Maria Vermazes
You're listening to the Cyberwire Network, powered by N2K.
Dave Buettner
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner, and joining me is Joe Kerrigan. Hey, Joe.
Joe Kerrigan
Hi, Dave.
Dave Buettner
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Vermazes. Maria.
Maria Vermazes
Hi, Dave. And hi, Joe.
Joe Kerrigan
Hi, Maria.
Dave Buettner
We've got some good stories to share this week, and we will be right back after this message from our show sponsor.
Sponsor Voice
And now a few thoughts from our sponsors. At ThreatLocker, the tactics used by cyber criminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ring fencing has your back.
Dave Buettner
All right, before we dig into our stories this week, we have a few bits of follow-up here. You want to start us off, Joe?
Maria Vermazes
Yeah.
Joe Kerrigan
I saw this come across the news feed today when I was looking for a story for today, and it was a VIN swap scam. We've been talking a lot about VIN swap scams, right? This is an actual case of a guy in Nevada. He lived in Las Vegas. His name is Sherman Habibian, and he found a GMC truck for sale on Facebook Marketplace, negotiated a deal, and then when he went to register it, cops pulled up behind him at the VIN verification, or the VIN inspection, site. And they lit him up, you know, and he's like, oh, sure enough, the car had been stolen. Now, the good news is that Mr. Habibian had asked for the driver's license of the guy that was selling the car to him, and the guy gave him a fake ID and he took a picture of it, but that was enough evidence to find the guy, and the police have arrested him. I don't know that Mr. Habibian will get his money back, though, because it took three days for the police to find him. And that money is probably already in somebody else's hands. The cops are saying this is a. He's a middleman, a guy that goes out and sells the car, takes the cash and goes. So there's somebody else behind this who is making the money here. And the person that got arrested is just, you know, a person of opportunity.
Dave Buettner
Huh. And do we think that maybe the truck will find its way back to its rightful owner?
Joe Kerrigan
Oh, the truck is going back. Yes. Okay, that is probably going to happen because it was a stolen vehicle when Mr. Habibian bought it and took it to the VIN inspection station. They say at the VIN inspection station they see this happen about three times a week. Three times. That's a lot.
Maria Vermazes
Jeez.
Joe Kerrigan
And they recommend that if you're going to do this, if you're going to buy a truck from somebody, do it at the VIN inspection station, that you can have the VIN inspected there, make sure it's valid, make sure it's not a stolen car, make sure that all the VINs match up, and then you can go ahead with a transfer. And if they say, no, no, we're not going to the VIN inspection station, you say that I'm not buying the car from you.
Dave Buettner
Oh, that's good. No, that's great advice. Huh. Okay, well, we got another bit of follow-up. Some kind clarification and correction from one of our listeners.
Maria Vermazes
This is appreciated.
Listener Voice
That's right.
Dave Buettner
This is from someone who goes by Lippard on Mastodon, who I believe follows me on Mastodon. And they write, listening to the latest Hacking Humans. It's not accurate to make a blanket statement that bank participation in FinCEN reporting is voluntary. Banks are required to submit suspicious activity reports to FinCEN under the Bank Secrecy Act and to respond to law enforcement requests under the Patriot Act. What is voluntary is participation in Patriot Act Section 314, proactive information sharing between financial institutions and with law enforcement. Okay. Also raised on this episode is whether you can pay taxes with cryptocurrency. You can for state taxes in Colorado and Utah, but virtually no one does it, which does surprise me.
Maria Vermazes
Voluntary taxes, really.
Dave Buettner
And I just can't help thinking like paying your taxes in cryptocurrency would be some kind of a red flag, right?
Joe Kerrigan
Yeah. It just sounds like a bad idea to me.
Dave Buettner
Right. It's like pulling up to the IRS headquarters and trying to pay your taxes in rolls of pennies, you know?
Maria Vermazes
Oh, you know, someone's done it.
Joe Kerrigan
That does sound like someone's done that. I'm Free Stater Melissa's compliance.
Dave Buettner
Yeah. Yeah, it's interesting. I mean, you know, we're gonna, we'll see what happens with the coming administration because incoming President Trump has said that he's going to be very friendly with cryptocurrency. So I suspect we could see more access to those options with his coming administration.
Listener Voice
So time will tell.
Maria Vermazes
And more scams.
Dave Buettner
Yes, and a lot more Scams.
Joe Kerrigan
It will probably result in more scams.
Listener Voice
Probably.
Dave Buettner
Yep, probably. All right, well, we would love to hear from you. If there's something you'd like to share with us, you can email us. It's hackinghumans@n2k.com. Let's jump into our stories here. And, Joe, why don't you start things off for us?
Joe Kerrigan
Dave, I have a story from none other than Stu Sjouwerman, CEO of KnowBe4, a longtime sponsor of the show.
Dave Buettner
That's right.
Joe Kerrigan
And the title of this is "Real Social Engineering Attack on KnowBe4 Employee Failed."
Listener Voice
Foiled.
Joe Kerrigan
Foiled.
Listener Voice
Sorry.
Joe Kerrigan
Yeah, it says foiled. For some reason, whenever I see the word foiled, I read it failed.
Dave Buettner
Okay, you failed at reading foiled.
Joe Kerrigan
I did. I've been foiled by foiled.
Dave Buettner
That's right.
Joe Kerrigan
The person is named. We're just gonna call him David B., apparently, and he is the VP.
Listener Voice
Hold on, hold on.
Dave Buettner
It's not me.
Joe Kerrigan
No, it is not you. Okay, I didn't even take that connection, Dave.
Dave Buettner
Yeah, keep going.
Joe Kerrigan
He is the VP of Asia Pacific in Japan, and he experienced this sophisticated attack where late one night, he got a call from somebody impersonating the head of HR, the CHRO, if you will. And they started with phone calls, and all he could hear was, the connection is bad. The connection is bad. And they're spoofing the chief HR. His name is Ani. They're spoofing Ani's phone number. So in one of the calls, the scammer says, look, I'm on a plane, and it's not letting me do WhatsApp audio or video. Let me just text you this information, right? And David says, okay, fine. And he starts this conversation with this scammer. And at some point in time, the scammer asked for some money. He says, I need at least 30,000 Singapore dollars in my account because I can't access my account. And David says, I got to hit the Phish Alert button, right? Which is a KnowBe4 product that everybody who works at KnowBe4 should know about. And this guy pretending to be the HR guy didn't know about it. So David was like, huh, that's. Well, that's a little odd. So he starts asking about plans for dinner in Singapore, knowing that Ani has this love for this local dish that's only available in Singapore, I guess. But the scammers didn't know anything about it. So Ani was like, okay, fine. I know this is a scammer, and I'm done. And he terminates the call and blocks the guy, or terminates the text conversation and blocks the guy. So that's how it works when it works well. This guy reached out. David recognized a couple of red flags like you don't recognize. First off, here's something where I should. If I were a regular user of our products, I would be hitting the Phish Alert button. I'd be using some interface and the guy doesn't know about it. So there's two things right there, right. I think I should hit the Phish Alert button. And the guy doesn't respond with anything that, you know, like, yeah, all right, that's what we need to do here. 
And then when he doesn't know the dish. This comes to a discussion that I had yesterday, actually. I was on a meeting with some local people out of Howard county, and we were talking about the capability of us to be impersonated like us, the three of us.
Listener Voice
Okay.
Maria Vermazes
Because nobody could ever imitate you, Joe.
Joe Kerrigan
Yes, they could, very easily. Just by taking the last five minutes of audio where I was sitting here droning on about this story.
Dave Buettner
Yeah.
Maria Vermazes
And then in person, your words, but not your essence.
Joe Kerrigan
Yes, that's right. Yeah. And that's kind of my point here, is it could sound like me. And I've actually had this conversation with everybody in my family. And another person on the meeting yesterday said they'd done the same thing, where I will never call and ask you for money. That's not going to happen. If I'm going to ask you for money, I'm going to be there in person. I'm going to make the effort. Right. Hopefully I never have to ask anybody for money.
Dave Buettner
Right. Yeah.
Joe Kerrigan
But, yeah, I'm not going to call and ask you for money. And if I do, that's probably a scammer. So think like that. Think in terms of how you would if someone's calling you. And even if you think you know them, these voice modifiers are getting really good and almost real time. So have a password or do some knowledge-based authentication. You know, hey, what are you going to do this weekend with the trip, or something like that. Or my favorite thing that I was thinking of today is somebody calls you from your bank. I was thinking this on the way over, and this doesn't really apply to an interpersonal thing, but somebody calls you from your bank and says, hey, I'm from your bank. And you go, Bank of America? And they say, yes. I don't have an account with Bank of America. So you pick a bank where you don't have an account and ask if they're from that.
Maria Vermazes
Yeah. Yep. I remember as a kid there was advice. I think kids are still being given this advice. Have a password between you and your parents. If somebody says, hey, I'm here to pick you up after school. They don't let people do that anymore, but when I was a kid, they did. They used to just let anybody pick up a kid.
Dave Buettner
They're like a stranger, Billy. Yeah.
Maria Vermazes
As long as they know the password.
Joe Kerrigan
He says you're. He says he's your uncle.
Maria Vermazes
Yeah, yeah, yeah, I'm sure. I'm sure he's related to you somehow. He looks like you. Yeah. So I actually had that conversation with my mom. Hey, do you remember that password that we talked about when I was a kid? She didn't remember, but I got to refresh her memory. It was a nice little trip down memory lane.
Joe Kerrigan
I'd like to know what the password was.
Maria Vermazes
I'm not telling you.
Joe Kerrigan
Because I'm going to send someone to abduct Maria or her mom.
Dave Buettner
You tried to social engineer me just now. Kidnapping Maria's mom would have been a.
Maria Vermazes
Very, very bad one.
Dave Buettner
Just to teach her a lesson. Kidnap her mom?
Joe Kerrigan
Yeah.
Maria Vermazes
What?
Dave Buettner
Yeah, you never should have shared that password, Maria.
Joe Kerrigan
A better mom puts up much less of a fight than she does.
Maria Vermazes
Oh, my God. Can we leave my mom out of this?
Dave Buettner
Too late, too late, too late.
Joe Kerrigan
I would never harm a hair on your mother's head, Maria.
Maria Vermazes
Listen, have you ever pissed off a Greek lady? I don't recommend it.
Dave Buettner
No, probably. Probably not. Probably. Probably would not go well.
Joe Kerrigan
Probably just as bad as making an Irish woman mad, which I do on a regular basis.
Dave Buettner
Oh, I see. I see. Yes, yes, I understand. All right, well, we will have a link to that story in the show notes. Maria, what do you have for us this week?
Maria Vermazes
Another gold bar scam, which I'm amazed to see these and saddened. Just to be clear. This was one I.
Dave Buettner
Let me interrupt you for a second, Maria, before you get into this. Have either of you ever laid hands on a gold bar?
Joe Kerrigan
Funny.
Maria Vermazes
And sure, I've never even seen one.
Dave Buettner
Joe.
Joe Kerrigan
I laid hands.
Maria Vermazes
This is what gets me about these.
Joe Kerrigan
A friend of mine and I were talking and he was talking about how he has some gold bars laying around as you do. And I was like, I'd like to see them.
Dave Buettner
Okay.
Joe Kerrigan
And he showed them to me and they are 1 oz bars. They are small bars.
Dave Buettner
So like the size of a fun-size Hershey bar.
Joe Kerrigan
Is that like, not that big?
Dave Buettner
Okay.
Joe Kerrigan
And he has gold and silver.
Maria Vermazes
Oh, really?
Joe Kerrigan
It's not an unusual amount. You know, it's not like all my money is tied up in gold and silver.
Dave Buettner
Right.
Joe Kerrigan
Because that's not. But it is a. How can I say this? It's something he has that he wants to have around the house.
Dave Buettner
Yeah.
Joe Kerrigan
And.
Maria Vermazes
Okay, well. Yeah.
Dave Buettner
Just in case.
Joe Kerrigan
Just in case.
Dave Buettner
Right, right.
Joe Kerrigan
So I get it. And who knows? Maybe one day he'll be. He'll be. Right. But I think if you're. If you're looking at that kind of thing, the thing to have lying around the house is iron and lots of it.
Listener Voice
Really?
Joe Kerrigan
Yeah.
Dave Buettner
Go on.
Joe Kerrigan
Yeah. If civilization collapses.
Maria Vermazes
Screw my story. I want to hear this.
Joe Kerrigan
Gold's not going to be of much worth. Iron will be much more useful also much more accessible.
Dave Buettner
Like. Okay, well, I mean.
Joe Kerrigan
Yeah, I guess it would be more for smelting. Yeah. For forging, probably. You probably wouldn't be able to smelt. Yeah. You need a lot of civilization smelt.
Dave Buettner
Yeah.
Maria Vermazes
Save some bronze while we're at it.
Joe Kerrigan
Right.
Dave Buettner
Joe is holding back to us. He's actually paving the sidewalk up to his new home in gold bars.
Joe Kerrigan
That's right.
Maria Vermazes
I always thought they were sort of brick sized. You're telling me they're Hershey bar size?
Joe Kerrigan
I mean, the 1 ounce ones. There are brick ones.
Dave Buettner
Oh, yeah. I mean, the bricks are the ones you see in movies. And like whenever somebody talks about Fort Knox, you see these gold bricks.
Maria Vermazes
That's my mental model of them.
Dave Buettner
Yeah.
Maria Vermazes
I've never seen a real one in person. Yeah. I don't even know where I would get one. Like, how do you even acquire these? I have no idea.
Dave Buettner
That's a good question, Joe. Do you know where you buy. Where does one get a 1 oz gold bar? Can you go to the bank and.
Joe Kerrigan
A 1 oz gold bar.
Maria Vermazes
Is it on Amazon?
Joe Kerrigan
I don't know that I'd buy it on it. You can go to a gold dealer and buy it. Some jewelers may have it.
Dave Buettner
Yeah.
Listener Voice
Oh, a jeweler.
Dave Buettner
Okay, that makes sense.
Joe Kerrigan
Yeah. But you know, make sure of what you're paying. If it's just a gold bar, make sure you're not paying very much over the price of an ounce of gold when you buy it. I mean, like when you go to buy jewelry, that is so overpriced.
Dave Buettner
Yeah. Interesting.
Joe Kerrigan
And don't buy diamonds. Diamonds are a scam.
Dave Buettner
All right, so I'm sorry, Maria. That was much more of a ramble than I thought it was going to be. So back to you.
Maria Vermazes
I'm still stuck on blacksmithing. That's just where my. I know a few people who work a forge and will have an interesting conversation with them later. I'm just amazed by the proliferation of gold bar scams because, as we've all been talking about. Okay, Joe, you're the exception. Dave and I don't know where one gets these, and yet there's so many scams with these now, I guess to avoid wire fraud because people have caught onto that a little bit more. So I think if anyone just comes in asking for a gold bar at this point, that's a giant red flag that something bad is going on. But anyway, so there's this new story about yet another gold bar scam. This is happening in you all's neck of the woods, in Maryland, in Bethesda. There was a couple that had given 36, $7,000 in gold bars to a person that they believed was with the FDIC, or the Federal Deposit Insurance Corp. They had been told that this money was going into a safe locker. But they started to suspect after some time, when people went quiet, that maybe that money was not so safe. So they went to the police. And here is the story that unfolded. As you can imagine, it was a scam. This couple of 75-year-olds were initially targeted by one of the bazillions of text scams that we all tend to get nowadays. This one said that their Apple ID had been compromised and that someone had made a small unauthorized purchase with their Apple ID for around a hundred dollars. So not a catastrophic amount for most people, but enough that you're going, okay, well, that's not good. So the text message advised them to call an Apple rep. And then when they were on the phone with the Apple rep, they got passed along that chain that we've talked about so many times, where it just kind of kept escalating at every step. So first the scammer Apple rep told them to download a remote access app on their computer, so the next scammers, I guess, could see what was going on on their computer. 
And then the couple was told that their Charles Schwab account had been hacked. So then they get passed along again, this time to a Charles Schwab representative. I don't know why an Apple guy would have the Charles Schwab guy's right phone number, but apparently they do. They're all buddies. And then Charles Schwab said, well, actually, $41,000, $41,500 of your money has already been used to purchase child pornography. You've been compromised. You're being reported now to the Federal Trade Commission. So again, now they're being passed along again. And at this point, the couple's then told they need to start withdrawing huge sums of money, over $200,000 apiece, convert it to gold bars, and then hand it over, as mentioned earlier, to the FDIC for safekeeping, or else hackers would take their money and then use it to fund Russian missile suppliers. So we've.
Listener Voice
Wow.
Maria Vermazes
Right. So child pornography threats and Russian missile supplier threats all in one story. That would terrify a lot of people, understandably. So that's the point here.
Joe Kerrigan
When you hear child pornography, or as I prefer to call it, CSAM, because it's not as jarring as what it actually is. And when you hear that, immediately you're like, what? No, I'm not involved. You become immediately defensive because this is one of the most reprehensible things that people get busted for.
Maria Vermazes
Agreed.
Joe Kerrigan
Right, Agreed. Nobody wants to be associated with this at all. So even mentioning this is going to have a real impact on your thinking capability.
Maria Vermazes
Yeah, you're gonna want to clear that up right away. Whatever it takes. I'm dropping everything. I'm getting this cleared up right now because I don't want any of this near me because no. No reasonable person ever would. So you're going to do whatever it takes to just get this to go away.
Joe Kerrigan
Right. And while you're still worried about that, they pile on with the Russian missile suppliers.
Maria Vermazes
Right. Which we've. We've talked about stories like this where when we read it back, it just sounds so funny to hear it in this context, but.
Joe Kerrigan
But it doesn't feel that way.
Dave Buettner
I'm imagining, like, the scammers with one of those big wheels that you spin that goes click, click, click, you know, like, what's it going to be? Russian missile suppliers. All right.
Joe Kerrigan
You know, like, who's the next one? Iranian.
Maria Vermazes
I hate the bargain.
Joe Kerrigan
Avoidance.
Dave Buettner
Yeah. Just in the call center. They're like, spin the wheel. Yeah.
Maria Vermazes
Oh, my God. So then there's subterfuge that's always layered in with this, where, you know, don't tell anyone about this, because then you'll compromise this whole mission that we've got you on, because we need you to participate and cooperate. Otherwise this all goes south and then you're implicated. So of course they're not supposed to. They're not talking about it to anybody who could help them. And then the additional subterfuge of, hey, there's going to be this handoff. It's going to be very spy movie. We're going to have you, you know, buy these gold bars, hand them to this FDIC person who's going to ask you for a password. The passcode is 2525. And as long as he knows it and you know it, then you know it's legit. And even though it's in, like, an Old Navy parking lot, this is a completely legitimate transaction when you hand this money over to a total stranger. Anyway, so eventually, as we mentioned at the top, the police did get involved because they kindly told this couple, hey, you are getting massively scammed. The police actually worked with this couple and created a situation where the scammers would come back to do another pickup, basically, of the gold bars. And a young police detective posed as a 75-year-old woman. And I guess the person doing the pickup did not question this whatsoever and just sort of fell for it themselves. And when the scammer picked up the gold bars and went back to New York City, where they were based, they were arrested. And the thing that I found interesting about this person, his name is Yong Xian Huang. He's 23 and speaks only Cantonese. And his attorney is saying, basically, because he speaks no English, how on earth could he be involved in a scam as complicated as this? He's just a patsy. And I questioned if even he knew what he was doing. Maybe he was just told, go to this place, show this number and drive. He may not have even known what he was doing.
Joe Kerrigan
Yeah, he's a mule.
Maria Vermazes
Yeah, essentially. Exactly.
Dave Buettner
I mean, he got hired for a courier job.
Maria Vermazes
Yeah, he had no idea. So thankfully, it sounds like this particular scam the police are trying to investigate more. Who's at the center of it? We can probably take some wild guesses, but in Montgomery County alone, they've actually uncovered a number of these stories that we've talked about on the show. They said that gold bar scams have totaled 6 and $6.6 million in losses already that they've seen. And this is just in that one county. So this is a lot of money, and people live in that county. I went to the FDIC. What was that?
Joe Kerrigan
I have family that lives in that county.
Maria Vermazes
I mean, I'm just. If this is just one county, you've got to wonder how much money is flowing in gold bars in these scams all over the country. I mean, this is quite a lot of money. I went to the FDIC's website also because I was just curious what they know about all these scams. So they actually have something front and center on their website, just sort of reminding people what the FDIC does and does not do. And they make a point of saying, we will never send you unsolicited correspondence asking for money, and we will never threaten you. No government agency will ever demand that you pay by gift card, wiring money or digital currency. I think they should probably add gold bars to that list. And the FDIC would never contact you asking for personal details such as bank account information, credit and debit card numbers, Social Security numbers, or a password. So, I don't know. Gold bars just should be a red flag for anybody at this point. But this is just wild that these keep happening. There's so many around the country, and Montgomery County seems to be focusing on them a lot. But I'm sure there are other places where it's even worse.
Joe Kerrigan
At one point in time, Montgomery County was, like, in the top five wealthiest counties in the country.
Dave Buettner
Yeah.
Joe Kerrigan
Very wealthy.
Maria Vermazes
I'm sure that's why it's being. Yeah, that's why it's being targeted. Yeah, for sure.
Dave Buettner
I mean, I guess also, gold bars are comparatively easy to move around the world. Right. Sort of universally valuable.
Joe Kerrigan
Yeah. And it's, you know, not only that, but I can take a gold bar and modify it so it doesn't have the same numbers on it. I can take the. I can have the gold. I can do something to the gold bar that makes it not the same thing. Right. Like, you can't do this with like $100. I could smelt it. Right.
Maria Vermazes
Just take it to your forge friends.
Joe Kerrigan
Right.
Dave Buettner
Maybe throw in a little iron.
Joe Kerrigan
Yeah, I've seen, actually, I've seen people that have. Have these. These gold forges in. In their house. They're like small ovens that just get really, really hot with it with a graphite crucible inside of it. So you could. You can do this and then pour in. Pour the gold directly into some other mold and make another ingot that doesn't have any tracking information on it and then move that wherever you want. I mean, it. It's pretty easy to do this. I mean, it doesn't require a lot of skill to move this stuff around. It's like. It's almost like cryptocurrency, except it's less trackable.
Maria Vermazes
It's very primitive. And I don't mean that disparagingly. It's just.
Joe Kerrigan
Right.
Maria Vermazes
We're talking about smelting and crucibles.
Joe Kerrigan
It's very low level, Right?
Dave Buettner
Yeah.
Maria Vermazes
It's kind of impressive that we've all gone full circle on this.
Joe Kerrigan
Right.
Dave Buettner
Joe, you and I are around the same age. Do you recall in science class when you were coming up sort of casually playing with mercury?
Joe Kerrigan
No.
Dave Buettner
We did.
Maria Vermazes
I was not allowed to do that. No. We heard the stories, though.
Joe Kerrigan
Was that in elementary school? You heard that?
Dave Buettner
No, this was in high school.
Joe Kerrigan
No, in high school, we. We were told that now in high school, they actually gave us radioactive material.
Dave Buettner
Yeah. It explains a lot about both of us. But I'm not joking.
Joe Kerrigan
They brought in little. I remember what they looked like. They were little tiny discs with radiation in them.
Dave Buettner
Right, right.
Joe Kerrigan
Radioactive stuff in them.
Maria Vermazes
Did you lick it or.
Joe Kerrigan
You weren't even allowed to eat anything while you were in the class.
Dave Buettner
We had a hot tub full of mercury. And actually, we had. So here's the thing. You get a little container of mercury. Okay.
Maria Vermazes
A little. Don't do this.
Dave Buettner
No, don't do. Ladies and gentlemen, mercury is a neurotoxin, in case you.
Joe Kerrigan
Yeah.
Dave Buettner
It's very hard these days. If you spill mercury, the fire department comes and, you know, it's a hazmat situation. But it used to be, you know, mercury. Just mop it up. Yeah. Get a paper towel.
Joe Kerrigan
Get a paper towel.
Dave Buettner
Clean that up, toss it up.
Maria Vermazes
It's like a liquid slinky. You can just pass it between.
Dave Buettner
Yeah, exactly. And let me just tell you, it is very fun to play with. So one of the fun things that we did in science class is you could. Because you could float quarters on it. Right. Cause it's so dense.
Maria Vermazes
Oh, my God.
Dave Buettner
That you can float heavy things on the mercury. So that's the kind of thing we would do.
Joe Kerrigan
You put that quarter right back in your pocket.
Dave Buettner
Yeah. Or your mouth. We just lick this clean. There we go. Mm. Wow.
Maria Vermazes
It's amazing you both are still alive.
Listener Voice
I know.
Dave Buettner
I know. We are both much, much smarter.
Joe Kerrigan
I'm gonna tell you another horror story.
Dave Buettner
So. But here's how I'm gonna bring this home. One of the kids in the school, one of the girls floated a gold ring in the mercury.
Joe Kerrigan
Yes.
Dave Buettner
And it turns out mercury is also highly reactive. Well, highly reactive is overstating it. They are reactive. It doesn't. Like, the gold didn't disappear, but the gold changed. The gold absorbed the mercury, reacted with the mercury, and it makes the gold very brittle, where gold is typically fairly strong.
Joe Kerrigan
Right. And soft.
Listener Voice
Right.
Dave Buettner
So she gets, you know, gets the little tweezers and gets the gold ring out of there, and it's a different color and has a different patina to it, and it crumbles in her hand, and she's like, oh.
Maria Vermazes
Why did she have that bright idea in the first place as it was?
Dave Buettner
Well, I mean, I bet it was curiosity.
Joe Kerrigan
Well, I know gold's pretty dense. Will my gold ring float on top of it?
Dave Buettner
Exactly. Exactly. I mean, how many of those kinds of active chemical reactions do you see in a given day? Not very many.
Joe Kerrigan
I didn't know that gold was reactive with mercury for some reason.
Dave Buettner
Yeah. So it turns out there is a way to remove the mercury from the gold and get the gold back. But it ain't gonna be in ring form anymore when you.
Dave Buettner
When you get it back. So, anyway, that's my story, Joe. What's your story of dangerous chemicals?
Joe Kerrigan
I got a chemistry set when I was a kid.
Dave Buettner
Of course you did.
Joe Kerrigan
You know what was in that chemistry set?
Listener Voice
Oh, I don't know.
Dave Buettner
Arsenic, cyanide.
Joe Kerrigan
Ferrocyanide. Dave, it was ferrocyanide.
Dave Buettner
Cyanide.
Joe Kerrigan
I opened that up, or I. It had a little key on the side of it. My dad's looking through it with me. He goes, oh, this will kill you, cyanide. It'll kill you very quickly, not to have all the fun. I was, like, terrified of this thing. It's like, you know, the old adage. You're not afraid that you're going to fall off the building. You're afraid you're going to jump. You know, I know I don't want to use that stuff, but.
Dave Buettner
Yeah.
Joe Kerrigan
What if one day I get really stupid? You know, I don't even want it around. I don't know what happened to the chemistry set. It just got thrown into the trash at one point in time.
Dave Buettner
It's in a landfill somewhere. Yeah.
Joe Kerrigan
Ferrocyanide leaching out into the land.
Dave Buettner
Yes. Yeah. Just seeping into.
Maria Vermazes
I'm sure there's no problem with that.
Joe Kerrigan
I hope not.
Maria Vermazes
That's great.
Joe Kerrigan
I don't know if ferrocyanide and cyanide are the same thing. It was very, very dark blue. I do remember that.
Dave Buettner
Huh. What did it taste like?
Maria Vermazes
I'm jealous. All my generation got was microplastics.
Dave Buettner
Right, right. All right, well, you know what? This is a great time for us to take a break. We're gonna take a break to hear a message from our sponsor. We'll be right back after this.
Maria Vermazes
So.
Sponsor Voice
Let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust endpoint protection platform deploys in a learning mode that analyzes the operations of your company using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east-west network traffic. We thank ThreatLocker for sponsoring our show.
Dave Buettner
Okay, my story this week comes from our friends at the FBI. This is a public service announcement that they put out about a week ago. This is from the IC3, which is the Internet Crime Complaint Center. And this is a warning about how criminals are using generative AI for financial fraud. And so the FBI goes through a number of different things that they're seeing. Obviously AI-generated text, that's probably the most obvious one. And Joe, you and I have talked about this and Maria as well, where the dead giveaways that used to be there in lots of phishing emails are gone.
Joe Kerrigan
Are gone.
Dave Buettner
Yeah, yeah. Because AI can just make it sound.
Joe Kerrigan
Perfect and grammatically perfect.
Dave Buettner
That's right, that's right. And it also allows the scammers to operate at a higher velocity. They can send more stuff because the AI engines can just generate multiple versions.
Joe Kerrigan
And it can be automated.
Dave Buettner
Right. You can say to the AI, you know, generate 50 versions of an email that does this and it'll do it. Which makes them harder to catch in spam filters. They also talk about AI-generated images. These are for things like social media profiles, for fake ID documents. I never really thought about this. Someone could have the AI generate probably a pretty convincing-looking government employee ID.
Listener Voice
Right?
Dave Buettner
Photos. They use them to make images of celebrities, folks who are famous on social media. All those kinds of things the AIs can do. Of course, we already talked about voice cloning in Joe's story, so that's available. And even just recently now the video tools have become much more widely available than they were before. And so people can again make depictions of public figures. But, you know, even people you might know, you can take a photo and turn it into a moving image now and make it look like somebody you know. So the FBI has some tips here to protect yourself. And number one on the list is create a secret word or phrase with your family to verify their identity. As we talked about earlier in the show, such a good idea.
Maria Vermazes
Don't say it on a podcast.
Joe Kerrigan
Don't share it with your podcast co host.
Dave Buettner
Once more, Maria, what's yours with you? You and your mom.
Maria Vermazes
And that point I'm still not telling you. And that is not the phrase.
Dave Buettner
Getting back to the FBI here, they say look for imperfections in images and videos, particularly hands and feet. There's teeth, eyes, ears. There's just little things that don't seem quite right.
Joe Kerrigan
Those will all go away.
Maria Vermazes
Stuff in the background.
Dave Buettner
Yeah.
Joe Kerrigan
All those tells will disappear.
Dave Buettner
Yep, yep. They say verify the identity of the person calling you by hanging up, researching the contact information of the bank or organization, and calling the phone number directly. And of course, they say never share sensitive information with people you've met only online or over the phone. Don't send money, gift cards, cryptocurrency or other assets. And we're going to add gold to people you do not know.
Maria Vermazes
And maybe also mercury or iron. I don't know.
Joe Kerrigan
Right.
Listener Voice
I hadn't thought about.
Dave Buettner
Yeah. I wonder what mercury goes for these days. I don't know. Probably is as expensive to handle the transport of it is.
Listener Voice
It's very heavy also.
Dave Buettner
But tasty. And they say if you believe you've been a victim of financial fraud, please file a report with the FBI's Internet Crime Complaint Center, that is IC3.gov, and give them as much information as possible. I know from experience and talking to the folks in the FBI that I've had the opportunity to interview that you probably should not expect a rapid reply from the FBI when you put something into this system, simply because they are so overwhelmed.
Joe Kerrigan
There's a lot that goes into that system. Yeah.
Dave Buettner
And they just don't have the resources to directly respond all the time. But know that it does get logged and it does help them go after the things that they do. They do use the information. They do work on it. So if you submit something, it is helpful, even if it might not be completely satisfying with the response that you get. So we will have a link to that in our show notes. It's actually direct, I guess you call it a press release from the FBI. And there's quite a lot of good information in there. And it's one of those things pretty concise. It also is authoritative. So it's a nice thing to send around to your friends and family to say, look, here's what the FBI says and maybe you'll help prevent them from getting scammed. All right, let's move on to our catch of the day.
Joe Kerrigan
Dave, Our catch of the day comes from someone who just goes by a. Fonzie. Yeah.
Dave Buettner
A.
Joe Kerrigan
They didn't provide us with, with their actual name, so. But they say this, they thought this was a funny one. And it's. I'll give you. I'll. I'll do a little spoiler, Dave. It looks very much like an advanced fee scam, but it's got a lot of moving parts.
Dave Buettner
Okay, it goes like this.
Listener Voice
Attention. We sincerely apologize for sending you this sensitive information via email instead of certified mail, post mail, phone or face to face conversation. It's due to the urgency and importance of the security information of our citizens. I am Assistant Special Agent in Charge Chad B. Yarbo from the Federal Bureau of Investigation field intelligence groups. We intercepted two consignment boxes at Dallas Fort Worth International Airport, Texas. The boxes were scanned but found out that it contained large sum of money and also some backup documents which bears your name as the beneficiary. Receiver of the money investigation carried out on the diplomat that accompanied the boxes into the United States said that he was to deliver the fund to your residence as overdue payment owed to you. Meanwhile, we cross check all legal documents in the boxes. But we found out that your consignment was lacking an important document and we cannot release the boxes to the diplomat until the document is found. Right now we have no other choice than to confiscate your consignment according to Internal Revenue code in Title 26. Also contain reporting requirement on Form 8300 Report of cash payment over $10,000 received in a trade of business money laundering activity may violate 18 U.S. 1956, 18 U.S. 1957, 18 U.S. 1960 and provision of title 31 and 26 U.S. 60501 of the United States Code. This section will discuss only those money laundering and currency violation under the jurisdiction of the IRS. Your consignment lacks proof of ownership. Your consignment lacks proof of ownership certificate from the joint team of IRS and IRC. Therefore, you need to reply back immediately for direction on how to procure this certificate to enable us relieved the charge of evading the law on you, which is punishable offense in the United States. You are required to reply within 72 hours. At that point, I will walk you through the process of clearing and claiming the money.
Failure to comply may lead to your arrest, interrogation and or you being prosecuted.
Dave Buettner
In a court of law for tax.
Listener Voice
Evasion and or money laundering. We will also dunk you in Mercury.
Joe Kerrigan
No, I made that part up.
Listener Voice
You are also instructed to desist from further contact with any banks or persons in the United States, the United Kingdom or any part of the world regarding your fund because your payment has been confiscated by the Federal Bureau of Investigation here in the United States. Yours in service, Agent Chad B. Yarbo, Assistant Special Agent in Charge, FBI Dallas Area Division.
Joe Kerrigan
Pretty good.
Dave Buettner
So pretty good.
Joe Kerrigan
It's basically a trunk box scam, right?
Dave Buettner
That's what I was going to say. Yeah.
Joe Kerrigan
If you start talking to them, they're just going to say you need to pay this fee and this fee and this fee and this fee.
Dave Buettner
You know trunk box scams go back to like pirates. Yeah.
Joe Kerrigan
It's very old school.
Dave Buettner
Hundreds of years old. Yeah.
Maria Vermazes
And they still work. Amazing.
Joe Kerrigan
Yeah.
Dave Buettner
There's basically no punctuation in this either.
Maria Vermazes
No, no.
Joe Kerrigan
And here's my thinking. Why is it like this? Why did they not use the generative AI to produce this? Is that because they are still just writing these themselves in the hopes of getting someone who. Uh. We'll skip over all the things because we've, we've heard that in the past that part of the reason these things work is because of their bad grammar.
Listener Voice
Right.
Joe Kerrigan
That somebody who is going to overlook the grammar is the same kind of person that will fall for these scams. So it's like self selection. Um, so maybe that's a value to the scammers.
Dave Buettner
Yeah. The only other thing I can think of is that it might somehow make it more likely that it'll get through some kind of spam filter by having.
Listener Voice
Odd run on sentences.
Dave Buettner
It could be.
Maria Vermazes
I don't know, maybe. I mean, what about the huge long codes of provisions and titles? I mean, does that actually scare. I mean, does anyone believe that? I mean. Oh yeah, USC 18, 1957. I'm intimately familiar with that one. I definitely know what this is referring to.
Dave Buettner
That part strikes me as being copy pasted off of the IRS website or something just to throw some legalese in there.
Joe Kerrigan
Yeah.
Dave Buettner
Make it seem more official.
Joe Kerrigan
I didn't take the time to look at these codes Maybe I should have. You know.
Maria Vermazes
Maybe you should.
Listener Voice
Maybe I should.
Joe Kerrigan
Maybe the listeners can go look them up. But no, it's just there to make it seem legit. These are probably real codes. These are probably real sections of the US Code.
Dave Buettner
Oh, you know what? Chad Yarbo is actually an FBI person. Yeah. I'm looking up here. On September 23rd of 2024, he was named Assistant Director of the Criminal Investigative Division. Yeah.
Joe Kerrigan
So they've done the research on this.
Maria Vermazes
Can you Google any of this? Yeah, it'll come up as very plausible. And you go, oh, this must be real.
Listener Voice
Yeah.
Dave Buettner
So he's actually at headquarters in D.C., but he did recently serve in the Dallas field office. So really, there you go.
Joe Kerrigan
So they're actually impersonating a real FBI agent.
Listener Voice
Right.
Joe Kerrigan
I wonder if that's legal.
Maria Vermazes
Maybe this email's real. Maybe this is actually happening. Oh, my God.
Joe Kerrigan
It's not at all legal.
Dave Buettner
Wouldn't it be funny if that was the thing that they got busted for impersonating an FBI?
Joe Kerrigan
Yeah. Maybe Chad Yarborough will hear this podcast and go, hey, somebody's impersonating me and using my name as a trunk box scam and advanced fee scam.
Dave Buettner
That's the last straw.
Joe Kerrigan
Yeah. Let's go find out who this is.
Dave Buettner
Right. Since I got my promotion, right? I have resources. Now that I'm at headquarters, there's no more messing around with the Chadster.
Maria Vermazes
I hope Chad listens to this podcast.
Joe Kerrigan
I want to come on the show.
Maria Vermazes
I would love that so much, Chad. Please reach out if you listen.
Dave Buettner
Yeah. Yes, Chad, thank you for your service to our country. Please don't come at us.
Joe Kerrigan
Thanks, Chad.
Dave Buettner
Sir. Yeah. All right, as always, we would love to hear from you. If there's something you'd like us to consider for our catch of the day, you can send it to us. It's hackinghumans2k.com.
Sponsor Voice
And, of course, we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com HH and check out their Zero Trust endpoint protection platform. That's the words threat, threat, and locker with no space.com HH where you can request a demo and neutralize the threat of malware running on your devices.
Dave Buettner
That is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in.
Sponsor Voice
The public and private sector.
Dave Buettner
From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams.
Listener Voice
While making your team smarter.
Dave Buettner
Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Buettner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Vermazes
And I'm Maria Varmazes.
Listener Voice
Thanks for listening, Sam.
Podcast Summary: Hacking Humans – "Gold Bars and Bold Lies"
Podcast Information:
The episode opens with Dave Buettner and Joe Kerrigan welcoming listeners to "Hacking Humans," a podcast dedicated to unveiling the intricacies of social engineering scams and cyber exploits affecting organizations globally.
Before delving into main stories, the hosts address recent developments and listener feedback, ensuring accurate information dissemination.
Joe Kerrigan recounts a recent VIN swap scam case from Nevada, where a man named Sherman Habibian fell victim to purchasing a stolen GMC truck via Facebook Marketplace. The police intervened during the VIN verification, leading to the arrest of the scammer.
The incident highlights the importance of verifying vehicle identities at official VIN inspection stations to prevent similar scams.
A listener, Lippard, clarifies misconceptions regarding FinCEN reporting and the use of cryptocurrency for tax payments.
The hosts discuss the complexities and potential risks associated with using cryptocurrencies for tax payments, emphasizing the increased likelihood of fraud.
Joe Kerrigan shares a compelling story from Stu Shauerman, CEO of KnowBe4, about a failed social engineering attempt targeting a VP named David B. The scammer impersonated the head of HR, attempting to extract funds under false pretenses.
Dave Buettner adds practical advice on recognizing red flags, such as unfamiliar protocols like the "Phish Alert Button," and the importance of verifying identities through established channels.
Maria Vermazes presents a disturbing case of a gold bar scam involving a 75-year-old couple in Bethesda, Maryland. Believing they were securing their funds with the FDIC, the couple was manipulated into transferring $36,700 into gold bars, only to realize it was a sophisticated scam.
The police intervened by setting up a sting operation, resulting in the arrest of Yong Xian Huang, a young courier who was unknowingly part of the scam. Montgomery County alone has reported losses totaling $6.6 million from such scams, indicating a widespread issue.
Dave Buettner discusses a recent FBI public service announcement highlighting the burgeoning use of generative AI in financial fraud. The FBI warns about AI-generated text, images, and voice cloning that enhance the sophistication and success rates of scams.
The hosts emphasize the need for heightened vigilance and better verification methods, such as secret phrases and scrutinizing communication for subtle imperfections.
Joe Kerrigan introduces the "Catch of the Day," a deceptive voicemail message impersonating an FBI agent named Chad B. Yarbo. The scammer uses official-sounding language and legal references to intimidate victims into complying with fraudulent requests.
The hosts analyze the scam's components, noting the inclusion of real legal codes to lend authenticity and the use of outdated grammar to target vulnerable individuals.
The episode wraps up with the hosts reiterating the importance of skepticism and verification in all financial dealings. They encourage listeners to share their experiences and stay informed about evolving scam tactics.
Listeners are reminded to utilize resources like the FBI's Internet Crime Complaint Center (IC3) for reporting and seeking assistance.
Conclusions: The episode underscores the necessity for individuals and organizations to stay vigilant against evolving scam techniques. By understanding the tactics employed by scammers and implementing robust verification protocols, one can significantly reduce the risk of falling prey to such deceptive schemes.