Defending against unlimited penalty shots. [Hacking Humans Live!] (Hacking Humans podcast transcript)
A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to a very special edition of N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Maria Varmazis.
A
Hi Dave. Good to see you in person.
B
This week we are coming to you from Zero Trust World in Orlando, Florida, where we are joining security leaders and practitioners from across the industry. Our coverage here is made possible by our sponsors at ThreatLocker, who've brought the community together to talk all things Zero Trust, resilience and the future of cybersecurity. We are grateful to ThreatLocker for helping make it all possible. Joe Carrigan was unable to join us this week here in sunny Florida, but we have a very special guest today, host of the Bowtie Security Guy After Dark podcast.
C
There you go. You got it.
B
Rob is one of the featured speakers this week here at Zero Trust World, and he's going to be sharing highlights from his presentation on phishing. We've got some good stories to share this week. I tell you what, let's just jump in here. We don't have any follow-up this week. Rob, welcome. Before we dig into you sharing some of your insights on phishing, can you just tell us a little bit about yourself? What's your story of where you started and what brought you to where you are today?
C
I started as a poor kid who just pulled computers out of trash and figured out how to work on them and kind of repair them. I was an early hacker when there weren't any laws, right? And then Mitnick got arrested and I got real scared because I was like, oh, you can do real jail time for this now, right? It became much more serious from there. I've always been just a lifelong tinkerer, playing and building stuff. I build replica movie props in my free time. I worked for Disney for 20 years. I helped build out a lot of their programs, their social engineering program as well as their security awareness stuff. I worked with and then a lot of securing the technology like the MagicBand. I worked with those guys. Oh, wow. We got to do a lot of cool stuff for my time there. Now I'm just a boring executive at a Fortune 500.
B
Well, it's not that boring.
C
I mean, you would.
A
The war stories are amazing.
C
I'm sure I've got some of the best stories. Yeah, that is for sure.
B
Well, tell us about the podcast.
C
Yeah. So I started it specifically just to help new people get into technology and understand what the job was really like. I talk to professionals and just ask them how they got into it, how they started. Maria and I were talking before this. It's not the same way. Everybody has a very interesting journey into technology and into cyber, and now there is no real path. So I try to educate what the job's really like, how many hours you're going to be spending, the life sacrifice, as well as the constant learning aspects of it, and then lots of advice for new people in technology. So that's one of the biggest things for me, is just helping as many people as we can and then educating them on what the job is like. And that way they don't go into it blind. You know, it's a rough gig. And I think a lot of people who go into technology think it's going to be this constant entertainment and fun, and it's very monotonous, boring work a lot of times.
B
Way to sell it, Rob.
A
This is realistic, though. I'm saying you got to deal with the tedium, spotted with, like, some moments of huge excitement.
C
That's the biggest. Everything. Like, let's say you start in, like, a SOC. When I was first doing SOC work, like, it took me literally eight months till I found my first real threat. Right. And once I found my first real threat, it was like the greatest thing ever.
A
Yeah, yeah, yeah.
B
So you find yourself a mentor.
C
I do. I spend a ton of time mentoring. It's definitely something I fell into. I have ADHD. So, like, I get very obsessed with things. I had social anxiety disorder and I had a really hard time with that for the longest time. I found mentoring to be really helpful for me because it keeps me engaged. And then I learn a lot about people and I get to hear their stories and understand things more. Like, how did that make you feel? Oh, that makes sense. How can I help? You know, those things have been really beneficial to me in my career in general.
A
Yeah.
B
Well, you are presenting here at Zero Trust World this week, and your topic is phishing. And when I was running down the list of presenters this week, I saw your name there and I said, oh, perfect guest for Hacking Humans.
C
I love it. Yeah.
B
You were gracious enough to join us here today. Give us a preview of what you're going to be presenting.
C
My biggest thing is, I think a lot of security awareness programs focus on the wrong things, which is they focus on click-through rate of a simulation. And that sounds like the right thing to focus on, but really you're training human behaviors, which is very apropos for the name of your show, because I want you to know that your job is to kind of hack your employee and teach them behaviors that you want them to have. When you look at things, when you send a simulation out, you're basically bypassing all your own security. You're giving it literally the best chance for success. And many people who are getting the email would never receive an email from an attacker. So the numbers in themselves are skewed, but a lot of them are built off of things like the Verizon Data Breach Report and things of that nature, where they go, well, Verizon says it needs to be 1.5% click-through rate to be successful. So when I was working for Disney, I said, well, where are you getting this number from? Oh, well, we work with one company and we get their information and they work with several others. And I'm like, okay, well, how difficult is the phish? If you're an international company, are you phishing in their native language? There's so many variables that don't go into it. And I feel like focusing on that number as opposed to focusing on risky human behavior and training behaviors is much more important. So the majority of the talk is just going to be about bucketing your people into high-risk categories and then specifically focusing on the skills that you want them to learn and then hitting them where they learn. Right. If you're giving somebody a 40-minute or an hour-long phishing thing, the simulation training, no one's paying attention.
A
Amen.
B
I can vouch for that.
A
Yeah. I think all of us know they don't care.
C
So it's a big focus on micro learning because as a society, we've really gone into microlearning and that's where we absorb the most data.
A
What do you mean by microlearning?
C
Two to five minutes tops. Okay.
A
Yeah.
C
If you're giving somebody more information than that, they are not retaining any of it.
A
Yeah.
C
Your mind's not designed to.
A
My mind's certainly not designed.
C
No. Especially. Yeah, no, that's very much how my mind is like, oh, this isn't useful. We'll just trash that.
A
I'm curious what you think about in terms of training people better behaviors. Sometimes it can be a bit of a blunt instrument in terms of how we train the end user. And I'm curious about your approach, your thoughts on the approach there.
C
A lot of people train people with punishment. Right. I've found that that's never worked. It just makes them angry. It makes them hate the security simulations. Instead, what I did is I gamified it. I would put pop culture references in my simulations and I would train, and I went across the company, told them I was doing this. So, hey, when you see a simulation, I want you to look for that reference to Mal Reynolds from Firefly. I want you to find that and I want you to message me. And if you do, I'll send you some stuff.
A
Oh, no. Yeah, that would have worked so well on me.
B
Yeah. Right. You'd be the most well trained person in the company.
C
Right. So it trained a behavior of analyzing an email before clicking or doing anything. And you reinforce that behavior with. It's very similar to Pavlov's dog. Right. So you reinforce that behavior with good things.
A
Yeah.
C
And you don't punish them. And when you have a situation where people have fallen for multiple simulations, you give them a live presentation and you talk about the personal brand damage, making it about them as opposed to making it about the company. Because anyone listening, no one cares about your company. You do, because you may be the boss, but your employee doesn't care. They just don't want it to hurt them. So really focusing on brand damage and personal brand damage. And when I worked at Disney, it was easy. Like, hey, if you get compromised, your informant that you have for ABC may not want to work with you anymore. You've spent the last two years cultivating that relationship and now they're scared because they don't know if their identity is safe anymore. And that instantly kills it. We were able to go from, like, 2 to 3% of people reporting to 50, 60%, where people started reporting and really putting in the effort because they engaged and they thought it was fun. I really empowered them. I deputized everyone that I would do a class with. I'm like, you are the frontline defense.
A
Yeah.
C
You're what catches what comes through the cracks. And there are things that come through the cracks. And that's where you would, you know, maybe test it a little deeper. Where you have a red team go in, pull some emails from the outside world that are found in the wild. Because hackers are lazy for the most part.
A
Like they lean towards optimization 100%, that's
C
a much better way. But they want to go through the easiest path. And many of them don't have the technical skills to do anything but the easiest path. And phishing is one of those that has no bar to entry.
D
Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC, so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com N2K.
B
So there's this notion that, from a company's point of view, it's corrosive for me as the company to be in a situation where I am intentionally trying to deceive my employees. Yeah, that makes a lot of sense to me when it comes to phishing simulations.
C
I can understand it.
B
But how do you walk the line between effective phishing simulations, let's say, and you know, we all hear the ones about everybody's getting a raise or everybody's, you know, Christmas bonuses are here, that sort of thing.
C
Oh yeah, extra day of vacation.
A
I love that one.
C
No, well, so I kind of fell into the program because I had talked smack about it and I didn't realize the person who was running it was on the other side of the fence. So I was like this, he's right
A
behind me, isn't he?
C
The simulation is ridiculous. And they go, do you think you could do better? And I'm like, yeah. So I throw out my first simulation idea. And I'm like, cool. Well, we'll just say that we're no longer, we're not going to look at Memorial Day as a holiday anymore. And we want people to click on this if they don't agree with it. And they're like, no, that's insane. You'd get a high click through rate. And I was like, but isn't that what we want to do? And they're like, well, no, we want a low click through rate. And I was like, then why are you running simulation?
A
Oh boy.
B
Oh no. So perverse incentives.
C
Yeah. So I dialed it back, and really it's about educating people on why you're doing it. And I had a lot of conversations in what I called the security roadshow, where I went around and I talked to a lot of people while we were doing it. I'm not trying to trick you. I'm trying to be there so if you do fall, I can pick you up easily, as opposed to losing a promotion, losing, you know, that person, that sponsor that you were trying to work with that you now just sent a phishing email to. Those things can turn off people. So I made it about them and I made it important to them being part of that equation. And we didn't get as much kickback as we thought. There were certain business units that will remain nameless that were like, we will never do that because we are not going to deceive our users.
D
Okay.
C
And I can understand that because, in reality, the majority of your phishing attempts are going to be stopped at your perimeter if you have even basic security. Right. You're running SPF, DMARC. Let's hope you're doing the basics. And if you are, why are simulations even important? And it's about teaching behaviors and training people to kind of think differently.
A
I'm curious when you have these conversations with the C suite or just executives in general, how you approach it with them.
C
Oh, man, those were, I believe, the words I used in the first C-suite conversation I had. Keep in mind, I was a young punk and I'm not a guy who has any sort of pedigree. I somehow fell into security just by being there at the right time and putting in a metric ton of effort, like, high school education. So I'm working with people who have been previous DoD, previous FBI. And I go, yeah. And they go, well, the Verizon data breach says that 3% should be our click-through rate. And I said, it's garbage. And they go, excuse me. And I was like, it's garbage. I said, can you tell me any of their information? How are they doing their simulations? Where are they sending their simulations? How many samples are they getting? How many samples are being sent? Well, we don't know. So we asked them, like, hey, can you tell us? They couldn't. I kept pushing. They said, well, we work with two companies that do phishing simulations for a living. So they work with a ton of other companies and that's where we get our data. Well, do you control the simulations they do? No. Do you control the difficulty of those simulations? No. Do you do it in the language that's native to that person if you're an international company? No. So how is it an accurate number? And I really started to talk about changing the way we look at a click-through rate as not a negative, but a way that we need to know that we need to do harder simulations. Yeah, we need to make things more difficult based on the phishings that are getting through our perimeter and being reported. We need to build those simulations exactly like the attackers are sending. And I sold that idea and they bought into it and they said, no, this makes sense. So when we would see, a consistent two months in a row, a 3% click-through rate, we would then up the difficulty. But it took us a while to go from, like, Starbucks gift cards to one that tricked me, like. And I left the program, and I'll tell the story because I have no shame.
A
Listen, we've all gotten phished. It's everybody.
C
It's not a matter of if you can be phished. It's just a matter of are they going to catch you at the right moment.
A
Yep.
C
So I'm somebody who's been trained on this. I'm somebody who had built a program and spent the last two years living and breathing phishing emails, reviewing them, clicking on malicious links, detonating malware, and I was obsessed. So I had moved on. I became the manager of security engineering. And I got an email at 2 o'clock in the morning, DocuSign for a new employee. I literally had just hired a new employee in the UK. I clicked on it and I saw the simulation notice come up and I go, okay. Oh, man. They are never gonna let me live this down. They are never. The second I logged in, they go, we toppled the king.
B
That's just the watchman.
A
Yeah.
C
Yep. I was so.
A
It was nothing but smiles. When you saw them the next day, they were like this.
C
Yeah. But it proves that anyone can be compromised. Right. And it's just catching them at the right time. I always say security is like being a goalie and they have unlimited penalty shots. They can just keep shooting at you nonstop and you have no choice but to continue defending. So educating people on slowing down was the biggest thing I focused on. I probably investigated a thousand phishing emails over the several years that I was doing it, and every single one of them that clicked was just in a rush.
A
Yeah. Yeah. And it's anathema to how we work in the corporate world where everything's fast all the time. And I remember when I got popped.
C
Yeah.
A
In a simulation, thankfully, that our company was running, it was in response to a fake email from our CMO of this thing that needed to happen right away. And I was so used to those requests coming in from her. That completely worked on me. And I remember when I saw that screen come up and our security analyst just wandering over to my cube with this big grin on his face like, gotcha. Because I had just been working on some DBIR stuff. So it was like, really? I got qualified. I got. Yeah.
C
And we love popping security people.
B
It's literally a pleasure.
A
Joy.
C
It is our favorite. And anybody who's in security who gets popped will tell you immediately and will message you. Because I had built that relationship with the group. So they knew who I was. They knew the face behind the simulations, and they could come to me directly to complain or to tell me that, oh, that was a good one.
A
Here I am.
B
Yeah.
A
And I'm like, 15 years later, I still remember how it happened to me. I will never.
C
I will never. I was so pissed.
B
Yeah.
C
I was. Like, I said, did you. I said, did you plan that? Did you know I had hired someone? Were you specifically targeting me? And they're like, no. Just absolute happenstance.
A
Wow.
C
And that's just. It's like a horoscope, right? A simulation is a horoscope and a phishing attempt is a horoscope. Somebody it'll relate to.
B
You're right.
A
That's a great way of putting it. That's a great way of putting it. Yeah.
B
All right, well, Rob, we are definitely looking forward to seeing your presentation here at Zero Trust World. I tell you what, let's shift gears a little bit and get to this week's stories. And Rob, we'd love to have you participate along the way and let us know as we go. Maria, what do you have for us this week?
A
All right, I'm excited about this one, especially since, Rob, you mentioned that you're a fellow tabletop role-playing gamer. So it is Thursday, as we're recording this, which is normally my night, and I'm missing my session with my friends.
C
don't make believe time.
A
So I thought I'd bring the role-playing to us today. And so the story that I have is about a case that's going to the Maine Supreme Court right now. And I was reading the story, and I'm not telling you too much about it because I want us to role-play this a little bit. And my reaction to the story was, what did they expect would happen? So that's all I wanted to tell you. So I want the two of you to be a financial advisory firm. You're in charge of other people's money. Okay. And I'm going to be your client who has been working with you for 15 years. And I'm just curious how you would react to this situation that an actual financial advisory firm dealt with. Okay.
B
All right.
A
All right. So I'm calling you up. Again, I've been working with you for 15 years. So I have $1.3 million in money with Fidelity, and I would like to completely empty that out. Can you help me with that, please?
C
Why?
A
Well, I have a really exciting opportunity, but it's in real estate. It's definitely legitimate, and it's a once-in-a-lifetime thing, and I really need that money. And I wouldn't be doing this for any other thing. You guys have known me for 15 years. We have a long, good relationship. I've always appreciated your advice. I'm not going to another firm. This is the only time I will ever have this opportunity. So I just need that money.
C
I mean, that sounds amazing. Can you tell me more about it?
A
Yes. So this is. And I don't know all the details of this, but assume that I fill in a lot of relevant details here. And everything I'm telling you sounds completely of sound mind and legitimate.
C
Awesome. No, that's great. How long have you known this person? Are they the king of Nerobia? Like, I'm a big kid.
A
Yeah. Yeah. I wish I could follow you down that path on the RP. But, yeah, no, it's definitely. It's through a realtor who I know really well. And, you know, this is something that my wife and I have been looking into for years and it finally happened. And, you know, again, I wouldn't normally ask for this, but, yeah,
B
I agree with everything. In fact, as Rob was saying those words, I was thinking the exact same words, like, tell me more.
C
But you don't want to instantly shut them down. So if they're a customer that's been there for a while. So you want to just kind of buy into their crazy, right?
A
Whoa, you don't metagame now. You don't know that I'm crazy.
B
I would say, as your financial partner, would you be okay with us doing a little due diligence?
A
I would really appreciate that if you did some due diligence, actually. Yeah. So by all means, go ahead.
B
All right.
C
So that's where things can. So we do the due diligence and then we say, yeah, no, it looks good.
A
Yeah. So that would have been amazing had that happened.
C
No.
A
Oh, no.
C
No. Oh, no.
A
So, okay, so you both did really well. I feel a little metagaming did go on, because this is a show about hacking humans, after all. So you kind of knew where I was going with it. But you both did very well, I gotta say.
B
So do we get to go on to the next round?
C
I feel good. I mean, honestly.
A
So roll for initiative.
C
I'm down. I've got dice on my hands.
A
Yeah, I was gonna say I should have brought my dice with me. No, no, that was really well done. And I feel, as the co-role-player in that one, I didn't actually have enough to give back to you. But you did really well. So let me tell you a little bit about the story, about what actually was going on here and where this role-played situation diverged from what actually happened. So there is a firm in the state of Maine called RM Davis, and they indeed had a 15-year client, a couple named Bruce and Linda McMillan. And Bruce and Linda McMillan went to their advisory firm and said exactly what I said to you both. Hey, I've got my entire life savings, $1.3 million in Fidelity funds. I want to wipe it out. And it's for a really exciting real estate opportunity. And to their credit, R.M. Davis did very similarly to what the two of you did. Said, tell us more about that, because that is quite a request.
C
Sounds a little sus.
A
Sounds a little sus. Exactly. And indeed it was. And here's where it got tricky for everybody involved. Bruce and Linda lied to RM Davis at every turn and said everything's totally on the up and up. Like, you can do your due diligence, and everything we're going to tell you essentially is a lie, because, as you would predict, they were being scammed, and that money was indeed going to go to bitcoin crypto scammers.
C
Oh wow. I'm sure the scammers told them very specifically July, also. Correct. Which is the. It's very easy when you basically make the people in on the scam with you, because you can convince them that if you tell these people, they're gonna get in on it too and you're gonna lose profits.
A
That's correct. That is exactly what happened. So Bruce and Linda were coached every step of the way by the people who were scamming them. And the place where it diverged from what the two of you raised is actually, Dave, where you mentioned essentially a red flag type law, which does exist in Maine.
C
It does.
A
That is a law. Laws like that exist in about half of the US states, not in all of them, but one does exist in Maine. And that is actually the reason why there's a lawsuit going all the way to the Supreme Court in Maine. Bruce and Linda. Actually, Linda has since passed away, but Bruce is suing his financial firm saying, you didn't see all of these red flags that we were throwing your way. We were clearly being scammed and you guys didn't stop this scam. Whereas the financial firm said, you guys lied to us every step of the way; we tried to stop you. And so essentially, when this lawsuit was at a lower level of the courts, there's a phrase in the article that I was reading about this saying the courts question whether investors have the right to spend their money as they wish, quote, even if it's stupid. Which made me go, this is a really interesting.
B
Can't wait for law students to quote that.
A
Even if it's stupid.
B
Even if it's not stupid.
C
Yeah, that's awesome.
A
So basically, on one side, the clients were saying we were being scammed, and there were a whole bunch of red flags that our financial advisors should have caught. And then the financial advisors are going, yeah, but you lied to us when we were trying to do that. And also, by the way, compliance and the red flag laws are not mandated. So we were doing the best that we can. But, you know, we did what we could, but there wasn't a law saying we had to actually. We had to do the best we could, essentially. So again, on the client side, they never disclosed to the financial advisors that they believed that their accounts had been compromised. And so that is why. So everyone was lying to each other.
C
Yeah.
A
So what do you do in that situation as a financial advisory firm? You did that. You did your due diligence, you did the best you can. But essentially, if the client wants to
C
do something dumb, I mean, you can't stop them. It's their money. Right. And that's the biggest thing. So my hope for them is that they documented it in writing. Because if a lot of this happened verbally, then that hearsay argument is going to be pretty difficult to prove.
A
Yeah.
C
And I can understand both sides of it. Right. Because a lot of these people who get involved in these scams, they get scared, right?
A
Yeah, yeah.
C
And there's all kinds of different scams that are going on right now, especially with AI making it a lot easier to falsify evidence and proof, and that can be very scary. So especially for an older couple, I'm assuming they are. They got 1.3 million. I'm assuming they've been saving for a bit. When they get targeted, it becomes a very simple thing of, like, are they going to resist it and tell the truth and kind of come clean and risk the ramifications of that? Because a lot of times there's some serious threats. I mean, I engage with attackers all the time as part of my social media stuff, and I share those stories, where I, like, click on a phish, or I call back that phone number from the Norton antivirus.
A
That's fun time. Yeah.
C
And I share what that's like and kind of that experience. And they can get very threatening.
A
Oh, absolutely.
C
Very quickly.
A
Physical threats. Yeah, absolutely. Yeah. And another question about the red flag law in this specific situation was, there's a bit of a wrinkle about whether or not a financial advisor can act, whether or not they think their client isn't of sound mind, like, you
C
know, power of attorney, like taking it because they're not of sound mind. That'd be rough.
A
Well, it's also, you know, are the people making this decision, are they mentally competent at that point?
C
Something they could never answer.
A
Yeah. And also in the case of this couple, Bruce, who is the surviving member, the husband who's still alive, he's not mentally deficient, it seems. So, you know, it's not like he had dementia or something. He seemed just fine. So I'm watching this case with great interest, because this is one of those. I was reading through it and I'm going, what did they expect the financial guys to do in this situation when you lie to them?
B
Well, it seems to me like somewhere in the terms of service with your financial advisor, there should be a paragraph about willful deception.
A
Yeah. If you lie to us, like, what do you want us to do?
C
But I mean, if you think about it, though, like, a lot of money people take massive risks sometimes. So, like, it may not be completely out of the ordinary, or they may say, look, I understand this is a huge gamble, but I'm gonna put 500,000 on, you know, this small little company called Apple. And then your financial advisor is like, you need to sell everything. They're about to go out of business. And it's like, no, I'm just gonna hold. I'm gonna hold. And they're like, you're gonna lose all your money. And then it turns out to be a huge win, right?
B
Yeah.
C
But for every huge win, there's about a million that are huge losses. And when it comes to crypto scams, like, it's getting more and more demanding, and they're becoming more and more scary, because the information is readily available. I investigated a scam recently where the attacker sent an email. It was your standard sextortion email, where it's like, hey, we saw you on the Internet. We saw you going to these nasty sites and we recorded you.
A
Yep.
C
But then they took it one level further and they sent a follow-up email the next week saying, why are you going shopping in your blue sedan? Why do you think you can take your Toyota out and go do these things without my permission? You need to pay or I'm going. They literally just looked up open DMV records and found the information online. But it added that additional scare, where I had to talk to a customer of mine, somebody I work with from a consulting side, and I'm like, no, no, no, it's still a scam. It's like, well, how do they know it was my car? I was like, I mean, they paid $20 to get that information.
A
Yeah. You don't realize how much information is readily available online.
C
Seen.
A
It's unreal. Yeah.
C
And it's readily available for anyone who's willing to pay a very small amount. Yeah, right. Right. Because a lot of that is public record. Anything that is entered into your home or any of those things, it's very difficult to get those records scrubbed. I've tried.
A
Yeah.
C
Unless you're within law enforcement, it is not an option.
B
Oh, interesting.
C
Yeah. Yeah. My buddy is in law enforcement. He lives next door to me. So when you go on Google Street View, it's like, my house. And then blank.
A
Yeah. And I'm like, it doesn't exist. Don't ask who's asking.
C
There's nothing there.
B
We need to ask him to deputize you.
C
Totally. Let me get that sweet privilege. That's right. But, like, a blurry house. That's the thing that makes it really interesting: these scams are becoming easier and easier to do. And people in general want to please people. And if you add a little bit of fear and just enough to give them social trust, it's over.
A
Yeah, yeah, yeah.
C
And when you can tell them you've got their home address.
A
Yeah. Here's a picture of your house. That one scares people. Understandably.
C
And you could take a photo now with AI from Google Street View. You could say, create this. Put this car in a Publix parking lot. Put this car in a Walmart parking lot.
A
Yeah, yeah, yeah.
C
And create that image. And then you could send that and say, hey, I'm watching you.
A
Yep.
B
Right, Right.
C
There's a new scam on eBay that you may have heard about where people are getting items in and then they're tossing them in the air and they're saying, add a crack to this.
A
Oh, boy.
C
And then they send it and they go, this item broke in shipping. I'm not paying for this.
A
Oh, dang. So, like, it's going to be all these small sellers that are getting nailed. That, I'm sure. I'm sure they are. Yeah, yeah, yeah.
C
Where do you go when AI is making scamming incredibly easy? There's really no repercussions for things like this.
A
Cabin in the woods is my answer to that one. A lot of the time, honestly. Bug-out cabin, time to go.
C
Yeah, yeah.
B
Herding sheep in New Zealand was always my out.
A
That sounds great. Hang out in the Shire.
C
That's right. I mean, we'll set up an Airbnb. Maria and I will come in and hang out.
A
That's right.
C
We'll play D and D. We'll play D and D. Of course we will. I want to go to like one of those D and D campaigns, like in a castle.
A
I've been wanting to do one of those for ages.
C
Yeah, I found out that you can rent Gary Gygax's original house in his basement on Airbnb.
A
I'm not sure I'd want to do the smell, man. I'm sorry.
B
Can you imagine?
A
It's going to smell like dirty socks and Doritos. I'm not sure.
B
Cigarettes from that era.
A
Cigarettes.
C
I can't wait.
A
Everybody's mom's basement smell.
C
I'm trying to convince my friends to go. I was like, hey, we're going to go here and this is going to be what we're doing for my birthday, the rumpus room. Oh, boy.
B
All right, I'll tell you what, let's take a quick break here to hear from our sponsor. We will be right back after this message.
D
Most environments trust far more than they should and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo@threatlocker.com N2K today.
B
And we are back. We are coming to you from Zero Trust World in sunny Orlando, Florida. Thanks to our sponsors at ThreatLocker. We appreciate them hosting us this week while we're here and providing the facilities for us to record our podcast live. It's time for my story this week, and mine is about malvertising. So malvertising is one of those cyber threats. I think most people encounter it many times without realizing it. You visit a perfectly legit website and an ad loads in the background, and suddenly you're redirected to a scam page and it's an operation. In this case, in this research from the folks at Confiant Security, they identified a threat actor called D Shorties.
C
That's a good name.
B
D Shorties.
C
My favorite is still Charming Kitten. Yes, that's the best attacker group name.
B
Yes. Well, you joke that if Canada had a threat group, it would be Apologetic Beaver.
C
Yes, I'm down. Angry Moose.
B
So the folks at Confiant, they've been tracking this group since 2022. And early on, their ads pushed fake giveaways. You know, the things like, hey, congrats, good news, you're the 5 billionth Google search today. And they had bogus Amazon prizes that trick people into entering their credit card information. But last year, the researchers noticed some changes. The same infrastructure suddenly began redirecting Windows users to fake tech support alerts that look like Microsoft security warnings. But while investigating these campaigns, the team stumbled onto something interesting. They found an internal testing page that the attackers themselves were using.
C
Nice.
B
It was sort of a staging area where the criminals tested their ads before launching them. And of course, for the researchers, this was a gold mine. The page was publicly accessible.
A
Oh, no.
C
I love when attackers leave their stuff open.
B
Wait for it. It gets better.
A
Oh, good.
B
It was regularly updated with the new domains that the attackers plan to use next.
C
Oh, how convenient.
B
Yeah. So the researchers built some automation to monitor the page and harvest the domains, which meant they could block the infrastructure before the ads ever went live. So a few months later, they discovered a second cluster of infrastructure. This one had an admin control panel that showed all the active campaigns, performance metrics, and targeting data.
C
Awesome. Well, for the researcher.
A
For the researcher, yeah.
B
The attackers had added a password.
C
Oh, no. Is it password?
B
1, 2, 3, 4.
C
Password.
A
Oh, no.
C
Nicely done.
A
I was going to go with hunter2, but that was the other good guess.
C
Hacker proof.
B
Yeah. So the researchers could still keep watching from the inside. They were able to match the campaign IDs and domains to their own scanning systems. And again, they could identify and block these malicious ads before users ever saw them. They tracked 59 million malicious ad impressions in 2025. About 95% of them were aimed at US users. So a couple of takeaways here. I mean, first of all, malvertising remains massive and profitable as a.
C
It's not just profitable for the attackers. That's the thing people don't realize.
A
Yeah, yeah, yeah.
C
Like, I investigate fake jobs and stuff on LinkedIn, which is basically the same thing. They're just trying to steal your information.
B
Right.
C
There's people getting rich off of it and the companies who put the data out there. I think Facebook recently had a thing where it's like $2.1 billion of ad revenue is from scammers.
A
We talked about that on the show and we were like, yeah, why would they want to stop when that much money's coming in again?
C
I had built a bot that would go and validate every URL that was posted and then post a comment that said, like, hey, just want to let you know this website was created in the last 24 hours and is most likely a scam.
A
Yep.
C
And they permanently banned me and then IP banned me and then banned my name. So, like, like, I was. I was meta.
B
Did this.
C
Yeah.
A
And then they found your MAC address and they blacklisted it.
C
I was permanently removed. And then they added a thing on my account.
A
You need a trophy for that. I would be very proud of that.
C
So then they added something to my account where they said, if you want your account back, we need your photo ID and all your. Basically a copy of your driver's license to re-enable your account. Oh, and I sent them a photo of myself, and at the time it was Christmas, giving the middle finger. And surprisingly, my account never got re-enabled.
B
What a shame.
A
But it had little Christmas lights on the finger.
C
Yeah, but that advertising makes companies huge amounts of money. Yeah, yeah. Most of the fake ads, the fake jobs that myself and my buddy Jay, the Profiler, look into on LinkedIn are all sponsored, meaning that they paid a percentage to get those jobs out there.
B
Right.
C
And we've had the attackers. So, like, whenever you start exposing scammers, you get attacked and you get attacked a lot. So I get threats all the time. And on top of that, they'll be like, no, we're totally real. And I've invited multiple to my podcast. I'm like, look, if we're wrong, come hang out. Between myself and Jay, we've got probably around 40,000 people. Like, come listen. We are happy to have a conversation. Surprisingly, no one has ever taken me up on this offer.
A
Gosh. Maybe they're just camera shy. No, no.
C
But that's the audacity of these things. And the thing is, there's no repercussions.
A
No, none at all. Yeah.
B
Yeah. Well, obviously the other thing here is that sort of the break in the investigation came not from the sophistication of the researchers, but from the laziest.
A
Yeah, I was gonna say.
D
Nope.
C
I found that multiple times in my investigation where they would leave the attacking website open, and then I would find an INI file or some sort of configuration file with all of the domains. So we could pre-block all of the domains that were associated with the attack. I mean, it's all the time, because the majority of attackers. So here's another thing that a lot of people don't talk about is a lot of people doing attacking are not doing it willfully. They are literally enslaved.
A
Yes. Yeah.
C
Like, they went to a tech interview in Nairobi or some third world country, and then they were captured and they have to earn their way out, especially with the lonely heart scams and the pig butchering scams.
B
Right.
C
So I've talked to these attackers that have told me, like, I don't want to do this. I literally have no choice.
A
Yeah.
C
So as much as I feel bad for them, I also understand that not everyone is malicious. Some of them are victims themselves.
B
Yeah.
C
And that's the craziest thing about attacking outside the United States and even in the US like, pig butchering happens here too. It's just people are more afraid of it, but it's very difficult to prosecute.
A
Yeah.
C
And like, in the instance where the crypto scam that we talked about, you know, it's like, it's very difficult to kind of get through things like that because how do you trace it?
A
Yeah.
B
Right.
A
Well, what you were just saying about. We used to say a lot of the times that, you know, a lot of times attackers are kind of stupid and, you know. Sure. But especially with the organized crime and the slavery involved now, it kind of reminds me of those stories from World War II of when people would find shells that didn't have any explosives inside. And it was written on the side like, this is the best we could do. It's like, maybe now when we're seeing this real incompetence, sometimes it could be somebody going, this is the best I could do.
C
I can tell you, talking with these individuals, that is very much what they do because their heart's not in it and they don't want to do it. But also remember when they send a phishing email that's very easily identified, they do that on purpose because they only want to catch the dumb people. They don't want to catch somebody who's gonna second-guess it. They wanna catch somebody who's like, oh my goodness, this prince from Nigeria is sending me a million dollars. All I need to do is this. And we joke about that, but that's still a multi-million dollar profit scam every year.
A
It sure is.
C
It's insanity how much money it makes.
A
It sure is.
C
It's like I'm in the wrong business.
A
I know the Yahoo boys are doing real well.
C
Yeah, retirement plan.
B
Retirement plan, right.
A
You can't say that on the Internet, Dave.
C
Everyone has that moment where you're like, is this the moment I turn black hat? I remember I was doing a hack one time and I had gained access to like financial records for all of these super high level executives, as well as all the bank account information, as well as all the things where I
A
was like, you know, this is a lot.
C
Is this the moment? Is this when I go, you know what, let me just write my own check, let's get out of here. I, of course, didn't do that. But you always have that moral dilemma. And I try to explain that to people. Like your hackers are only as loyal until they're not.
A
Maybe we need some more ethics classes for people.
C
I think it's important.
A
I think it's really important. Yeah.
B
All right, I tell you what, let's move along here just for the sake of time and of course to our listeners, if there's something that you would like to send us so we can consider it for the show, please do so. Our email address is hackinghumans2k.com. All right, Rob, Maria, it is time to move on to our catch of the day. Our catch of the day comes from the scambait subreddit. And Maria, why don't you lead us off here. This is some pretty standard stuff here, but I think entertaining.
A
All right. Hello, I'm Mavis Wanczyk. Wanczyk. Wanczyk.
B
Your guess is as good as mine. It's a lot of syllables, not very many vowels.
A
Apologies to our Polish listeners. I'm learning. I'm Mavis from Texas and I'm 65 years and I'm a businesswoman but my pastor to us on this week about helping the and it really touched so that's why I'm here to help other for a little out of what I have. I'm texting you YouTube to see if you need some money to pay off bills or do some other things.
B
Hello, nice to meet you.
A
And you also send me your number sir so I can message you on Signal app sir so we can chat more better sir I can help you with any amount sir. If you want to buy a car or house or truck sir let me know. I can help you with any amount sir.
B
Hello Mavis.
A
It's a lot of sirs.
B
Mavis is very polite. To be honest with you, I don't actually need much money. You see, I've already retired to my farm out in the country here. And between farming, my pension and my superannuation, I have plenty to get by.
D
My worry is my son, you see,
B
he works out on an oil rig across the country and between his poor financial choices and some unfortunate incidents, he's found himself in quite the debt. Now initially I wasn't going to help him out of it, but since you reached out to me, I thought I might as well solve this problem for him.
A
You can see sir, look at the people I help sir on TikTok sir all day get their money immediately sir. So let me know sir. I can help you with any amount of money sir. Are you afraid of telling me the amount you need sir? Question marks.
C
Skip ahead a little bit.
A
He says a lot of question marks.
B
Let's just say $100,000. That should work for the time being. If he needs more than that, he can sort it out himself.
A
Yeah. Yes. Okay sir. I will help him with that sir. So are you the one who is going to help him and collect the money or will he do that himself sir?
B
Oh, it would probably be best if I get it then I can pay off his debts for him.
A
Okay sir. How you get the money? The one green dot is free at the store. All you need to do is activate it with minimum amount of $50 so I can pay you off immediately.
B
The one what? What?
A
This is the card you are going to get sir. So I can be a two load the money. Okay. It sir. Wow. I don't know how to parse that. And you go to the ATM around you and take the money out of the card sir. So when you get the card you activate it sir. So I can be able to load the money on the card sir. And you can go to the ATM around you and take the money out of the card, sir. Question marks.
C
The question marks really sell it.
B
They really do. I think we can stop there. Like, it goes on, but it's a lot of sirs. Mavis includes a picture of a Visa debit card.
C
Only 50 bucks.
A
Only 50 bucks? Yeah.
C
So do you guys have that?
B
Unpack it. Help us out here. Rob, what do you think's going on behind the scenes?
C
I feel like this. This might be just a scam to get $50. I'm just saying. I mean, just prompt me 50. Maybe not. Maybe it's legit. I always like to think that there's, like, somebody who's been trying to give away their money forever, but nobody believes it's real. It's like, I just. Why can't anyone take my millions? This is the struggle of a prince. This is what I have to deal with. I feel like that. I would love that to be a reality.
A
I mean, I'm available if that person does exist. Feel, please pay off my mortgage@n2k.com I would love that. Go ahead.
B
Yeah, Yeah. I wonder too. Like, is this as you were saying earlier, Rob, like, they want to find the gullible people to get them on the course, and you start with 50 bucks, and now we got a hot one on the line.
C
Sometimes it ends there too. So I've investigated a ton of these because I love investigating scams and kind of messing with scammers, probably to a point of obsession. And sometimes it stops at the $50. But other times, what will happen is, so I've given my information away to hundreds of hackers. I have burner phones in my house that ring. And I, like, run over and grab the burner phone.
B
Cocktail party at your house?
C
Totally.
A
So it's a symphony of ringing.
C
My kids are always like, what are you doing? I'm like, why are you giving them money? So, like, what it'll start off is 50, and then what happens is your information gets added to what I call, like, the hacker Rolodex. So a lot of these people share information. It's run by, I would guess, probably maybe 100 or 200 organizations. They're all little small sub-pockets and they share information with each other. And the reason I know this is because I fall for scams purposely. And my phones blow up constantly with phishing messages, with scam texts. My fake emails that I've used in scams get tons of like, hey, you need to pay Norton Antivirus, because they know once they have one person, then they sell that information to another hacker group. And it's very inexpensive to buy things like that. Like on the dark web, you can buy like a whole trove of people who are just like, you know, whales, so to speak. And you pay like, you know, $0.50. Because they're just making money on top of money at that point. They've already done the scam. Right now they're selling your information to make more money. That's how a lot of the job scams are working right now too, is like, they'll get you with a $25 application fee.
A
Yeah, yeah.
C
One of the ones I investigated recently was brilliant. They said, hey, we would love to hire you, but we need to do a background check. And they send a link. The link goes to a legitimate website for a credit check. And I was like, how are they making money? Like, what is this scam? There was a referral link in the URL.
A
So they get a cut.
C
They send it out to millions of people. They get a cut for every person who signs up. They spend $9.99 for the first month. That person at the end of that month gets paid five bucks or whatever it may be for that new person that just signed up. You're making literally 500 to $1 million a year just sending out fake jobs and sending them a referral link to sign up for the credit check.
A
Wow.
C
And then that's how you streamline it, right? They go, hey, we want to streamline you, but we need to get a background check done immediately. And with so many people struggling to find work and technology.
A
Oh, yeah, dime a dozen.
C
It's very easy to get people who will fall for it.
A
You gotta wonder how much of the tech ecosystem right now is being propped up by scamming.
C
I estimate 80%.
A
Oh, my God.
D
Wow.
C
It is an obscene amount of fake jobs. My buddy Jay, and I've mentioned him before, he's called the Profiler on LinkedIn. He's removed 38,000 jobs in the last year.
A
Jesus.
C
I've investigated in the last two years, I've investigated for mentees, probably maybe 40 or 50 job offers. 99% of them have been scams.
B
Really?
A
Yeah, man.
C
And they're really good. I had one that was brilliant. They had compromised a recruiter's account, a well-established account. So it passed my first sniff test and the account looked good. They've been posting. My friend went for the job interview and it just seemed a little bit off.
A
Was it remote in person?
C
Remote.
A
Okay. Yeah.
C
And they wore the recruiter's face. Oh, wow.
A
Jesus.
C
They put on a deep fake, which is relatively easy now with some photos, and they wore the recruiter's face. And luckily my mentee, who's been in technology for a while, she goes, can you spin in your chair? Because the mask can't keep. It won't stay. And they refused. Oh, my chair doesn't spin. Well, that's fine. Put both your hands in front of your face.
A
Yeah, yeah.
C
And that's good now. But we're looking at maybe six months, maybe even a year.
A
That won't work anymore. That won't work anymore. Yeah. I know that cat and mouse game is always being updated.
C
It is scary. But the majority of jobs that I've investigated, the majority of roles that are posted are either not real or they're already filled. Like, companies have to post roles externally. There's a lot of policy around that. So I always tell people who are in the job market who are struggling, I'm like, it's not you. Statistically, that job went to their 10 friends who are unemployed right now. Yeah, like, you just. You have to become one of their buddies. Like, when I got laid off, I hit LinkedIn really hard. And I realized that building a social presence was really important. And then I started to get interviews by building a reputation, and kind of people started coming to me. But I would fall for scams on purpose. I would get on calls, and they would try to drill me for information about my previous company. That was my favorite. Like, I would get a job offer and they'd be like, we want to talk to you. And I joined with five guys, and they would start peppering me with questions about Disney and their AI posture and all this stuff. And I was just making up crazy stuff. I was like, yeah, we really invest. Our biggest investment right now is AI honeypotting. And they're like, oh, wow, tell me more. And I was like, yeah, we do honeypot AIs. And they're, like, really enthralled. And they're taking copious notes. They literally are the whole time. And they're like, well, we would love to offer you a job. And I was like, oh, that's awesome. I said, but I'll let you know, everything I told you was a lie. And I was just wasting your time. Cause clearly you're scamming me.
A
Nice.
C
And I posted some of those videos. But it's very interesting because a lot of people are desperate. And I've been working with people for the last two years in this hiring market, like, they're struggling, and the attackers are taking advantage of it wholeheartedly because it's very easy to do and it costs very little. And you can scam a lot of people really, really quickly.
A
Yeah. And especially if you're looking for a job that's wasting a ton of your time, which you could be using to find a better job.
C
And that's the biggest thing. And all of the job networks, not just LinkedIn, all of them, are just flooded with fake jobs because there's a lot of value to it. I've had mentees who have signed up for jobs. There's two big scams that I've seen recently that are really clever and just terrible. One is what I call the MSP scam where they'll hire you, and in your contract, it basically says if you leave within the first two years, you owe them $20,000.
A
Get out.
C
Yeah.
A
Oh.
C
And then they make it a very inhabitable work environment. You were hired as a security professional, but you're doing desktop support and you're going house to house. And if you quit, you owe the money.
A
Oh, my God.
C
Because they invested in you, and that's their logic. And people sign it because they have no choice. And I had one guy who moved across the country for a job scam, and it was absolutely. The building was fake. He came to me after and I tried to help him recover some of his things, but, like, it was rough. Wow. It happens so often that it's, like, not even when anybody messages me. So if you're a new person in cyber and you're listening to this and you get a job offer, it's a scam. Unless you actively know the person, it's a scam.
A
So go to BSides near you. Seriously. Go meet people in person. Go to Lobby Con.
C
Volunteer your time. Don't go as an attendee, go as a volunteer and put the cycles in, because that's how you get noticed. All of my mentees who have listened to me and taken this advice have found jobs for entry level because you have to put in the work. All of us who got into technology and cyber, we basically got into it because we were, like, the one who just kept breaking stuff and showing up and showing up. I hung out long enough that they go, hey, you could probably do this. Do you want to figure it out?
B
But we might as well start paying you.
C
Yeah.
A
Honestly, yeah. And I've known people who've gotten jobs by hanging out at the locksport table at every con.
C
Yeah.
A
And it's just like, you make enough conversation with people, they go, you know, your brain works the way we need it to work for the kind of work that we're doing.
C
100%.
A
Yeah. It's amazing. Yeah. And cons always need people really need volunteers.
C
And I know it's hard for people who are neurodivergent, like myself, to be social.
A
And a lot of us are in this space.
C
Almost all of us.
A
Almost all of us are.
C
So, like, you're with friends, the majority of people in technology, because you kind of got to be a little bit.
A
You gotta be a little spicy and
C
a little narrow spicy.
A
You gotta be spicy. You have to.
C
Because the job itself is very repetitive, very monotonous, and you have to get kind of obsessed about the world's smallest details. Yeah.
D
Yep.
A
And get mad about it, like really
C
upset like that you can't find this tiny needle in a haystack. I remember staring at logs for like a day, and my daughter comes in, she's like, what are you doing? And I'm like, well, I'm analyzing log traffic. She's like, that's boring. And I was like, yes, it is.
A
Yes, it is.
C
But I will find this anomaly if it kills me. The attacker got in somehow and I will find it.
A
My pattern matching skills are unmatched.
C
Yeah.
B
For me, that was as a teenager, debugging code in BASIC on my TRS-80.
A
Oh, boy.
B
Locked in. Like, why is this not working?
C
No, you get super obsessed. And I think a lot of people, because especially the younger generation, because of the constant on instant knowledge, super fast kind of ba, ba, ba, ba ba. They don't know how to dig in
A
deep to do the deep work. Yeah.
C
I hired an entry level role recently and I asked very basic questions, like basic troubleshooting stuff.
A
Stuff.
C
I gave people 24 hours, granted, a very short amount of time to prep. And I interviewed 15 people out of the 700 applications I got in the first 24 hours because I opened a true entry level role. Like, literally no experience was required, which is a unicorn.
B
That's unheard of.
C
A unicorn at a Fortune 500.
B
Wow.
A
Rip your inbox.
C
Yeah. Oh, it was nuts. So I didn't post it on my social media because, God, that would have been bad. So I went with mentees, I went with people who were referrals. And we interviewed 15 people and 10 of them right off the bat didn't even research what the role was. Didn't do any sort of deep diving into it. One guy was using AI. I totally busted it. Like, bro, I asked you these questions specifically because I know what the prompt's gonna give. And the other ones just didn't do any basic troubleshooting and had never done it in their entire life because they don't need to anymore. Yeah, why do you need to troubleshoot when I can just ask AI?
A
Yeah, so you gotta. Knowing how to do deep work and tinkering and getting into a flow state and failing. Yeah.
C
Over and over again. That was my greatest feature.
B
Persistence.
A
Always.
D
Yeah.
A
Always, always.
B
All right, we gotta wrap up here. Rob, thank you so much for taking the time for us. This is a true delight. No, I'm really glad we got together here. This was really great. And since I butchered it on the way in, I'm going to let you tell people how to find your podcast.
C
Go for it. Yeah, so I'm all over. You could just search Bowtie Security Guy, all one word. After Dark is the podcast. I also post a lot of content on LinkedIn. Just search Bowtie Security Guy, one word, on Google or any search engine. The AI will tell you how fantastic I am. I love how the AI is like a 20-year security veteran with multiple connections.
A
Is the information correct? It is.
C
Okay. It is.
A
It's all hallucinations.
C
I'm okay with it being hallucinations too, but yeah.
B
Known for his extraordinary good looks.
C
Oh my God. Exactly. His amazing beard. Yeah, but no, it's really fun. But yeah, please definitely check it out. Anybody who needs help who's listening, if you're struggling in this job market and you can't find anything, I help people for free. I get that you have a ton of listeners and I'm probably going to rest in peace, my inbox. I don't care. I'll make time for you because there's so many people struggling, and if you're in technology and you are employed and you are not actively helping at least one person a week, you are doing a disservice to our community.
A
Amen to that.
C
So please reach out to me. I don't charge anything for it. I'll do resume reviews, I'll look at your LinkedIn, I'll help you do interview prep. If you have an interview, I will make time for you. Because in this market we need people who are willing to give time and help people. And it's hard.
D
Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo@threatlocker.com N2K.
B
That is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
A
And I'm Maria Varmazes and Robert Westein.
B
Thanks for listening.
Podcast: Hacking Humans
Host: N2K Networks
Date: March 12, 2026
Guests: Rob (Bowtie Security Guy After Dark podcast)
Theme: Deception, influence, and social engineering in cybercrime
This special live edition, recorded at Zero Trust World in Orlando, Florida, brings together cybersecurity pros to discuss real-world social engineering, phishing, and the ever-faster evolution of digital fraud. Guest speaker Rob (Bowtie Security Guy) shares war stories, pragmatic advice, and candid insights into the challenges of defending human vulnerabilities in organizations. The hosts dig deep into effective training, the failure of "click rates," malvertising, scams, and a fascinating legal case blending human error and cybercrime.
[01:35-02:28]
The journey into cyber is never linear.
Mentoring is key to retaining passion and breaking social anxiety barriers.
Success often means managing tedium punctuated by bursts of adrenaline.
"I build replica movie props in my free time. I worked for Disney for 20 years... now I'm just a boring executive at a Fortune 500."
— Rob [01:35]
[04:59-06:56]
Companies over-rely on simulated phishing click rates (e.g., the "1.5%" from Verizon’s DBIR), which are contextually skewed and ignore simulation variables.
Real attack scenarios are diverse—email language, origin, and content often differ from tests.
Instead of sim-only metrics, organizations should "bucket" people by behavioral risk and train targeted skills.
"Focusing on that number [click rate] as opposed to focusing on risky human behavior and training behaviors is much more important."
— Rob [05:53]
"When you send a simulation out, you're bypassing all your own security... Many people who are getting the email would never receive an email from an attacker."
— Rob [05:16]
[06:44-07:15]
People only retain knowledge in short bursts.
Shift training to "microlearning": 2-5 minute focused segments.
"If you're giving somebody more information than that, they are not retaining any of it."
— Rob [06:59]
[07:31-09:35]
Traditional punitive approaches create resentment; positive reinforcement ("gamification") is vastly more effective.
Use pop culture references or Easter eggs in phishing simulations; reward employees for spotting them.
"It trained a behavior of analyzing an email before clicking or doing anything. And you reinforce that behavior... with good things."
— Rob [08:13]
Focus on the user: illustrate how a breach can damage their personal brand and relationships, not just the company.
"No one cares about your company. You do, because you may be the boss, but your employee doesn't care. They just don't want it to hurt them."
— Rob [08:45]
Red teaming: use real-world phishing found "in the wild" because "hackers are lazy for the most part" and use easy, optimized paths.
[10:57-13:11]
Simulations can create mistrust if not transparent.
Intentionally "tricky" emails (e.g., promising a bonus) can backfire or create perverse incentives.
"Why are you running simulation? ...you're not trying to trick you. I'm trying to be there so if you do fall, I can pick you up easily."
— Rob [12:21]
Key: walk employees through the why; avoid adversarial relations. Some units still resist all forms of deception.
Most real phishing gets stopped by technical controls (SPF, DMARC, etc.) — so simulate wisely and focus on behavior change.
[13:34-15:43]
Push back on industry click-rate benchmarks—most cannot justify sample quality or simulation context.
Instead, treat click-throughs as indicators for upping difficulty, not signs of failure.
"It's a, it's not a matter of if you can be phished. It's just a matter of are they going to catch you at the right moment."
— Rob [15:46]
Even experts click: Rob recounts his own embarrassing but instructive moment falling for a simulation during a stressful time.
[16:32-17:13]
[19:03-28:14]
Scenario: long-term client requests entire life savings withdrawn for a "real estate" investment (actually a scam).
Real case in Maine Supreme Court: Victims lied to their advisors under scammer coaching, then, after losing the money, sued the advisor for not seeing "red flags" (even though the advisor was the one being deceived).
"The courts question whether investors have the right to spend their money as they wish 'even if it's stupid.'"
— Maria [25:12]
Dilemma: Advisors can't protect clients who purposely deceive them; red flag laws are unclear and only sometimes mandatory.
Scams made worse by AI-driven evidence falsification and public records abuse (e.g., open DMV information used for intimidation [29:21]).
[34:09-39:37]
"Malvertising" (malicious online ads) is widespread and lucrative. Attackers place fake giveaways, redirect users, steal card info.
Confiant Security research found exposed attacker infrastructure—researchers could block domains in advance.
"The page was publicly accessible...updated with the new domains the attackers plan to use next."
— Dave [36:08]
Attackers themselves often use weak passwords on their own infrastructure, which works in defenders' favor.
Attackers profit—and so do the ad networks (up to billions in fake ad revenue).
"I had built a bot that would go and validate every URL...and they permanently banned me and then IP banned me"
— Rob [38:06]
Many scammers are forced labor, particularly in "pig butchering" and "lonely heart" scams—some are victims themselves [40:22].
[46:51-56:36]
Falling for small scams (e.g., $50 gift cards for “free money”) marks you as a proven target for resale on scammer lists.
Scammers network and share targets; hacking info is easily bought and sold.
Job scams are rampant — fake recruiter accounts, deepfake interviews, referral fraud, and predatory contracts.
"All of the job networks...are just flooded with fake jobs because there's a lot of value to it."
— Rob [53:59]
Telltale advice: If you get a cold job offer—"it's a scam unless you actively know the person."
Best way in: network at conferences, volunteer, make yourself known.
Persistence and willingness to "dig deep" and tinker are vital.
"Security is like being a goalie and they have unlimited penalty shots. They can just keep shooting at you nonstop and you have no choice but to continue defending."
— Rob [16:38]
"Focus on brand damage and personal brand damage… I deputize everyone I would do a class with. I'm like, you are the frontline defense."
— Rob [09:08]
"If you're a new person in cyber and you're listening to this and you get a job offer, it's a scam. Unless you actively know the person, it's a scam."
— Rob [54:36]
"If you are employed and you are not actively helping at least one person a week, you are doing a disservice to our community."
— Rob [59:56]
"This market we need people who are willing to give time and help people. And it's hard."
— Rob [59:57]
This episode is rich with frontline stories, pragmatic advice, and candid, sometimes laugh-out-loud takes on the realities of cyber defense and the human element. It’s essential listening for anyone fighting on the front lines of cybersecurity—or trying to join.