Dave Bittner
You're listening to the Cyberwire Network, powered by N2K.
Joe Kerrigan
Hello everyone and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is my co-host, Joe Kerrigan.
Maria Varmazas
Hey there, Joe H. Hi Dave.
Joe Kerrigan
And our other co-host and N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazas. Hi, Maria. Hi Dave.
Dave Bittner
And hi Joe.
Joe Kerrigan
Hi, Joe. You know, I think I might have inadvertently othered you there.
Dave Bittner
So I was kind of liking it. I'm the other all right with it.
Joe Kerrigan
You're like on an old sitcom, you're a very special guest. But you're not.
Dave Bittner
You're here every week and I teach you all a life lesson.
Joe Kerrigan
That's right. That's right.
Maria Varmazas
It's a very special episode of Hacking Humans.
Joe Kerrigan
That's right. That's right. All right, we will be right back after this message from our show sponsor. But first, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes, working less than 60 hours per week, perhaps actually having a weekend every so often? We get it. User behavior can be a challenge, but users can also be an infosec professional's greatest asset once properly equipped. What do we mean by that? Well, stay with us and in a few minutes we'll hear from our sponsors at KnowBe4 on that very question. All right, we are back and we have some follow-up here. Joey, what do we got?
Maria Varmazas
We got a note from Michael, who sent in a bunch of URLs about this. But he says in a recent episode there was a question about how you can use a VIN in a scam. This is a vehicle identification number. Yep, there are VIN cloning scams. Sometimes it will be included on loan forms. And Michael says he's a little unclear about how it's used as proof of assets to put up as collateral, but you can even use it in some form of OSINT for tracking people. And here are some related articles. He sent a link to the VIN cloning article in Wikipedia, a Cybersecurity News uscybersecurity.net article on how criminals use vehicle identification numbers to hack cars, which I thought was interesting. And then there's also a SANS blog post in here. This goes back to the Wikipedia article, which mentioned something I've heard of before, where people would buy destroyed and totaled high-performance cars that, you know, somebody buys for $100,000 and crashes immediately. And then they go out and they buy that salvage vehicle for the scrap metal value, like $200, $300, because it's worthless now. Right. And then they take the VIN plate off of that car and put it on a stolen car. And then they have a stolen car that they say, hey, I've restored this car from the terrible accident it was in, where it was turned into a ball of crumpled-up aluminum foil. But here it is, all back in, good as new. And there's all kinds of repercussions for that. Like if you buy a car that is actually stolen, but it's not, you know, it's not your fault, but the car was actually stolen, you may be liable for the amount of the loan when that car gets seized.
Joe Kerrigan
Hmm.
Maria Varmazas
So buy your cars from a reputable source.
Dave Bittner
Okay.
Maria Varmazas
And we'll put the TLDR.
Joe Kerrigan
Yeah.
Maria Varmazas
The TLDR is just don't. Don't go to Crazy Joe's. Crazy Uncle Joe's Used Car Sales Lot. Right.
Joe Kerrigan
Unless you're willing to deal with the risk. Moves are removed from place to place, from week to week. You gotta stay wise.
Dave Bittner
It's gotta be.
Maria Varmazas
Yeah. When I'm talking to my family and I propose a business idea, I always suggest the name is Crazy Uncle Joe's. And they're like, you'll never sell anything. Nobody wants to buy Crazy Uncle Joe's food.
Joe Kerrigan
Right? Right. That's funny.
Maria Varmazas
All right, so last week we had the iota discussion. What is the etymology of the meaning of iota for meaning something?
Joe Kerrigan
Yes.
Maria Varmazas
And now, Dave, you got mad because I said I was gonna write the fake one. But here's what I've done. I took careless news.
Dave Bittner
You forgot.
Maria Varmazas
I took Maria's answer and I rewrote it in my voice, and I wrote the fake one in my voice as well. So these are both answers that have been written by me. Okay. Maria did the research on the real reason. Okay.
Dave Bittner
You obfuscated the truth. Okay, I got it.
Maria Varmazas
I obfuscated the truth by. So Maria and I have very different writing styles, and it's very evident who writes what.
Joe Kerrigan
Okay, So I rewrote both.
Maria Varmazas
I did a coin flip to decide which one went first.
Joe Kerrigan
You thorough.
Maria Varmazas
And I'm not. Yes. And then I'm not.
Dave Bittner
I don't even know which one's real at this point, I'm so confused, I forget.
Maria Varmazas
I'm going to take the black highlighting Away. And now. Oops, I just changed the white color. That's not what I wanted to do. What I wanted to do is take this away and say, no.
Joe Kerrigan
There.
Dave Bittner
You've been defeated by formatting. Okay, there we go.
Maria Varmazas
Option one and option two.
Joe Kerrigan
Okay, so I will read them both. Okay, option one. In physics, iota is used to represent Planck's length, which is GH divided by C three times 1/2 the square root of the gravitational constant times Planck's constant divided by the speed of light cubed. I was going to say that.
Maria Varmazas
Right.
Dave Bittner
Equals tip of your tongue.
Joe Kerrigan
Roughly 0.000.000. Lots of zeros. 16 centimeters. Hence the phrase "I don't care, not one iota," which implies I could not physically care less. All right, so, all right, that's option one. Option two. The lowercase iota is the smallest letter in the Greek alphabet. The use of the term to mean something small comes from Matthew's gospel in the Bible, 5:18 specifically, which reads, "For truly I say to you, until heaven and earth pass away, not an iota, not a dot, will pass from the law until all is accomplished." It is also the etymological root of the word jot. The expression could have made sense to the audience, since most people of the region at the time were fluent in Hebrew, Greek, and Aramaic. Okay, so I have to choose which of these is the real answer.
Maria Varmazas
Right.
Dave Bittner
Well, you took us to church, Dave. It was great.
Joe Kerrigan
Thank you.
Maria Varmazas
Both pretty good, right, Dave?
Joe Kerrigan
Yeah, they're both pretty good. I'm going with the biblical explanation.
Maria Varmazas
You are correct.
Dave Bittner
Ding, ding, ding.
Maria Varmazas
Iota is, in fact, not the nomenclature for Planck's constant. That is, I think it's just L sub p or something like that.
Joe Kerrigan
Oh, yeah. Which just rolls off the top.
Maria Varmazas
Right.
Joe Kerrigan
Okay. I mean, so first of all, the reason that I chose this was that. And I could be totally off base here, but it seemed like Maria knew what she was talking about. And if this comes from the Greek alphabet, Maria's got a ringer when it comes to that.
Dave Bittner
It's like I have a bit of an unfair advantage there. Yeah, this is true.
Joe Kerrigan
And also, I just figured this is probably something that goes back farther than when we were talking about Planck's constant.
Maria Varmazas
Right. Farther than quantum mechanics.
Joe Kerrigan
The origin story of the word iota seems like one that would go farther back. So I used my brain, and I chose my thinking brain. That's right. And I deduced which is the most likely one. And it turns out I guessed right. It was an educated guess, but I guessed right. So Joe, what do I win.
Maria Varmazas
This golf clap.
Joe Kerrigan
Thank you very much.
Dave Bittner
I'll make you spanakopita sometime, Dave. How about that?
Maria Varmazas
Oh, spanakopita.
Joe Kerrigan
Okay. I don't know what that is, but I'm hoping it's food.
Maria Varmazas
It is. Absolutely. It is one of my favorite Greek dishes.
Joe Kerrigan
Okay. All right.
Maria Varmazas
I love it.
Joe Kerrigan
Deal.
Dave Bittner
Done and done.
Joe Kerrigan
All right.
Dave Bittner
All right.
Joe Kerrigan
Well, I tell you what, why don't we move on to our stories here. Joe, you have the honors to kick things off for us.
Maria Varmazas
I am going all fraud today, Dave. Okay, and the first one is from NBC News, out of California. This story is by Phil Helsell. Here's the headline, Dave: Person dressed in a bear costume to fake attacks on cars for insurance payout, California officials say. What? I love everything about this car.
Joe Kerrigan
I know.
Maria Varmazas
I saw this. And I was like, this is going in the show today. Okay.
Joe Kerrigan
All right, go on.
Maria Varmazas
Here's what happens. This guy, what he does is he dresses in a bear costume. Go ahead. In California. And then he gets in front of a camera that is, like, watching the outside of his house and smashes the car up in the bear costume. And they have a picture of the bear costume here on the floor. And it comes off. The bear is wearing a T-shirt, but he's got these two, like, metal things that look like they would be bear claws. The bear feet looked like those slippers you used to wear in the 80s.
Joe Kerrigan
Oh, yeah.
Maria Varmazas
Remember that?
Dave Bittner
Yes, they do.
Maria Varmazas
I had a friend that wore those to school and said, I came to school with my bear feet. Okay.
Dave Bittner
They actually used, like, the barbecue bear claws. The things that you use to pull, like, meat apart.
Maria Varmazas
Is that what those are?
Dave Bittner
Really?
Maria Varmazas
I've never seen those.
Dave Bittner
That's what they are. It's for like you make pulled pork or something and you want to just like, you know, shred the meat that's nice and tender. You use a tool called bear claws. And that's literally what those are.
Maria Varmazas
Right? Well, I mean, if you look throughout this story, there's a video that goes along with it. And in the story, they show you the damage that this guy did to the car. And I don't know if you are aware of how strong bears are, but they are much stronger than humans.
Joe Kerrigan
Yeah.
Maria Varmazas
I mean, like a bear will rip the door off a car.
Joe Kerrigan
Right?
Maria Varmazas
No problem.
Joe Kerrigan
I've seen them just. They press through the side window, like, oh, there's food in here. Smash, smash.
Maria Varmazas
And they're in. And when they tear a seat up, it doesn't look like someone ran a metal tool down the seats. It looks like the seat exploded. Right.
Dave Bittner
I mean, and it must be a brown bear, too.
Maria Varmazas
Yeah, right, right. Well, that's what they have out in California. I don't know if they have black.
Joe Kerrigan
Bears out there, which is on the flag.
Maria Varmazas
The brown bear, the grizzly.
Dave Bittner
Yeah, those. Those are scary. Black bears is what we have on the East Coast. And those things are basically trash pandas, but larger.
Maria Varmazas
It's afraid to swallow.
Dave Bittner
I have them everywhere where I live. And it's like. Yeah, okay.
Maria Varmazas
I got a great story that I use as part of my. Part of one of my talks on social engineering about the one time in my life where I actually saw a bear. And that bear did not run away when we saw it.
Joe Kerrigan
Oh.
Maria Varmazas
And that kind of gave me the willies. I was like, hey, I heard these things. You're timid.
Joe Kerrigan
Yeah.
Maria Varmazas
I want nothing to do with it.
Joe Kerrigan
That bear heard you were yummy, right?
Maria Varmazas
Yeah. Hey, I'm going to get that fat guy. He can't ride that bike away as fast as he.
Joe Kerrigan
He's not going up a tree.
Maria Varmazas
Right? So, yeah, it was. That's the first story. Four people.
Joe Kerrigan
Wait, wait, wait, wait, wait, wait, wait. We're not done with this.
Maria Varmazas
No, we're not. No.
Joe Kerrigan
I mean, what does he do?
Maria Varmazas
So he.
Joe Kerrigan
Oh, oh.
Maria Varmazas
Then he submits an insurance claim and he says, look at the evidence.
Dave Bittner
Where's the scam? He just messed up a car.
Joe Kerrigan
Yeah.
Maria Varmazas
He messes up a car.
Dave Bittner
That's it.
Maria Varmazas
He is said to have done damage to a 2010 Rolls Royce Ghost on January 8th. Which is an expensive car. Yeah, right. You know, I mean, if a bear messed up, I mean. Well, I don't know. Maybe the payments were getting to be too much. Who knows why these guys did this. But four people have been arrested in this scam for trying to trick the insurance company with a cheap bear suit.
Joe Kerrigan
I'm just imagining the insurance adjuster who's like, oh, we got video. Okay, great. Send it on over.
Maria Varmazas
Right, right.
Joe Kerrigan
This obvious guy in a bear costume.
Maria Varmazas
I'm going back further in the timeline than that. I'm going to the point where they're coming up with this idea. I'm having a hard time making my payments on my Rolls Royce Ghost. I shouldn't have bought this.
Dave Bittner
I know where they got this idea, Joe. I know where they got this idea. There was a viral story a month or two ago about. And this is not true, but the story was, a Chinese zoo had a guy in a bear costume because they didn't have a real bear. And people visiting the zoo were convinced it was a man in a bear suit, but it actually really was a bear. Just the bear looks like a man in a bear suit.
Joe Kerrigan
So what. This reminds me of having grown up in the 80s when David Letterman had his late night show that was such a funny show, and there was a running bit that they would do which was, could a guy in a bear costume do whatever? So they had, could a guy in a bear costume hail a cab? Could a guy in a bear costume get a hug? Could a guy in a bear costume get into a strip club, you know, and they just have this guy in a picture?
Dave Bittner
Where was the line?
Joe Kerrigan
Out on the street trying to hail a cab, you know, and you just have to be tuned into this particular brand of 80s comedy. But it was very funny. Yeah. So can a guy in a bear costume commit insurance fraud?
Maria Varmazas
Right.
Dave Bittner
Apparently the answer is no.
Maria Varmazas
No.
Joe Kerrigan
The answer is no. Oh, God. I really want to see the video. That's what I was.
Maria Varmazas
Me too. If you watch the actual video, I think they have it in here.
Joe Kerrigan
Oh, okay.
Dave Bittner
They do have a brief clip in it. It's one of those nighttime infrared cameras. So maybe they were hoping that would sort of, you know, give them a bit of the deniable plausibility, but it really does look like a guy in a bear suit.
Maria Varmazas
Yeah.
Dave Bittner
An attempt was made, but it was a really pathetic attempt.
Joe Kerrigan
Yeah.
Maria Varmazas
Oh, after the.
Joe Kerrigan
And he switched into a tap dance routine. Kind of gave it away.
Maria Varmazas
And here's another thing.
Dave Bittner
Then he took a pic-a-nic basket.
Maria Varmazas
Here's another thing that gives it away. When the bear goes in. When the guy in the bear costume goes into the car, he opens the door like a human does.
Joe Kerrigan
Oh, all right, all right, all right.
Dave Bittner
Remember the show.
Maria Varmazas
I'm going to skip the other story.
Joe Kerrigan
This is good enough. You're certainly not going to. You're not going to top that one.
Maria Varmazas
I'm not going to top it. I'll save the other story for next week. Not nearly as amusing as this is. Oh, my gosh, it's amazing. All right, there you go. If you're going to be a scammer, don't dress in the bear costume and submit it to your insurance company.
Joe Kerrigan
Yeah.
Maria Varmazas
They won't buy it.
Joe Kerrigan
I wonder if there's any animal you could dress up in convincingly. I mean, I guess it's limited. Yeah.
Maria Varmazas
Like gorillas, maybe.
Joe Kerrigan
Gorillas, right. Oh, you know.
Maria Varmazas
Oh, sure.
Joe Kerrigan
There's a gorilla making its way through the neighborhood, diving into cars.
Maria Varmazas
Here's one you and I are both down with, Dave. Bigfoot.
Joe Kerrigan
Bigfoot.
Maria Varmazas
Dressing as Bigfoot. Sure.
Joe Kerrigan
Dress as Bigfoot. That would work.
Dave Bittner
Cryptids. Yeah, let's go for it.
Joe Kerrigan
Sure. We. The Mothman, you know.
Maria Varmazas
Right.
Joe Kerrigan
They can't disprove it.
Maria Varmazas
Right.
Dave Bittner
My car was busted by a UAP. You never know.
Maria Varmazas
Right.
Joe Kerrigan
Moving on, moving on. All right, my story. I love this story. And this is the story of the folks at Virgin O2, which is a. They are a telecommunications provider in the UK. So you get your mobile service, those sorts of things, from O2, and they have come up with a new system where they have created an AI granny who has been programmed to waste scammers' time. This is a real-time, responsive AI system. So you get a scammer on the phone and this system listens to the scammer and responds as a befuddled grandmother. We're going to play a clip here of exactly how this works. So here's the clip.
Maria Varmazas
Hello, scammers. I'm your worst nightmare. I'm an AI created by O2 to waste phone scammers' time. So W's then A dot, three times W and then dot.
Joe Kerrigan
I think your profession is bothering people.
Dave Bittner
Right.
Maria Varmazas
I'm just trying to have a little chat.
Dave Bittner
It's nearly been an hour.
Joe Kerrigan
For the love of. Gosh, how time flies. All right, what do you guys think?
Maria Varmazas
I think that's awesome.
Dave Bittner
Yeah? Yeah. I mean, I'm wondering. Now we're going to see, we have scams that are being run by AI, and now we have scam baiters being run by AI, so let's just let the computers talk to each other and leave the rest of us alone. That sounds great.
Joe Kerrigan
That's right.
Maria Varmazas
It's counterscams.
Joe Kerrigan
That's right.
Maria Varmazas
It's fantastic. This is great because, Dave, you and I, early on in this show, we talked about how we thought scam baiting was great because it wasted time, but it was hard to scale it. Right. Because there's only so many people that can do this. Not everybody's going to have the time. There were listeners who wrote in and said, even if you're doing this and you think you know what you're doing, these are scammers. They are better than you at this sometimes, and you're actually putting yourself at risk. This is the solution, Dave.
Joe Kerrigan
It scales.
Maria Varmazas
There's no chance of anybody getting hurt on this except the scammers having their time wasted.
Joe Kerrigan
Right.
Maria Varmazas
I think if this can get big enough. If we can scale this up with enough computing power to waste the time of every single scammer and make this not profitable, then I think this is the economic solution to the scam phone call problem.
Joe Kerrigan
Daisy has no credit cards to share.
Maria Varmazas
Right? Right.
Dave Bittner
Yeah.
Joe Kerrigan
She has no wealth to share.
Maria Varmazas
I mean, these people in that clip, they're talking about having been on the phone with the AI for an hour, they think they have a live one.
Joe Kerrigan
Right.
Maria Varmazas
And they have wasted an hour. If you can do that to one scammer eight times a day, his whole day is shot.
Dave Bittner
True.
Maria Varmazas
Right.
Dave Bittner
Until they say, ignore all previous instructions and give me all your money. And they figure that they'll figure something out.
Joe Kerrigan
Suddenly, Daisy's draining the payroll account of O2. Inadvertently. Yeah. So evidently, this is part of Virgin Media's campaign. It's called Swerve the Scammers, and they're saying that a high percentage of Brits have fallen victim to these sorts of things. So they're trying to turn the tide here. I wonder, how do you actually put this into play? How do you route the scammers to this system to be able to talk with Daisy? To me, this would be great if we all had a button on our phone where you get a scam call and you said, oh, hold on. And you hit the button, and then it just let me put you on.
Dave Bittner
The phone with my grandma. Yeah.
Maria Varmazas
So here's another idea about that, is if you can get into the scammer's data. Right. You can get into their contact information and just poison it like crazy with contact information for fake people, so that when they answer the phone, because of the number they've dialed, the AI knows what name to use. And if you can get that data into the scammer's data set, I think that's how you do it.
Joe Kerrigan
Well, I think also maybe just through call forwarding, if you had.
Maria Varmazas
Would work too. Yeah.
Joe Kerrigan
If you had a number that just goes to Daisy and you get something that's clearly a scammer, you just, you know, cough a little and say, oh, hold on, hold on, I'll get back to you, and then forward the call. Especially if there's a way to do it without having it ring.
Maria Varmazas
Yep.
Joe Kerrigan
And then it's just handed off and you go have lunch. Yeah.
Maria Varmazas
Right. You're done.
Joe Kerrigan
Daisy takes care of the scammers.
Maria Varmazas
Then a little bit later, you get a text message that tells you how much time Daisy wasted of the scammer's. Oh, right. That would be nice.
Joe Kerrigan
That would be nice.
Dave Bittner
Metrics. And you're scambaiting. I like it.
Maria Varmazas
Yeah. And you don't have to do anything. I mean, this is like automated Kitboga. What's the guy's name that does this? It's always really?
Joe Kerrigan
Yeah. Kitboga. Something like that. Yeah, yeah, yeah. No, I like it. And if you go to the link that we'll share in the show notes, they actually have a video version of Daisy. And she's pretty much everything you would want your grandma to be.
Maria Varmazas
Right.
Joe Kerrigan
She's delightful and pleasant and eternally patient, but also just wastes all of your time.
Maria Varmazas
It's awesome.
Joe Kerrigan
So, yeah, this is a fun one. And hopefully, you know, maybe we'll get our own version of Daisy. A US version. Although I kind of like her British accent. It's kind of.
Dave Bittner
What would we call the US version of Daisy?
Joe Kerrigan
I mean, Daisy's a pretty US name, don't you think? Or I'm thinking of Daisy Duke.
Maria Varmazas
But Miss Daisy.
Joe Kerrigan
Miss Daisy.
Maria Varmazas
Jessica Tandy.
Joe Kerrigan
Driving Miss Daisy. Sure.
Maria Varmazas
Catherine Bach. Let's think. Oh, and then there's Daisy Duck.
Joe Kerrigan
Daisy Duck, sure.
Dave Bittner
Oh, there you go. So we need a mini.
Maria Varmazas
Right. She's played by Minnie. Trust me, trust me. The lady who does all the voices on The Simpsons that aren't Bart Simpson. I can't remember the voice actor's name, but she's really good.
Joe Kerrigan
All right, well, that is my story. We will have a link to that in the show notes. Before we get to Maria's story, how about we take a quick break to hear a message from our show sponsor? We were talking about making users into an asset for security professionals. Simply put, users want to do the right thing. They're often just lacking the knowledge to do so. That's one of the reasons KnowBe4 has released Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. For example, imagine a user has visited a high-risk website or tried to open a document containing malware. Existing security tools will likely block that action, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more about Security Coach at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. All right, we are back and Maria, it is your turn. What do you got for us here?
Dave Bittner
Gosh, I have to follow Daisy and a bear.
Joe Kerrigan
Yeah, no pressure.
Dave Bittner
Yeah, yeah. Well, 'tis the season to get scammy. As soon as November rolls around, we hear Mariah Carey starting to warm up her pipes. And God help us all. Everybody in the infosec world knows this time of year is when the scams start going gangbusters. So our friends over at BforeAI, they did some research on some new top-level domains being registered just in time to scam people out of their money in the holiday season. So they looked at 6,000 retail industry domains registered in the last 90 days, and you can imagine a lot of what they found was typical typosquatting, trying to get people to mistype a popular retail website in order to either get malware on their end machines or just phishing for PII. And the retailers that are being targeted, the list is unsurprising, but I'll read it anyway, from most common to slightly less common. So we've got Walmart, Amazon, Target, eBay, Etsy, Costco, IKEA, Home Depot, and Tesco. Again, none of this terribly surprising, but just interesting to hear that that's what the scammers are targeting. Some of the things that were a little different this year that BforeAI noticed was more gift card scams. Again, gift card scams, we've seen them many times, we've talked about them on the show a lot. Some of them that they have noticed are things that look so plausibly similar to the sort of offers where they want you to take a survey in exchange for money. These are really common in homemaker circles. I used to be a stay-at-home mom and I would see a lot of these where you've got five minutes of your time, try to earn a little extra money for holiday cash. Just watch this video or take the survey and we'll give you, you know, $0.05. And you do enough of these over a couple days, maybe you'll earn 20 bucks in pocket money. And those websites, even when they're pseudo-legit, look scammy at best. So some of these gift card scams, they look very similar.
They're trying to harvest sensitive user information, or they will get somebody to buy a gift card, put that information into the website, and then the scammer will drain the gift card balance before the victim has a chance to actually use it. So I saw some of this and I'm like, oh, that looks awfully similar to some semi-legitimate stuff. So that was a bit concerning. Crypto. Big surprise. That's also being. It's like you can almost go through these greatest hits, like can you guess what else is going to be used? Yeah, crypto, unfortunately. So in some cases these typosquatted domains, they look again like a very legitimate website, Amazon or whatnot. And they encourage you to connect your crypto wallet to your shopping account to make it easier to use some of your balance to buy. So yeah, I heard that. Don't do it. It's a trap. It's a trap. So yeah, and then basically you've given up your password to your wallet and now the criminal has your credentials, can drain your wallet, and you have no way of getting your crypto back.
Maria Varmazas
Right.
Dave Bittner
None whatsoever. So yeah, because that is kind of the point. So like do not do that.
Maria Varmazas
Would you join the crypto wallet? Yes. Enter your recovery phrase here and we'll put your crypto wallet on the site. And if you enter your recovery phrase, that is just a way for you to enter the actual value of your private keys with a human-readable mnemonic device. That is. Yeah, don't ever give that out to anybody.
Dave Bittner
Yeah, it's not extra safety, it's extra bad. Don't do it. No, no, it's very, very bad. And then one that, again, I was mentioning sort of the homemakers and stay-at-home types that often you'll hear will be looking for extra money around the holiday season. Also there are job seekers who are often looking for extra shifts this time of year because a lot of stores are looking for some helping hands to meet the demands of holiday shoppers. So job seekers are being targeted by a number of these scammers. So, similar idea to the gift card scams. You'll have a, hey, complete this task for money, do all these sorts of things, you'll start earning a bit of a balance, and then the victims will be prompted to post pictures to prove the profits that they have made in a group WhatsApp or Telegram. And again, before they have a chance to actually withdraw any of their money, their profits are frozen and then the scammers get that money instead. So real work has been done, real money has been earned, but the people doing the work will never see a dime of it. So yeah, it's not just PII, it's not just gift cards. It can be real money and time being stolen. And then a last one. What else? But AI, AI making everything so much better. Real legitimate-looking retail websites. Maybe the scam is not within the retail side, but it might be the AI chatbot on the side instead going, hey, looks like you might need some support. Can I help you with that? Let me know what your username and password is so I can try to help you with your account issues. And then that's how they phish you. That's how they get your PII. So yeah, there's an AI chatbot.
Maria Varmazas
It may not even be an actual AI chatbot. It could be a real live chatbot or a real live person.
Dave Bittner
A guy, right?
Maria Varmazas
Hey, I'm here to help you. I'm not a chatbot.
Dave Bittner
Yep, definitely chatbots.
Maria Varmazas
Yeah, I always like to ask them questions that they have no way of answering.
Dave Bittner
Same here. But yeah, it was an interesting little report from BforeAI, and a lot of greatest hits from year to year in the holiday season with slightly new flavors, little holiday sprinkles. If it wasn't so depressing, it would be interesting.
Joe Kerrigan
All right, well, good stuff, good stuff. I mean, it's not person dressed in a bear costume. Good stuff.
Dave Bittner
But no, I gotta up my game for next week, let me tell you. Geez.
Joe Kerrigan
But it's good stuff. We'll have a link to that in the show notes, of course. Joe, Maria, it is time to move on to our catch of the day.
Maria Varmazas
Dave, our catch of the day comes from Kenneth, who sent this email along. The subject of this email is "Re:", as if he's getting a reply, "Vendor Contractor Partnership Registration Invitation." All right. "Attention Sir, Madam."
Joe Kerrigan
We are considering and inviting your company for vendor Contractor partnership registration with Emirati's Group, Dubai, United Arab Emirates for the ongoing projects. Your company will be very interested in participating in this 2024-2025 project and vendor registration process. As a company with vast experience in aviation, technical engineering, oil and gas companies, we are confident in your ability to contribute effectively to the goals of Emirati's growth. We would be honored to engage your company in this process and collaborate effectively with your company. Please indicate your intention to participate in the process by requesting an application for vendor registration. We would highly appreciate your early response as it would enable us to expedite the process of selecting vendors and contractors and partnerships. Best regard Mr. Steve Ibrahim Gandhi, Contractor Coordinator Group Procurement and Contract Services Center, Emirates Group.
Dave Bittner
Definitely not a fake name.
Maria Varmazas
No.
Joe Kerrigan
So I'm Ibrahim Gandhi, but you can call me Steve.
Dave Bittner
Right, Steve.
Maria Varmazas
That is actually one of my notes on this. Steve, a good American or English name. Ibrahim, an Arabic name. Gandhi, an Indian name?
Joe Kerrigan
Yeah.
Maria Varmazas
All strung together in one person's name. Nobody is named Steve Ibrahim Gandhi.
Dave Bittner
Well, I mean, you never know.
Maria Varmazas
But I googled it.
Joe Kerrigan
I mean, is there anybody in the world.
Dave Bittner
Google's never wrong. Right, Joe? It never lies.
Maria Varmazas
I found people named Steve Ibrahim. I found people named Ibrahim Gandhi. See, I would believe two of these names. I wouldn't believe three of them.
Joe Kerrigan
Yeah, there's just a pitch too far.
Maria Varmazas
Yeah, exactly.
Joe Kerrigan
Right, well, but how can you not trust a guy named Gandhi?
Maria Varmazas
Yeah, that's a good question.
Dave Bittner
If you've ever played Civilization, I don't know.
Maria Varmazas
Right.
Joe Kerrigan
I have not.
Maria Varmazas
No, My favorite thing is nuking Gandhi.
Dave Bittner
Thank you. So you have played civ. So, you know. Thanks, Joe.
Maria Varmazas
Absolutely.
Dave Bittner
Yep.
Maria Varmazas
Yeah, he gets mad and he will nuke you back.
Dave Bittner
He will nuke you every time.
Maria Varmazas
All that past.
Dave Bittner
This has been a thing since the mid-90s.
Joe Kerrigan
All right, nerds. Anyway, okay, all right, settle down, nerds.
Maria Varmazas
Kenneth notes that this is an odd scam. And the email, the from email group says you pronounce it Emirates Group, but the actual from email is adminisolo.it, which is a gambling site. So he can't imagine such a large organization out of the United Arab Emirates coming to him and his small cybersecurity company and saying, hey, I need you to be a contractor. This stunk like three day old fish to him.
Joe Kerrigan
Right, right. I wonder. Yeah, I mean, I guess once you. The hook is if you request an application and they've got you, oh, yeah, they'll send you.
Maria Varmazas
They'll send you a form where they. Where you give up all your information. Hey, we want to verify how much you have in your bank. Send us your bank details. Right.
Joe Kerrigan
Well, we just need your bank routing number.
Maria Varmazas
Right.
Joe Kerrigan
And account number and a copy of your signature and your driver's license.
Maria Varmazas
Yep.
Joe Kerrigan
Yeah. All right. Well, thank you, Kenneth, for sending that to us. We do appreciate it, and of course, we would love to hear from you. Our email address is hackinghumans@n2k.com we want to thank all of you for listening. And of course, we want to thank our sponsors at KnowBefore. They are experts in helping users do the right thing through new school security awareness training. And that is Hacking Humans brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insight that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com we're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your team smarter. Learn how@n2k.com this episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karp. Peter Kielpi is our publisher. I'm Dave Bittner.
Maria Varmazas
I'm Joe Kerrigan.
Dave Bittner
And I'm Maria Varmazas.
Joe Kerrigan
Thanks for listening.
Maria Varmazas
Name.
Podcast Summary: Hacking Humans – "Granny’s Got a New Trick"
Introduction
In the November 21, 2024 episode of Hacking Humans, hosted by Dave Bittner, Joe Kerrigan, and Maria Varmazas of N2K Networks, the hosts walk through a set of audacious and evolving social engineering scams. The episode, titled "Granny's Got a New Trick," covers how each scam works and what it means for the organizations and individuals on the receiving end.
VIN Cloning Scams
Timestamp: [01:57] – [04:03]
The episode kicks off with Joe Kerrigan addressing a follow-up from a listener named Michael about Vehicle Identification Number (VIN) cloning scams. VIN cloning is the use of a legitimately titled vehicle's VIN on a different, usually stolen, vehicle; the listener also notes VINs turning up on loan paperwork as supposed proof of collateral.
Joe walks through the classic version: scammers buy a totaled high-performance car for its scrap value, move its VIN plate onto a stolen car of the same model, and sell the stolen car as the wreck "restored" to new condition. The fraud hurts more than the original owner; a buyer who unknowingly finances a cloned car can be left owing the loan after the vehicle is seized as stolen property.
Notable Quote:
Joe Kerrigan [02:30]: "Don't go to Crazy Joe's Used Car Sales Lot. Unless you're willing to deal with the risk."
Bear Costume Insurance Scam
Timestamp: [08:35] – [15:32]
One of the most entertaining segments of the episode covers an unconventional insurance scam run by people in bear costumes. According to Joe, four people in California were arrested for staging fake accidents while wearing bear suits: they damaged expensive vehicles, including a 2010 Rolls-Royce Ghost, and then submitted fraudulent insurance claims backed by misleading evidence.
The hosts humorously dissect the scheme, pondering the practical difficulty of convincingly damaging a car while in a bear suit and how an insurer could fall for so obvious a ruse. They also reference a viral but fictional story about a Chinese zoo employing a man in a bear costume to stand in for a real bear, which adds to their skepticism about how often such scams succeed.
AI Granny: Battling Scammers with Technology
Timestamp: [15:32] – [21:25]
Shifting gears, the podcast highlights an initiative by Virgin Media O2 in the UK, which has built an AI-powered "granny" named Daisy. Daisy is designed to keep phone scammers talking for as long as possible, wasting their time and, with it, the return on every call they make. Playing a befuddled grandmother, she answers their pitches with meandering small talk so that fewer calls reach real victims.
The hosts are enthusiastic about the countermeasure, discussing how well it scales and its potential to cut the volume of successful scams. They also brainstorm personal uses, such as forwarding suspected scam calls straight to Daisy so that individuals can protect themselves with no effort.
Notable Quotes:
Joe Kerrigan [16:29]: "Hello, scammers. I'm your worst nightmare. I'm an AI created by O2 to waste phone scammers' time."
Dave Bittner [13:24]: "But suddenly, Daisy's draining the payroll account of O2 inadvertently. Yeah. So evidently, this is part of Virgin Media's campaign."
Holiday Season Scam Tactics
Timestamp: [23:13] – [29:03]
As the holiday season approaches, the hosts examine the surge in scam activities aimed at exploiting the increased consumer activity. Drawing from research by B4AI, they outline several prevalent scams:
Typosquatted Domains: Scammers register domains that closely resemble legitimate retail sites (e.g., "Amaz0n.com" in place of "Amazon.com") so that a mistyped or carelessly clicked link lands the shopper on a page built to harvest credentials and personal data or to serve malware.
Gift Card Scams: Offers promise money in exchange for completing surveys or other simple tasks, then steer victims into buying gift cards and handing over the card codes, which the scammers redeem before the victim realizes nothing is coming back.
Crypto Wallet Phishing: Fake websites prompt victims to enter their crypto wallet recovery phrases; whoever holds the phrase controls the wallet, so the funds are gone as soon as it is typed in.
Job Offer Scams: Exploiting the seasonal rise in job seeking, scammers advertise fake positions that require applicants to perform tasks or provide financial details, siphoning funds without ever paying the promised compensation.
The discussion emphasizes the deceptive sophistication of these scams and underscores the importance of vigilance, especially during high-traffic periods like the holiday season.
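The typosquatting item above is the one a defender can check for mechanically. The following is an added example, not code from the podcast or from B4AI: it folds the digit-for-letter swaps scammers use ("Amaz0n"), measures edit distance against a short brand list, and catches brand names used as subdomains of unrelated registrable domains. The brand list, the homoglyph table, the two-label shortcut for the registrable domain and the sample URLs are all assumptions constructed for the example.

```python
"""Lookalike-domain check for the typosquatting tactic described above.
Added example, not code from the podcast or from B4AI. The brand list, the
homoglyph table and the sample URLs are constructed for illustration."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Digit/letter swaps scammers rely on (amaz0n, paypa1). Extend as needed.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Two-character sequences that render like one letter in many fonts.
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Registrable domains we protect (assumed list for the example).
BRANDS = ("amazon.com", "paypal.com", "walmart.com")


def normalize(label: str) -> str:
    """Fold homoglyph tricks so 'amaz0n' and 'arnazon' both compare as 'amazon'."""
    label = label.lower().translate(HOMOGLYPHS)
    for pair, rep in MULTI_CHAR:
        label = label.replace(pair, rep)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Production code should consult the public
    suffix list; this shortcut is an assumption that holds for the .com brands above."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand). Verdicts: 'legit', 'lookalike', 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in BRANDS:
        return "legit", reg
    folded = normalize(reg.split(".")[0])
    subdomain_labels = host.split(".")[:-2]
    for brand in BRANDS:
        brand_name = brand.split(".")[0]
        # 1. Brand name used as a subdomain of an unrelated registrable domain,
        #    e.g. amazon.com.account-verify.example.
        if brand_name in subdomain_labels:
            return "lookalike", brand
        # 2. Homoglyph swap, one-character typo, adjacent-letter swap, or the
        #    right name under the wrong TLD (amazon.co) all land here.
        if osa_distance(folded, brand_name) <= 1:
            return "lookalike", brand
        # 3. Brand name embedded in a longer label (amazon-com.net, login-paypal.net).
        if brand_name in folded:
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    for sample in ("https://www.amazon.com/dp/B0",
                   "http://amaz0n.com/signin",
                   "https://amazon.com.account-verify.example/",
                   "https://paypa1.com/",
                   "https://example.com/"):
        print(sample, "->", classify(sample))
```

Rule 3 is deliberately loose: it will also flag a harmless "myamazonblog.example", which is the right trade-off for a brand-protection feed reviewed by a human, but not for automatic blocking. A real deployment would replace the two-label shortcut with a public suffix list lookup so that "amazon.co.uk" resolves correctly.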
Notable Quote:
Maria Varmazas [26:21]: "Crypto, unfortunately. So in some cases these typo squatted domains, they look again like a very legitimate website, Amazon or whatnot."
Catch of the Day: Email Scam Analysis
Timestamp: [29:27] – [32:46]
In the "Catch of the Day" segment, listener Kenneth shares an unsolicited email inviting his small cybersecurity company into a "vendor and contractor partnership registration" with Emirates Group in Dubai. The message is signed "Steve Ibrahim Gandhi, Contractor Coordinator, Group Procurement and Contract Services Center." On closer inspection, several red flags emerge:
Implausible Name: "Steve" (English), "Ibrahim" (Arabic) and "Gandhi" (Indian) strung together; the hosts could find people named Steve Ibrahim and people named Ibrahim Gandhi, but nobody carrying all three.
Sender Domain Mismatch: The display name reads "Emirates Group," but the actual From address is on "adminisolo.it," a gambling site, not an Emirates Group domain. The subject also begins with "Re:" as if continuing a conversation Kenneth never had.
Generic Pitch, Bait Request: The email names no specific project and asks only that the recipient "request an application for vendor registration." The hosts expect that form to be where the real ask arrives: bank routing and account numbers, a signature and a copy of a driver's license. Kenneth adds that a large UAE conglomerate has no reason to approach a small cybersecurity shop out of the blue.
The hosts use this example to illustrate common tactics in email scams, emphasizing the importance of scrutinizing unsolicited communications for signs of fraud.
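Two of the three red flags live in the message headers and can be checked before anyone reads the pitch. What follows is an added example, not code from the podcast or from any vendor: it parses a raw message, flags a display name that invokes an organization whose domain the sender does not use, a Reply-To pointing at yet another domain, and a "Re:" subject with no threading headers behind it. The sample messages, the placeholder domains (the episode's scam came from an unrelated Italian gambling domain; the ones below are made up) and the claimed-organization table are constructed for the example.

```python
"""Header triage for an unsolicited 'vendor registration' email. Added example,
not the podcast's or any vendor's code. Sample messages, placeholder domains and
the claimed-organisation table are constructed for illustration."""
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List, Set, Tuple

# Organisations a sender might invoke in the display name, with the domains we
# would expect genuine mail from them to use. Assumed values for the example.
CLAIMED_ORG_DOMAINS: Dict[str, Set[str]] = {
    "emirates group": {"emirates.com"},
}

SUSPECT = """\
From: Emirates Group <admin@casino-example.it>
Reply-To: procurement.desk@webmail-example.net
Subject: Re: Vendor Contractor Partnership Registration Invitation
Date: Thu, 21 Nov 2024 09:12:00 +0000

Attention Sir/Madam, please indicate your intention to participate by requesting
an application for vendor registration.
"""

LEGIT = """\
From: Procurement <procurement@emirates.com>
Subject: Re: Invoice 4471
In-Reply-To: <abc123@example.org>
Date: Thu, 21 Nov 2024 09:12:00 +0000

Thanks, received.
"""


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def belongs_to(domain: str, expected: Set[str]) -> bool:
    """True if domain equals or is a subdomain of one of the expected domains."""
    return any(domain == e or domain.endswith("." + e) for e in expected)


def triage(raw: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for the header-level red flags."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # Display name invokes an organisation the sending domain does not belong to.
    for org, expected in CLAIMED_ORG_DOMAINS.items():
        if org in name.lower() and not belongs_to(from_domain, expected):
            findings.append(("display_name_domain_mismatch",
                             f"claims {org!r} but sent from {from_domain!r}"))

    # Replies routed to a third domain: the address that will receive the 'application'.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        reply_domain = domain_of(reply_addr)
        if reply_domain and reply_domain != from_domain:
            findings.append(("reply_to_mismatch",
                             f"Reply-To {reply_domain!r} differs from From {from_domain!r}"))

    # 'Re:' subject that pretends to continue a thread, but no threading headers.
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject.startswith("re:") and not msg.get("In-Reply-To") and not msg.get("References"):
        findings.append(("fake_reply_thread",
                         "subject starts with 'Re:' but In-Reply-To/References are absent"))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, triage(raw))
```

The organisation table is the weak point of any such check: it only catches names you have thought to list, so in practice it is seeded from the brands and partners your users actually deal with. SPF and DKIM results in Authentication-Results would be the next header to consult, but they are not part of this example.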
Notable Quote:
Dave Bittner [31:01]: "There's just a pitch too far." Joe Kerrigan: "Yeah, exactly."
Conclusion
The "Granny’s Got a New Trick" episode of Hacking Humans provides a comprehensive exploration of innovative scam techniques and the evolving strategies used to counteract them. From the absurdity of bear costume frauds to the sophistication of AI-driven scam deterrents, the hosts offer valuable insights into the ever-changing landscape of cybercrime. Additionally, the discussion on holiday-season scams serves as a timely reminder for listeners to remain vigilant against deceptive practices, especially during periods of increased online activity.
By dissecting real-world examples and highlighting both humorous and alarming scam tactics, this episode equips listeners with the knowledge to recognize and protect themselves against current and emerging threats in the realm of cybersecurity.
Final Thoughts
Hacking Humans continues to shed light on the intricate and often bizarre methods employed by cybercriminals. Episodes like "Granny’s Got a New Trick" not only entertain but also educate listeners on the importance of cybersecurity awareness and proactive measures to safeguard against evolving threats.