A
You're listening to the Cyberwire network, powered by N2K. Do you know how the space and cybersecurity domains connect? T minus Space Cyber Briefing is your guide through the space based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T minus is back now as a weekly podcast, the T minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space based systems that are, by the way, increasingly Internet enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space based infrastructure that powers, protects and connects our lives here on Earth. So join me for T minus Space Cyber Briefing, new episodes every Sunday.
B
Hello everyone and welcome to the Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
C
Hi Dave.
B
And our N2K colleague from the T minus Space Cyber Podcast, Maria Varmazis. Maria.
A
Hello Dave. And hello Joe.
B
And our very special guest, Kieran Heumann, lead CyberSecurity Engineer at ThreatLocker. Kieran, welcome.
D
Thanks for having me.
B
We've got some good stories to share this week. We don't have any follow up this week, so let's take a quick break here to hear from our sponsor, which happens to be ThreatLocker. When we come back, we'll dive into our stories. Stay tuned. Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing, configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com N2K. All right, we are back and I am going to kick things off for us here today. I've got a story. This comes from the FBI and this is an interesting little escalation of social engineering. This is from the folks over at Bleeping Computer whose story we're referencing. They are saying that the Silent Ransom group, also known as SRG, are targeting US law firms, but beyond just regular social engineering and trying to break into people's accounts, they're using in person data theft tactics. It says they're using social engineering, pretending to be internal IT support through phone calls and phishing emails. So nothing unusual there. But if those remote access attempts fail, they might actually send someone to the victim's office to put a malicious USB drive or plug an external hard drive into their computers.
A
That's some high touch scamming. Kind of quaint.
D
Yeah.
B
So before we dig into some of the details, what do we all make of this? Kieran, you're new with us here. What's your take on this?
D
I mean, I'm quite surprised that they're sending the in person people. That's much higher risk, especially against the government. But I mean, it's a classic, classic thing, trying to get someone to plug in that malicious USB. I've done many, many presentations on just how much damage you can do by quickly plugging in a single USB.
B
Yeah. You know, this reminds me that. How do I say this? I have done this.
A
You have gone to an office and posed as IT.
B
No, no, even worse, even worse, I've let the person in.
C
Oh no, Dave.
A
All right, yeah, I click links, but come on.
B
Well, so here, just a couple weeks ago, I was here at our studio space, which is shared. We're sort of behind the scenes here. Cyberwire is part of an incubator space called Datatribe and so we have some space here, but it's also shared with a bunch of other different startup organizations and that sort of thing. So I was here one morning all by myself, which is not unusual, especially in this day of remote work. And the doorbell rings and I go and I answer the door and there's a perfectly normal looking gentleman there and he says hi, he says, I'm here to fix the mini split air conditioner in the server room. And I gave him a once over and he had tools on his belt and you know those little.
C
Did he have a ladder? A hard hat? A ladder?
B
But he did have clipboards. You know those little pressure meters that HVAC guys have. Sure, yeah, he had a set of those.
C
Okay.
B
So I was like, come on in. So not only did I lead him to the server room, I unlocked the server room door for him, let him in.
A
So nice of you.
B
Yeah, just, you know, now moments after I did this, the office manager showed up and she was happy to see that I had let this person in and into the room and all that kind of thing. So disaster averted.
C
He was supposed to be there then.
B
He was supposed to be there. It was a planned appointment. I didn't know anything about it. But my point is how easily any of us. Maybe this is just me. I'm very trusting. Right. And I also don't want to be. I don't want to confront this person. I don't want to be adversarial. It's just not in my nature. So I basically let this guy in and handed him the keys to the digital kingdom.
A
Pen testers love you.
D
Yeah,
C
It's easy to do. I mean, the reason I asked if he had a ladder. And, Dave, I think you've heard this before because you laughed at that. But you can get anywhere if you just carry a ladder around.
B
Yeah. It's better than a clipboard. Right.
A
Clipboard will get you in just about anywhere, though, Right.
B
But a ladder, people will actually hold the door for you, right?
A
Oh, yeah. So nice.
B
Yeah.
C
I've seen videos of people getting into movie theaters with ladders. Just walk into the theater and, like, as soon as they do that, the guy taking tickets just opens the little velvety ropes.
B
Yeah.
C
And says, come on in this way.
B
Yeah.
C
I don't know.
A
We don't usually give people pro tips on how to do this kind of stuff, but I feel like. All right, I'm writing that one down.
B
You just set the ladder outside the theater, then you just go in and.
C
Yeah, I don't know. I think you'd have to hide the ladder, else they might know something's up.
B
Right, right.
C
The cost of a movie theater ticket is a lot less than the cost of a ladder.
B
That's true. Yeah, that's true. A couple other details here. This Silent Ransom group, they also go by the name Luna Moth or Chatty Spider, depending on which defensive organization you ask.
C
You ever seen a Luna Moth?
B
Yes, I have. They're huge. They are. Yes. They're quite beautiful.
C
Yes.
B
We have them around here. This group has been active since 2022, and they seem to focus on legal and financial organizations. And the FBI again sent out this notification that they're targeting law firms through callback, phishing, and social engineering attacks. So, I don't know. I mean, what's the best way to protect against something like this and take your own advice? Because evidently I'm no good at it.
C
This is the same thing that it always is similar to. I think my story touches on this a little bit today, but it's process. It's process and policy and training. Yeah, and training. It's the people side of the equation. So this is definitely a social engineering hack. So you come in and you say, hey, I'm here from the company. I'm here, you know, your IT service provider. I'm here to take care of the computers. A lot of these law firms are going to have what's called an MSP, which is a managed service provider. Yeah, I used to work at one of these before they were called MSPs, back when we were just called value added resellers. And we had service contracts with people and they would call us and we would have somebody there within four hours, or if they paid more, we'd have somebody there within two hours. Or if they paid enough, we'd just have somebody that would show up as soon as we got the call.
B
Right.
C
But now everybody has MSPs and they are not unexpected. They'll show up and it could be a different guy every single time. Because MSPs can be larger companies.
B
Yeah, yeah. What do you make of this, Kieran? What's an appropriate level of resistance to give someone who comes knocking on your door?
D
I mean, one thing is at ThreatLocker, we do have storage control to stop those pesky USB devices. But in general, a lot of the time it's just verifying who they are. It doesn't matter. I know you said you don't like confrontation, but when it comes to security here at ThreatLocker, everyone has a badge and you have to wear it at all times, visible. Even if you're a visitor, you get a visitor badge, you have to check in with security to get that badge. So at least for us, if someone comes knocking, we bring them over to security and they can go through those necessary checks. And I do think that is very, very important.
C
That's a great idea.
B
So outsource the confrontation, right?
A
Yeah, yeah, yeah. We had a lot of similar training in my Rapid7 days years ago. And we went through all these different processes for what happens if you forget your badge at home that day or lose it when you're out to lunch. And I remember once I actually had to deal with that on the receiving end and I had to deal with that confrontation. There was an elevator in the building that we were in at the time that was kind of only known to us employees as sort of like the other way to get in, not the main office way to get in. And so a lot of us on our lunch break loved to go that way. And there was someone in the hall to enter our office on the correct floor who was like, I lost my badge. Can you just let me in. And I kept telling him, like, you gotta go. Like, I reminded him of the process that we'd been trained on, and he got really angry at me. And I remember thinking at the time, like, people are trying to walk into our office all the time. Like, pen testers want to pwn a security company. Like, they want to do it so badly. But this guy got like, red in the face. He's like, I work here. You've seen me a million times. I'm like, that might be true, but you still need to go to the front desk. And this guy was like, twice my height because I'm 5'1", so everybody's taller than me. So it's like, really? He was trying to, like, impose himself on me and get really up in my face. And I listen, just. Just do the thing. So I was. I really hope that guy was actually a pen tester, right? Yeah, I really hope. But it was very uncomfortable. Like, I'm 10 years later. I still remember how uncomfortable that made me dealing with that confrontation of this guy getting so mad about it.
B
Yeah.
C
Did you ever find out if he was an actual employee?
A
I. You know what? We were. We don't know how much I want to disclose of this. He was supposedly with our sales team, and sales guys come and go. Yeah. So to be honest, like, I couldn't keep track of all the sales guys that we had in the. In the bullpen. So he might have been. But he had definitely. If he was a real employee, he had been trained on what to do, and he was getting real mad at me. So. Too bad. Yeah.
C
I'd have reported him to security just out of spite, you know.
A
Oh, I did. I did. Don't you worry. I was like, by the way, someone was trying to get in without a badge in the back elevator, and that's not good.
C
I've told the story about when I had, you know, we were in, like, this little vending machine room, and a woman I knew was in there, and somebody else walked in, and she looked at him and she said, hey, where's your badge? And he goes. He grabs his chest and he goes, oh, I left it at my desk. And she goes, let's go. Walk back and get it. And she walked out with.
A
Together.
C
Right, Together.
A
And.
C
And. And she's like, I'm very sorry. And his response was, you did exactly what was right.
A
That's right.
C
And that is the proper response to that challenge. And if somebody. If somebody doesn't respond that way, they're either a pen tester or they need to be
A
Re.
C
Educated. Reeducated? I wasn't going to say that, but retrained, possibly disciplined by HR? I don't know. You know, because you cannot do that. The security of an organization like that has to be, you know, it has to be the first concern of everybody's position. And where I work now, we have to have badges on all the time. And we are told often that it's everybody's responsibility. If you see someone without a badge, ask for the badge.
A
Yep.
B
Yeah, I got in trouble once in an elevator for having the wrong badge. Actually, I was working at the Newseum down in.
C
This is a good story.
B
D.C. And the chief engineer asked me to go up into a part of the facility called Master Control, which in a broadcast facility is where all the machines are. And he asked me to go up to Master Control to take care of something. I didn't have normal access to Master Control, so he handed me his badge. Because you needed to badge in the elevators. I went to the elevator, badged in as him. And like, seconds later, the elevator stops. And they're like, who are you? Oh, I was like, Dave, why? They're like, you were not afraid?
A
I can't do that, Dave.
B
Yeah, right. They're like, you are not Dennis. I'm like, no. I said, where's Dennis? He gave me his badge. All right, you and Dennis need to come down here right now. And, you know, they stopped the elevator. Well, I didn't know that the elevator had video cameras built in. And whenever you attached yourself on the elevator down at security, the picture came up of who it was supposed to be, and it got tagged for me not being that person. So me and Dennis both got a good talking to that day. We both learned a valuable lesson that day about sharing badges on a very
C
special episode of Dave and Dennis.
B
Yeah, Dennis. Dennis was one of those. God rest his soul. He's no longer with us, but Dennis was one of those folks who just didn't really care about rules, you know, like, he was like, you know, they're talking to. He's like, okay, go ahead, fire me. Do you want your show to go on the air tonight? All right, Are we done here? Okay, fine. You know, that kind of thing. I was much meeker and did not follow through. All right, we will have a link to this story in the show notes, but in the meantime, particularly if you're a law firm.
C
Yeah. Keep your eyes out.
B
Right, right. All right. That's what I've got this week. Joe, what do you have for us, Dave.
C
My story comes from a listener named Michael who lives in the continent country of Australia. Oh, we have a lot of listeners Down
B
Under. We do, yeah.
C
And he actually wrote this as a letter, and he says, I'm gonna start with what I want to start with here. He says, Dave, Joe and Maria, first love the podcast Hacking Humans as well as a daily podcast.
B
Dave.
C
So he listens to you every day.
B
Very nice.
A
May I recommend the Sunday show T minus Space Cyber Briefing? I just maybe add that to your rotation. Okay.
C
And here's my favorite part. My daughter is obsessed with the chickens, and apparently they have 15 in a small residential area. So really love hearing Joe's updates and her and. And telling her about them. Well, I'm glad that your daughter likes hearing about the chickens, which is awesome. Anyway, he got called. Called upon to help fix a problem that was happening at his daughter's employer, which is a dental surgery outfit.
B
Huh.
C
And he is actually a patient there as well. So he gets an email from the dental surgeon, and it is actually from their email address, and it is saying that this is a document. We need you to look at this document. But the document is too big to send. And also you need to read this document on a desktop or a laptop. It will not be readable on mobile.
B
Huh.
A
Again, hears it. Okay.
B
Right, right. Like flags. Red flags going up.
C
Yep.
A
Make sure to install Adobe Flash. Wait a second.
C
Michael does in fact work in security, so he says his spidey senses were triggered. So he sought some clarification from his daughter, and after a while, she responded that the dental surgery's computer had been hacked. Somehow he assumed that it did not have, like, multifactor authentication enabled or something, and it got caught. But what had happened was they had received an email from another dental surgery, which is common practice, sharing a link to a document. The email address, again, legitimate, and this is a normal request to share patient details as they're not allowed to send these documents.
B
Right, right.
C
So you can't send them an email because that's PHI. I don't know what they call it in Australia, but, you know, you can't just email patient health records around.
B
But you can send a fax here back in 1987.
C
Right.
A
We're in Japan.
C
Yeah.
A
Japan also loves faxes.
C
So what happened when Michael's daughter's practice received the email is the receptionist clicked on the link, it opened a blank screen, and that was all it did. So they thought it was just an error, and they thought no more about it. They were done. But the next day about 2000 of their patients received an email just like the one Michael had received with a link to a document going to the same URL. After the investigation, it appears when the original link was clicked, it caused a silent install of something called ScreenConnect, which is one of these remote access tools. Yeah, it's legitimate software, so it didn't fire any alerts, no antivirus things went off. It was a silent install, so nobody noticed anything. Then here's what's really interesting. At about 7:30 in the morning, before anyone came into the office. And he notes that they had a security camera which showed the computer. A fake Windows Update screen was displayed on the machine's monitor. And behind the scenes the attackers were extracting the contacts from the mail system. The contacts, all the patients' email addresses from the mail system.
B
Wow.
C
Creating a mail merge with Excel. And they found the file, the Excel file that had. That was created around the same time. And then sending the emails with the malicious link to groups of about 200 people at a time.
A
Huh.
C
The clients who received the email and clicked the link were prompted for login credentials for their email. And he notes that's anecdotal. In other words, they called a couple of clients and said hey, you didn't click the link, did you? And they were like yeah, we clicked the link but it asked us for our email credentials. Michael notes that they could also install ScreenConnect as well. So this looks like it's a manual spreading of this backdoor or this remote administration software.
A
Yeah. Cause groups of 200 would mean that they wouldn't get hit with those like the spam rules. Right. Essentially you can still. It's still a person to person email as opposed to a mass email. So. Wow, that's so much work.
C
Yeah, it is. What I found so interesting about the attack, Michael writes, is they used a legitimate software and process to first bypass any MFA and gain access and then create the, the spam mail to try and trick others. True. Living off the land, which is. Yeah, they're, they're doing that. I mean they're not technically living off the land. They're actually downloading and selling software. But it's not malicious software.
A
Yeah, yep.
C
And because it's a recognized software, again, not going to trigger an AV, an antivirus check. They have for now disabled the services and removed the files for ScreenConnect, changed passwords and will increase user access control in Windows to ensure that any software install requires approval, which is a great idea. And he says, I'm not sure how the average person can avoid this other than extreme paranoia. Well, that's what I advocate. So it's interesting that he points this out, but that's exactly right. If you're on the receiving end as a patient from one of these compromised companies, what do you do? I mean, if it's going to do a silent install on your system. I don't, you know, I'm not. I lost my Windows administration capabilities years ago. So I don't know if that.
A
Someone took the keys away.
B
Completely atrophied.
C
Right, Completely atrophied. So I don't know if I could stop this from happening to me if someone sent a, you know, some kind of drive by download like this.
B
Well, let's back up. And I want to get Kieran's take on this sort of from the outset. I mean, what do you suppose was going on with this original. I'm using air quotes here. Empty email that started all of this.
D
Yeah. So, I mean, we've seen attacks like these before. I mean, I've even made some example ones where I look on the computer if you have 7-Zip. If not, download it and ransomware your computer. So it's likely just going to be, when you try and open it, it runs that executable. One thing I do want to note is you'd mentioned, I think, that they were limiting the installations. You want to take that a little further and make sure to do allow listing. Small difference, it seems like, but actually a huge capability difference.
C
Like whitelisting, you're saying?
D
Yeah, whitelisting, yeah. Yeah. We ran actually a webinar, myself and Chief Product Officer Rob from ThreatLocker earlier last year and I had five ransomware samples. I was a user, not an admin, couldn't install anything, all five ran. So it's super, super important to do allow listing, whitelisting, whatever you call it, and then don't be clicking on links.
B
Maria, you're listening.
D
Tough. That's why you can never really, no matter how much training you have, users are going to do what users do.
C
Users are going to do. Users.
A
Users are going to.
B
Users going to use.
D
Yes. Layer eight issues will happen.
C
Right.
D
So you want to make sure to put those controls in place so that whatever they do, do we control.
B
What do we suppose they're ultimately after here? I mean, it seems like the part that we have visibility into was about expanding their reach. But there's nothing in this story about any sort of monetary theft or Anything like that. Kieran, do you think they're just biding their time?
D
Yeah, I would think that eventually they would try and pivot into extracting money. One thing we see common with a business email compromise, something like that, is where they will then reach out to a vendor or someone trying to make a payment and say, hey, your payment information has changed. Send it to this bank instead. So I could really see that being one of the targets. Or also, depending on what information that vendor has, it could be more sensitive information like your bank account information, your address, email, any sort of government ID that you provided could be included in your information.
B
Yeah, I guess medical information is more valuable than just run of the mill personal information, right?
C
It is. It's like seven times the value on the black market.
D
And they can get really, really, really targeted phishing attacks instead of, hey, so and so, you know, here's something. It's they give you a call a day before your dentist appointment that, you know, they now have access to know, hey, we've changed to this, or you need to update your information or whatever it may be. They get that really, really specific data on you.
B
Right, right.
A
Yeah. Nobody's really expecting a scam or a fish from their dentist office. That just feels wow. Because it's like nobody likes going to begin with.
B
So there's enough pain as it is.
A
Yeah. Dang.
C
Now I have to go pay them in advance to hurt me. Yeah, make my gums bleed.
B
I happen to be friends with my dentist and I've known him for probably, I don't know, 20, 30 years now. And I was recently at his office and he has this really cool X ray scanning thing that does this panoramic view of your entire jaw. And the printout of it or the view of it on the computer is in 3D, so you can move it all around. But it looks kind of like the creature from Alien.
C
Like a xenomorph.
B
Yeah, you look like a xenomorph with all. You're like, oh, that's scary, but a little mouth inside. Right?
A
Well, put little names in your feet.
B
Some of us do. Yeah.
C
Right.
B
But on the machine that did this was a little sticky note with the username and password.
C
I'm gonna irradiate a lot of people.
B
I said, doc, I know. Like, you know, it's probably okay, but just humor me, right?
C
Please don't have this sitting on there when I come in.
B
Yeah. I can't let it go without just saying something. And when I'm done saying it, do what you will, but you have been warned.
C
So finally, Michael says he loves the podcast and he loves the chickens. So, Michael, I'm happy to talk about my chickens whenever I can, but not this week. We're not doing it this week. Except for the fact that some of our listeners just love hearing about the chickens.
B
Kieran, since you're new to the show, you're probably scratching your head and wondering what the heck we're talking about when it comes to chickens. Joe actually raises chickens on his vast palatial estate.
C
Yes.
B
And so we've been sort of monitoring his journey from starting with his chickens to where he is today. And it's about 50, 50. About half of our listeners really enjoy hearing the chicken updates, and then the other half we get letters from saying, please get to the show. So
A
how do the hosts feel about it?
B
Oh, I like the chickens.
C
I like the chicken stories.
B
I like the chicken stories. I'm just, you know, someday maybe my friend Joe will bring me some eggs.
C
Dave, you know what? I will bring you some eggs next week. Sorry about that, Dave.
A
Bribery.
B
I just didn't give into it. Right.
C
I brought some eggs in for one of my co workers today and she was very excited.
B
There you go. Some fresh eggs.
C
Yes.
B
All right, we will have a link to that story in the show notes. Let's take a quick break here to hear from our show sponsor. We'll be right back after this message. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allow listing, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC, defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com N2K today. And we are back. Maria, you are up. What have you got for us this week?
A
I've got a short story today. I feel like a lot of my segments are what is AI doing now? And how is it making scams a lot worse.
B
What's that crazy AI up to?
A
Yeah, I mean, I try not to have it be every week, here's a new thing that people are using AI to do terrible things with. But that's what my story is this week, because I've been seeing this specific story making the rounds in very mainstream media. And that always catches my attention when that happens. Mainly because it's nice to see these stories making their way into the non infosec spheres. It's good for awareness and it's good for people to understand what's going on. So some of our listeners may be like, I knew about this one, but listen, your family might not have, so please tell them about this.
B
Okay, Right.
A
So we've talked a bunch of times about how voice cloning with AI is trivial, like it can be done in seconds. Heaven knows, all of us on a podcast, there's a lot of material for AI to work with, and I've had to have this conversation with my loved ones many times about what we need to do about that. So there's a scam that affected a woman in San Francisco where she lost $5,400 to scammers because of an AI voice cloning scam. This one specifically said the scammer used artificial intelligence to mimic the voice of her 37 year old daughter. And I'm just going to read the quote from her. She said it was my daughter's voice having an absolute panic attack, scared, telling me, I love you mom, I'm so sorry, I'm so scared. And then the scammers just cut her off. So essentially the scammers were posing as kidnappers and the whole scam call was basically saying, your daughter's been kidnapped and, you know, if you want her to be alive, you gotta pay us this ransom money. Now on the outset, I'm sure a lot of us might be very skeptical, going, who would fall for something like that? But if you hear a voice that sounds really realistic. I'm very glad I found this story because it really prompted a really good conversation with my family, because I sent it around on the group chat. It's one of those things where even if you think you know how you could tell, oh, I know my loved one wouldn't sound like that, I could totally tell if it's AI. If you think they're having a panic attack and also they're being held at gunpoint for ransom, all of that fear would just completely override your common sense circuitry. And so I was just like, yeah. I've had all these conversations with my family about how we would try and figure out what's real and what's not. And this one made me go, you know what? I think people easily fall for it.
C
Yeah. Because I would feel, like very high in this one.
A
I mean, you get that one wrong, it's catastrophic.
C
Yeah, absolutely. And I mean, this is like the ultimate, you know, the ultimate short circuit for any parent's brain. Yeah. And it's. You know, these people are just horrid people. I mean, first off, they're scammers, but they're like. They're not even respectable. They're worst kind of scammers.
A
Yeah. Yeah. So the woman in question, her name is Deborah Del Mastro. And I'm naming her because she's been really brave in going off on national news, including Good Morning America, telling people about what happened to her. So she. She, again, she lost that money to scammers. Her daughter's fine. She. After she wired the money to the scammers, she actually then called her daughter's phone just to verify, like, actually was that real. In an ideal world, the two things would have been switched, but I can completely understand why that didn't happen.
B
Right.
A
So to me, this is like flavor of the week of what people are doing with AI because again, I know for many of us, we have, like, code words or other things, but if you think that person's being held at gunpoint and they're having a panic attack, I could totally believe them. Not being able to get a code word out if they've got, like, two seconds to talk to you. So that's pretty. Pretty gross. I just wanted to make sure people knew about this one. And definitely I've seen this in People magazine. It's been on Good Morning America. So it's a good thing to talk to your family or friends about because this one's pretty nasty.
B
What do you make of this one, Kieran? Something as human and person to person as this. Yeah.
D
I mean, one thing that you said that I really liked, where she's. I believe her name was Deborah, is speaking out about this. Like, anyone can fall for things like this. We've had engineers fall for phishing scams. You're not an idiot just because you click the link. And it's really good to talk about it, educate people. It sparked conversation like these where, you know, we're able to talk about it. But AI, unfortunately, for better or for worse, it's here and it's just going to get better. These scams are going to get easier, quicker, all of that. So you just have to have those conversations and try your best. I mean, there is no real great answer because like you said, when you're in that panic attack, you're panicking. Your daughter was just kidnapped and held at gunpoint. It's really, really tough to act rationally.
A
Right.
B
Yeah. You say, let me put you on hold while I call my, you know,
A
let me externally verify. I'll call you back. Kidnappers.
B
Right, right, right. I mean even saying, you know, what's the password? What's the password? If the scammers say, I can't remember and it's in your daughter's voice, what are you gonna do? And what's the risk reward here? I mean, I'd turn over the money.
D
Yeah, and it sounds like they hung up right after faking having the daughter say that. So it's not like there was even time for some back and forth con to happen.
A
Yeah, they were doing the whole, hey, we're just telling you this, we're dropping this bomb and we're out. So there's no, you know, there's no chance of them messing it up after that point. They're just done. So. Yeah, what a nasty one. It's just super nasty.
B
Yeah, I'm trying to think, I mean like, Joe, can you think of any way to short circuit this? I, I just can't.
C
The family password is one way, but again, you're right, it is, it is such a high stakes thing. You know, I mean, my tactic would be, I don't know what my tactic would be in this situation. I have fortunately never been targeted by this, but you know, saying, hey, look, I don't have that kind of cash just laying around. It's gonna take me a day to sell some money markets and then I can wire the money tomorrow.
B
Right.
A
Delay, delay. Yeah.
B
See if that'll help. Yeah, yeah, that's smart.
D
One thing you can also do is honestly, people really shouldn't be answering the phone to unknown numbers super often. You know, if you are expecting a call from your doctor, whatever, you can add those to your list, your contact list. If someone needs you, they can leave a voicemail for me. Honestly, I don't really answer unknown numbers. I'm actually really lucky. I have a phone number from when I moved from a couple cities away. So any phone number that's actually from my zip code, I don't answer because those are almost always going to be phishing. But in general, just not answering the phone, wait for that voicemail and then respond. You know, that way it wouldn't be. So on the moment, you know, the scammers, or, you know, in this case, the fake kidnappers are not on the line and you're thinking that your daughter's there, you're able to kind of have a moment, collect yourself, listen to it, take action.
C
Yeah, that's a great idea, Kieran. This reminds me of an old 80s standup bit where a guy says he got an answering machine. It was the best thing in the world. And he just doesn't answer the phone anymore. And his friend said, hey, I called you and you never called me back. He says, well, you didn't leave a message. Your message is the opportunity for you to plead your case as to why I should pick up. Which I think, I mean, while humorous, that is exactly right. I mean, because if somebody calls you and they say, we have your daughter, you're not calling them back. You're calling your daughter first. Right?
A
Yeah.
C
Are you okay? Okay, I can delete this message.
A
It's like the concept, Kieran. It's a great thing that you just mentioned. It's like the concept, like, I just got one of those devices that helps me block a bunch of apps on my phone. The idea of building in friction in our lives to just slow down a lot of stuff. What you're suggesting is a great way of doing that, too. Just building in a little bit of friction to give yourself some time. And as Joe said, make the scammers plead their case. And I wanted to add a little addendum because I just saw this quote in the People magazine story. This is again from Del Mastro, and she said, I'm a Navy veteran and I'm usually very good in a crisis. And I totally, totally believed this guy had my daughter. So, again, truly, I just want to give her kudos for going so publicly.
C
Yeah. Deborah, thank you so much for coming forward with this. This sucks that this happened to you, but, you know, the fact that you come out and you say what happened to you and you lay it all out, that's the only way we solve these things.
D
Yeah.
A
Information sharing.
B
You know, we all think about how we would try to handle something like this, but none of us know.
C
Yeah.
B
None of us know how we would actually respond to an emergency situation.
C
I'll bring it up again. Kieran hasn't heard this story, but I got a scam call from someone impersonating my county sheriff department.
B
Yeah.
C
And I handled it properly, but it was not as psychologically easy as I thought it was gonna be.
B
Yeah.
C
It took me going. My cognitive processes and me leaning into them and not letting any emotional processes take over, but that was a struggle. As unemotional as I tend to be, Robot Joe, Right.
B
Robotic and heartless as you are.
C
Yes.
B
That day, your heart grew three sizes.
C
Yeah.
D
The problem with. As the defender, you have to be right every single time, whereas the attacker only has to be right once.
C
Yep.
A
Yeah, exactly it.
B
And I guess, kind of to Maria's point, or actually to Kieran's point also, about not answering the phone, I'm guessing that the bad guys in this case are not going to leave a message.
A
Right.
B
They'll just.
A
Hello, we are kidnappers. Please call us back at the following number.
C
Yeah, but they've gone through the. Through the. Through all the legwork of cloning a specific person's daughter's voice.
A
So that, I'm sure, can be automated in milliseconds now, though. I mean, I cannot. I mean, you just need a second or two of audio from anyone to make a voice clone. It doesn't take very much. So I'm sure this is all automated. I can't imagine there's a real person doing all that.
B
And they might just keep calling and calling and calling till out of exasperation, you're like, what?
C
What do you want?
B
Any of you have a friend who does that, where if you go to voicemail, they immediately call you back again?
C
In our family, that's the code for, there's an emergency I need you to pick up. So, you know, like, if I'm in a meeting and I see that my wife is calling, I decline the call. If she calls, I'll step out of the meeting to answer it. Yeah, because that's the system we've set up. But, no, if I had someone in my life like that, I'd weed them out.
A
Yeah, I was gonna say that's the "someone's in a hospital" level of call. Don't bother me otherwise. That's crazy.
D
Crying wolf.
A
Yeah, seriously. Exactly.
B
Exactly. All right, well, we will have a link to that story in the show notes. Joe, Maria, Kieran, it is time to move on to our catch of the day. So, Kieran, you should read the part that is in gray. I will read the part that is in green. And it goes like this.
D
Are you free tomorrow?
B
On a plane to Anchorage.
D
This is n. Is this Nicole's new number?
B
Nicole died last week.
D
Oh, my God. I just checked the number. I think I entered it wrong. Your number is very similar to my friend's. I hope I didn't bother you.
B
No bother.
D
Sorry for the misunderstanding. Thank you for understanding. You are such a kind person.
B
I'm the one that killed Nicole.
D
Okay,
B
well, that took a turn.
C
Yeah. Hard, right?
B
Yeah.
A
My dark humor. I was like, okay, that's awesome.
C
This is someone just copying and pasting the standard "I entered the wrong number" script. Like when the person says, Nicole died last week, they don't even bother acknowledging that. They just go, oh, I checked the wrong number or I entered the wrong number. You know, they just go on with the script.
B
Right, Right. Yeah. So obviously this is someone's valiant attempt at short circuiting that and cutting it off, which I think they probably effectively did.
A
Yeah, that or they just told them it's a real number and now they're going to get lots more spam.
B
Right, right. Absolutely. All right, well, we would love to hear from you. If there's something you'd like us to consider for our catch of the day, you can email us. It's hackinghumans2k.com. Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do, to stop ransomware at the source. Get your demo@threatlocker.com N2K. And that is our show, brought to you by N2K CyberWire. We want to thank our very special guest, Kieran Heumann, lead cybersecurity engineer at ThreatLocker, for joining us. Kieran, hope you had a good time.
D
I did. Thank you very much.
B
No, great. Please come back anytime. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Iban. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
D
And I'm Kieran Heumann.
B
Thanks for listening.
Date: June 4, 2026
In this episode of Hacking Humans, the hosts explore how deception, influence, and social engineering continue to evolve—especially at the intersection of cybercrime and technology. They focus on escalating tactics used in social engineering, the impacts of legitimate software used maliciously, and the unsettling rise of AI-powered scams that erode trust in what we hear. The episode features practical stories and expert discussion on handling these threats in real life.
Timestamps: [03:22]–[15:35]
Story Overview:
SRG (aka Luna Moth or Chatty Spider) is targeting US law firms using a blend of remote (phishing, impersonating IT by phone/email) and increasingly, in-person tactics (physically entering offices to install malicious devices).
Timestamps: [15:41]–[26:43]
Listener Story:
A listener in Australia shares how a dental office was compromised via a socially-engineered email from another (genuinely compromised) dental practice. Attackers used a legitimate remote access tool (Screen Connect) to silently install access and then mass-mailed patients as part of a phishing operation.
Timestamps: [29:21]–[39:36]
Featured Story:
Hosts discuss mainstream reports (notably in People Magazine, Good Morning America) of a scam where a mother was convinced her daughter was kidnapped after hearing an AI-generated clone of her daughter’s panicked voice. The mother paid $5400 before confirming her daughter’s safety after the fact ([30:03]).
Timestamps: [40:42]–[41:54]
Segment Overview:
The team reads out a listener-submitted “wrong number” text scam. Rather than engaging, the recipient deadpans, “I’m the one who killed Nicole,” derailing the scammer’s script.
Observations:
Copy-paste scam scripts are easily derailed by unexpected replies, revealing the limits of automation in simple cons.
The episode drives home that security is deeply human—processes and technology can only go so far if basic human responses (politeness, trust, panic in crisis) aren’t taken into account. In modern cybercrime, attackers escalate from remote to physical, use legitimate business tools against victims, and now undermine our most fundamental trust: what we hear from loved ones. The hosts recommend training, friction-building habits, and open information sharing as practical defenses in an ever-evolving landscape of deception.
For listeners:
Share these real stories with your teams and families. The scams are getting more personal, convincing, and technologically advanced—awareness and preparation are your best defenses.