Podcast Summary: Hacking Humans – "Happy Hour Hacking"

Release Date: November 7, 2024

Hosts: Dave Buettner, Joe Kerrigan, Maria Vermazzis
Produced by: N2K Networks
Podcast Description: Deception, influence, and social engineering in the world of cybercrime.

Introduction

In the "Happy Hour Hacking" episode of Hacking Humans, hosted by Dave Buettner, Joe Kerrigan, and Maria Vermazzis, the trio delves into the nuanced world of social engineering, drawing parallels between everyday interactions and cyber threats. The episode focuses on identifying various social engineering tactics, examining contemporary scams, and providing actionable insights to protect against such exploits.

Joe Kerrigan [00:14]: "Each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world."

Sponsor Segment

The episode includes a brief sponsorship message from KnowBe4, emphasizing the importance of integrating security awareness training with existing security stacks to bolster organizational security culture.

Sponsor Voice [01:04]: "KnowBe4 delivers the world's largest library of security awareness training, but they also provide a way to integrate the various elements of your existing security stack to help you strengthen your organization's security culture."

Segment 1: Tech Support Scams and Screen Lock Exploits

The hosts discuss an increase in tech support scams where scammers lock users' computer screens, compelling non-tech-savvy individuals to call fraudulent phone numbers, leading to further scams.

JJ, a regular correspondent [01:53]: "I've recently come across an increasing number of tech support scams that are locking up the computer screens of users."

Discussion Points:

• Screen Lock Techniques: Maria mentions instances where malicious web pages expand to full screen, resembling kiosk mode, making it difficult for users to exit without specific keystrokes.

  Maria Vermazzis [02:29]: "I have seen where there's a webpage that has been expanded fully out and the user has a hard time getting rid of it unless they know the right keystrokes."

• Preventative Measures: The hosts advise educating friends and family on how to exit such screen locks and emphasizing the importance of not calling suspicious phone numbers.

  Joe Kerrigan [03:57]: "Remind them, never call the phone number."

Segment 2: Deanne Lewis’s Blog – Five Types of Social Engineers Encountered at a Bar

Dave Buettner introduces a blog post by Deanne Lewis, a bartender aspiring to become an infosec expert, titled "The Five Types of Social Engineers I Met Tending Bar." The discussion highlights how everyday interactions can mirror sophisticated cyber attacks.

Dave Buettner [05:06]: "There are five types of folks that you can see at the bar who will teach you something about social engineering scams."

The Five Types:

1. Information Gatherer (Chatty Regular)

   • Description: Individuals who know everyone’s business, paralleling cyber attackers who gather information.
   • Security Lesson: Control information leakage.

   Dave Buettner [05:30]: "This person's mouth is always flapping, but they also know everything."

2. Credential Masquerader (Do You Know Who I Am?)

   • Description: People claiming to know everyone to gain trust, similar to phishing attempts.
   • Security Lesson: Importance of verification protocols.

   Dave Buettner [07:20]: "This is the human version of a phishing email with a PayPal logo."

3. Emotional Engineer (Sympathy Player)

   • Description: Individuals using elaborate sob stories to manipulate emotions and gain favors.
   • Security Lesson: Emotions can bypass logical security measures.

   Dave Buettner [08:19]: "This guy... manipulation through emotional leverage."

4. Tailgater (My Friend’s Just Inside Guy)

   • Description: Those attempting to bypass security by following someone through access points.
   • Security Lesson: Importance of physical security in cybersecurity.

   Dave Buettner [09:58]: "Think of your friendly pen tester pretending to be the guy who just forgot his badge outside the door."

5. Social Pressure Artist (Group Manipulator)

   • Description: Individuals using crowd pressure to influence decisions, akin to groupthink in security breaches.
   • Security Lesson: Awareness of social dynamics affecting security decisions.

   Joe Kerrigan [12:04]: "Maybe it's like the drink, drink, drink kind of thing."

Analogy Highlight: The hosts compare these social engineers to real-life bar interactions, emphasizing how peer influence and lowered inhibitions can facilitate exploitation.

Maria Vermazzis [15:20]: "Alcohol suppresses the activity of the prefrontal cortex."

Segment 3: AI-Generated Hoaxes and Viral Misinformation

Joe Kerrigan explores the phenomenon of AI-generated content, specifically hoax images depicting scenarios like cars being egged, which are often shared to trigger empathy and outrage.

Joe Kerrigan [16:29]: "These posts are viral, right? They spread like wildfire."

Key Insights:

• Identifying AI Fakes: Unusual details, such as hundreds of uncracked eggs magnetically attached to car hoods, indicate AI generation.

  Maria Vermazzis [17:58]: "If a rooster laid an egg on your hood, would it roll towards the front of the car or the back?"

• Economic Impracticality: The cost of real-world execution of such hoaxes (e.g., thousands of eggs) makes these posts highly unlikely to be genuine.

  Joe Kerrigan [18:09]: "Nobody's spending that kind of money to hit somebody's car."

• Emotional Manipulation: These hoaxes exploit users' emotions, encouraging engagement despite being fraudulent.

  Dave Buettner [25:02]: "The thing that gets me with this AI Slop stuff is a lot of people... still engage with it and enjoy it as if it's fine."

Segment 4: JP Morgan Chase’s Infinite Money Glitch ATM Scam

Maria Vermazzis highlights a scam involving fraudulent ATM transactions where individuals deposit large checks and withdraw significant sums before the bank detects the fraud.

Maria Vermazzis [28:05]: "JP Morgan Chase is Suing Customers Over Infinite Money Glitch ATM Scam."

Discussion Points:

• Mechanism: Scammers exploit ATM systems to deposit inflated checks and withdraw excessive funds.

• Legal Repercussions: Chase is pursuing litigation to recover substantial amounts lost to these fraudulent activities.

  Joe Kerrigan [31:10]: "Perhaps you should open an account at Chase, right? Seriously, where we're known for our loose ATM machines, man."

• Preventative Measures: Emphasizing the importance of adhering to withdrawal limits and monitoring account activities to prevent such scams.

Segment 5: Pigeon Drop Scam in Prince George's County

Maria Vermazzis reports on a recent pigeon drop scam targeting elderly individuals in Prince George's County, leading to significant financial losses.

Maria Vermazzis [32:40]: "In Prince George's county, four people have been charged in a pigeon drop scam targeting old people."

Scam Breakdown:

• Methodology: Con artists present a seemingly valuable item (e.g., a bag of cash) to the victim, proposing a split of the proceeds.
• Convincing Tactics: Scammers pose as trustworthy professionals (lawyers, bankers) to gain the victim's confidence.
• Outcome: Victims are coerced into providing collateral, leading to financial loss when scammers disappear with the funds.

Maria Vermazzis [35:07]: "This woman wound up handing over $40,000 to these guys."

Preventative Tips:

• Skepticism: Maintain a healthy doubt when approached with unsolicited offers involving valuable items.
• Verification: Always verify the identities and intentions of individuals proposing such deals.

Dave Buettner [35:00]: "You keep walking."

Segment 6: Car Selling Scam – "Catch of the Day"

The hosts dissect a scam targeting individuals selling cars online, where scammers request reports from dubious websites to extract personal and financial information.

Joe Kerrigan [37:30]: "This is about somebody trying to scam somebody who is selling a car."

Scam Details:

• Fake Reports: Scammers direct sellers to websites like titlehistorydna.com, charging for reports that either do not add value or siphon information.
• Financial Risks: Sellers may unknowingly provide credit card information or other personal data to fraudulent sites.

Joe Kerrigan [43:11]: "It might be a way for companies called lead generators to get information which they sell to third parties."

Advice from Hosts:

• Use Trusted Services: Opt for reputable services like Carfax for vehicle history reports.
• Avoid Unverified Sites: Do not engage with or send information to unfamiliar or unverified websites.

Joe Kerrigan [45:12]: "These are a type of scam. All right, well, we all learned something today."

Conclusion

The "Happy Hour Hacking" episode offers a comprehensive exploration of social engineering tactics, highlighting both traditional and modern scams. Through relatable analogies and expert insights, Dave, Joe, and Maria equip listeners with the knowledge to recognize and defend against deceptive practices in both digital and real-world environments.

Dave Buettner [46:30]: "Thanks for listening."

Notable Quotes:

• Joe Kerrigan [12:04]: "Maybe it's like the drink, drink, drink kind of thing."
• Dave Buettner [15:20]: "Alcohol suppresses the activity of the prefrontal cortex."
• Maria Vermazzis [35:07]: "This woman wound up handing over $40,000 to these guys."
• Joe Kerrigan [45:12]: "These are a type of scam. All right, well, we all learned something today."

Resources Mentioned:

• Deanne Lewis’s Blog: The Five Types of Social Engineers I Met Tending Bar
• Federal Trade Commission (FTC): Steering Clear of Vehicle History Report Scams

For more insights and updates, visit hackinghumans2k.com.