Hacking Humans – How Little Data Reveals a Lot
Podcast: Hacking Humans
Host: N2K Networks (Dave Bittner, Joe Kerrigan, Maria Varmazes)
Episode Date: September 11, 2025
Overview
This episode dives into the insidious ways social engineers and cyber criminals exploit even the smallest pieces of information ("metadata"), with firsthand stories and the latest research on how data brokers, scammers, and malicious actors turn minimal data into powerful tools for manipulation, extortion, and breaching privacy. The hosts share personal anecdotes about scam attempts in crisis situations, examine a disturbing new infostealer malware capable of real sextortion, and unpack just how revealing basic metadata can be. The episode is rich in practical lessons and cautionary tales for anyone navigating today’s information landscape.
Key Discussion Points and Insights
1. Facebook Scams During Real-life Crises
Maria’s Story – Metadata in Action
- Maria recounts a frightening incident near the University of Massachusetts Lowell involving a shelter-in-place during a suspected shooter situation. As a parent living nearby, Maria sought real-time updates via Reddit and Facebook.
- She observed that within minutes of public posts about the event, scammy comments appeared inviting people to click suspicious links to supposed “videos” of the incident.
- These pages used “newsy” names and embedded phishing links masked as video previews.
- Scammers “ambulance chase” breaking news, preying on public anxiety and rapid information sharing.
Maria (04:04):
"Within minutes the scammers are showing up on the public comments and trying to divert people to very obviously scammy pages. This was very personal for me because I literally was trying to figure out what the heck is going on..."
- Discussion: How do scammers latch onto these posts so quickly?
- The hosts theorize automation through the Facebook API, keyword monitoring, or detecting trending posts.
- Volume and speed suggest organized, possibly semi-automated efforts.
- Lesson: During fast-moving situations, scam comments can closely mimic legitimate user updates—vigilance is crucial, especially when emotions run high.
Dave (13:31):
"When you’re looking for information, when it’s something that’s literally happening right now and minutes count ... the spammy comments, if you’re panicking, especially as I kind of was ... they can look pretty much in line with some of the legitimate stuff."
[Timestamps: 04:04–14:15]
2. Modern Sextortion: Infostealers Make the Threat Real
New Malware: Stellarium
- Dave introduces research from Proofpoint about “Stellarium,” a new infostealer malware with a sextortion feature:
- Scans browser histories for keywords like “sex” or “porn.”
- Takes a screenshot of the activity and a simultaneous webcam photo.
- Sends both to attackers, making the “I saw you through your webcam” threat real, not just a bluff.
- Stellarium is open source, with the author claiming it’s for “educational purposes only.”
- Proofpoint has seen this malware distributed, but no public victim reports yet.
Dave (17:04):
"When it sees [certain keywords], it takes a screenshot of what you’re looking at. It snaps a picture of you through your webcam at the same time and sends the paired pictures straight to the hacker."
- Advice:
- Always cover your webcam when not in use.
- Avoid downloading unknown software; keep antivirus software enabled.
- Don’t shame victims—privacy violation is the real crime.
Joe (21:11):
"Regardless of how you feel about it, you don’t compound whatever wrong you perceive by piling another wrong on top of it..."
[Timestamps: 14:50–22:15]
3. Metadata: Small Data, Big Insights
Joe’s Machine Learning Class Anecdote
- Joe shares what he learned in his Master’s program:
- His instructor provided a year of personal browser metadata: just timestamps and domain names.
- Analysis revealed:
- Daily routines (wake-up, commute, work hours, bedtime).
- Work habits, commuting patterns.
- Hints at life events (e.g., house hunting—thanks to frequent visits to real estate sites).
- Minimal metadata leads to substantial inferences about one’s life.
Joe (31:34):
"I got that information from two pieces of data extracted over a year ... and actually it wasn’t even the domain piece, it was just timestamps … I told that whole story of his daily life."
- Real-world application:
- Data brokers claim anonymization, but cross-referencing “anonymous” location data (e.g., where you spend nights and days) makes it trivial to re-identify individuals and build deep profiles—where you work, worship, socialize, and more.
- Even “just metadata” (call logs, locations) enables profiling, targeted ads, and more.
Dave (33:01):
"But I’ll just use you, Joe, as my example. I know where you work and I know where you live...all I have to do is look for a device that spends its night where you live while you’re asleep and spends its day where you work while you’re at work ... I have a device id ... and then I tell them, give me every location that this device ID has been ..."
- The U.S. lacks federal data privacy laws regulating metadata collection.
[Timestamps: 23:45–41:18]
4. Social Engineering in Metadata and Data Brokers
- Maria and Joe further discuss how metadata from devices and network traffic is commodified, sold, and used for advertising and surveillance.
- Even “anonymized” datasets can be de-anonymized by tying together location and activity patterns.
- Tools to help:
- Use devices’ privacy features (location controls, app permissions).
- Be wary of “janky” apps often used to vacuum up personal data.
- For real privacy, individual actions have impact, but systemic legal change is needed.
[Timestamps: 36:20–40:52]
5. Catch of the Day: The Illuminati Brotherhood Email Scam
- Dave shares a classic scam email inviting recipients to join the “Illuminati Brotherhood.” The only requirements: first name, last name, contact info (no upfront fees!).
- The crew pokes fun at scam weirdness and logic holes:
- "If you’re the Illuminati, why do I need to tell you my first name, last name, country address and phone number?" – Joe (43:19)
[Timestamps: 41:26–46:33]
Notable Quotes & Memorable Moments
- Maria (09:06): "I can't believe within minutes of these things being posted, the scammers are already all over it, trying to direct people to get phished."
- Joe (31:34): "Everything you just said is 100% correct ... from two pieces of data extracted over a year ... just the timestamp data. I told that whole story of his daily life."
- Dave (33:00): "Organizations, the data brokers will often say, 'all this data is anonymized' ... But I'll just use you, Joe, as my example. I know where you work and I know where you live … all I have to do is look for a device that spends its night where you live while you’re asleep and spends its day where you work while you’re at work."
- Joe (43:19): "You’re the Illuminati. Why do I need to tell you my first name, last name, country address and phone number? You should know that."
Concluding Advice
- Vigilance in Crisis:
In fast-moving, high-emotion situations, slow down and scrutinize links/comments—even in familiar community groups. - Metadata is Not Harmless:
Never underestimate what can be learned from “just” your metadata. Advocate for privacy law and use available technological safeguards. - Webcam Precaution:
Cover webcams when not using them; treat any device sensor as a potential privacy risk. - Critical Appraisal:
Be alert for scams that play on ego, panic, or taboo topics (“exclusive” offers, urgent crisis updates, sextortion threats). - Push for Change:
The systemic issues of privacy and data exploitation require political engagement and broader legal reforms.
This episode is an eye-opening primer on why little data can reveal a lot—and how small lapses in caution can have outsized consequences in the digital world.