Loading summary
Transcript237 lines
- [00:02]
Dave Bittner
You're listening to the Cyberwire Network, powered by N2K.
- [00:15]
Joe Kerrigan
Hello, everyone, and welcome to N2K, CyberWire's hacking humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner, and joining me are my co hosts, Joe Kerrigan. Hey, Joe.
- [00:33]
Maria Varmazas
Hi, Dave.
- [00:33]
Joe Kerrigan
And our N2K colleague and host of the T Minus Space Daily podcast, Maria Vermazas. Hello, Maria.
- [00:40]
Dave Bittner
Hi, Dave. And hi, Joe.
- [00:41]
Maria Varmazas
Hi, Maria.
- [00:42]
Joe Kerrigan
We've got some good stories to share this week, and we'll be right back after this message from our show sponsor.
- [00:59]
Unknown Sponsor
But first, a word from our sponsors at KnowBefore Time Travel would be a particularly powerful tool in the hands of any overworked infosec professional. Think about it. Being able to see the future and know which malicious emails would be missed by all the existing filters, your ability to stay one step ahead of the bad actors would rise to a whole new level. Unfortunately, our sponsors haven't cracked time travel just yet. They are, however, introducing a new phishing protection product that can block and remove dangerous phishing emails before your users even see them. Stay with us and in a few minutes you'll learn how.
- [01:43]
Joe Kerrigan
All right, before we dig into our stories this week, we have a couple of bits of follow up here. What do we got here, Joe?
- [01:49]
Maria Varmazas
Right. Well, first we got Will, who writes in to tell us that he apologizes for being a little late on this, but he's going through some old episodes. And in short, he works for a Bank and FinCEN is the financial crime enforcement's networks. He wanted to tell us about how we were. How they're clawing money back on these events. It was set up during the Patriot act to cover how to cover ways to get money back from fraud or from terrorism. Huh.
- [02:16]
Dave Bittner
And the problem with post 9 11, right.
- [02:18]
Maria Varmazas
Yeah, with FinCEN is that it's voluntary, so banks have to volunteer to join. He says they have a recent incident at their bank, that they attempted to notify the other bank, who. I don't know if I should even name who this is, but it's a bank you've heard of. And he said basically they ignored us. They said that they were waiting for the owner of the account to approve returning the money, which of course will not happen. So the customer was out the cash. So there are some big banks out there, very big banks. I'm going to not even say my opinions, but he also wants us to Keep the great work on the show, but they're not participating in this. They're not participating in this FinCEN.
- [03:02]
Dave Bittner
Yeah, it being voluntary is. There's the problem right there.
- [03:06]
Maria Varmazas
Yeah, I think you're right.
- [03:08]
Dave Bittner
Jeez.
- [03:09]
Joe Kerrigan
Right, right. All right, interesting. What else do we have here, Joe?
- [03:13]
Maria Varmazas
We have an anonymous listener who wrote in and was talking about the DocuSign API. Remember we were talking about people using, you know, Cyber. Cybercriminals using DocuSign to trick people into opening things and clicking on things and paying them or giving them information. Well, it's. This is a illegitimate use of legitimate tool, the. The API. So he, he writes in, he says, I love the show and how it provides awareness and education about social engineering. I hope this email may contribute in my role. I have looked at a lot of these DocuSign API emails and wanted to share some indicators of attack that I see frequently. A DocuSign email that was sent via the DocuSign API will show that it was sent via the DocuSign API by having X API host field in the header and a DocuSign host name is the value.
- [04:11]
Joe Kerrigan
Okay.
- [04:11]
Maria Varmazas
So you immediately know that's how you can scan for a DocuSign email.
- [04:16]
Joe Kerrigan
That's how you can scan for a DocuSign email.
- [04:19]
Dave Bittner
I personally will not be doing that, but yes, okay.
- [04:21]
Maria Varmazas
No, of course, if you're. Let's say you're an email system administrator.
- [04:24]
Joe Kerrigan
Right? Right. Yes. Yes, right.
- [04:26]
Dave Bittner
He says how one can do that.
- [04:28]
Joe Kerrigan
Yes, that's right.
- [04:29]
Maria Varmazas
The reply to field for these phishing emails, all the ones that, that our listener has seen, all have some free email account like a Gmail OR A. An outlook.com or mail.com or the field can be blank. Right. So there's nothing. Interestingly, he says the to field sometimes is sent to a similar domain, not the recipient's domain, but the recipient is blind, carbon copied. So I think they do that so they can shove like 100 email addresses into the BCC field and send it all out with one click.
- [05:04]
Joe Kerrigan
Yeah, right.
- [05:05]
Dave Bittner
That makes sense. Yep.
- [05:06]
Maria Varmazas
Scammers are lazy just like the rest of us. Right. So he says creating two email rules on these emails on these fields will quarantine them. First, check the API host field with DocuSign with a DocuSign value and the reply to with any of the free domains. Right. So if you see One of these DocuSign emails come in and it's got a reply to it Gmail, just put it in quarantine. Don't even send it out.
- [05:30]
Dave Bittner
Yeah, yep, yep.
- [05:31]
Maria Varmazas
And the same check, check the reply to field for not having an at symbol, which means it doesn't have an email address. It's a really simple way to check for an email address. You don't have to write a big regular expression. Just say, does it have an at? Then it's not valid. It doesn't.
- [05:47]
Joe Kerrigan
I see. Okay.
- [05:48]
Maria Varmazas
Because if it's blank, that's what it is.
- [05:49]
Joe Kerrigan
Right.
- [05:50]
Maria Varmazas
He hopes that this information is not too technical but useful to somebody. So thank you. A nonny mouse.
- [05:56]
Joe Kerrigan
I think it'll be helpful to the technical.
- [05:58]
Maria Varmazas
Yes, yes, I would agree.
- [06:01]
Joe Kerrigan
All right, we appreciate you sending that information in. Good stuff. And of course, we'd love to hear from you. If you have something you'd like to share with us, you can email us. It's hackinghumansn2k.com all right, let's jump into our stories here. And Maria, you have the honors here. You want to start things off for us?
- [06:21]
Dave Bittner
Yeah. It's the holiday season. Well, it was inevitable, right? Yeah. Now that song's in your head.
- [06:28]
Maria Varmazas
It won't go away.
- [06:30]
Dave Bittner
You're very welcome. I'm going to get hate mail for that chimney tonight. Let's keep going, Joe. Keep going. I think for my story, I kind of wanted to do the obligatory PSA for the holiday season, especially since we are in the thick of Black Friday sales, which is no longer a one day thing. It's now basically all of November until December. At this point, they've just given up on it being a day. There's no Cyber Monday either. It's gone. And there was a report out in the Guardian featuring an interview with the UK's cybersecurity chief saying, black Friday show now be called. And I love this Black Friday.
- [07:15]
Maria Varmazas
Nice, Good one.
- [07:17]
Joe Kerrigan
Yeah, love it.
- [07:18]
Dave Bittner
Got to give it to them. Yeah. So there were a number of data points that the UK Cyber Bureau kind of pulled together thanks to Action Fraud, which is Britain's scam reporting center. And they said, on average people who are reporting online scams that they've fallen victim to, especially around this time of year, they're losing about 700 pounds on average. And that's not weight. That's around $800 when we convert it.
- [07:47]
Joe Kerrigan
To say, what's that in real money?
- [07:48]
Maria Varmazas
Yeah. Do they have a scam where I can lose £50 like I would.
- [07:52]
Dave Bittner
It's called Ozempic. It's.
- [07:53]
Joe Kerrigan
Yeah, that's right.
- [07:55]
Dave Bittner
And it's. It's sort of. I was looking through some of these data points and it's one of Those things that it just feels right to me given. I don't know about YouTube, but the flood of emails I'm getting this time of year, I'm at probably quadruple the normal amount of marketing emails I normally get, which is already too high. But it's. I just get so many and it's very easy to feel a bit overwhelmed by it. I don't know about YouTube.
- [08:18]
Maria Varmazas
Yeah, absolutely, yeah.
- [08:20]
Dave Bittner
And I'm. I have sort of opted out of the doing the obligatory social ties of buying gifts for people. I managed to do that many years ago, but I know a lot of people do that part of maintaining social ties. It's a good thing, network maintenance in the meatware way. So if you're doing that, you're usually buying a lot of gifts for people and things are coming and going and it's. Honestly, even in normal times it can be really easy to forget what you've ordered and what's coming to your house if you're ordering large volumes of things. I don't know, sometimes it's like something arrives at my house, I'm going, I don't remember ordering that. And sometimes. Yeah, it's been a while.
- [08:54]
Joe Kerrigan
Yeah.
- [08:55]
Dave Bittner
And there's actually some data to back that up. Also from Action Fraud they found that there has been a large uptick in social media related scams. 43% of the scams that they've had reported to them are social media related. And many of them involve people paying for items that they see advertised on social media that literally never arrive. So especially if you're ordering a lot of stuff this time of year, you might just completely forget that something was supposed to come to your house. And I think some scammers are really banking on that. Things getting lost in the shuffle. And another data point I thought was very, very salient was the people who are reporting scams. The largest proportion of people reporting to Action fraud are aged 30 to 39 and the average age of victims is 42 years old. So to me that completely turns on its head a lot of the stereotypes people have about who tends to get scammed. And it speaks a lot to who's doing a lot of the shopping this time of year and what age they are. It's probably a busy parent or a sandwich generation person who's got grandparents or elderly parents on one end and then maybe cats, dogs and children on the other to shop for. And there's just a lot of money coming and going. Another thing that this report mentioned is as we've talked about many Times on this show, Generative AI is making everything a lot worse. And a lot of the people that Action Fraud has talked to, people feel very confident in their ability to spot a scam, whether or not generative AI is involved. And I think there was in a McAfee survey that they said 59% of people said they feel confident that they can identify deepfakes or AI generated content, which is red alert. Yeah, well, we are all very overconfident on that.
- [10:38]
Maria Varmazas
Yeah. And my story is going to touch on. Well, not touch on this, be about this as well. But it's. I think, I think that's remarkable that 59% of respondents say they feel confident in this. That's. That's high, I think.
- [10:52]
Dave Bittner
Too high. That's very, very high. Yeah. Every time I've taken one of those. Can you tell if this picture is AI or real? I do, miserably. So it's very humbling. I really recommend doing it. Yeah. It's not the extra fingers or feet for hands thing anymore. It's way more sophisticated than that. So I just sort of wanted to put a PSA to our listeners about all of this, all these data points, because if you're listening to this show, chances are you're very, very aware, I would hope so, of all these kinds of scams and fraud. But I'm very curious how much we think the regular person knows and how much has percolated to the general world. Because we've talked a lot about on the show about how generative AI has made scams really easy to pass the sniff test. But a lot of people still are looking for the very obvious signs that aren't necessarily going to be presenting anymore. So, you know, the really. The hilarious emails with the laden with typos or the really obvious looking fraud website, those are the easy ones. It's the ones that are harder to spot. I don't know if people know to even look for those. So tell your friends, tell your family.
- [11:54]
Maria Varmazas
Right?
- [11:55]
Joe Kerrigan
There's an element of this that I don't. There's a reality to this that in my life that I'm. That I'm not proud of, but it is the reality. And that is that when the holidays come around and it's time to start buying gifts, my wife and I just go to Amazon. Right. Like we just go to Amazon because everything's there. It's easy. It comes to us. We can ask family members to make a request on Amazon. We can. You know, generally when you order from Amazon, you're going to get the thing you ordered. Yes, I, you know, I do know.
- [12:31]
Dave Bittner
There are some exceptions.
- [12:33]
Joe Kerrigan
Yeah. And there are. There are counterfeit items and things like that, but it just makes it easy. And there's a part of me that likes that because there's less a chance of being scammed. But on the other hand, it means I'm not shopping at that Main street, you know, person who has the brick and mortar store because it's so easy.
- [13:00]
Dave Bittner
Yeah, yeah, yeah. And I think to the social media scams point many people, and I'm just going to say it, a lot of women who are doing a lot of the shopping, and I include myself on this. You see an ad on Instagram or a social media platform of choice, and you feel that sense of this must be okay because it's the proximity to my friends that I trust. And it's, you know, this sort of lulls you into that sense of false security. And so you're just. It's very easy how these social media platforms have made it seamless to check out and shop while you're still on the platform. Like, Instagram has these integrated shops now. You don't even have to leave the app anymore to do your shopping. And, yeah, it's. It encourages you to shop at smaller boutiques. But, yeah, you may not actually get the thing you ordered, and it's very easy to forget that you ordered it. So.
- [13:49]
Maria Varmazas
Yeah, right.
- [13:50]
Joe Kerrigan
Yeah, Yeah.
- [13:50]
Maria Varmazas
I have never shopped on a social media platform. Like, I've never bought anything from a vendor on there. I've gone and purchased, like, things off Facebook Marketplace. But every time I do, it's. I'm going to go and meet you somewhere and give you cash for the product, you know, and that's how that's going to work. And if that's not how it's going to work for you, then guess what? We're not doing business. Thank you.
- [14:11]
Joe Kerrigan
Yeah. I can think of one or two times where I purchased something that I first saw on Facebook, but I did not buy it through Facebook, through the Facebook interface. I went to the company's actual website, or I'm just. I don't trust Facebook at all for anything. You know, Like, I don't want to. There's not a platform I want to transact through.
- [14:36]
Maria Varmazas
Yeah, it's not. You don't want to reward them for their terrible corporate citizenship.
- [14:42]
Joe Kerrigan
Right.
- [14:43]
Maria Varmazas
Yeah.
- [14:43]
Joe Kerrigan
Right.
- [14:43]
Maria Varmazas
By giving them. By enabling them to profit from your business, your purchases. Yeah, I feel the same way.
- [14:54]
Joe Kerrigan
Interesting.
- [14:55]
Maria Varmazas
I don't mean to judge, Maria. I'm not Saying I'm just sort of.
- [14:59]
Dave Bittner
Like, well, that's nice. There are a lot of people. I mean, I want to say I actually do a lot of my shopping through Instagram, which I'm not proud to admit that, but it is my reality. I know I'm not alone.
- [15:10]
Maria Varmazas
That's okay. So I'm not. I'm not judging you.
- [15:13]
Joe Kerrigan
Have you ever been scammed?
- [15:14]
Dave Bittner
You totally judged me, and I'm feeling it right now.
- [15:17]
Maria Varmazas
I'm sorry. Don't feel bad.
- [15:18]
Dave Bittner
It's okay. I accept your judgment. It's all right.
- [15:21]
Joe Kerrigan
Have you ever been scammed, Maria?
- [15:23]
Dave Bittner
Oh, I'm sure I have. I've probably been scammed and didn't even know I'd been scammed.
- [15:27]
Maria Varmazas
It's the perfect crime.
- [15:30]
Dave Bittner
Yeah, it would be the height of arrogance for me to think that I haven't been scammed. Nothing comes to mind recently. I tend to be really, really diligent about keeping track of things that I've purchased. But again, I realize I'm a bit of a corner case because I don't have, like a huge family that I'm shopping for. And my family is very non materialistic for the most part, so we don't do that kind of thing. But again, that's just not the reality of most of my friends. They're inundated and some of them are. It's all year round. They're always trying to figure out what to get for this cousin or that person or this nephew. So it's a lot of work.
- [16:06]
Maria Varmazas
We don't do that in my family either anymore. We all agreed, you know, like my brother, my sister, my mom, dad, no more presents. That's it. And that was years ago that we did that. So, you know, like, we don't. I don't like, not even for the kids. The kids are all adults now. That's really the thing.
- [16:22]
Dave Bittner
Yeah, that makes it easier.
- [16:24]
Joe Kerrigan
Yeah. Yeah.
- [16:25]
Maria Varmazas
So I hope you enjoyed all the presents I got you, nieces and nephews. But there will be none. No more of that.
- [16:30]
Joe Kerrigan
The Joe Gravy train has left the stage.
- [16:33]
Dave Bittner
What's the cutoff not coming? College graduation. I'm very curious what your cut off off is for adulthood.
- [16:39]
Maria Varmazas
We just kind of decided one day all the kids were adults and that was it. And, you know, there. I mean, I guess there are still two, you know, there are still two young nephews that we buy presents for, but it's not. Not like super big presents.
- [16:54]
Joe Kerrigan
The moment for us was a couple years ago when the youngest, my youngest Jack, who's Now who's about to turn 18? He. A couple years ago we decided that there was no reason to get up at the crack of dawn to run downstairs and see what Santa left under the tree.
- [17:18]
Dave Bittner
Cover your ears, children.
- [17:21]
Joe Kerrigan
Yeah. So, well, so we've all decided to sleep in. So instead of, instead of like an 8:00am start, it's now like a 10:00am start. So 8:00am yeah.
- [17:35]
Maria Varmazas
My kids wake me up at 6:00. Yeah, well, and that's because I said you can't wake me up before 6:00.
- [17:42]
Joe Kerrigan
Well, that way we did the same thing except it was 8am so now people come down and they get their coffee and they get their danishes and donuts and bagels and whatever they want and it's just more of a, oh, shall we go in the living room and start opening gifts? Sure, why not? But it also makes it easier because we have family who comes to the house and you know, just shifting it all a little later made it all easier. But it was the result of people aging out of that childhood. Joy of, you know, going down to get your presents. All right, well we will have a link to your story in the show notes here. Maria, Joe, you're up next. What do you got for us?
- [18:24]
Maria Varmazas
I got two stories. I was going to do this story last week but the story about the bear was too good. So we couldn't.
- [18:31]
Dave Bittner
Nobody can follow up from that. That.
- [18:33]
Maria Varmazas
Right. So the US Trustee program is part of the US Bankruptcy Court and they are warning people of bankruptcy fraud alerts. It's a scam about fake fraud. So here's what happens if you, let's say you are in the throes of bankruptcy. When you go to bankruptcy and you file for bankruptcy protection, you are given a trustee of somebody who is going to help you go through this process. And what they're doing here is they're, they're saying, these scammers are saying we're from the bankruptcy fraud watchdog group and they, they're sending out information accusing debtors of failing to disclose assets in their bankruptcy case. So when you go into bankruptcy you have to disclose all your assets. Not disclosing assets is criminal. But these guys are saying we can, we can waive any penalties for a one time fee of $450 in Bitcoin or paid via QR code for avoid further legal consequences. I see the actual watchdog group in the bankruptcy system is saying don't fall for this. This is not how this works. This is not what we do.
- [19:47]
Joe Kerrigan
Right.
- [19:48]
Maria Varmazas
We do not accept payment in Bitcoin. And we will not let you. If you try to defraud your creditors by hiding assets, we will not waive any penalties by assessing you a $450 fee.
- [20:02]
Joe Kerrigan
Right.
- [20:03]
Maria Varmazas
I think it's actually pretty severe.
- [20:06]
Joe Kerrigan
Are there any federal agencies that. That actually legitimately take Bitcoin? Like, can you pay your taxes with Bitcoin yet?
- [20:12]
Maria Varmazas
I don't think so.
- [20:12]
Joe Kerrigan
I don't think there are.
- [20:13]
Dave Bittner
Not yet.
- [20:15]
Joe Kerrigan
Just. Yeah, you're at Doge. Okay, you're right. I spoke too soon.
- [20:26]
Maria Varmazas
Right. Speaking of Doge, and we're all alluding at this at Elon Musk. My next story is actually from cbs. Texas is where it is. CBS News Texas. This is written by Brian New, Lexi Salazar, Mike Lozano, and Scott Freilich. So that's four people working on this story. I got a question. What's going on over there when you got four people working on a story this, this short. But it's. There is a woman named Heidi Swan, and she saw an ad on Facebook and then again on TikTok, talk of it was a deep fake of Elon Musk talking about cryptocurrency. And she invested in this scam ad, $10,000. And of course, now it's gone, which is unfortunate. But I mean, we all know how these scams work is they run these ads, and Facebook and TikTok don't do anything to stop the ads from running there because they've got a vested interest in keeping these ads on the platform because they're getting paid for it. You know, so what if somebody gets scammed out of $10,000? That's okay with them. They weren't scammed out of $10,000. But Swan, who is Ms. Swan, who is bold enough to come forward on this. And I'm always grateful when people who have been scammed come forward on this and go, look, here's what happened to me. Because I think that takes courage and I think it takes an amount of bravery that is not common. So that's why when we hear about this, I don't try to blame the victim here, but she is looking at these videos and she goes, these videos are still convincing. Even though she knows it's a scam and she knows the video is fake, it's still convincing. So according to Deloitte, this article states that the AI generated content contributed to more than $12 billion in fraud losses last year. Billion with a B. That's how much people are getting hurt in this. And Deloitte is saying this could go up to 40 billion by 2027. Any bets on how soon we get to 40 billion? Because I'm betting it's a lot faster than 2027.
- [22:38]
Joe Kerrigan
Yeah. And it's just hard to measure these things.
- [22:41]
Maria Varmazas
It is also hard to measure these things. The problem is that these AI generated deepfakes are getting harder and harder to spot. You remember when they first came up with the things that were deep fakes, like face swapping. You'd see people's faces literally moving around in the video. That does not happen anymore. They had another bug where people who were being faked wouldn't blink. Now they have blinking. You know, all these things are just improvements that have happened over the past four years in this field. And remember, a deep fake does not need to be perfect, just needs to be good enough to fool somebody into coughing up some money. So CBS News, the Texas I team, they put five websites and this is admittedly an unscientific test, but they took six deep fake videos and they tested five sites. One called Deepware, one called Attestive, or maybe that's a test, I don't know. Deep Fake O Meter, that's my favorite name. It's really easy to remember. Sensity and deepfake Detector. Deep Fake Detector is good name, but I'm still saying Deepfake O Meter is my favorite. In total, These tools, all five of them combined, only recognized 75% of the videos as fake. I think it was, in fact it was sensitive S E N S I T Y that actually measured all six of the videos as fake, was the only one that caught all six of them. So here's the thing. We can't as Internet users, right, go around and say, I wonder if this is real and then dump a video that we, that we've seen into six different engines that will tell us whether or not it's real or fake. You know, I barely have time to do that when somebody with a suspicious looking LinkedIn photo connects with me on LinkedIn. But I still do it, Dave, because I'm very interested in how it works. But you know, it's. The problem is that these things are getting so good. This is what Maria was talking about. They do say watch for the lip sync being a little bit off, but I can even see lip syncing being a little bit off just being. Because the audio is out of time with the video.
- [25:08]
Joe Kerrigan
Oh yeah, that happens on live tv. I mean, broadcast television has occasional lip sync issues. That's just a digital issue.
- [25:16]
Maria Varmazas
If you lose lip sync, I can tell that it's out of sync, but I can't tell if what the way the person is moving their mouth is in line with the audio I should be hearing at a different time. It's totally gone. For me, any recognition of what they said is gone. So. And I'm not saying I'm a lip reader or anything, but I mean, if what I'm saying is it's entirely plausible for me to be listening to audio that's different from the way the mouth is moving and me just to say this audio is out of sync with the video, and that would be a plausible way for me to believe that or for me to fall for this kind of thing.
- [25:55]
Joe Kerrigan
Okay, so when you were a kid, you didn't notice that the Godzilla movies were dubbed?
- [26:00]
Maria Varmazas
No, no, I did. I did, but I couldn't tell that the people were. You know, it didn't look to me like the people were speaking Japanese. It just looked like they were. You know, maybe they were speaking English, but it was just out of sync. Right, right.
- [26:14]
Joe Kerrigan
Right.
- [26:14]
Maria Varmazas
Now, I could. You can tell. You can tell that things don't add up. But what I'm saying is, you know, if you watch a video that's out of sync and somebody says, hello, Dave, and you see their mouth make the move. Hello, Dave. There's no. There's no. There's no join on that data for me.
- [26:30]
Joe Kerrigan
Okay.
- [26:30]
Maria Varmazas
Is what I'm saying.
- [26:31]
Joe Kerrigan
Yeah, yeah, I see it. But, you know, I used to be my world.
- [26:36]
Maria Varmazas
So, like, I'm sure you've done a lot of video editing, right?
- [26:39]
Joe Kerrigan
Right.
- [26:40]
Maria Varmazas
Not me. I've done a lot of video watching.
- [26:41]
Joe Kerrigan
It was important. Yeah.
- [26:42]
Maria Varmazas
Right.
- [26:44]
Joe Kerrigan
Interesting.
- [26:45]
Maria Varmazas
I could tell when it's out of sync, and the least bit of out of sync really does irritate me. Which is kind of, I guess, my defense on this, because I'm guessing you.
- [26:52]
Dave Bittner
Don'T play a lot of video games then.
- [26:55]
Maria Varmazas
I do. And their lip movements are just awful.
- [26:58]
Dave Bittner
Yeah. Lip flap, mouth flap is just endemic to video games. It's comical how bad it is sometimes. So I was gonna say I'm probably completely desensitized to it at this point because nothing ever matches.
- [27:09]
Maria Varmazas
Right.
- [27:12]
Joe Kerrigan
I saw a thing just this past week talking about the detection software. I saw a thing where somebody put something into ChatGPT and they said, create an image of a slice of pizza. And ChatGPT generates a delicious, hot, steaming, wonderful looking slice of pizza. So the person then downloads that image and in the same interface, uploads it back to ChatGPT and says, Is this an authentic photo of a slice of pizza and ChatGPT says absolutely. It looks real to me. It's like you just generated this two minutes ago.
- [27:51]
Maria Varmazas
Right?
- [27:52]
Dave Bittner
Total amnesia. That's great.
- [27:54]
Joe Kerrigan
Yeah, yeah. So. All right, well, interesting stuff as always. We will have links to these stories in the show notes. We are going to take a quick break before we get to my story to hear this message from our show sponsor.
- [28:21]
Unknown Sponsor
We were talking about mitigating cyber threats to your organization before your users even see them. The new Phisher plus from KnowBe4 was developed to help you supercharge your organization's email security defenses. How you get a unique crowdsourcing advantage. More than 10 million highly trained KnowBe4 end users from across the globe catch and report malicious email that makes it through all the filters. KnowBefore's threat lab then validates it with AI and with human researchers. Phisher blocks phishing threads other tools have missed and proactively removes them from your users inboxes. Not quite time travel, but we think you'll agree it's a vital capability in any infosec professional's arsenal. Visit knowbefore.comproductsfisher to learn more. That's knowbefore.comproductsfisher. and we thank knowbefore for sponsoring our show.
- [29:33]
Joe Kerrigan
All right, we are back. Before I dig into this story, I want to ask both of you and let me start with you, Maria. In your life, do you feel as though you have ever crossed paths with a serious con man or con woman? A con person?
- [29:52]
Dave Bittner
Um, how serious are we talking?
- [29:56]
Joe Kerrigan
Well, in other words, was there anyone who you've ever had a friendship with or a relationship with? In other words, more than just someone you cross paths with casually while out and about? You're someone who you felt as though you were getting to know, but it turned out that they were. Someone who was either conning you or your friends or this person didn't turn out to be who they thought they were in a negative way.
- [30:25]
Dave Bittner
Yes, I have. Definitely have that. I have before. I've had experiences like that. The con was not necessarily for monetary gain. It was more taking advantage of people. And I'm trying to figure out how to phrase this. Taking advantage of people's time and benefiting from basically labor that should have been paid for.
- [30:54]
Joe Kerrigan
I see.
- [30:55]
Dave Bittner
If that makes sense.
- [30:56]
Joe Kerrigan
Sure.
- [30:56]
Dave Bittner
Yeah. People who are pretending they were much more important than they actually were and saying, oh, I need you to help me with this thing, and ends up that this person was a complete fraud. That definitely happened to Me in my early 20s, I would say.
- [31:10]
Joe Kerrigan
Yeah. How about you, Joe?
- [31:11]
Maria Varmazas
Yes.
- [31:14]
Dave Bittner
Okay.
- [31:15]
Maria Varmazas
Twice a year.
- [31:15]
Dave Bittner
That's also my answer.
- [31:16]
Maria Varmazas
Yes, right. No, I get it.
- [31:19]
Joe Kerrigan
And one of them was named Dave Bittner.
- [31:20]
Maria Varmazas
No, not Dave Bittner.
- [31:22]
Dave Bittner
What the hell are we doing here? Yeah.
- [31:26]
Maria Varmazas
Why?
- [31:26]
Joe Kerrigan
Well, can you share one of them?
- [31:31]
Maria Varmazas
Let's see. Well, one of them is a family member we don't communicate with anymore. All right. Heartbreaking. Well, they were skilled in the way of the scam, if you will. The scam way, if you get it.
- [31:45]
Joe Kerrigan
Ah, I see. Sure, sure.
- [31:47]
Maria Varmazas
Yeah. And another one is a little recent, so I'm not going to breach that broach that.
- [31:57]
Joe Kerrigan
Okay, sure. I had one that I can remember actually, back in college, was a college dorm mate, you know, so somebody who lived down the hall from me.
- [32:08]
Maria Varmazas
The shifty dorm guy.
- [32:10]
Joe Kerrigan
Right.
- [32:11]
Dave Bittner
There's always one.
- [32:12]
Maria Varmazas
Yeah, there is.
- [32:13]
Joe Kerrigan
Yeah. Who just. And it only in retrospect did I figure out, in fact, it dawned on me years after college that this person was absolutely just full of it with like everything that he claimed to be and say and do and promised. And he was just. He was someone who, through the boldness of his claims and the total confidence in the things that he said, somewhere along the lines he learned that many, many people, including me, would just believe it. And I did.
- [32:47]
Dave Bittner
Yeah. So there's a bunch of people like that in Infosec, actually. And it's amazing that how long they were successful before the community would go, hey, wait a second. So that's a bit of a sad reality.
- [33:01]
Joe Kerrigan
Yeah. So that brings me to my story, which was shared from. One of our N2K colleagues here sent me this article. This is from Outside magazine. It's an article written by Brendan Borel and it's titled Inside the Mind of Thru Hiking's Most Devious Con Man. So this is the story of a woman named Melissa Trent, who was a single mom. She lived in Colorado Springs, and she was on the dating app Plenty of Fish. And she was approached by a man named Jeff Cantwell. And he had rugged outdoor photos of himself just who seemed like the perfect guy for Melissa. He was an outdoorsy kind of guy. He was training to be an arborist. He was a military veteran, a nature enthusiast, and he had a tragic backstory where his family, both his parents and his wife and child, had died in a tragic car accident. And Melissa and this guy Jeff hit it off. They grew to know each other very well. They met in person. They. They had dinners together. He was very kind to her children. And it Seemed like everything was going great. They both loved the outdoors and enjoyed adventures, those sorts of things. And then one day, Jeff borrowed Melissa's car. She was. I can't remember if she was at work or school or, you know, something like she was somewhere else where she didn't need her car for the day, and she loaned Jeff the car and didn't really think much of it. And while Jeff was out using the car, Jeff sent her a message and said, hey, while I'm out using the car, this car's a little low on gas here. Do you mind if I use this credit card that you left in the car to buy some gas? And Melissa thought to herself, I don't remember leaving a credit card in the car, but sure, why not? She trusted him.
- [35:08]
Maria Varmazas
Also a violation of my car borrowing policy.
- [35:11]
Joe Kerrigan
What's that?
- [35:12]
Maria Varmazas
Which is to always return the car full of gas.
- [35:15]
Joe Kerrigan
Oh, yes.
- [35:17]
Maria Varmazas
Well, that's at my expense.
- [35:19]
Joe Kerrigan
Yeah. Yeah, right. I think that's a good policy.
- [35:21]
Maria Varmazas
Yeah. When you borrow someone's car, return it full of gas.
- [35:24]
Joe Kerrigan
Yeah. You're a gentleman, Joe. I agree.
- [35:27]
Dave Bittner
And a scholar. It's true.
- [35:28]
Maria Varmazas
Yeah.
- [35:30]
Joe Kerrigan
So maybe.
- [35:32]
Maria Varmazas
Maybe I'm one of those things.
- [35:33]
Joe Kerrigan
When he starts getting a little suspicious about this, this just feels different. Right. And eventually, Jeff makes off with the car and the credit card, And Melissa contacts the police, and they do some digging, and they find that this gentleman, Jeff Cantwell, was actually Jeffrey Dean Caldwell, who was a career con man with a history of theft and fraud. He had spent the past couple of decades posing as this outdoorsman, and he was preying primarily on women and elderly people with his tales of hardship and adventure. And the story talks about this pattern that's so common with con men. He earned her trust using flattery and also shared stories. But then he orchestrated a crisis to manipulate his victim. He talked about his, you know, his family passing away, which wasn't actually what had happened. His family was still around.
- [36:39]
Maria Varmazas
Probably hates him.
- [36:40]
Joe Kerrigan
Yeah, I mean, Melissa, the victim here, you know, she stayed hopeful for a long time, as the victims often do.
- [36:48]
Maria Varmazas
Right?
- [36:49]
Joe Kerrigan
But eventually he was arrested in South Dakota driving her car, which, by the way, he had just beat the crap out of. Surprise, right?
- [37:00]
Dave Bittner
Yeah.
- [37:01]
Joe Kerrigan
You know, that's what these types of folks do, I think. They go from one person to another, use them up, and then find someone else. Now, Melissa eventually got access to his Facebook account, and she updated it.
- [37:21]
Maria Varmazas
How did she do that?
- [37:22]
Dave Bittner
Did she hack it or something?
- [37:24]
Joe Kerrigan
No, no, she found. So one of the things he left behind was a notebook that had Access to his face. It had the credentials written down for his Facebook.
- [37:33]
Dave Bittner
Good for her.
- [37:35]
Joe Kerrigan
So granted, in violation of the Computer Fraud and Abuse Act, Melissa logged into his Facebook account and basically put a warning up for everyone to see, saying that he was a con man and that he was heading to prison. And sure enough, when he got caught in South Dakota, he was faced with the reality of the many, many people that he'd conned. And he'd been in prison before. This was not his first time in the slammer. So now he's facing up to 25 years. And the author of this article spoke with him many times.
- [38:10]
Maria Varmazas
Really?
- [38:11]
Joe Kerrigan
Yeah. Yeah. And said that he is a charmer. He wins you over for some reason. He's someone that you can't help kind of rooting for, which, again, is this like the folks who have this gift of the gab, who are able to do this over and over and over again. Somewhere along the lines, they realize that they have this skill. They can weave a spell over people. And it's easier, they think, than living an honest life despite, like Caldwell could face the next couple decades in prison.
- [38:51]
Dave Bittner
Yeah, he should have become a podcaster like the rest of us. Dave, not a good idea.
- [38:55]
Joe Kerrigan
That's right. That's right. The place where all ne'er do Wells land, Right? Podcasting. It's either prison or podcasting. There's no in between one or the other. That's right.
- [39:08]
Dave Bittner
That's how it goes.
- [39:09]
Joe Kerrigan
Yeah. So hopefully soon we won't be down to two hosts for this show.
- [39:16]
Maria Varmazas
Everybody's taking bets on which one of us is going to prison.
- [39:20]
Joe Kerrigan
Which one will fall first?
- [39:22]
Dave Bittner
The over. Under on that one.
- [39:24]
Joe Kerrigan
Yeah, yeah. So it's an interesting read. There's a lot more details here. We'll have a link in the show notes. I recommend that folks check it out. This is one of those articles you can send around to your friends because it really does have so many of the indicators that seem obvious in retrospect. But as you're in the middle of it, you could understand how people would fall for this thing, this sort of thing. People are, you know, they create a connection and they tug at your heartstrings, and they're so good at doing that. They're effortless at doing that. And folks fall for it and, you know, end up losing a lot of money. In this case, Melissa lost her car and some money from her credit card. So not so bad in the grand scheme of things, but still, you know, terrible. Real hassle. And so, yeah, Mr. Caldwell's doing time.
- [40:19]
Maria Varmazas
Yeah. Hopefully he'll do a good amount.
- [40:21]
Joe Kerrigan
Yeah, it's just a shame. And I think like we were talking about, we all know we've crossed paths with these sorts of people and some of them just get away with it. They manage to do it time and time again and they just get away with it. And that can be frustrating on its own. So. All right, we will have a link to that story in the show notes. Joe, Maria, it is time to move on to our catch of the day.
- [40:58]
Maria Varmazas
Dave, our catch of the day comes from Raul who says this was sent to my mother whom I've educated over and over again about what to look for when it comes to a scammy slash spammy text message. Now, Raoul notes that his parents first language is not English, so bear that in mind and that that seems to have an impact on how they would overlook the bad grammar, which I think is, you know, an excellent observation. We've never really addressed here that if you're not a native English speaker, some of this stuff may not seem as hilariously awkward.
- [41:31]
Joe Kerrigan
Right.
- [41:32]
Maria Varmazas
As it does to us.
- [41:34]
Joe Kerrigan
Right.
- [41:34]
Dave Bittner
Yep.
- [41:35]
Joe Kerrigan
All right, well, let me read this one. It says apple transaction info. We have noticed that Your Apple iCloud ID was recently used at Apple Store California for US dollars, $149.93 paid by IPAY pre authorization. Also some suspicious sign in request and Apple pay activation request detected. That looks like suspicious to us. And a temporary hold has been initiated. In order to maintain the security and privacy of your account, we have placed those requests on hold. If not you, please reach to us at 1808 blah blah blah blah blah to talk to an Apple representative. Failing may lead to auto debit and charge will not be reversed. Call immediately to cancel this charge. Have a great day.
- [42:22]
Maria Varmazas
So that's the text message that Raul's mom got.
- [42:25]
Joe Kerrigan
Yeah.
- [42:27]
Unknown Sponsor
Yeah.
- [42:27]
Maria Varmazas
I don't know.
- [42:28]
Joe Kerrigan
First of all, there's no such thing as I pay, okay? Apple pay.
- [42:31]
Maria Varmazas
How would I know what that is?
- [42:36]
Joe Kerrigan
Yeah.
- [42:36]
Maria Varmazas
Not an avid iPhone user. I have one for work now, but I really hate it.
- [42:43]
Dave Bittner
All of your tests. I'm big on the Apple ecosystem and even I didn't know that, I everything I would just assume it's legit because. Why not?
- [42:50]
Maria Varmazas
Yeah, why not? It certainly could be.
- [42:53]
Joe Kerrigan
What strikes me about this is there are so many of the telltale things here. There's the, you know, you have to call now and if you don't, you'll be charged something that will not be able to be reversed.
- [43:03]
Maria Varmazas
Yep. And that looks like suspicious to us. That's my favorite sentence, right?
- [43:07]
Joe Kerrigan
That looks like suspicious to us. Yes, that looks like suspicious to us.
- [43:11]
Maria Varmazas
Raoul notes that he sees a lot of this happening in people close to him, and he knows a lot of people have been targeted. And he's still shocked that a lot of people don't understand whether or not these are real. Yeah. And, you know, we see this often. Like, for example, in my story today, Mrs. Swan, who has lost $10,000 to a deep fake Elon Musk scam for crypto. I get exactly why that works. And I don't think, I hope, at least I never, I never start thinking that. Why does this continue to work? It's just. It works because people are humans and, you know, it's just something will make sense to somebody and everybody's vulnerable to something. At some point in time, there's gonna be something that comes up and it's gonna get me. I've talked about how things have gotten me before in this show.
- [44:00]
Joe Kerrigan
We've all been got.
- [44:01]
Maria Varmazas
We've all been got. Yeah.
- [44:02]
Joe Kerrigan
Everybody's been got.
- [44:03]
Dave Bittner
Yeah. Oh, yeah.
- [44:04]
Joe Kerrigan
And we'll be got. We'll be got again. Yeah.
- [44:06]
Maria Varmazas
I'm sure I will be.
- [44:07]
Joe Kerrigan
Just try to minimize.
- [44:09]
Maria Varmazas
Right? Exactly. Yep. And you're right, Maria. We talk about it.
- [44:13]
Joe Kerrigan
That's right. Yeah.
- [44:14]
Dave Bittner
And we'll talk about it. And if we want to rename the show, we should call it that Looks like Suspicious to Us instead of act.
- [44:23]
Joe Kerrigan
See, that could be our spin off show.
- [44:25]
Dave Bittner
There you go.
- [44:26]
Joe Kerrigan
That Looks like Suspicious to Us. We should do T shirts. All right, well, thank you, Raoul, for sending that in. And I have to say, I think your family members are lucky to have you looking out for them and having their back. So we do appreciate you sending that in. And of course, we would love to hear from you. If there's something you'd like us to cover on the show, you can email us. It's hackinghumansn2k.com we want to thank all.
- [44:54]
Unknown Sponsor
Of you for listening. And of course, we want to thank our sponsors at KnowBe4. They are experts in helping users do the right thing through new school security awareness training.
- [45:11]
Joe Kerrigan
That is our show. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com we're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your team smarter. Learn how@n2k.com this episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karp. Peter Kilpie is our publisher. I'm Dave Bittner.
- [46:04]
Maria Varmazas
I'm Joe Kerrigan.
- [46:05]
Dave Bittner
And I'm Maria Varmazas.
- [46:06]
Joe Kerrigan
Thanks for listening.