Dave Buettner
You're listening to the Cyberwire Network, powered by N2K.
Joe Kerrigan
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner and joining me is Joe Kerrigan. Hey there, Joe.
Maria Vermazzis
Hi, Dave.
Joe Kerrigan
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Vermazzis. Maria.
Dave Buettner
Hey, Dave. And Hey Joe.
Maria Vermazzis
Hey, Maria.
Joe Kerrigan
Hey, Joe.
Dave Buettner
Hey, Maria.
Joe Kerrigan
I wonder how long that is gonna continue to amuse us, right? I'm sure our listeners are already sick of it.
Maria Vermazzis
Yes. All right, we've said all six greetings.
Joe Kerrigan
Yeah. We've got some good stories to share this week. But first, a message from our show sponsor.
Sponsor Voice
But first, a word from our sponsors at KnowBe4. We're not talking conspiracy theory when we say it's all connected. When it comes to infosec tools, effective integrations can make or break your security stack. Though not as common, the same should be true for security awareness training. Not only does KnowBe4 deliver the world's largest library of security awareness training, but they also provide a way to integrate the various elements of your existing security stack to help you strengthen your organization's security culture. Stay with us and in a few minutes we'll hear from our sponsors at KnowBe4 about how you can integrate security awareness with your tech stack like never before.
Joe Kerrigan
All right, before we dig into our stories, we got a little bit of follow up here from a friend of the show, JJ, who is a regular correspondent here with me behind the scenes. JJ says, I've recently come across an increasing number of tech support scams that are locking up the computer screens of users. Since the non tech savvy person often does not know how to get out of a lock screen situation, they wind up calling the scammer phone number and, well, getting scammed. I'm curious, Joe, Maria. Have either of you had experience with this thing where your computer screen locks up and you cannot get out of it?
Maria Vermazzis
I have seen where there's a webpage that has been expanded fully out and the user has a hard time getting rid of it unless they know the right keystrokes.
Joe Kerrigan
Yes.
Dave Buettner
Yeah, I don't. Yeah. No personal recent experience, but I've certainly seen it. But not on my own machines.
Maria Vermazzis
But yeah, yeah, not on my own machines either. But I haven't seen somebody where something where they actually do like the windows lock or The Apple lock of the screen. Is that what this is talking about or are they talking about.
Joe Kerrigan
No, I think this is the web browser thing where they take this thing full screen. There's no close button. They put it into like kiosk mode and. Yeah. And it's been a while since I've seen this. I think partially what's happened is if you have popups in particular blocked, that that takes care of a lot of this.
Dave Buettner
Yes.
Joe Kerrigan
But I think JJ is right. If folks don't know how to quit out of this, then it can be problematic. And I believe on Windows is just control, alt, delete. Right, right.
Maria Vermazzis
And then you can go and close processes.
Joe Kerrigan
Yeah, yeah. So, yeah, that's a tough one. So I would say this is one of those things where if your friends or family you believe are susceptible to this, it's easy enough to look up what it takes to get out of this on any platform. So just maybe do a little write up for them or show them how it works.
Maria Vermazzis
Right.
Joe Kerrigan
But remind them, never call the phone number.
Maria Vermazzis
Yes. Oh, never call the phone number.
Dave Buettner
Yeah. Don't do anything. Talk to me first. Usually the advice we've given our family, do nothing. Yeah.
Joe Kerrigan
All right, well, we would love to hear from you. Our email address is hackinghumans@n2k.com. Why don't we jump into our stories here? Maria, you want to start things off for us?
Dave Buettner
Yeah. I don't know about you all, but I could definitely use a drink after the election cycle being what it has been.
Maria Vermazzis
Hey, by the time this episode. Episode drops, that'll be behind us.
Dave Buettner
Indeed. I have that front and center in mind right now. So instead of doing, you know, a hard, terribly depressing news story, which I often seem to like doing, there's a really interesting blog post here written by Deanne Lewis, who is a bartender who is working on becoming an infosec expert herself. And she wrote a post that I think we might find fun to take a look at called The Five Types of Social Engineers I Met Tending Bar and What They Taught Me About Infosec. And infosec, for people who don't know, is what us infosec people will call cybersecurity.
Maria Vermazzis
Right.
Dave Buettner
Because we don't like to say cyber. Cause it makes us feel like icky.
Maria Vermazzis
Right.
Joe Kerrigan
Short for information security.
Maria Vermazzis
Right.
Dave Buettner
Yeah. But we don't say cybersecurity because it makes us feel like, oh, well, that's for the Muggles. So we see in the Muggles.
Joe Kerrigan
Everybody has a lingo to tell the insiders from the outsiders Right.
Dave Buettner
The shibboleths, if you will.
Joe Kerrigan
Yeah.
Dave Buettner
Yes, Another one right there. All right, so there are five types of folks that you can see at the bar who will teach you something about social engineering scams. So I figure let's just go through some of them. One of them, number one, is the information gatherer or the chatty regular. And so this is the guy who knows everybody's business. And the security parallel is how information gathering works in cyber attacks. And the security lesson is the importance of controlling information leakage. I hate the word leakage, but, yes, the point still stands.
Maria Vermazzis
At my age, I hate it, too.
Joe Kerrigan
Maybe only worse than leakage is seepage. Seepage.
Maria Vermazzis
Oh, yeah. That's some matter of injury or just lack of control.
Joe Kerrigan
Right.
Dave Buettner
Well, this person's mouth is always flapping, but they also know everything. I guess they give a little and they get a lot back. So this is not. This one feels innocuous at the bar. Innocuous enough, but they can be pretty dangerous. I don't know. It feels like a good parallel there. There. The second one is the Credential Masquerader, the aka, the do you know who I am? Guy. Do you recognize yourself?
Maria Vermazzis
That's what I say when I walk into a bar.
Dave Buettner
I'll be with you in a minute.
Maria Vermazzis
Hey, do you know who I am? No.
Joe Kerrigan
Does everybody say Joe? Like they greeted Norm. Right.
Maria Vermazzis
This never happens.
Dave Buettner
Does it actually work, Joe? Does it?
Maria Vermazzis
No, it has. No, no.
Joe Kerrigan
It's like that joke when you.
Maria Vermazzis
I don't actually do this, but you.
Joe Kerrigan
Take your son out for his first drink when he's age 20, and you take them to the bar and everybody already knows him. They're like, hey, Joe. Hey, Joe. Welcome back. Welcome. Good to see you again.
Maria Vermazzis
Right, right.
Joe Kerrigan
Yeah.
Maria Vermazzis
Yeah. That happened with the liquor store. Walked into the liquor store, Joe. They're like, who's this guy? My daughter would like to buy something from the liquor store.
Joe Kerrigan
Good to see you. That's funny.
Dave Buettner
Yeah. This is the bar version of this, as you said, claims to know everybody, although maybe they don't. Obviously, sometimes they may know some people enough to give them sort of the credibility that they might be a connected person, but they often are lying. And then the security lesson parallel there that Deanne wrote is verification protocols and why they matter. And she also wrote this is the human version of a phishing email with a PayPal logo. Imagining that guy.
Maria Vermazzis
I'm going to take issue with this. And you're right that if you're looking at this through a malicious lens, she's Absolutely right. And she's probably looking at this through a malicious lens. But there are people out there, and I can't remember what the. What the Malcolm Gladwell in the Tipping Point called them. They weren't mavens. Mavens collected information, but these were the people that collected people. And it was facilitators. Networkers, something like that. Yeah, networkers essentially is what they are. And they. They can put you in touch with just about anybody if you have someone that's valid. But yeah, you have to validate what they're talking about.
Dave Buettner
Yeah, these people there are good people like that and that are. That love to make those connections. But then the malicious version of them, through the looking glass are the people who either do know everybody, but they. They do so with malicious intent or they lie about it. I don't know which one is worse. The people that actually know folks but they do bad stuff, or the ones that pretend that they know everybody. Or the latter. Yeah, there you go, weasel. Exactly. Sometimes brevity will do. Number three is the emotional engineer or the sympathy player. I feel like a lot of women are very familiar with this version. The elaborate sob story for a free drink. The most creative excuses you've ever hear, manipulation through emotional leverage. And the security lesson is how emotions bypass logical security measures. And this is a guy like, please, please come home with me, I broke up with my girlfriend. Or please let me buy you a drink. That guy. A lot of us know that guy. Not a fan of that guy.
Joe Kerrigan
Trying to think if I've ever been that guy. If I.
Dave Buettner
It did get a little awkwardly quiet. I won't lie, when I was describing this.
Joe Kerrigan
No, I was just looking back over my life. I mean, in college, before I was married, like, was there ever a time. I certainly had moments that I wish I could have back in college bars, but I'm not sure if that was one of them.
Maria Vermazzis
I have seen this perpetrated recently, but the long sob story. But it was a woman doing it.
Dave Buettner
Yeah. I'm certainly not saying only men do this.
Maria Vermazzis
Yeah, of course not.
Dave Buettner
No.
Maria Vermazzis
This is a manipulator tactic and they come in all shapes and sizes.
Dave Buettner
Indeed it does. Indeed it does. I feel like some of the pro tips I got when I first went to college was to watch out for that type of guy specifically so that will play on young ladies sympathies. That kind of guy. Number four is the tailgater or the my friend's just inside guy. This is my least favorite guy. Really, really hate this guy. He's trying to skip the liner chart. Yeah, but that's okay. It's Costco.
Maria Vermazzis
My wife's just to decide. And then I'd look at my wife and she'd yell to the guy, I don't know that guy. I'd be like. I'd look at her and she'd laugh and the guy would go, go ahead, just get away.
Joe Kerrigan
Get out of my sight.
Maria Vermazzis
Right.
Dave Buettner
Or like just hold up any Costco card with a grainy one pixel picture of some person in black and white. Can they really tell that it's you or not? I mean, really?
Maria Vermazzis
Apparently now they're scanning them. Have you seen that?
Joe Kerrigan
What?
Maria Vermazzis
I've only heard it. I haven't been to Costco since I heard this. I have to check it out.
Dave Buettner
They might get you. I don't know.
Maria Vermazzis
I'm about out of a pallet of soap, so I need to go get.
Joe Kerrigan
Some, you know, six pack of lawn tractors.
Maria Vermazzis
Right.
Dave Buettner
How many BMWs can you buy shrink wrapped? It's pretty amazing. Yeah. So as we've sort of identified as the security lesson is why physical security matters in cybersecurity. So think of your friendly pen tester pretending to be the guy who just forgot his badge outside the door. I hate that guy so much. I've been the person who's been on the receiving end of the pen tester trying to wheedle their way into the office. And they're really, really aggressive when they're trying to get in. I hate it.
Maria Vermazzis
They're persistent.
Dave Buettner
Yeah. That is the job, isn't it? And then number five, the social pressure artist or the group manipulator. This one I kind of was struggling to think of an example. But maybe, maybe it's just my personal life. I haven't encountered this one much. Uses crowd pressure to get their way. So group, the story is how social dynamics affect security decisions. So I was kind of trying to figure out how peer pressure would play in on that one. That was only when I was struggling.
Joe Kerrigan
A little bit on this contest in a bar.
Dave Buettner
Yeah. Is this like the drink, drink, drink kind of thing?
Joe Kerrigan
Well, I mean, I could be. I could also imagine the poor guy getting his group of friends all behind him to say, to kind of back him up of what a sad sack he is and how, you know, he just needs some attention and everybody, you know, come on, come on, come on, just have a drink. Come on over, have a drink.
Maria Vermazzis
Don't cut him off. He's.
Joe Kerrigan
Yeah, just follow him.
Dave Buettner
He's a good guy. Oh, the wingman. Are we saying a wingman is his version of that?
Joe Kerrigan
Oh, no. Yeah, it's like multiple wingmen. Like a squad wingman.
Dave Buettner
Yeah, your cheer group, Right? Or a keg party, you know, something like that.
Joe Kerrigan
Yeah.
Maria Vermazzis
I have never had enough friends to pull this off.
Dave Buettner
Maybe that's my problem too, Joe. That's why I'm not familiar with this one. No, I'm sad.
Joe Kerrigan
I'm just never really comfortable in bars. I just didn't spend a lot of time in bars.
Maria Vermazzis
Yeah, I did. I did. When I went to college, there was a couple of bars that I went to. But then, you know, at one point in college, I just stopped altogether. Just stopped drinking and wow, my grades really improved.
Dave Buettner
Were there no bar visits post college for either of you? It was just a college only thing for you?
Maria Vermazzis
Yeah, yeah.
Joe Kerrigan
I don't know. I mean, I've been to bars, but I guess the reason for going to bars shifted after I got married.
Maria Vermazzis
Right?
Joe Kerrigan
Like, I was never on the prowl. I was never looking for to meet someone or have. I guess I have. Since I got married, I have never gone to a bar with the intention of making a new friend.
Maria Vermazzis
Right, right.
Joe Kerrigan
Like, I've only gone to a bar to either just have a drink by myself quietly, or to meet some friends for something social. I have been to a bar, or I guess the way to say this is I've sat at the bar to have a meal and have struck up a conversation with the person next to me.
Maria Vermazzis
I've done that. When I'm traveling.
Joe Kerrigan
Exactly, exactly.
Dave Buettner
Right.
Joe Kerrigan
When I'm traveling.
Dave Buettner
That's the best. Yeah, right.
Maria Vermazzis
That's fun.
Joe Kerrigan
Except for the time when I met the guy who was all about chemtrails. That was not.
Dave Buettner
That's not the best.
Joe Kerrigan
That was the best.
Dave Buettner
In fact, that is the worst.
Joe Kerrigan
Please. Well, I'll tell you what the worst is.
Maria Vermazzis
It's the Amway guy.
Joe Kerrigan
Yeah, yeah, that'd be bad too.
Maria Vermazzis
That would be worse. I'd rather listen to someone talk about chemtrails than Amway.
Joe Kerrigan
So which of these categories do we think Cliff Clavin falls into? You know, the mailman from Cheers?
Maria Vermazzis
Oh, that is the second one. The Credential Masquerader.
Joe Kerrigan
Okay.
Maria Vermazzis
He knows everybody.
Joe Kerrigan
The know it. All.
Maria Vermazzis
Right.
Dave Buettner
Yeah, well, everybody knows your name. Da da da da da da.
Joe Kerrigan
Right, Right. Yeah.
Dave Buettner
Huh?
Joe Kerrigan
No, I like this. This is a good analogy or a series of analogies, I guess.
Maria Vermazzis
Yeah, it's good observation. I mean, you're seeing the same kind of social dynamics that work in social engineering. Just seeing them in a bar situation where people may not be trying to scam somebody, but they might be after some kind of advantage or some kind.
Dave Buettner
Of gain, and then their inhibitions are low because they're inebriated. So you get to see humanity at its absolute best.
Maria Vermazzis
Alcohol suppresses the activity of the prefrontal cortex.
Dave Buettner
Yeah, we brought science into that. That's great. I have found that bartenders tend to be fantastic at sniffing out social engineering. So it's not surprising to me that deanne is looking to move into infosec because this is some great life experience that she's bringing to bear. So I hope she stays in touch and lets us know how it goes.
Joe Kerrigan
Yeah, I like it too. All right, we'll have a link to that story in the show notes. I'm going to go next here. My story is about something that's been making the rounds on Facebook, and I love this description of AI slop that's been a. And it seems like it's catching on. This term for stuff that's been generated by AI, like ChatGPT, one of the large language models, for the purposes of just filling content, of creating content, content, content, content cheaply and effectively. And in this case, this has to do with folks complaining that their neighbors egged their car.
Dave Buettner
Oh, I've seen this one so many times. Oh, my gosh. Glad you're doing this story. This won't drive me crazy. I've seen it so much lately. I don't get it.
Joe Kerrigan
Yeah, and this especially this made the rounds, not surprisingly, in the run up to Halloween. This has to do with Mischief Night, which. Are you guys familiar with Mischief Night? Have you heard of Mischief Night?
Maria Vermazzis
I've never heard the term Halloween.
Dave Buettner
No, I've never. I never heard of that. No.
Joe Kerrigan
Oh, yeah, I learned about it when I was probably, you know, 10 years old or so. I had a neighbor, a kid moved into town, you know, lived across the street, and on Halloween Eve, he was like, gotta go out tonight. Mischief Night. I was like, what are you talking about? He's like, it's Mischief Night. Gotta go out and do what? He's like, toilet paper trees? I was like, I'm not doing that. What?
Dave Buettner
Mischief?
Joe Kerrigan
Mischief? Yeah. So as the name implies, you go out and you. That's when you throw eggs and toilet paper trees and just generally vandalize your poor innocent neighbors. And that's what this post is about. The viral post, which is titled My Neighbor Threw Eggs at My Car Because It Blocked the View of His Halloween Decorations. And what they have here are descriptions of the alleged event. But they have photographs of a car sitting in front of a home. And the car has hundreds of eggs on it.
Maria Vermazzis
Right.
Joe Kerrigan
Most of them not cracked. Now, let me just point out here also, if you go out to your car with an egg and you lay it on the hood of the car, what's going to happen to that egg?
Maria Vermazzis
It's going to roll off.
Joe Kerrigan
It's going to roll off? Yeah. The hoods of these cars, dozens of uncracked eggs just sitting there on them as if magnetically attached to the car. So that's an indication that this image is AI generated.
Maria Vermazzis
It reminds me of the old question, Dave.
Joe Kerrigan
Yeah.
Maria Vermazzis
If a rooster laid an egg on your hood, would it roll towards the front of the car or the back of the car?
Dave Buettner
What rooster can't. Leon.
Maria Vermazzis
Egg roost. There you go, Maria. Thank you.
Dave Buettner
Can't operate on this boy. He's my son. Okay, yes, that's fine. Got it.
Joe Kerrigan
Anyway, sorry for stopping the show.
Dave Buettner
The thing with these images is this would cost so much money if this was real, these eggs.
Joe Kerrigan
Well, so, yes, and I'm glad you brought that up, Maria, because in preparation for this story, I actually went and looked up what the price of eggs is right now.
Dave Buettner
In which state? Yes.
Joe Kerrigan
Well, the thing is, the price of eggs has been all over the map. And it was one of those things, especially during the pandemic when inflation was, you know, front of mind. It's like Bitcoin, eggs were one of the things that people were tracking as to what, you know, what was out of control with inflation. So as we record this, the average price of a dozen eggs in the United States is around $3.
Dave Buettner
What? Are you serious? Where I live, it's like almost three times that. In some cases, easily.
Maria Vermazzis
Are you buying organic, cage free, humane eggs?
Dave Buettner
In Massachusetts, you cannot buy eggs that are not cage free. So our eggs are easily like $8 a dozen. I mean, it's very expensive here. Yeah, yeah, yeah.
Joe Kerrigan
Well, we have ghetto chickens down here in Maryland.
Maria Vermazzis
Right. I was like three times.
Joe Kerrigan
I'm actually not. I'm not making that up. The Eastern Shore of Maryland is all about chicken farming.
Maria Vermazzis
So it's great to drive by those houses on a hot day.
Joe Kerrigan
Yeah. So anyway, yeah, I did. I did look it up. The average price is around $3 a dozen for just regular old egg, run of the mill eggs. But still, that's. Nobody's spending that kind of money to hit somebody's car. This precisely because there are hundreds of eggs on each of these cars and around the cars and, you know, so what's the point here? Why create these viral posts? And let me. These posts are viral, right? They go. They spread like wildfire. And the people who mostly share them are old people.
Dave Buettner
Yes, yes.
Maria Vermazzis
Well, I mean, the original sharers here are people like USA Story. Then there's one Lolo Discovery and Volleyball Women. Oh, and here's my personal favorite. World of Farts.
Joe Kerrigan
Yeah, World of Farts.
Dave Buettner
Who is liking a page called World of Farts?
Joe Kerrigan
Yeah. Well, I mean, yeah, I mean, that.
Maria Vermazzis
Seems like a Twitter handle to me, doesn't it?
Joe Kerrigan
Yeah, that's true. But I guess it's a Facebook group. I don't know. But obviously known for their high quality content, right?
Maria Vermazzis
Yeah. Everything's great there.
Joe Kerrigan
Yeah.
Maria Vermazzis
We're bringing the world together, Dave.
Joe Kerrigan
Kind of a sulfur smell. So this. These things spread like wildfire because they trigger people's empathy and outrage. Right. And you know what I suspect also, because I really don't think egging is kind of a thing anymore. You know, I think egging was more of a thing like Joe, when you and I were teenagers, it seems to me like egging was more of a thing than it is today. I haven't heard of anybody being egged anytime recently. Maybe it's just that eggs are expensive.
Maria Vermazzis
Yeah. I don't think I ever egged anybody.
Joe Kerrigan
I never egged anybody, but I certainly heard about it, like on Halloween, you know, news would go around the neighborhood that the, you know, the Jablonovich's house got egged or their car or something like that.
Maria Vermazzis
I did one time take a. Take an egg out into the street and just chuck it down the street to see how far I could throw it.
Joe Kerrigan
Okay.
Maria Vermazzis
Just more of a scientific experiment than anything else.
Dave Buettner
Did you do the can I fry it on the sidewalk thing? That's just cooking.
Maria Vermazzis
I was going to try to do that with two birds with one stone.
Joe Kerrigan
I said, I wonder, did you do the thing where. What is it? On the longest day of the year, if you stand an egg on end, it'll. Yeah, that one. No, no. Okay.
Dave Buettner
I get so many comments on this episode.
Joe Kerrigan
I know, I know. So what is this all about? This is all about driving people to low quality websites to get the rest of the story. And those low quality websites are hosting.
Maria Vermazzis
Low quality ads and tons of them, I'll bet.
Joe Kerrigan
And tons of them to ad views and ad clicks and all that kind of thing. Yeah.
Maria Vermazzis
Do you remember when the Internet was great?
Joe Kerrigan
I do.
Maria Vermazzis
It's awesome.
Joe Kerrigan
For about 10 minutes, right? Yeah.
Dave Buettner
It was awesome, though.
Joe Kerrigan
Yeah. I miss it, right?
Maria Vermazzis
Yeah.
Joe Kerrigan
Yeah.
Maria Vermazzis
Connect to a web server. There'd just be the content you wanted. It wasn't all that fancy.
Joe Kerrigan
Through a shell.
Maria Vermazzis
Yeah, through a shell. You did through a shell.
Joe Kerrigan
Right. So that's what this is about. And I guess the notion here is that if you see this sort of thing and as these are all over the place, remind yourself and anyone else that these are hoaxes. For a long time when I saw stuff like this, I used to just reply and say, this is a hoax. But I.
Maria Vermazzis
That counts as engagement, Dave.
Joe Kerrigan
I know. That means I get to see more of them.
Maria Vermazzis
Right.
Dave Buettner
So just scroll on.
Joe Kerrigan
I don't do that anymore. Yeah, yeah, I know. It's too late for me. Go on. You go on. It's too late for me.
Maria Vermazzis
I'm so tempted very often just to do that and to tell people not to interact with it, But I've just gotten to the point where I have to do exactly that. Scroll on. Because I know if I comment on how this is a load of garbage, that that just helps them.
Joe Kerrigan
Right.
Maria Vermazzis
Like, there was one thing on Facebook where it was. It was somebody trying to investigate. The video was. It was a guy in a mechanic shop and a girl whose car it was. They had taken the wheel off the car, and they were trying to get inside the car to see what was making the wheel sound weird when it ran.
Joe Kerrigan
Okay.
Maria Vermazzis
Took them 10 minutes to reach inside and pull out a stack of cash that they had planted there.
Joe Kerrigan
It.
Maria Vermazzis
Once you get that wheel on that mounting tool, it's seconds to get that tire into a place where you put your hand in it. It's not hard.
Joe Kerrigan
Yeah, it's.
Maria Vermazzis
I mean, I've done it. It's really not that hard. And so the more I watched it, the more frustrated I got, and I just. But that was. That was the problem. I watched it, Dave. That's what it's designed to do.
Joe Kerrigan
Yeah.
Dave Buettner
It's rage bait. Yes, it is literal rage bait. The thing that gets me with this AI slop stuff is a lot of people, I think, or an increasing number of people, know that this stuff is completely fake, and they still engage with it and enjoy it as if it's fine. Like the hoax image of that little girl holding a puppy that came around on Hurricane Helene.
Joe Kerrigan
Oh, yeah, right, right.
Dave Buettner
That was all, like, propaganda, and it was very easily identified as an obvious fake. But a lot of people are like, you know what? I don't care. Because it represents the situation or whatever. And I've seen a lot of that kind of stuff where it's like fake nature pictures and people go, yeah, I know it's fake, but it's pretty. And it's like you're feeding this problem. You're making this worse and it's just really frustrating and I don't know what the solution is.
Joe Kerrigan
This is why we can't have nice things.
Dave Buettner
I know.
Joe Kerrigan
All right, well, we will have a link to this story in the show notes. So if you want to check out these pictures, you can click through to that. If you have not already seen this online, these have made the rounds. That is my story. I'll tell you what, before we get to Joe's story, why don't we take a quick break to hear a message from our sponsor.
Sponsor Voice
Back to the concept of integrations. KnowBe4's Security Coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, Cisco and dozens of others. Security Coach analyzes alerts your security stack generates to identify events related to any risky security behavior from your users. With this information, you can set up real time coaching campaigns to target risky users based on those events from your network, endpoint, identity or web security vendors. These campaigns enable you to coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. With 35 integrations and counting, Security Coach delivers the insight you need to improve your organization's security culture. Learn more about Security Coach at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach.
Joe Kerrigan
All right, we are back and Joe, you are up. What do you got for us?
Maria Vermazzis
Dave? I have two today because they're really quick. Okay, you guys remember a couple of weeks ago we were talking about the JP Morgan ATM Infinite Money glitch?
Joe Kerrigan
Yes, but remind me what that I remember the broad details, but what was going on?
Maria Vermazzis
The broad details were that people could deposit fraudulent checks and then withdraw the money from an ATM owned by JPMorgan Chase. Oh, and you and I talked about this in passing, Maria. I think you were on this episode, right? Maybe it was one of the ones you were.
Dave Buettner
I'm not sure, but I know of this one because I've seen videos of people saying like, hey, my husband got arrested because he tried doing this. And I don't know, and I don't know if that's real either. But I've seen the videos like on TikTok and Instagram about it.
Maria Vermazzis
Well, that's what my story is about. Today, it's from NPR. My first story, written by Alana Weiss, and the headline is, JP Morgan Chase Is Suing Customers Over Infinite Money Glitch ATM Scam. So the one case. Yeah, you and I, Dave, we talked about this and we said, yeah, this is just fraud. Right?
Joe Kerrigan
Right.
Maria Vermazzis
And I said, right. When I was in college, I had a check and I deposited it and they were like. I noticed that my balance immediately went up. It was a small check, it was like 50 bucks, right? But there wasn't enough money for me to take money out of it. There wasn't 20 bucks in my account, so I couldn't take money out. But I put 50 bucks in, and then I could immediately withdraw 40 of it. And I remember thinking to myself, how much could I do this for? And then I remember thinking to myself, well, wait a minute, dummy. They know whose account this is. They have a picture of you operating the ATM. They're gonna catch you. Don't do that. I'm like, yeah, but still, how am I. I'm not gonna do it, but. And I wonder. Well, it turns out there's one story in here, one that they're talking about a masked man who deposited a fraudulent $335,000 check into someone's account. And then they are still trying to collect $290,000 of that. So I'm at this point, how much.
Joe Kerrigan
Cash does an ATM hold?
Maria Vermazzis
There's a limit to how much money I can take out of my ATM in a day.
Joe Kerrigan
Right.
Maria Vermazzis
It is nowhere near.
Dave Buettner
It's a lot lower than that number.
Maria Vermazzis
$300,000. Jeez, I can't even go to like five ATMs and get out more than the limit. I can't do that. I can only do so many thousands of dollars. It's like, like a single digit number of thousands of dollars of withdrawals in a single day.
Joe Kerrigan
Right.
Maria Vermazzis
If I need more money than that, I gotta go inside and talk to somebody.
Dave Buettner
Yeah. So, Chase, there's your problem. If people can withdraw that much. Geez.
Maria Vermazzis
Yeah. This company is headed by one of the guys in finance I can't stand. So go ahead.
Joe Kerrigan
All right, so this masked man who deposited this check, was he depositing in his own account or they don't see it selling someone else's account?
Maria Vermazzis
They say it was into a def. Defendant's bank account at an ATM.
Joe Kerrigan
Okay.
Maria Vermazzis
So I think they're suing the defendant, the person whose account it was, and I think the person with the account is saying, that wasn't me. Somebody just got access to It. Maybe that's what's going on, right? I don't know. But that's the way this is worded. It kind of makes me think that that is a plausible explanation. Or at least the guy that did it thinks that's a plausible explanation. One of those two things is probably true, right? Either somebody else's account or the guy is saying, no, that wasn't me. But anyway, don't do this, don't do this.
Joe Kerrigan
I mean, what do you think's gonna happen? How does anybody think this is exactly.
Maria Vermazzis
What I thought would happen right now? I'm shocked at the level of. At the magnitude of this. Seriously, this is unconscionable on Chase's part. If I were the judge, I would be like, you know, my bank will only let me take out $5,000. That's what you're entitled to collect.
Joe Kerrigan
Perhaps you should open an account at Chase, right? Seriously, where we're known for our loose ATM machines, man.
Dave Buettner
I so much as look at a check over $500 and my credit union makes me wait like a week. I mean, it's ridiculous.
Maria Vermazzis
All right, well, your credit union is subject to different rules because it's a member owned situation, not a shareholder thing.
Dave Buettner
So in other words, because it's not too big to fail.
Maria Vermazzis
Right.
Dave Buettner
Okay, gotcha. All right.
Joe Kerrigan
Wow.
Dave Buettner
I just love how people who thought that free money would not have a catch are getting really surprised that they're getting arrested and in a lot of trouble for this. Like, really?
Maria Vermazzis
Yeah.
Dave Buettner
You didn't think you'd get in trouble for stealing? Okay. From a bank.
Joe Kerrigan
Yeah. On camera.
Dave Buettner
Yeah, on camera.
Maria Vermazzis
Right. On camera. So my next one is about. Is we talked about this a couple of weeks ago. Maybe it was last week or. No, it wasn't last week. It was a couple weeks ago. I talked about the scam where the Cantonese speaking woman was approached by other Cantonese speaking women.
Joe Kerrigan
Oh, yeah.
Maria Vermazzis
And it was a.
Joe Kerrigan
In London.
Maria Vermazzis
A curse. Yes. In London.
Joe Kerrigan
Yeah.
Maria Vermazzis
Well, Dave, right here. Here in the Maryland D.C. area, in fact, in Prince George's County, four people have been charged in a pigeon drop scam targeting old people in Prince George's County.
Joe Kerrigan
Oh, okay.
Maria Vermazzis
And this article has everybody's name. I'm not going to go through because we're going to put a link in the show notes. But these people are also not spring chickens. The youngest one is 36. The oldest one is 77. Of the scammers, of the scammers. That's correct. All right, now I want to go over what the pigeon drop scam is, and there's a great article on Wikipedia that outlines the method. It involves two or three. Wikipedia says two or three con artists working together as a team. This, in Prince George's County, was four people. One will arrange to find a valuable item along with the mark or the pigeon, which is why it's called the pigeon drop. So they'll leave it on the ground for the mark to find, or they will bring it to the mark in their hands, and they'll say, hey, I found this. What do you think we should do with this? And then one of the con men will pose as someone who's knowledgeable and trustworthy, like a lawyer or a banker or a business person. And they will say, oh, I can facilitate that. The three of us go and cash in on this item legitimately. And I'm essentially reading from Wikipedia here. But then the suggestion comes to split the proceeds three ways. However they will, somebody will say, well, you know, I'm not going to trust you guys. I need some collateral here. And that's the ask of this scam. So they may leave the mark or the pigeon with the object that is seemingly valuable. But if they do that, it's worthless or it's been swapped out. And if you give them any money about this, then if you give them any money as collateral, they will then vanish with the money. And if they leave you with something, they will leave you with something worthless. That's how this works. What happened in this one was the two of the suspects approached an elderly woman pretending to have discovered a bag of cash and asked if it was hers. Dave, if someone walks up to me and says, hey, I found this bag of cash, is this yours? I'm like, I want no part of this.
Dave Buettner
Yeah, you keep walking.
Maria Vermazzis
You guys are going to wind up dead in that bag if you're not careful. That is not my money, and I don't want my fingerprints on it. Thanks.
Joe Kerrigan
Yes, that is my bag of cash. I always wonder, oh, did I leave another bag of cash just lying around? Oh, silly me.
Maria Vermazzis
They convinced the victim, this woman, to join them in donating the cash to charity. But with a twist, they persuaded her to withdraw money from her own account as collateral to keep the supposed donation untraceable. Now, I don't understand how that works, but again, these guys are the con artists. So this woman wound up handing over $40,000 to these guys.
Joe Kerrigan
Oh, my word, it's a lot of money.
Maria Vermazzis
Which I'm surprised at the magnitude of this one as well. But good news, all four of these folks were arrested when the subjects, the suspects rather, approached another elderly woman in the parking lot, reportedly attempting the same scheme. So if you've been victimized, there's a phone number for Prince George's police department to call. In this article, I won't belabor it because not a lot of people live around here. We have people all over the world, but this is going on right in our backyard. Dave.
Joe Kerrigan
Yeah. Nobody's immune.
Maria Vermazzis
Nobody is immune. And what's interesting, I like these. I like that. Well, I don't like this. I mean, I said something like that last time about last week, about something being great, but it wasn't great. It was actually a terrible thing that happened. But it was. When I say great, I'm talking about when I'm saying there's something about this I like. There's something about this, about the mechanics that I like. And not necessarily people doing evil acts, but it's interesting at least that these people are actually doing old school, in person scams and making bank on it.
Joe Kerrigan
Yeah. Oh, yeah. No, I mean, we've talked about it before. Some of the things, the. What is it? The treasure box.
Maria Vermazzis
Oh, yeah. Trunk box.
Joe Kerrigan
Thank you. Trunk box scam that goes back hundreds of years.
Maria Vermazzis
Right.
Joe Kerrigan
So they're just modern twists on the old hits.
Maria Vermazzis
Yep.
Joe Kerrigan
Yeah. All right, well, we will have a link to those stories in our show notes. Joe, Maria, it is time to move on to our catch of the day.
Maria Vermazzis
Our catch of the day comes from the Reddit scam group and it is somebody trying to scam somebody who is selling a car.
Joe Kerrigan
All right, I will start off. It goes. Really interested in the Ford Econoline you have listed. Does it have a clean title? Just checking for any issues.
Dave Buettner
Title is clean windshield has a crack by the wipers. That's been there since before I owned it but never had any mechanical problems with it.
Joe Kerrigan
Has the vehicle ever been used as a rental, fleet or commercial vehicle? Where are you located exactly?
Dave Buettner
The guy I bought it from had it for personal use. I think he bought it from a lady that used it to give Bigfoot tours in Bend. Other than that, I don't know where it all was used.
Joe Kerrigan
All right, this is great to know. I appreciate it. In terms of seeing it, can we arrange something possibly tomorrow or what is best for you? If you can give me a time, I can make arrangements.
Dave Buettner
I'm unavailable tomorrow, but will be around most of next week.
Joe Kerrigan
Okay, I can make this work. Let me arrange the plans. And before I drive to you, I forgot to ask, could you give me the THD paperwork and sticker?
Dave Buettner
Not sure what you mean by THD.
Joe Kerrigan
Check out this link. Titlehistorydna.com. You can enter the VIN number and create the paperwork. If you can share that, I'll make arrangements. By the way, what's your name? Nice to meet you. I'm Bob. You can run the THD paperwork on your own vehicle. I'm waiting for the paperwork. Please email or text me the report before I leave or make further arrangements.
Dave Buettner
Looks like this is about the same as Carfax. I'm not paying for a report, but I don't care if you run it.
Joe Kerrigan
I understand Carfax, but that report does not show the sticker details such as options, packages, features and fuel economy safety ratings. I feel it's not an unreasonable request. It's a good sum of money we're talking about. Every vehicle is different. So the report you have showing the history, which is great. Thanks for sharing. I'm looking for all the features your specific vehicle has. To get an idea, please visit the website I provided.
Dave Buettner
I've always had to run my own reports when I bought a vehicle. It's just part of buying a vehicle. If I had one for this van, I would share it with you. However, it was what I was looking for when I bought it, so I didn't run the report. If you are concerned enough to pull a report comma, absolutely go for it. Not sure why the silly phone typed out a comma.
Joe Kerrigan
You're selling the vehicle. I didn't haggle or negotiate, nor do I need to. I'm paying someone to drive me out so I can drive back. And taking a day off. I'm serious to buy. I just want to make sure the window sticker is clean.
Dave Buettner
Have a good day.
Joe Kerrigan
All right. So Joe, you are on to what's going on here.
Maria Vermazzis
Okay.
Joe Kerrigan
What do you suppose is going on here?
Maria Vermazzis
All right. So is title history DNA a scam website?
Joe Kerrigan
I believe that's the case. I believe that's the case.
Maria Vermazzis
Okay.
Joe Kerrigan
Yeah. So I think what happens is they're trying to get this person to go to titlehistorydna.com and pay for a report.
Maria Vermazzis
Right.
Joe Kerrigan
And guess who makes the money off of the report being run?
Maria Vermazzis
Titlehistory.com, the scammer.
Joe Kerrigan
The scammer.
Maria Vermazzis
All right.
Joe Kerrigan
I think the scammer either spun up this or has an interest in this or can buy. Who knows, you know, it might be one of the scam as a service kind of thing. I suppose there's an off chance that titlehistorydna.com is totally legit and we're, you know, saying bad things.
Maria Vermazzis
I'm looking at their website right now. Hold on, let me see if it loads.
Dave Buettner
Is it also maybe I know nothing about cars, so bear with me on this one. I have two cars and I know nothing about them. The VIN number when you. Or the VIN, I should say, when you put the VIN. Isn't the VIN something sort of. Not proprietary, but not information you want to just. You want anybody to have?
Maria Vermazzis
Yeah, anybody walking by your car can see it.
Joe Kerrigan
Yeah, it's in their windshield.
Maria Vermazzis
It's in your windshield.
Dave Buettner
Oh, it's in your windshield. Oh, okay.
Joe Kerrigan
Yeah. So you can go to any car, but it does say like it's the code that unlocks all the information about the car. So you can go to a manufacturer's website and find out all sorts of information about the VIN. But because of the VIN, you can find out all sorts of information about the car, but it's basically the car's serial number. Like every car has a unique VIN and you must have a VIN to sell, buy, sell or register. Mostly register a car. I suppose if a VIN number was removed, you could. If you were gonna use a car on your farm, for example, you don't need a VIN. But other than that, if you wanna drive it on the road, in order to get it registered, you gotta have a VIN number.
Dave Buettner
Is there some sort of scam if somebody gets your VIN though, even though it's a serial number? I don't know. This is me just totally reaching. I have no idea. For some reason I have it in my head that you don't want that number getting out to just anybody, even though it's physically accessible easily and you don't want it blasted everywhere. But I don't know.
Maria Vermazzis
Right?
Joe Kerrigan
Yeah, I don't know. That's a good question. I don't know off the top of my head of any VIN number related scams that wouldn't surprise me if there are any out there. So if any of our listeners know, please let us know if you know of any VIN related scams.
Maria Vermazzis
So I'm looking at this website, titlehistorydna.com and one report for one car cost $27. Okay, so how much does a Carfax report cost?
Joe Kerrigan
So a Carfax report is $45.
Maria Vermazzis
Okay, so a Carfax report is more expensive.
Joe Kerrigan
Yeah. Huh.
Maria Vermazzis
So maybe. Yeah, that doesn't. Okay, so they're not just selling Carfax reports that they put their own label on. But I'll bet there's a data source out there where you can get this information at a relatively low cost, and they're just driving business to it.
Joe Kerrigan
Maybe. Maybe.
Maria Vermazzis
If you can get somebody. If you can spend time on Facebook and you're in a country that has a lower gross domestic product than we do or gross income per capita than we do, and you can get 50 people a month to do this, you're doing all right.
Joe Kerrigan
Well, I'm looking at the website of the Federal Trade Commission, and they have a page called Steering Clear of Vehicle History Report Scams.
Maria Vermazzis
Ah. Okay.
Dave Buettner
Okay, here we go.
Joe Kerrigan
All right, so it says the FTC has been hearing about a new scam targeting people who are selling their cars online. They're getting calls or texts from people who claim to be interested in buying the car, but first want to see a car history report. They ask the seller to get the report from a specific website where the seller needs to enter some information and pay about $20 by credit card for the report. The seller then sends it to the supposed buyer, but never hears back. Weird, huh? Well, it gets weirder. When the car sellers go to one of these websites, they're automatically redirected to sites ending in .vin, which seems like it might be related to your car's VIN number, right?
Dave Buettner
Yeah.
Joe Kerrigan
The domain was intended to be used for sites related to wine, since vin is the French word for wine.
Maria Vermazzis
Right.
Dave Buettner
Oh, it's a francophone scam. I love it. Oh, my God.
Joe Kerrigan
Says if you're selling a car online and someone asks you to get a car history report from a specific site, ask why and think twice. You have no way of knowing who operates the site. It might be a ruse to get your personal information, including your credit card account number. It might also be a way for companies called lead generators to get information which they sell to third parties. So the FTC's site doesn't outright say that this in particular is a scam, but the fact that the FTC has a page dedicated to exactly this thing makes me think it probably is.
Maria Vermazzis
All right.
Joe Kerrigan
So there we go. We all learned something today. Yeah, that these are a type of scam. All right, well, we would love to hear from you. If there's something you'd like us to consider for the catch of the day, you can email it to us. Once again, it is hackinghumans2k.com and that is our show. We want to thank all of you for listening. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Iban. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karp. Peter Kilby is our publisher. I'm Dave Bittner.
Maria Vermazzis
I'm Joe Kerrigan.
Dave Buettner
And I'm Maria Vermazzis.
Joe Kerrigan
Thanks for listening.
Podcast Summary: Hacking Humans – "Happy Hour Hacking"
Release Date: November 7, 2024
Hosts: Dave Buettner, Joe Kerrigan, Maria Vermazzis
Produced by: N2K Networks
Podcast Description: Deception, influence, and social engineering in the world of cybercrime.
In the "Happy Hour Hacking" episode of Hacking Humans, hosted by Dave Buettner, Joe Kerrigan, and Maria Vermazzis, the trio delves into the nuanced world of social engineering, drawing parallels between everyday interactions and cyber threats. The episode focuses on identifying various social engineering tactics, examining contemporary scams, and providing actionable insights to protect against such exploits.
Joe Kerrigan [00:14]: "Each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world."
The episode includes a brief sponsorship message from KnowBe4, emphasizing the importance of integrating security awareness training with existing security stacks to bolster organizational security culture.
Sponsor Voice [01:04]: "KnowBe4 delivers the world's largest library of security awareness training, but they also provide a way to integrate the various elements of your existing security stack to help you strengthen your organization's security culture."
The hosts discuss an increase in tech support scams where scammers lock users' computer screens, compelling non-tech-savvy individuals to call fraudulent phone numbers, leading to further scams.
JJ, a regular correspondent [01:53]: "I've recently come across an increasing number of tech support scams that are locking up the computer screens of users."
Discussion Points:
Screen Lock Techniques: Maria mentions instances where malicious web pages expand to full screen, resembling kiosk mode, making it difficult for users to exit without specific keystrokes.
Maria Vermazzis [02:29]: "I have seen where there's a webpage that has been expanded fully out and the user has a hard time getting rid of it unless they know the right keystrokes."
Preventative Measures: The hosts advise educating friends and family on how to exit such screen locks and emphasizing the importance of not calling suspicious phone numbers.
Joe Kerrigan [03:57]: "Remind them, never call the phone number."
Dave Buettner introduces a blog post by Deanne Lewis, a bartender aspiring to become an infosec expert, titled "The Five Types of Social Engineers I Met Tending Bar." The discussion highlights how everyday interactions can mirror sophisticated cyber attacks.
Dave Buettner [05:06]: "There are five types of folks that you can see at the bar who will teach you something about social engineering scams."
The Five Types:
Information Gatherer (Chatty Regular)
Dave Buettner [05:30]: "This person's mouth is always flapping, but they also know everything."
Credential Masquerader (Do You Know Who I Am?)
Dave Buettner [07:20]: "This is the human version of a phishing email with a PayPal logo."
Emotional Engineer (Sympathy Player)
Dave Buettner [08:19]: "This guy... manipulation through emotional leverage."
Tailgater (My Friend’s Just Inside Guy)
Dave Buettner [09:58]: "Think of your friendly pen tester pretending to be the guy who just forgot his badge outside the door."
Social Pressure Artist (Group Manipulator)
Joe Kerrigan [12:04]: "Maybe it's like the drink, drink, drink kind of thing."
Analogy Highlight: The hosts compare these social engineers to real-life bar interactions, emphasizing how peer influence and lowered inhibitions can facilitate exploitation.
Maria Vermazzis [15:20]: "Alcohol suppresses the activity of the prefrontal cortex."
Joe Kerrigan explores the phenomenon of AI-generated content, specifically hoax images depicting scenarios like cars being egged, which are often shared to trigger empathy and outrage.
Joe Kerrigan [16:29]: "These posts are viral, right? They spread like wildfire."
Key Insights:
Identifying AI Fakes: Unusual details, such as hundreds of uncracked eggs magnetically attached to car hoods, indicate AI generation.
Maria Vermazzis [17:58]: "If a rooster laid an egg on your hood, would it roll towards the front of the car or the back?"
Economic Impracticality: The cost of real-world execution of such hoaxes (e.g., thousands of eggs) makes these posts highly unlikely to be genuine.
Joe Kerrigan [18:09]: "Nobody's spending that kind of money to hit somebody's car."
Emotional Manipulation: These hoaxes exploit users' emotions, encouraging engagement despite being fraudulent.
Dave Buettner [25:02]: "The thing that gets me with this AI Slop stuff is a lot of people... still engage with it and enjoy it as if it's fine."
Maria Vermazzis highlights a scam involving fraudulent ATM transactions where individuals deposit large checks and withdraw significant sums before the bank detects the fraud.
Maria Vermazzis [28:05]: "JP Morgan Chase is Suing Customers Over Infinite Money Glitch ATM Scam."
Discussion Points:
Mechanism: Scammers exploit ATM systems to deposit inflated checks and withdraw excessive funds.
Legal Repercussions: Chase is pursuing litigation to recover substantial amounts lost to these fraudulent activities.
Joe Kerrigan [31:10]: "Perhaps you should open an account at Chase, right? Seriously, where we're known for our loose ATM machines, man."
Preventative Measures: Emphasizing the importance of adhering to withdrawal limits and monitoring account activities to prevent such scams.
Maria Vermazzis reports on a recent pigeon drop scam targeting elderly individuals in Prince George's County, leading to significant financial losses.
Maria Vermazzis [32:40]: "In Prince George's county, four people have been charged in a pigeon drop scam targeting old people."
Scam Breakdown:
Maria Vermazzis [35:07]: "This woman wound up handing over $40,000 to these guys."
Preventative Tips:
Dave Buettner [35:00]: "You keep walking."
The hosts dissect a scam targeting individuals selling cars online, where scammers request reports from dubious websites to extract personal and financial information.
Joe Kerrigan [37:30]: "This is about somebody trying to scam somebody who is selling a car."
Scam Details:
Joe Kerrigan [43:11]: "It might be a way for companies called lead generators to get information which they sell to third parties."
Advice from Hosts:
Joe Kerrigan [45:12]: "These are a type of scam. All right, well, we all learned something today."
The "Happy Hour Hacking" episode offers a comprehensive exploration of social engineering tactics, highlighting both traditional and modern scams. Through relatable analogies and expert insights, Dave, Joe, and Maria equip listeners with the knowledge to recognize and defend against deceptive practices in both digital and real-world environments.
Dave Buettner [46:30]: "Thanks for listening."
For more insights and updates, visit hackinghumans2k.com.