Dave Buettner
You're listening to the Cyberwire Network, powered by N2K.
Joe Kerrigan
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner and joining me, as always, is Joe Kerrigan. Hey, Joe.
Maria Varmazas
Hi, Dave.
Joe Kerrigan
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazas. Maria.
Dave Buettner
Hi, Dave. And hi, Joe.
Maria Varmazas
Hi, Maria.
Joe Kerrigan
Hi, Joe. Hi, Maria. Hi.
Dave Buettner
I'm going to do this every week.
Joe Kerrigan
We got some good stories to share this week. We'll be right back after this message from our show's sponsor.
Sponsor Voice
But first, a word from our sponsors at KnowBe4. Time travel would be a particularly powerful tool in the hands of any overworked infosec professional. Think about it. Being able to see the future and know which malicious emails would be missed by all the existing filters. Your ability to stay one step ahead of the bad actors would rise to a whole new level. Unfortunately, our sponsors haven't cracked time travel just yet. They are, however, introducing a new phishing protection product that can block and remove dangerous phishing emails before your users even see them. Stay with us, and in a few minutes you'll learn how.
Joe Kerrigan
All right, before we dig into our stories, we got some follow-up here from a listener who wrote in with some information about FEMA. So this was following up. We were talking about some of the goings-on after the terrible hurricanes.
Maria Varmazas
Yep.
Joe Kerrigan
That hit the Southeast here in the United States. And someone wrote in with some good information about FEMA, the Critical Needs Assistance, which is. Remember we were kind of recalling that there was an immediate fund that you could get. Joe, you remember that? Yes. So that's the Critical Needs Assistance Fund. And that is indeed what that is for. So basically the bottom line. I'm not going to read the whole email from this kind listener who wrote in, but the bottom line is disasterassistance.gov is pretty much the one-stop shop for everything you could want to know about these sorts of situations and what FEMA can and cannot do for you. And then also there's resources at the Better Business Bureau to protect yourself from folks who are out there trying to scam people. This listener also recommended calling 211 to find local resources if there is an emergency. And also wanted to remind folks that a lot of what happens through FEMA is tied to your home address. So be careful to not apply for multiple things using the same address. Like you can run into issues with that, or someone could use your address without you knowing it and get funds that were intended to be for you. Disasterassistance.gov is the main link to check out, and we thank our listener for writing in and clarifying some of that. We do appreciate it and of course, we'd love to hear from you. If there's something you would like to share with us, you can email us. It's hackinghumans@n2k.com. All right, well, let's jump into our stories here. This week I'm going to kick things off. This is a story from the New York Times. It's called "Their Parents Are Giving Money to Scammers. They Can't Stop Them." And it's kind of a tragic story here. There's two folks that they talk about in this story, but I'm just going to talk about one of them. This was a gentleman named Chris Mancinelli. And when his father, Alfred, passed away, Chris went to his father's home. His father was 79 years old when he passed, and he went to his home and he went in.
Joe Kerrigan
And there on the refrigerator were some family photos, pictures from his grandchildren, crayon drawings and snapshots of his grandchildren. But also on the fridge was a photo of Alexa Bliss, a WWE wrestling star. Now let me pause here and ask, are either of you familiar with Alexa Bliss?
Dave Buettner
No, I am not. No. No.
Joe Kerrigan
Neither of you have your Alexa Bliss action figure dolls?
Maria Varmazas
No.
Dave Buettner
As opposed to something else.
Maria Varmazas
I like when people say they're not dolls, they're action figures. I'm like, they're dolls.
Joe Kerrigan
They're dolls. Yeah, they're dolls. But I put a photo of Ms. Bliss in our show notes here.
Maria Varmazas
So the two of us scroll down.
Joe Kerrigan
And take a look, check out what Ms. Bliss looks like. Maria, why don't I give you the honors, since you're less likely to get in trouble describing this lovely lady than either of us. Huh. Well, your words, not mine. So in the self-interest of both Joe and me.
Dave Buettner
Oh, I see.
Joe Kerrigan
Why would you describe.
Dave Buettner
Yeah, she's got a rockin' hot bod, everybody. And she's, she's very athletic and she's wearing skimpy clothing and she looks great.
Maria Varmazas
She's in good shape.
Joe Kerrigan
Yeah, she's in fantastic shape.
Maria Varmazas
Yeah.
Dave Buettner
Good for her.
Maria Varmazas
She looks exactly like I'd expect when you said female WWE star.
Dave Buettner
Yeah, yeah. She looks like she is in fantastic physical shape.
Joe Kerrigan
Yeah, I imagine you have to be for that job.
Maria Varmazas
I mean, there have been some really fat guys in that job.
Joe Kerrigan
Oh, that's true. That's true.
Maria Varmazas
George "The Animal" Steele was a big fat guy.
Joe Kerrigan
Yeah, I mean, strong, strong. Andre the Giant was no string bean, Right?
Maria Varmazas
Yeah, exactly.
Joe Kerrigan
Anyway, Chris found out that his father believed that he was in a romantic relationship with Alexa Bliss. And over the years, his father had sent nearly a million dollars to this imposter. Obviously, this person was not actually Alexa Bliss, the WWE star. This was someone awful pretending to be Alexa Bliss. Alfred, the father, his nest egg was nearly a million dollars, and at some point, it had gotten down to just about $100,000. And Chris, his son, decided to intervene and moved his father's funds to a secure account in the hopes of protecting them from further loss. And his father was furious at him, sued him and demanded that the money be returned. He was convinced that he and Alexa had a real relationship, and he refused to believe otherwise. And this resulted in the family not communicating, disowning children, not being able to see granddaughters. Just terrible, terrible pain for the family that lasted through when the father died. There was no reconciliation here.
Maria Varmazas
Awful.
Dave Buettner
Jeez, that's heartbreaking. So infuriating.
Joe Kerrigan
After his father passed, Chris put together a bit of a timeline of this, and he says that it seems to have started back in 2018. And he credits the pandemic with having kind of deepened his father's vulnerability. The isolation from the pandemic, and I think. I think we can all relate to feeling lonely or vulnerable during the pandemic at one point or another.
Dave Buettner
Oh, 100%.
Maria Varmazas
I kind of like it.
Joe Kerrigan
So this relationship with. What did you say?
Maria Varmazas
I kind of liked it.
Dave Buettner
We're both hearing our feelings and you're like, it was great.
Joe Kerrigan
Yeah, that's right. All those pesky people.
Maria Varmazas
Sorry, sorry. For my extrovert co-host.
Joe Kerrigan
Sit home by myself.
Dave Buettner
I am not an extrovert. I am not an extrovert.
Maria Varmazas
I have to be.
Joe Kerrigan
Be bothered by all you people.
Dave Buettner
Joe, I was basically taking care of a three year old all day. I'm not an extrovert. I just got worn out.
Joe Kerrigan
Yeah. I have extrovert. I have extrovert. I have extrovert abilities.
Maria Varmazas
You have extroverties.
Joe Kerrigan
But I do enjoy my solitude when given the opportunity.
Maria Varmazas
Yes. Oh, I love my solitude from time to time.
Joe Kerrigan
Yeah. This had gone so far that Alfred had even considered selling his home. And he had taken out loans against his car. He had put his television in hock to send more money to the scammers. He never actually met anyone, but they had convinced him that this fake Alexa. There were times when she needed help with money for surgery, that she needed help being protected from Vince McMahon, the guy who runs the World Wrestling organization. Oh, my gosh. So super deep. And the person had, you know, fallen for this horribly. And, you know, his son Chris. It's just heartbreaking, you know, because these scammers, not only did they take away the father's resources, and in doing so, any resources that could have been passed along to the family when the father passed away.
Maria Varmazas
Right.
Joe Kerrigan
But also, it just broke up the family. I mean, everyone felt betrayed, and they felt like they had lost their grandfather, their father and their grandfather to these scammers. The father was so trusting of these scammers. And it's just heartbreaking. It's so hard when someone believes in this sort of thing and they think that there's real. That. I was gonna say real love, but even just a real relationship.
Maria Varmazas
Right.
Joe Kerrigan
You know, I have a neighbor who's going through this in real time.
Maria Varmazas
Really?
Joe Kerrigan
Yeah. Yeah.
Dave Buettner
Oh, God.
Joe Kerrigan
A young man who has some challenges in life, has some physical challenges in life, and lives with his. And he's in his 20s, lives with his mother near me. And I've spoken with his mother about this, about the romance scam, but, yeah, there's a woman in Florida who's basically fleecing him. And the thing is, he's an adult. Right? Right. I mean, he's not a child. He's an adult. He gets to do what he wants with his money. It's his money.
Maria Varmazas
Yeah. And have you talked to him?
Joe Kerrigan
I have not yet crossed paths with him to speak with him. When I do see him, I am going to talk to him. Yeah.
Maria Varmazas
I'd like to know how it goes. I have a prediction about how it goes.
Dave Buettner
Yeah, yeah, yeah. I actually, oddly, have some experience on the one angle that we haven't. Not me personally, but I have friends who are somewhat public figures that have been impersonated by scammers. And when they go to events, sometimes people who are convinced that they've been in a relationship with them come up to them, like at a. You know, to get an autograph or, you know, like a meet and greet event. And it's. In some cases, people don't know that they've been impersonated until that moment. But other folks find out ahead of time and they actually try to intervene to the person saying, you know, we've been. I'm so glad to finally see you in person. I've sent you all that money. How is your dad doing? Or Whatever. And, you know, you only get a little bit of time to actually tell them, I'm not the person you've been speaking to. Like, you're being taken advantage of. Like, I would never ask you for money. And sometimes that gets through, but in other cases, the person just goes, oh, you're being coy. I get it. You're being shy about our relationship. And it just.
Maria Varmazas
Right.
Dave Buettner
Wow, the denial runs so deep. Yeah. I mean, you just kind of don't know what to do at that point.
Joe Kerrigan
But. Yeah, no, it's heartbreaking. There's more to this story and so we will have a link to the story in the New York Times. But these are becoming so common now and the heartbreak here is so deep and the financial loss. So I guess the lesson to our listeners is check in, you know, be on the lookout for this sort of thing and just make sure that. I guess the hope is if you can catch it early on, then maybe you'll have some chance of heading it off at the pass. But it really is a tough one.
Maria Varmazas
Yeah, it's awful.
Joe Kerrigan
Yeah. All right, let's move on here. Maria, what do you have for us this week?
Dave Buettner
Oh, it's a pretty simple one, I think. Sort of an update to an ongoing issue that I'm sure a lot of our listeners who work in IT have been encountering. This one is from our friends at Wallarm, who have some new research about DocuSign API abuse, and that's sending out a whole bunch of convincing-looking invoices at scale. So folks who have been working in IT for ages can tell you there have been, for ages, email security issues where you get Square, DocuSign. I'm trying to think of others, like all sorts of services that businesses often use. Impersonated in phishing emails. Sorry, what was that? Bitcoin?
Joe Kerrigan
Yes.
Maria Varmazas
PayPal.
Dave Buettner
PayPal, yes.
Maria Varmazas
Yeah. Because PayPal has their own interface that you can use, right?
Dave Buettner
Yes. And these have been getting abused for years. So that, that is nothing new. And the typical scam is, you know, you get a convincing-looking invoice that you didn't expect, but maybe you just figure you forgot something and you click on a link, it takes you to a phishing website, your credentials get exposed, etc. This is a slightly different flavor on the old scam that Wallarm is exposing. And this one specifically abuses the, in this case, the DocuSign API to send a valid-looking invoice for a product. And it relies on essentially human error at an organization, because in many cases this product actually has been requested by the organization. So they are expecting an invoice. Somehow the scammers, I suppose, either know or anticipate this, and they essentially use the DocuSign API to create an invoice that, again, is coming from a real DocuSign URL, in this case, usually docusign.net, and then the scammer tacks on an additional charge in the invoice that wasn't supposed to be there, but they kind of sneak it in. And then the idea is that the recipient at the organization misses that detail, still signs the invoice through DocuSign, puts in all their bank information, and then the scammer actually receives the funds in their direct bank account. So to me, it sort of reminds me of, like, those birds that sneak into, like, a nest and push the other eggs out, like a.
Joe Kerrigan
Right.
Dave Buettner
I couldn't remember what that was called as a brood parasite, apparently. I'm like, that's sort of like a brood parasite, right?
Joe Kerrigan
Yeah.
Dave Buettner
Which is like. That's an interesting little twist on this very common scam. And so, Joe, you mentioned that PayPal allows people to send these things out at scale. DocuSign does as well, because, I mean, my God, how many DocuSign emails have you all gotten in the last month? I mean, I get a ton, so you can. DocuSign does make it easy, by necessity, to automate, spray and pray, sending out tons and tons of emails through their API. But unfortunately, it does make it hard to detect these incoming attacks and these incoming fraudulent emails, because it is that cat-and-mouse game. I was reading on. I went down a bit of a Reddit rabbit hole on this one to figure out what people are doing about this. This is way outside of my lane. I've never worked in IT, so I'm just trying to figure out what people are doing. But I was reading some folks saying that essentially they had to. It got so bad that they had to essentially manually stop every single email that says it's from DocuSign, and then manually approve them one by one, because they just cannot stay on top of these kinds of scams, which is like, what a nightmare for a business.
Maria Varmazas
Well, I mean, the solution is just tell people, I'm not doing business with you if you're gonna do DocuSign. I mean, but that's not gonna work so well.
Dave Buettner
That's hard.
Maria Varmazas
Nobody uses DocuSign.
Dave Buettner
Yeah, that's right.
Joe Kerrigan
Yeah. And you often find yourself in a. A business relationship where you are not the alpha person in that relationship. If you're a small contractor and you're doing business with Anheuser-Busch, you're not going to go to them and say, listen, we can't use DocuSign. They're going to be like, we use DocuSign.
Dave Buettner
And you don't get to say in this.
Joe Kerrigan
And that's it.
Dave Buettner
Yeah, exactly.
Joe Kerrigan
If you want our money, this is who we use. And that's the way it goes. Just real quick backing up here, Joe, for the folks in our audience who may be scratching their heads, can you give us a brief description of what an API actually is?
Maria Varmazas
So an API. API stands for Application Programming Interface. And it allows you as a programmer to write code that then calls some web service somewhere. I'm imagining this is a web-based API, a web API, but other APIs can be like, with like Remote Procedure Call or some other. There's hundreds of ways to do it. But this is probably a web-based API where you go out and you say, I'm going to get either. I'm going to, I'm going to essentially automate doing something, right, with a web service. And it's usually a pretty simple interface that you just have to format correctly. And that's what 99.9% of software development is, formatting things correctly, data formatting and code formatting. And actually there's more to it than that. I'm exaggerating, but yeah, it's just a way to automate interacting with DocuSign.
Joe Kerrigan
Yeah. So APIs really enable and empower automation.
Maria Varmazas
And they speed it up, they make it so a scammer can really go ahead and do this.
Dave Buettner
Yeah, get data out there really fast. That's the beauty of an API, but also the huge risk that they also can entail.
Maria Varmazas
Enjoy a problem at DocuSign.
Dave Buettner
It does sound like a problem with DocuSign, although again, them being one of the huge orgs that is targeted for this kind of abuse. I mean, I mean, I wish them the best of luck. I mean, my goodness, that sounds like a really hard one to tackle. But I was there, they had a white paper about what you as an organization can do about it. And a lot of their recommendations were essentially, hope you're. Hope your IT team has enough money to have really fancy tools to fight this. But they did say something about which like, okay, great, that's, that's fun, that's wonderful. Enforcing DMARC reject or at least quarantine policies is like, this is getting very. But Joe, can you explain what that means? Because I thought that was kind of neat.
Maria Varmazas
So DMARC actually stands for Domain-based Message Authentication, Reporting and Conformance, which is an email authentication policy that also you can get reports from as well. It builds on top of SPF and DKIM, which are. I'm not going to go down into the weeds on those, but they add linkage for the domain it was from, and they look for signatures from it as well. So presumably somebody using the API might not have access to a signature. I don't know how well that will work. It would be interesting to see if this is an issue that exists if you put on DMARC deny, which means if it doesn't have a DMARC record and I can't validate it, I'm not going to even receive the email.
Joe Kerrigan
Right.
Dave Buettner
Yeah. Which again comes down to, I hope you have enough money in your org to do this, which just frustrates me.
Maria Varmazas
But yeah, that's right.
Joe Kerrigan
Yeah. I mean, I guess the quick thing here would be just to have extra scrutiny for anything coming from DocuSign.
Maria Varmazas
Yeah.
Dave Buettner
Yes.
Joe Kerrigan
Which, you know, whether or not that's practical or not, that's where we are.
Dave Buettner
Yeah. Yeah, it is.
Joe Kerrigan
Yeah. All right, interesting. Well, we will have a link to that story in the show notes. Before we get to Joe's story, let's take a quick break to hear a message from our sponsor.
Sponsor Voice
We were talking about mitigating cyber threats to your organization before your users even see them. The new PhishER Plus from KnowBe4 was developed to help you supercharge your organization's email security defenses. Now you get a unique crowdsourcing advantage. More than 10 million highly trained KnowBe4 end users from across the globe catch and report malicious email that makes it through all the filters. KnowBe4's threat lab then validates it with AI and with human researchers. PhishER blocks phishing threats other tools have missed and proactively removes them from your users' inboxes. Not quite time travel, but we think you'll agree it's a vital capability in any infosec professional's arsenal. Visit knowbe4.com/products to learn more. That's knowbe4.com/products/phisher. And we thank KnowBe4 for sponsoring our show.
Joe Kerrigan
And we are back. Joe, you are up. What do you got for us this week?
Maria Varmazas
Should I talk about the election?
Joe Kerrigan
No.
Maria Varmazas
Okay. I actually wanted to talk about this a little bit.
Joe Kerrigan
People listen to our show to get away from that kind of stuff.
Maria Varmazas
I want to say I have done something right on Facebook.
Joe Kerrigan
Okay.
Maria Varmazas
Because have you guys been looking at Facebook since the election?
Joe Kerrigan
I've checked in.
Maria Varmazas
Have you seen. What does it look like? Does it look like a dumpster fire?
Joe Kerrigan
Well, I mean, I'd say no more than usual.
Maria Varmazas
Okay. But I have seen almost no political posting on Facebook.
Joe Kerrigan
Really? Really?
Maria Varmazas
Yes, really.
Joe Kerrigan
You mean even from your friends?
Maria Varmazas
Yes, even from my friends. The closest I get, I get the ones that are vaguely political. Like, I think I saw one of your posts, Dave, that was not political, but something else.
Joe Kerrigan
Yeah.
Maria Varmazas
That kind of tangential. And then I had another friend who said, nothing is ever as bad or as good as it seems.
Joe Kerrigan
Okay?
Maria Varmazas
Right. And that's. That's been the extent of what I've seen. I've seen tons of ads, though. I scroll through and I see ad after ad after ad. But no, I have gone through enough times and said, I'm not interested in seeing anybody else's political opinion.
Joe Kerrigan
Okay?
Maria Varmazas
I don't want to see it. I don't want to hear it. It's not what I do with my life. It's not how I spend my time. It's not what I think about. I don't want to see it. And I think that something has happened where I'm not. I've done enough complaining or enough saying I'm not interested in this, that I don't see it.
Joe Kerrigan
You've been a squeaky enough virtual wheel that Facebook has thrown up its virtual hands and said, don't show Joe anything political. Right.
Dave Buettner
Joe has won over Zuckerberg.
Joe Kerrigan
Pays off. Holy cow.
Maria Varmazas
Although, I'll tell you, I'm seeing tons of ads.
Joe Kerrigan
Yeah.
Maria Varmazas
And I get lots of links to all the pages I'm following as well, which are stupid pages.
Joe Kerrigan
Yeah.
Dave Buettner
What's different there? I mean, ads and stupid pages are already always. Always like, there's no change. That's exactly what my Facebook's been like for years. Although it says probably a lot more about me, to be honest.
Maria Varmazas
So aside from that, I just wanted to say, yay me.
Joe Kerrigan
Congratulations.
Maria Varmazas
Actually, here is. Here's something where Facebook has actually produced a pleasant user experience, or at least not a negative one.
Joe Kerrigan
Right. That's the high praise that I could say this.
Maria Varmazas
Using Facebook after the election for me, did not suck.
Joe Kerrigan
Yeah.
Maria Varmazas
But that did require a lot of upfront work.
Joe Kerrigan
Yeah.
Dave Buettner
Sorry. That has not been my experience at all.
Joe Kerrigan
Yeah.
Maria Varmazas
I'm sure. I'm sure that most people listening to me right now are like, how does he do it? And I'm like, I don't know. I just started complaining about. I don't want to see this. I don't. Whenever anybody posted anything political, didn't matter if I agreed with it or not, I was like, I don't want to see it. And that. And that apparently works if you do it long enough. All right, I'm going to try it. Actual stories. Let's see. I have this. This one that's actually from the middle of last. Last month it came out. It's from Okta, actually. It's actually on CVE.org, which is common vulnerability enumeration. Okta found out that if there was something with their Okta Verify for iOS version 9.251 beta and 9.27, they allow push notification responses through the iOS context-sensitive features, and that allows authentication to proceed regardless of your selection. Okay, so if you click authorize, the connection is authorized. If you click don't authorize, the connection is authorized.
Joe Kerrigan
Oops.
Maria Varmazas
Now this is not. Yeah, this is like the part of social engineering that I think is part of social engineering. But a lot of people will say, no, this is just a software bug. Okay, it is a software bug, that's 100% correct. And it's probably not a software bug with the underlying security principles. It is a UI, or as they say in the biz, UI/UX, user interface experience. It's a UI bug. This is someone who just called the same function on two parts of a form or web app or whatever it is. It's not a web app, it's a phone app. On two parts of the interface, they called the same function. That's my guess. I'm speculating, but I'll bet that's what it was. Okay, so that's a problem caused by a human doing something wrong. So this illustrates how there's this general sense out there that, oh, the computer says this, it must be right. No, no. Humans write software. Humans are vulnerable and fallible. Therefore software is vulnerable and fallible. So keep that in mind.
Joe Kerrigan
Humans write software. For now.
Maria Varmazas
For now. Correct? Yes. I'm not sure there's a lot of people out there.
Joe Kerrigan
I'll add to your story here, Joe, that things have not been going well for Okta lately. And for folks who aren't familiar, Okta, they are in the authentication business. Yes, that's what they do. If you need a widget for your app or whatever, you can get it from Okta and they'll take care of that part of it for you. And they recently had another bug where if your username was longer than 52 characters, you didn't have to have a password to log in.
Maria Varmazas
Well, that's just because your username is as long as a username and password should be.
Joe Kerrigan
Dave. Yeah, I'm joking. It had something to do with some sort of hashing issue with something blah, blah, blah, under the hood, technical kind of things.
Maria Varmazas
They were not validating input. That's my guess.
Joe Kerrigan
Yeah. I do believe that was among the things I read about the problem. So, yeah, not good if you're Okta right now.
Maria Varmazas
No. Okay. So that was my first story. Second story actually is a social engineering story. And it has to do. This is from the BBB, and it has to do with a new scam that's going around. And since we're now entering, we're exiting out of silly season.
Joe Kerrigan
Yeah.
Maria Varmazas
As Dave likes to call it. And we're going into now the Christmas holiday or Christmas holiday liturgical calendar.
Joe Kerrigan
Yes.
Maria Varmazas
Yeah, that's right.
Joe Kerrigan
That's right.
Maria Varmazas
Right.
Joe Kerrigan
We're on final approach.
Maria Varmazas
We're on final approach for all these shopping scams.
Dave Buettner
Scammer Advent.
Joe Kerrigan
Right?
Maria Varmazas
Scammer Advent.
Joe Kerrigan
That's right.
Maria Varmazas
That's a good one, Maria. So here we are. Scammer Advent.
Joe Kerrigan
Yeah. So what did we get today?
Maria Varmazas
Right. Can you imagine the scammer Advent calendar?
Joe Kerrigan
Yeah, I can.
Dave Buettner
Oh, my God.
Joe Kerrigan
There's your million dollar idea, Joe. Scammer Advent calendars.
Maria Varmazas
So you're shopping online and as Dave likes to say, minding your own business, and you decide to purchase from some website. Or maybe you get an email that says, hey, it looks like it's from Amazon or Best Buy or wherever you shop. It's not, but it looks like it is. So you go there and there's this incredible deal on something, and you go to enter your credit card information and it says, your credit card's been declined. And you're like, huh, that's funny. This card has plenty of room on it. So you try it again. Nope, declined again. So what do you do, Dave? What's the first thing you do?
Joe Kerrigan
I get a different credit card.
Maria Varmazas
You get a different credit card. That's exactly right. And you try it again. Nope, that was declined too.
Joe Kerrigan
Huh.
Maria Varmazas
Maybe you try as many as three credit cards.
Joe Kerrigan
Yeah.
Maria Varmazas
And they all get declined. Or at least they're told what's happening behind the scenes is that the bad guys are collecting all your personal information and they're telling you the card is declined so that you enter more credit card information, and then they're charging your credit card more than they told you they were going to charge for something they're not going to send you.
Joe Kerrigan
Wow.
Dave Buettner
Wow. All right.
Joe Kerrigan
So they're using the card declined.
Maria Varmazas
Right.
Joe Kerrigan
To get me to give them another credit card, more credit cards. And then all the credit cards I give them, they're fraudulently charging.
Maria Varmazas
Yes. And there is one story in here where somebody entered a. The consumer entered a card to make a purchase on a website, got the decline message, retried with the same card, and obtained the same error message. Then they got an alert from their credit card company almost instantly that said that a $2,500 charge was declined.
Joe Kerrigan
Wow.
Maria Varmazas
Now that's probably a legitimate decline because they might not have had $2,500 on a credit card.
Joe Kerrigan
Right.
Maria Varmazas
I mean, I have credit cards that have limits close to that. Right. I mean, sure. That credit card is never going to have $2,500 on it, which is good for this person. So what they're doing is they're just getting more information from you. They're stealing your identity. They're actually collecting all your personal information as well, and then they're just charging your credit card and hoping to get away with it. I don't know how effective this is going to be. I think if they go for these $2,500 charges, they're going to get busted. It's not going to work. I think if they go for 10, $15, it'll work all day long.
Joe Kerrigan
Well, but I Wonder, was the $2,500 charge the one that tripped up the bank? Do they start. Because I've seen a lot of these things where they'll start with a dollar just to see if it's a usable card.
Maria Varmazas
Right.
Joe Kerrigan
And then they escalate.
Maria Varmazas
Yeah.
Joe Kerrigan
Like, all right, let's try 100. That worked. Let's try 1,000.
Maria Varmazas
Right.
Joe Kerrigan
And they go from there. So I wonder if it's something like that. But I mean, how do you protect yourself against this?
Maria Varmazas
Well, the BBB has several tips. They say verify that you're shopping at a legitimate website. Scammers like to use fake and lookalike web domains. And we've seen how those can get really good.
Joe Kerrigan
Yeah.
Maria Varmazas
Using different alphabets that look, you know, have letters that look kind of like, I guess, the Roman alphabet is what we use. I don't know. Is it Roman? It's Roman, right?
Joe Kerrigan
I think so, yeah.
Maria Varmazas
And then it's not Egyptian. Right. That's just a bunch of pictures.
Joe Kerrigan
It's not Greek.
Maria Varmazas
I would know.
Joe Kerrigan
You're welcome, Maria.
Dave Buettner
Thank you.
Maria Varmazas
Stop at the gamma. That's where we catch on. Watch out for emails and texts with ads now. I don't know, there's. I've never clicked on a text. Gotten a text and gone, oh, I think I'll go buy that. Never.
Joe Kerrigan
No, me neither.
Dave Buettner
Well, that's you, right?
Maria Varmazas
That is me. You're right, it is me, old man who hates getting a text message. Don't be fooled by great offers. That's a big one. That is one that works on me. And research the business. Look them up. Of course, the BBB says look them up on bbb.org.
Joe Kerrigan
Sure.
Maria Varmazas
And use the BBB Scam Tracker and use your credit card with some extra protection so that when you say, hey, that's a fraudulent charge, I need you to turn that credit card off, get me a new one and not charge me for that.
Joe Kerrigan
That may be the best advice of all.
Maria Varmazas
Yes.
Joe Kerrigan
We've talked here before about how there are premium credit cards. An Amex comes to mind. You'd pay a lot more for the privilege of using that card. But if something does go wrong, they just fix it.
Maria Varmazas
Right.
Joe Kerrigan
And so, you know, it is nice. Yeah. Interesting, I guess, too, if you get a card declined and you know it's a card that has available balance, probably the thing to do is to call the credit card company before you whip out another credit card.
Maria Varmazas
You know, this actually happened to us recently. My wife had a credit card where was she trying to use it? Because she was calling somebody, I think giving them a card over the phone for something we had to pay for. She wasn't there in person. And it got declined like three times.
Listener
Oh.
Dave Buettner
Were they overseas?
Maria Varmazas
No, we had to take our dog to an emergency vet.
Joe Kerrigan
That's what it was.
Maria Varmazas
And they might have been using something like Square or something.
Dave Buettner
I mean, I've had this happen to me when I've tried to buy things from retailers that are overseas because my credit card will go. That's a weird location to be using this for, right?
Joe Kerrigan
Yeah.
Dave Buettner
And sometimes when you're buying stuff online, you haven't, like, you don't really necessarily think about where you're buying it from. So. Yeah, yeah, that can happen.
Maria Varmazas
But anyway, she. She wound up using a different card that worked. And when I called the credit card company, I'll tell you, it was Capital One. I said, what's going on? Are you seeing. You seeing these declines? They're like, oh, yeah, that card's not activated. I'm like, well, wait a minute. She used it two days ago to buy groceries.
Joe Kerrigan
Yeah.
Maria Varmazas
I'm like, oh, yeah, that was a card-present transaction. This was a card-not-present transaction.
Joe Kerrigan
Oh.
Maria Varmazas
So I don't know what system the emergency vet was using.
Joe Kerrigan
Interesting.
Maria Varmazas
Yeah, my dog got into it with one of my daughter's dogs and had to go up. She's fine. They're a couple of dumb-dumbs. I love him.
Joe Kerrigan
Yeah. He can't help it.
Maria Varmazas
Yeah.
Joe Kerrigan
All right, well, we will have a link to these stories in our show notes. Joe, Maria, it is time to move on to our catch of the day.
Maria Varmazas
Dave. Our catch of the day comes from William. I'm just gonna go ahead and let you read this, Dave.
Joe Kerrigan
All right, it goes like this.
Listener
Dear Unhappy Beneficiary. I felt it was needful to confide in you something that I found very disturbing in relation to your financial transaction that has appeared unending even with a substantial amount you have put into it. No doubt the outcome has been very distressing and damaging for you. But I must make it very clear to you, at no point must you divulge our correspondence to any third party without the permission of Mr. Mark Baumgardner, who has done well in making sure your funds were not illegally confiscated, as it were. No doubt a lot of things missed the right way, but a lot has been straightened to accommodate your request for withdrawal of your funds via the recommended platform without any iota of delay. Kindly reply to me if you choose, as quickly as you can for more information. In any case, you might need a lead to its urgent and positive finalization. It is important you reply with your full details for reconfirmation and further directives and positive advice. Sincerely, Mr. Christopher Wilson, Chief of Protocol, Office of the Due Process Unit, Payments Review Unit, United Nations Headquarters, New York.
Dave Buettner
Who does work on somebody.
Maria Varmazas
Or even more.
Joe Kerrigan
I'm not even sure what they're asking for here.
Maria Varmazas
Right.
Dave Buettner
It's all business speak. Like, what is this? Yeah, like, the ask is not clear. How is this effective?
Maria Varmazas
I don't think I have a question for you, Maria.
Joe Kerrigan
Yes?
Maria Varmazas
Do you know how the word iota got to mean something very small? It's a Greek letter. Is it the same etymology?
Dave Buettner
No, that's a good. You know what? I took an etymology class many years ago, and I think back then I knew. I do not know now. I'm still laughing at the idea of writing in an email, Mr. Christopher Wilson to refer to oneself.
Maria Varmazas
That's just right.
Dave Buettner
Sorry, I'm still kind of stuck on that.
Listener
Mr. Wilson to you.
Maria Varmazas
Right.
Dave Buettner
And also the UN having a payment review unit, which.
Maria Varmazas
Yeah.
Joe Kerrigan
Wow.
Dave Buettner
Okay. Anyway, no. So how did iota. How did yota become a thing?
Maria Varmazas
Well, in Modern Review, that makes sense because. Yeah, because it's the I is actually like a J, right? Like a J or a Y backwards J. Yeah.
Dave Buettner
Yeah.
Joe Kerrigan
So you don't know the answer either, Joe?
Maria Varmazas
I don't know. No.
Dave Buettner
You were asking me if I knew. Oh, no, I have no idea.
Maria Varmazas
Okay, great homework.
Dave Buettner
I don't know everything related to Greek stuff. In fact, there's a lot I don't know.
Joe Kerrigan
Come on, Maria.
Dave Buettner
I know my cards were grouped.
Joe Kerrigan
Well, we've created a cliffhanger for our listeners and some follow up for ourselves. So when we come back next week for a follow up, we will start off with this story of, you know what? Let's do this, let's do it now. Google it. Here's what we're gonna do. No, no, no, no. Here's what we're gonna do. Here's what we're gonna do. Okay, I'm Joe and Maria, the two of you, when we're done, you're going to decide. One of you is going to look up the real reason of how iota got to mean a small thing.
Maria Varmazas
Okay?
Joe Kerrigan
The other is going to come up with a fake reason for why it is a thing. And then I'm going to choose which one is the real story.
Maria Varmazas
Okay?
Joe Kerrigan
All right.
Maria Varmazas
Okay.
Dave Buettner
Okay.
Joe Kerrigan
All right. So one of them is real, the other one not real, but has to sound real. Because your goal is to trick me into choosing the not real one.
Maria Varmazas
Oh, jeez, let me see if I can. I'll take the fake one, Maria.
Joe Kerrigan
Well, now I know you can't.
Maria Varmazas
Well, well, you can't.
Joe Kerrigan
Hold on. No.
Maria Varmazas
Wow.
Joe Kerrigan
Oh, you mean. Gosh, I wonder which one of you has the real. No, you're horrible at this game, Joe.
Maria Varmazas
Dave.
Dave Buettner
Wait, wait, don't tell me.
Maria Varmazas
We'll blind it, Dave. We'll blind you to who wrote what.
Joe Kerrigan
I see. So I won't know which. I won't know if either of you are reading the one that you actually wrote.
Maria Varmazas
Well, you can read them both. Correct. You'll read them. We'll put them in the document and you can read them both and then you can decide.
Joe Kerrigan
All right?
Maria Varmazas
And mine will be the fake.
Joe Kerrigan
Am I going to regret coming up with this fun little thing?
Maria Varmazas
Probably. Yes. I like it.
Dave Buettner
I like it.
Joe Kerrigan
All right. Okay. All right.
Dave Buettner
I'm pretty sure I know the reason, but I don't know for sure.
Joe Kerrigan
Listeners, no spoilers. Yes. Yeah, no spoilers. And I am going to do my best over the course of the next week to avoid learning. We're doing etymology.
Dave Buettner
And semantics on Hacking Humans. Is that the segment we're doing? Okay.
Joe Kerrigan
It'll have a whole new podcast.
Maria Varmazas
John McWhorter would be proud.
Joe Kerrigan
Yeah. There you go. All right. That is our catch of the day. I don't know if we mentioned that this came from a listener named William. And William, we. We thank you for sending that in. This is a good one. We do appreciate it.
Sponsor Voice
We want to thank all of you for listening. And of course, we want to thank our sponsors at KnowBe4. They are experts in helping users do the right thing through new-school security awareness training.
Joe Kerrigan
That is our show. We want to thank all of you for listening. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumansndash. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Buettner.
Maria Varmazas
I'm Joe Kerrigan.
Dave Buettner
And I'm Maria Varmazas.
Joe Kerrigan
Thanks for listening.
Podcast Summary: Hacking Humans – "Final Approach to Scammer Advent"
Introduction
In the "Final Approach to Scammer Advent" episode of Hacking Humans, hosts Dave Buettner, Joe Kerrigan, and Maria Varmazas delve into the pervasive world of social engineering scams, exploring heart-wrenching personal stories, sophisticated phishing techniques, and emerging scam trends targeting consumers and organizations alike. This episode, released on November 14, 2024, offers listeners a comprehensive look into the tactics criminals employ to exploit human vulnerabilities in the digital age.
1. The Heartbreaking Impact of Relationship Scams (00:01:39 – 00:10:39)
The episode opens with a poignant story from The New York Times about Chris Mancinelli, whose 79-year-old father, Alfred, fell victim to a sophisticated romance scam. Believing he was in a genuine romantic relationship with WWE star Alexa Bliss, Alfred transferred nearly one million dollars to an imposter posing as the wrestler. This financial and emotional abuse led to severe familial discord, with Chris moving his father's remaining funds to protect them, only to be sued by his father and eventually estranged from his family.
2. Exploiting DocuSign APIs for Phishing Attacks (00:13:15 – 00:21:42)
The conversation shifts to a technical threat involving DocuSign API abuse, as reported by Wallarm. Scammers use DocuSign's API to send legitimate-looking invoices with hidden additional charges. These phishing emails appear trustworthy because they originate from valid DocuSign URLs, making it difficult for recipients to discern fraudulent intent. The scammers rely on human error within organizations, leading to unauthorized payments sent directly into their accounts.
3. Scammer Advent: Holiday Season Shopping Scams (00:28:00 – 00:32:45)
As the holiday season approaches, the hosts introduce the concept of "Scammer Advent," a play on the traditional Advent calendar, where scammers intensify their efforts to exploit consumers during the peak shopping period. Common tactics include fake websites and deceptive emails mimicking reputable retailers like Amazon or Best Buy. These scams often involve misleading credit card decline messages to prompt victims into repeatedly entering their card information, ultimately leading to fraudulent charges.
4. Catch of the Day: Analyzing a Scam Email (00:34:55 – 00:39:55)
In the "Catch of the Day" segment, listeners are presented with a dubious email purportedly from the United Nations, attempting to induce victims to disclose personal and financial information. The email's convoluted language and lack of any clear request are red flags that mark it as illegitimate.
Scam Email Excerpt:
Dear Unhappy Beneficiary,
I felt it was needful to confide in you something that I found very disturbing in relation to your financial transaction that has appeared unending even with a substantial amount you have put into it.
...
Sincerely,
Mr. Christopher Wilson, Chief of Protocol, Office of the Due Process Unit, Payments Review Unit, United Nations Headquarters, New York.
Conclusion
The "Final Approach to Scammer Advent" episode of Hacking Humans provides an in-depth exploration of the multifaceted nature of modern scams, from deeply personal relationship frauds to technically sophisticated phishing schemes exploiting business APIs. The hosts offer valuable insights and practical advice for both individuals and organizations to recognize and counter these deceptive tactics. By sharing real-life stories and expert analysis, this episode underscores the critical importance of vigilance and proactive security measures in safeguarding against the ever-evolving landscape of cybercrime.
Final Thoughts
Hacking Humans continues to shed light on the intricate and often devastating impact of social engineering scams, empowering listeners with the knowledge and strategies needed to protect themselves and their organizations from cyber threats. Whether navigating personal vulnerabilities or addressing organizational security challenges, this episode serves as a crucial guide in the fight against cyber deception.