. Don't fall for anything that seems too good to be true or has a level of urgency to it. Uh, and I, I think that be really careful about deals that seem too good to be true is especially important given. Again, people are looking for deals with this expensive event. I. There. I really don't think deals are to be found, unfortunately. So it's. I, I'm. I'm just thinking of things even here in the Boston area where the train ticket to the stadium from downtown Boston, one way I think is $80. And it's just like. That's the official.
C
Holy smokes.
A
And it's like a. It's a really short train ride, but it's 80 bucks. And I think to park there directly is 120. It's just nuts. There's no way it's highway robbery. It's totally highway robbery. And it's just, it's just insane.
C
So charging 80 bucks for a train ticket.
A
Our Massachusetts Bay Transit Authority, the official.
C
So they're getting in on these scams.
A
They are 100% extorting people because they can. Yes.
C
And Europeans like trains. Let's, let's, let's jack up the price of our trains.
A
Yeah.
C
And then no European who does this will ever ask an American again. Why don't you guys have a train system?
A
To be fair, driving to the stadium is a million times worse than taking the train in this specific area. It's the worst experience possible. But there's no cheap way to get there and it just stinks. So. Yeah, at the same time, I think if you're going to the World Cup, you sort of expect it to be extraordinarily expensive. But just please be careful.
C
If I can be serious about the World Cup for a.
A
Well, I can't do that.
C
Sure.
B
I'm sorry, Joe. Which World Cup?
C
The FIFA World Cup.
A
This one.
C
This year I saw a marketplace ad for someone selling two tickets to a game. One of the games this summer. $2,100 for both tickets.
A
That's a deal. No, it's not a deal.
C
Well, these are category one club section tickets. I don't know what that means for the stadium. I'm not. I don't know where these tickets are or this game is taking place with the stadiums. Like, you know, is that Gillette Stadium? And is Gillette Stadium in Boston?
A
No. Stadium is an hour south of Boston proper. It is in a town that. Sorry, I could go on a tear about this. I'll just stop it. It's in Foxborough. It's a tiny little town with like a one lane road in and out that just cannot handle the sheer amount of cars that go through. If you try to get out of a game at Gillette, you're gonna be stuck in like two hours of traffic. I've been in it. I hate it. It sucks.
C
So, yeah, I have been to two American football games, professional American football games, and both times I left with the same experience or the same impression. This is just better on TV. Yeah, it's football now, soccer. You know what the rest of the world calls football? I don't know. That might be good and. Cause I've never been to a soccer game either. But unfortunately I've also never been to a rugby game. But maybe when the World Cup for rugby comes to the United States in 2031.
A
Oh, I see. Oh, I see.
C
Yes, the real World Cup. The Rugby World Cup is next year in Australia, though, so I'm going to be watching my matches like at 2 o'clock in the morning.
A
I don't even know what to add to that. Yeah, yeah. I mean, a lot of. A lot of football stadiums is what we call soccer. Again, like they're. They're usually in downtowns of cities, so you can just walk. That is just not the case for the United States at least.
C
So, yeah, like in Dublin, the Aviva is like right in the middle of things and you can just get there.
A
Yeah, no, it's not like that here. It stinks.
B
My wife is a big European football fan and I blame. Not blame. I credit Ted Lasso for it.
A
Yep.
B
But he has lots of fun. So we watch a lot of games and I enjoy it. And it's one of those things with everything, the more you watch it, the more you understand it. And so you start to see the nuance of the game, which is at first foreign to you, but then, you know, now I can see plays unfolding and things which I never was able to do originally. But to your point about the stadiums, or I believe they call them the pitches.
A
Yeah, yeah, yeah.
C
The pitch is actually the field they play on.
A
Oh, my God.
B
Anyway, Alanna was saying that if we had soccer teams aligned with the populations in our country the way that they do in England, that our hometown of Columbia, Maryland, or in Howard County, Maryland, which has 300,000 people, would likely have two professional soccer teams.
C
Wow, really?
A
Yeah, I could see that. Yeah. I'm a fan of our regional team, the New England Revolution. But I can go to only one match a year because I just hate going to Gillette that much. It's just. It's like that's all I will do to myself. I really enjoy going. It's a really fun time. I take my kid, we go with friends. It's a nice day. But just Gillette stinks. I hate it.
C
So what's the DC team? Old Glory? No, that's the rugby team.
B
DC United.
C
DC United. DC United.
B
Yeah.
C
That's the soccer team.
B
Yeah. Yeah. All right, well, any suggestions here, Maria, for people to best protect themselves here?
A
Yeah, well, definitely only buy tickets from official sources. So I mean, tickets went out a couple months ago and of course now the resale market is huge. So remember that the tickets are only valid through like the FIFA app, so be really careful about that. But things that have a sense of urgency to them, that are trying to pressure you into buying something, you know, be, be very careful. And even if that email appears legitimate, just keep in mind that stuff can get spoofed. So just be very careful what you click.
C
Yeah.
B
It's so hard. It's a shame.
A
It really is. It really is.
B
I just want to go see a soccer game.
C
And this is why we can't have anything nice.
A
I know, I know. It's a bummer.
B
It's expensive and hard to trust.
A
So yeah, 2026.
C
Woo hoo.
A
Yay.
B
All right, well, we will have a link to those stories in our show notes. My story this week is information coming from the FTC, the good old Federal Trade Commission. This is a story from the folks at TechCrunch. And the FTC just put out a report saying that in 2025, consumers in the USA lost $2.1 billion to social media scams.
C
Yeah, that's a lot of money.
B
Wow. They said social media scams have increased eightfold and exceeded losses from any other scam contact method. Nearly 30% of scam victims say the fraud started on social media and then
C
moved to another platform.
B
Guess which social media platform was number one for scams?
A
No, it couldn't be. Facebook
C
came back with an accent.
B
The book of the face. Yes. Facebook had the highest reported losses, followed by WhatsApp and Instagram, all owned by Meta.
C
Three of them are owned by Meta.
A
Wow. Amazing. Crazy.
B
Crazy.
C
How are they making so much money?
B
What a crazy random happenstance.
A
So strange.
B
They said that shopping scams were the most common type, often involving ads for discounted goods that led to fake or unfamiliar websites. I'll just chime in here and say that one of the patterns that I've sensed on Facebook with things that are for sale is that when someone has an ad on Facebook for whatever it is, their sneakers, their pop up tent, their who knows, whatever, right? The first comment is always glowing.
C
Always the first comment on the.
B
Yeah, the first comment on the ad. So I don't know, it seems universal. I don't know how they game it to make it so. But no matter what it is. And maybe I'm just reinforcing my own biases here, but it's always great product. Love it. So glad I bought it. It's never, this product is not what it says it is.
C
I've been very good at ignoring ads and just scrolling past them, and I'm wondering if this is just part of the ad. Like, buy the ad. Yeah, the comment is part of the ad.
A
Oh, it's gotta be. Because my favorite thing is when you see the post and it says it's got like 90 comments and then it. Only two will show up and the rest are hidden.
C
Right.
A
It's like, okay, yeah, gotcha.
B
Right. Well, and if you're Facebook, it's in your. It's in your best interest to let your advertisers edit the comments. Yeah, right.
C
Or control which ones are on top.
B
Yeah, exactly. Exactly.
C
And scam advertisers. I 100% guarantee you have bot farms out there that just come in and comment. This is the greatest product since sliced bread.
B
Yeah. Yeah. Getting back to the report from the FTC, they say that investment scams caused $1.1 billion in losses. So more than half.
C
Yeah, more than half. That's impressive.
B
They say frequently using fake advisors, group chats, or testimonials to build trust. We've covered those countless times here.
C
Testimonials. I mean, I don't know how I feel about this because I don't want to put my money anywhere that I've never heard of before.
B
Right, Right.
C
And I don't care how many people tell me that. Come to Bob's bank. He's got really good interest rates. I'm like, I don't know who that is.
A
I don't know who you are. I don't get in my house. Yeah. I mean, they're all on the take
C
as far as a series of important questions.
A
Yeah.
C
Right. So testimonials for a financial institution from some stranger don't do me any good. I will use testimonials from people I know. Where do you keep the majority of your money and what do you do with it? If I want to have a financial discussion about this, and that's how I wound up where I keep a lot of my retirement savings now, because all the jobs I've had over my career, most of them have had 401(k)s. I've rolled those into an IRA. So, you know, it's important for me to trust that place.
A
Yeah.
C
So I'm not just taking some guy's word off the Internet. Oh, this is a great place to put your retirement stuff.
A
Well, I was reading something just the other day that said I think Gen Z and Gen Alpha are the most likely to do, like, believe influencer marketing. So I. Because it's sort of just part of their. I mean, Gen Alpha's still quite young, but, you know, Gen Z are full, all fully adults now, and it's been part of their, you know, ecosystem from the get go. Yeah. So. But at the same time, they're all Gen Z's also super smart, and they understand that literally every influencer is being paid. So I do wonder how that all shakes out. But yeah.
B
Huh. That is interesting. They're so different from us.
C
Almost another species.
B
Yeah.
C
These crazy kids. Come on, Dave, join me in my old man rant.
B
It's like the weight of the world has not yet crushed their spirit. Give it time. Their time will come.
C
I think Gen Z is probably one of the most weight of the world crushed generations we've seen.
A
I was just thinking that. I was gonna say they've been through. It's a Gen Z.
B
True.
A
Yeah.
B
Well, they don't have homes. That's why they don't have homes. To protect them from having their spirits crushed. We have homes.
C
Yeah, my spirit's still crushed.
B
All right, back to the FTC. Enough of me being an elitist jerk.
A
I'm crying in Millennial over here. None of my friends at home. Anyway,
B
back to the FTC. Of course, they touch on romance scams, which often begin on social platforms, and then, as Joe said, move to another platform.
C
Move to another platform. Right.
B
Yeah. And so the scammers are exploiting people's personal profiles and then requesting money or even moving on to fake investments. So the FTC, they have some recommendations. They say limit your profile visibility. I don't know about you guys. I've done that with my Facebook profile.
C
Oh, yeah. Nobody can find me.
B
Yeah, mine's only visible to.
C
I don't get very many friend requests anymore, and that's just fine with me.
A
Yeah, I'm going to take that as a challenge and find you right now on Facebook. Hang on a second.
C
You might be able to find me. I don't know. See if you can find me.
A
Let me see if I can find you.
B
The FTC says avoid investment advice from online contacts. Yep. And be sure to research sellers before purchasing. I would go a step further than that and say if. Joe, that was not hard.
C
Did you find me?
A
There's a picture of you with a chicken on your shoulder.
B
Not only did she find you, you should be ashamed of yourself.
C
I actually think friends of friends can find me. So maybe that's the setting I have. So is Dave.
A
I'm not friends with Dave on Facebook yet. Yet, huh?
C
And we don't have any mutual friends.
A
Nope.
C
Really? Lock that down.
B
Joe, Just say hi.
C
I'm very angry at Mark right now.
A
That or I found your impersonator. So either way, we've made a good disc.
C
It could be an impersonator. Send me a friend request and I don't have any Facebook. Way to get Facebook here at.
B
Might be a while.
C
Yeah, send that Joe Kerrigan a Facebook request, a friend request, and if I respond, I'll send you a direct message on Facebook tonight.
A
You got it.
C
But it won't be till like 10 o'clock.
A
Sorry, Dave.
B
Anyway, the FTC. I would take the FTC's advice one step further and say if there's something that strikes your fancy that you see coming by when you're scrolling through Facebook or wherever, don't buy it directly on that platform.
C
Right?
B
Go visit the company directly. Even going to Amazon's better than buying it directly on Facebook. You're less likely to be scammed.
C
And you gotta pick your tech oligarchs carefully.
B
That's right, that's right.
A
2020.
B
Which one hurts the least, right?
A
Oh, my God.
C
Bezos or Zuckerberg?
B
Bezos or Zuckerberg? Resignation. Just pure resignation.
A
And then you can throw musk in there, you know, it's just great. Great times, great times.
B
Throw them all the way to Mars. All right, I tell you what, let's take a quick break here to hear from our show sponsor. We will be right back after this message. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allow listing, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC, defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com N2K today. And we are back. Joe, you're up. What do you got for us, Dave?
C
I have two stories, but they're around the same topic, and they both come from gadgetreview.com.
B
Okay.
C
Which is a website, actually. Initially found the second story on a different site, but found that the source was Gadget Review. But the first one is from the. The headline is Taylor Swift deepfakes are fooling TikTok users in phishing scams. Oh, now here's one that wouldn't work on me.
B
Me neither.
C
Right. However, Maria.
A
Yeah, it wouldn't work on me.
C
No.
B
How about your daughter? Is she a Swifty?
A
No, not anymore. Oh, yeah, I know. Not anymore.
C
How old is she?
B
Interesting. 7.
A
Funny you asked. She just turned nine years old today.
C
Nine years old and she's out of the Taylor Swift market.
A
Wow. I know.
C
Interesting.
A
Yeah.
B
Okay.
C
Huh.
B
Interesting.
A
It's actually her birthday.
B
What are you whispering? Is she not aware of this?
A
No, she's very aware of it. Dating. Okay. Very aware.
B
You just don't want her to know that you're aware of it.
A
I don't know why I whispered it.
B
Yeah, I don't. She's gonna come bursting in the room with a bunch of balloons and confetti.
A
She's supposed to be in school, however.
B
Yeah, exactly. Ferris Bueller's Day off.
C
Now I have to. Which is really weird for me to have to do.
B
All right, go ahead, Joe.
C
Happy birthday to your daughter, Maria.
A
Thank you very much.
C
This Gadget Review article says that scrolling through TikTok just became more dangerous than you think, which, I don't know. I already think it's pretty dangerous. I know that there's tons of scams out there, but. And our listeners probably know this too, but AI generated deepfakes of Taylor Swift and maybe one that would work on me. Rihanna are flooding the platform. I love Rihanna. I don't know what it is about her. Music has always just been like. Every time I hear a song from her, like, this. Good song. I like it.
A
Well, Joe, you are full of surprises. I never would have clocked you for a RiRi fan. That's amazing, right?
B
Yeah.
C
Slayer and Rihanna, both.
A
You contain multiple. There you go.
C
I have range.
A
Right.
C
I also love Bach, by the way. One of my favorites. So this thing is talking about celebrity cons, and it looks like these scams are really just to get access to your accounts, stealing passwords, or maybe stealing your personal information. There's a quote in here that says YouTube recently removed 1,000 AI scam ads. 1,000 that were using fake celebrity endorsements. You know, like those Keanu Reeves endorsements. Yeah, but not before they'd accumulated 200 million views.
A
Yeah.
C
Hey, there goes the horse. You better close the barn door. So they're saying in this article that AI detection systems are struggling to maintain keep up with the sophistication of the generation algorithms. And speaking of generation, this story also came from Gadget Review. And this I think was originally started in Wired, if I'm not mistaken. But the access I have to it is from Gadget Review, and it says, MAGA influencer Emily Hart exposed as Indian man. And this is a. Emily Hart is a beautiful young woman, but she is completely synthetic. She does not exist. And this is coming from an Indian medical student named Sam with air quotes around it. And according to this article, he used Gemini, Google's Gemini, to. To come up with this whole idea of scamming people. And he started some kind of social media influencer account somewhere. So Sam asked Gemini how to maximize this influencer's reach, and the chatbot reportedly said to him, we should target conservative audiences because they have higher disposable income and show more loyalty than generic usergram is.
B
So the AI was happy to help with this scam?
C
Yes, I'm helping.
A
That's so nice. Thanks, AI.
C
Now, Google disputes that Gemini would have said such a thing.
B
Of course.
C
Right. I buy it. But shortly after starting to post these things, going after MAGA conservatives as a cheat code is what the article says. Emily Hart gained over 10,000 followers in one month. And Sam spent just like 30 to 50 minutes daily creating content. And this thing says that Emily Hart resembles Jennifer Lawrence. I looked up a picture of Jennifer Lawrence. I think the AI character doesn't look anything else like Jennifer Lawrence, but they're using all kinds of catchphrases, conservative catchphrases, to rope in people. And then Sam monetized this AI personality through a platform called Fanvue. Are either of you familiar with Fanvue?
A
No, I am not.
C
I do not go to Fanvue because I'm afraid it's something like OnlyFans. It sounds like it's something. And I.
A
That would have been my guess as well.
C
Right. And he sold AI generated content, partly working with X's Grok AI. He also served MAGA-themed T-shirts and provided that also provided some income, and it made him a few thousand dollars a month. So by scamming standards, he's not killing it, right? He's not walking away and he's not actually, you know, he's not, I guess he is lying to people, but I mean, it's, I guess the only thing that he's not producing that's real is it's just AI generated content that he's selling to people, that people think that they're getting some kind of interaction. But I don't know how different that is from following Kim Kardashian.
B
Right, so he's providing entertainment, right?
C
Yeah, yeah, because people, that's, that's been the whole argument with the influencer culture, right? Is that this is, this feels like a two way communication street, but it isn't, it's just one way.
B
Right.
C
Kim Kardashian doesn't know what you said. And if you message her and somebody replied to you, that's just some contractor in some other part of the world that works dirt cheap that sends back a text to you.
B
Right.
C
Anybody you know, it's not the person you think you're talking to. So this, this all came out when Wired posted an investigation. Instagram removed Emily Hart's account in February for fraudulent activity with Facebook following only after the investigation went public. So that's interesting that Instagram, a Meta property, removes it in February. But when the ball drops, Facebook goes, oh, we better get on this. I mean, it seems like they still have some kind of, some kind of, some kind of back end differences, I guess.
A
Yeah, I mean, like medical scams abound and those just keep going. But this was priority. Okay, yeah, right.
C
That's a good point, you know?
B
Well, I mean, I wonder too, like, what's the difference between someone adopting a persona, let's just say an influencer persona.
C
Right.
B
That is very different from who they are in their day to day life.
C
Right.
B
Versus spinning up an AI generated persona that's completely different. Is one inherently less ethical than the other? Discuss.
C
I don't know. I don't particularly find either one of these things ethical. But I mean, if you're going for a social media persona, I don't know that people are capable yet of understanding that that's an act. Like seeing someone on TV is an act. I play the bad guy on TV, but I'm really not mean.
B
Right.
C
Or, you know, whereas I play the hot, attractive young woman who is attracted to you, but I'm really not attractive to you. And in this case, I'm really not a hot, attractive young woman. Right. Yeah, I, I mean, I don't know.
A
I, I, that's the sound bite for this episode. I just.
C
I'm really not hot.
B
Joe Kerrigan says, quote, I'm not a hot, attractive young woman.
C
There has never been a more true statement that is a true, true.
A
Hang in the air. Oh, my God.
C
None of those three things, hot, attractive or young apply to me.
A
Or woman, presumably.
C
Or woman. Yeah.
B
Fair to lead.
C
Yeah. Sorry.
B
Is there something you want to.
A
This is that kind of episode. It's a very special episode. Okay.
B
Yeah.
C
Feeling kind of loud.
B
So I think put the MAGA part of this aside.
C
Right, right. I mean, that's not the important part. No, the important part. Well, I mean, there is a portion of this and it's not unique to MAGA. I don't think. I had this discussion with Michelle. She was like, there's research that says people on the right are more susceptible to this. I think that might be because generally people on the right are older. I don't know. I haven't delved into that report and I just don't have time. That article, I just haven't had time to go through it. But this is not something that's unique to any single political party, any single religion, any single belief system or status or whatever. There's something out there that will exploit you. It's there. Don't let whatever tribe you identify with lead you so far into the weeds of that tribe that you're willing to or that you're capable of falling for this kind of a scam, you know? Yeah.
B
This person was exploiting trust.
C
Right.
B
That. Yeah. He was using, you know, in group language and iconography and all those kinds of things.
C
Absolutely.
B
With this particular group to gain trust and was successful, basically. Had a part time job doing it.
C
Yeah. And was able to fund him going to medical school with it. I mean, that's the kind of money he's making.
B
Yeah.
C
So, yeah, I mean, I just. It just.
B
The question is, should this be illegal?
C
Yeah, that's a good question. I don't know. It's certainly against the terms of service because the platforms took it down.
B
Right, right.
C
But only after.
B
If he'd said at the outset that this was AI generated for entertainment only, then what happens? I don't know. Yeah, I don't know.
C
That's a good question. Is it then AI generated or is it then against terms of service?
B
Yeah.
C
Who knows?
B
Interesting. All right, well, we will have a link to those stories in the show notes. Joe, Maria, it is time for our catch of the day.
C
Dave, our catch of the day comes from my daughter.
B
All right, terrific.
C
This is a text message that she received. You will notice that she has cropped out all the information on top.
B
She's a little girl.
C
Yes.
B
She is her father's daughter.
C
She is.
A
How charged was the battery, though?
B
I was gonna say we don't even know.
C
We can't tell if she's on wi fi, can't tell if she's.
B
She's just protecting her dad from undue anxiety.
C
And I didn't even have to crop this image. This is the image she sent me.
B
Okay. All right.
C
So it's a text message. You want to read it, Dave?
B
Sure. It says, hi, Kayla. I'm Prisella, a PR consultant at Pathos Communications. RSAC 2026 coverage is putting a spotlight on self-propagating software supply chain attacks and risky auto-updating pipelines. As an embedded CNO engineer at Acme Engineering, working close to vuln research and reverse engineering, you're a cred on what defenders should actually do at the firmware and build system layer. We are pay-on-results. And I think we could land you in Business Insider. Open to a quick chat.
C
She did not respond to this text.
B
Yeah. Good for her.
C
Yeah. But I have received like in the past couple of months, two LinkedIn things that were kind of similar to this, including one this morning where somebody's like, hey, I'm looking for super connectors. And I'm like, yeah, what do you mean by super connector? What are you doing? Why are you doing this? And I think this is probably just part of some opening scam to just.
B
Wait, wait, wait, wait. Is super connector a social thing or an electronics thing?
C
I don't know. Okay. I think the way, in context, it sounded like a social thing, kind of
A
a diode situation, you know, room for. Yeah, yeah, right. No, you know, it's interesting. I was just Googling Pathos Communications, and apparently the first word that comes up afterwards is scam. Apparently.
B
Very good.
A
Yeah.
B
Well, Joe, you noted I edited out the name in my read. But they did have the name of her employer accurately in the thing here.
C
They sure did.
B
They scraped that from LinkedIn.
C
You know, I'm gonna tell another story about this. It happened to me this week. I got an email from a recruiter who had a bunch of information about me, and I, you know, like I do when I want to torment a recruiter, I wrote this guy back and said, cause this job was not a good fit, I said, no, I'm not in the market right now. But tell me, where did you get my information? And to my surprise, the guy wrote me back and said, hey, this came from X job board from 2024. I'm like. I immediately replied to him. I said, hey, thanks for the transparency. This guy is not a scammer. He's actually real. And then he said, you would not believe the number of scam resumes we get and the number of horror stories I've heard from people I'm trying to recruit about scam recruiters. And I'm like, well, we talk about this all the time on my podcast. So, yes, I would believe this. I actually said "podcast I co-host," so both of you don't get mad that I claim ownership of the podcast. So, you know, so I'm gonna. You know, this guy, I think, is a real person. I'm gonna have a phone call with him, I think, sometime in the next week or so, because there are a number of young engineers that I know that are looking for work, and it's kind of hard to find right now.
A
Yeah. And so much AI slop in the. Just clogging up the pipelines in all directions.
C
I mean, AI has done nothing but make the job search thing terrible. Yeah, absolutely terrible.
B
It is kind of the tip of the spear, I think, for the Spy versus Spy, AI versus AI, where people are using AI to try to get past the AI that's filtering you out.
C
Right. And here's the thing. You can't, as an HR company or anybody that has to receive resumes, you can't not do that, or else you just get tons of AI resumes.
B
Right, right, right. And these days, you gotta worry about. In tech, you gotta worry about North Korean workers and all kinds of things that you never had to worry about before.
C
Yeah, absolutely.
A
There is an alumni group for former coworkers of a former employer of ours that we all post in. And there's a jobs board where people post, you know, hey, I'm hiring at my new company or whatever. And there was something that was posted there recently saying the moment that they posted a job req, they got a thousand applications that were all AI slop. Which is just like how you just can't. How do you deal with that? So.
B
Right.
A
It's bad.
B
What is the societal tax for having that be the current reality?
C
Massive unemployment.
A
Yeah, right.
C
That's. That's the societal tax.
B
Right. I mean, it's just an anchor. It's a drag on people's ability to hire.
C
Right.
B
And that has real world effects.
C
Yep, yep.
A
Sure does.
B
All right, well, we would love to hear from you if there's something you'd like us to consider for our catch of the day and you're not one of Joe's offspring, please email us. It's hackinghumans@n2k.com. I wonder if my son's
C
gonna send one in now.
B
Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo at threatlocker.com/N2K. And that's Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
I'm Maria Varmazas.
B
Thanks for listening.
This episode delves into the latest trends in deception, influence, and social engineering, with a specific focus on cybercrime scams exploiting high-profile events (like the 2026 FIFA World Cup), the proliferation of sophisticated deepfake scams, and the rise of AI-driven social media manipulations. The hosts share real-world scam examples, analyze security failures, and offer practical guidance on defending against phishing, impersonation, and social manipulation online.
Time: 00:46 – 02:18
Joe highlights a rare US-China law enforcement collaboration resulting in the arrest of 276 individuals for pig butchering scams; 8 in Southern California.
Maria & Dave note the unusual partnership and hope this signifies growing international consensus against such crimes.
Discussion touches on the severe penalties in China—up to executions for scam ringleaders—contrasted with US legal standards.
Quote:
"We all agree that these guys are just terrible, terrible people." – Joe (01:48)
Time: 03:17 – 16:43
Maria introduces escalating scams around 2026 World Cup ticketing, accommodations, and travel, citing FTC warnings. Prices are exorbitant, prompting desperation and making scams more lucrative.
Proofpoint research: 36% of World Cup-related domains (including sponsors and partners) lack strict DMARC settings, enabling effective email impersonation attacks.
Quote:
"Only 64% of them are using the strongest setting, which is reject. So the other 36% still may allow spoofed emails to reach inboxes." – Maria (08:11)
Joe clarifies DMARC simply: Without stringent settings, brands are exposed to realistic phishing and spoofing attacks.
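As an added example (not from the episode or from Proofpoint's research), the check below parses DMARC TXT records and classifies their enforcement strength the way the episode frames it: only p=reject at full coverage is the strongest setting, and anything weaker may still let spoofed mail reach inboxes. The domain names and records are constructed samples.

```python
# Constructed sample DMARC lookups (hypothetical domains, not real data):
# value is what a DNS TXT query for _dmarc.<domain> would return, or None.
SAMPLE_DMARC_RECORDS = {
    "sponsor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@sponsor-a.example",
    "sponsor-b.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "sponsor-c.example": "v=DMARC1; p=none; rua=mailto:reports@sponsor-c.example",
    "sponsor-d.example": None,                                  # no record published
    "sponsor-e.example": "v=spf1 include:_spf.example -all",    # SPF, not DMARC
}


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' record into a dict.

    Returns None when the text is missing or is not a DMARC1 record
    (e.g. an SPF record published at the wrong name)."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def effective_policy(record):
    """Classify enforcement strength: 'reject' only when p=reject applies to
    100% of mail; pct<100 means receivers apply the policy to a sample only."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct: receivers treat it as 100 per the spec default
    if policy == "reject":
        return "reject" if pct >= 100 else "partial-reject"
    if policy == "quarantine":
        return "quarantine"
    return "none"


def audit(records):
    """Return per-domain classifications and the share (percent) at p=reject."""
    results = {domain: effective_policy(rec) for domain, rec in records.items()}
    strict = sum(1 for verdict in results.values() if verdict == "reject")
    return results, round(100 * strict / len(results))


if __name__ == "__main__":
    verdicts, share = audit(SAMPLE_DMARC_RECORDS)
    for domain, verdict in verdicts.items():
        print(f"{domain:20} {verdict}")
    print(f"{share}% of sampled domains enforce p=reject")
```

Note that sponsor-b's sp=none also leaves its subdomains unprotected even though the organizational domain quarantines, a gap the p tag alone does not reveal.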
Reuters cited ‘Noble’ nonprofit: Almost 30,000 suspicious transactions tracked, months ahead of the event—all before the tournament has begun (10:19).
Scam operators exploit multilingual call centers (sometimes tied to pig butchering/trafficking rings) and official-seeming communications.
Official expenses (e.g., $80 train tickets in Boston) blur lines with gouging—legitimate costs are themselves shocking.
Quote:
"They're getting in on these scams... They are 100% extorting people because they can." – Maria (11:35)
Only buy tickets from official FIFA sources (via the official app).
Treat any urgent, “too good to be true” offers with suspicion.
Be mindful that even emails appearing to be from official partners can be spoofed.
Quote:
"Even if that email appears legitimate, just keep in mind that stuff can get spoofed. So just be very careful what you click." – Maria (16:26)
Time: 16:50 – 25:31
Dave shares new FTC findings:
Quote:
"Facebook had the highest reported losses, followed by WhatsApp and Instagram, all owned by Meta." – Dave (17:47)
Common scam: Fake ads with glowing bot comments, leading victims to fraudulent websites.
Notable Insight:
"It's in your best interest to let your advertisers edit the comments." – Dave (19:34)
Investment scams accounted for $1.1 billion in losses—over half of the total—often using fake advisors, chat groups, or testimonials to build trust.
Romance scams regularly start on social platforms and then migrate to private channels.
Joe's Commentary:
"Testimonials for a financial institution from some stranger don't do me any good... I will use testimonials from people I know." (20:44)
Limit social media profile visibility.
Avoid any investment advice from online-only contacts; research sellers independently; and don’t purchase directly through social platform ads.
Quote:
"If there's something that strikes your fancy... don't buy it directly on that platform." – Dave (25:03)
Time: 27:03 – 38:20
Joe covers stories about AI-generated deepfakes of Taylor Swift (and others like Rihanna) on TikTok, used in phishing and password-stealing scams.
YouTube recently removed 1000 AI scam ads, but not before they racked up 200 million views (29:41).
AI deepfakes are now sophisticated enough to evade many detection systems.
Quote:
"AI detection systems are struggling to maintain [and] keep up with the sophistication of generation algorithms." – Joe (29:51)
The “Emily Hart” persona, based on Google Gemini’s advice, targeted conservatives through AI-generated content and merchandise—and was later revealed to be the creation of an Indian medical student.
Gained 10,000+ followers in a month and netted several thousand dollars, primarily by selling AI-generated fan content via platforms like Fanview.
Quote:
"Emily Hart is a beautiful young woman, but she is completely synthetic. She does not exist." – Joe (31:08)
"Sam asked Gemini how to maximize this influencer's reach, and the chatbot reportedly said to him, we should target conservative audiences because they have higher disposable income and show more loyalty..." – Joe (31:22)
Raises ethical, legal, and platform policy debates: Is this entertainment, fraud, or both?
Discussion broadens to influencer authenticity versus synthetic personas.
Memorable Moment:
"I'm not a hot, attractive young woman." – Joe (35:48, joking about creating a fake persona)
Time: 38:30 – 44:09
Joe’s daughter shares a scam PR outreach text, accurately referencing her employer (scraped from LinkedIn), claiming to be from a “PR consultant at Pathos Communications” for RSAC 2026 coverage.
The hosts observe that many job boards, LinkedIn messages, and even recruiter communications now rely on data harvesting and AI-slop pipelines, making scam detection harder.
Quote:
"Apparently the first word that comes up afterwards [searching Pathos Communications] is scam." – Maria (40:41)
Discussion about the rise of “AI slop” in job recruiting, and its negative impact on both hiring and applicant experience.
| Quote | Speaker | Timestamp |
|-------|---------|-----------|
| "We all agree that these guys are just terrible, terrible people." | Joe | 01:48 |
| "Only 64% of them are using the strongest setting, which is reject...the other 36% still may allow spoofed emails..." | Maria | 08:11 |
| "They're getting in on these scams...They are 100% extorting people because they can." | Maria | 11:35 |
| "Facebook had the highest reported losses, followed by WhatsApp and Instagram, all owned by Meta." | Dave | 17:47 |
| "AI detection systems are struggling to maintain [and] keep up with the sophistication of generation algorithms." | Joe | 29:51 |
| "Emily Hart is a beautiful young woman, but she is completely synthetic. She does not exist." | Joe | 31:08 |
| "I'm not a hot, attractive young woman." | Joe | 35:48 |
| "If there's something that strikes your fancy...don't buy it directly on that platform." | Dave | 25:03 |
| "Apparently the first word that comes up afterwards [searching Pathos Communications] is scam." | Maria | 40:41 |
The hosts balance technical accuracy, actionable security advice, and friendly humor, making the complex topics of cyber deception approachable and engaging.
For links to studies, articles, and further resources, see the episode show notes.