Maria Varmazas
You're listening to the Cyberwire Network, powered by N2K.
Dave Buettner
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, Joe.
Joe Kerrigan
Hi, Dave.
Dave Buettner
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.
Maria Varmazas
Hi, Dave. And hi, Joe.
Dave Buettner
Hi, Maria. Hi, Joe. Hi, Maria.
Joe Kerrigan
I don't feel it's right to say, hello, Maria, until Maria's been introduced.
Dave Buettner
Yeah, that's good.
Maria Varmazas
I don't exist until my name is said. It's true.
Joe Kerrigan
That's right.
Dave Buettner
So there's three of us. Are there nine combinations of how we can all say hello to each other? Is that how that works?
Joe Kerrigan
Six.
Dave Buettner
Don't answer. Okay, Joey. Joe couldn't help himself. All right, we've got some good stories to share this week. We'll be right back after this message from our sponsor.
Sponsor Representative
But first, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, perhaps actually having a weekend every so often? We get it. User behavior can be a challenge, but users can also be an infosec professional's greatest asset once properly equipped. What do we mean by that? Well, stay with us, and in a few minutes, we'll hear from our sponsors at KnowBe4 on that very question.
Dave Buettner
All right, let's get started here. Joe, you have the honors. Why don't you start things off for us?
Joe Kerrigan
Dave, you're a dash cam guy, right?
Dave Buettner
I am a dash cam guy, yes. I have a dash cam in my car.
Joe Kerrigan
Excellent. I saw on Facebook, because we're friends on Facebook, one time you posted a video: look at this wild driver. And I'm like, please don't be Lisa. Please don't be Lisa. And it wasn't.
Dave Buettner
But the thing I posted on Facebook, because we all see wild drivers every day, especially Maria, where she lives in Massachusetts.
Maria Varmazas
No, dash cams don't capture what's going on behind the wheel, though. So, you know.
Dave Buettner
That's right. So. No, what was unusual. The thing I posted was I saw the same crazy driver two days in a row.
Joe Kerrigan
Okay.
Dave Buettner
Doing the crazy things right in front of you. But. But anyway, yes, I have a dash cam, and I enjoy having it.
Joe Kerrigan
So there is a video going around.
Dave Buettner
And when.
Joe Kerrigan
The first time. The first time I saw this video on. It's on various apps. I was like, this looks very staged. It looked very staged to me. But it turns out it is not. It's now actually making the news. And there is a YouTube video that I will put a link to in the show notes. I won't do it. Somebody else will. But I've copied it here. And it is a video of a woman driving. She's talking to her husband, and she then becomes the victim of a swoop and squat. That is what this scam has been called. I've heard it called that a long time ago. I don't know if it has a new meaning. But in the traditional swoop and squat, what would happen is there would be two drivers in cahoots. And the first driver would pull directly in front of you and then brake check you.
Dave Buettner
Okay.
Joe Kerrigan
The second driver would sit right next to you, so you had nowhere to go.
Dave Buettner
Oh, okay.
Joe Kerrigan
And if you rear ended the first driver, the second driver would just keep going. He was an accomplice, but he made sure that you didn't have a viable alternative of veering into the other lane to miss the guy that was about to do the swoop and squat. Oh, so that's not what happens in this video, though. What happens in this video is somebody pulls in front of the driver and she manages to stop the car. She's on the phone with her husband. She manages to stop the car without hitting them. The driver then puts the car in reverse and slams into her car.
Maria Varmazas
Oh, my God.
Joe Kerrigan
Then puts the car back into drive, drives forward a little bit and stops. And then there's some shenanigans going on inside the car, Right. Where they're. They're changing positions in the driver's seat, and a woman gets out, and then another person gets out. And then, like, five people eventually get out of this car.
Dave Buettner
It's like a clown car, right? Yeah, that's what I'm thinking.
Joe Kerrigan
I'm like, how many people are getting out of this car?
Maria Varmazas
What is going on? Wow.
Joe Kerrigan
So here's what's going on. Then they exchange insurance information. Then. Oh, they. One of the guys in the car says she was driving. She doesn't speak any English.
Dave Buettner
Okay.
Joe Kerrigan
So you can't question the person who was driving. And actually, it doesn't look like this woman who. Who couldn't speak any English wasn't. Was driving. There's somebody else driving. And then they swap drivers. Or that's what the victim thinks anyway.
Dave Buettner
Right.
Maria Varmazas
And they put a trash bag up. Yeah. In the video, they put a trash bag up to cover the rear window. That's so shady. Geez.
Joe Kerrigan
Right?
Dave Buettner
Yeah.
Joe Kerrigan
Why are you doing that?
Maria Varmazas
Wow.
Joe Kerrigan
So then. So here's how this works. This is just an insurance scam, right. Because if in most states, if you rear end somebody, it is always your fault.
Dave Buettner
Right?
Joe Kerrigan
Right. Even if you're on a hill and the guy in front of you is driving a manual transmission and he takes his foot off the clutch and goes to put his car into first gear and drive away and he bumps into you. That's your fault. Do you know that?
Dave Buettner
Oh, oh, oh, oh. I see what you. So someone's, someone's going uphill on a hill.
Joe Kerrigan
Right.
Dave Buettner
They drift backwards to hit you.
Joe Kerrigan
Yep.
Dave Buettner
It's your fault. It's your fault because you're too close.
Joe Kerrigan
Because you park too close. You're supposed to be able to. You're supposed to park or stop so you can still see their tires. That's what they told us in driver's ed back in, back in the 80s, Dave.
Dave Buettner
Okay.
Joe Kerrigan
I don't know if this is still the case. I would think that if you had enough, enough room and you had a dash cam, you could demonstrate. No, I gave this guy plenty of room.
Dave Buettner
Well, it doesn't matter because there aren't any manual transmission cars anymore.
Joe Kerrigan
I know.
Maria Varmazas
I was just going to say that.
Joe Kerrigan
There was a great story in Baltimore where this woman got carjacked. These two kids attacked her, stole her keys, knocked her down, ran over to her car and couldn't drive it away because it was a stick shift.
Maria Varmazas
Yeah.
Joe Kerrigan
So anti theft device. So what they do is they pack a car full of people and then they pull out in front of somebody and try to get them to rear end them. And in this case, even if they don't get you to rear end them, they just back up and simulate a rear ending. Now, these people immediately drove away after the exchange of information. Right. They're just going to go and file an insurance claim. That's what they're going to do. And they're all going to say, we all have whiplash from this incident.
Dave Buettner
And it's like five against one, Right?
Joe Kerrigan
Well, it's five of them filing medical claims. And there is talk this has been going on for a while. The video is really telling because it's obviously insurance fraud. In this video. It's not very well executed insurance fraud, especially when the. The victim has a dash cam here. If you didn't have a dash cam. If she didn't have a Dash cam. I don't know that she'd have a case because she wouldn't have any evidence. The other people would have all the evidence. They'd have five people saying she rear ended us. And what they're. What they're going to do is they're going to file a claim with the insurance company for medical benefits, and then they're going to. Or for pain and suffering as well, and then they're going to give that money to somebody else. These people are actually paid about $500 to sit in one of these cars and get hit and potentially get really injured. Right.
Dave Buettner
You can relate real life. Crash test dummies.
Joe Kerrigan
Yep.
Maria Varmazas
Oh, my God.
Joe Kerrigan
So not only. I mean, there's somebody exploiting these people, right?
Maria Varmazas
Yeah, obviously. How desperate do you have to be that you'd be willing to put your life on the line for this?
Joe Kerrigan
Just think about it, Maria. You want to make a quick 500 bucks or die? Here's all you had. Don't worry, you're not going to die. Trust me.
Maria Varmazas
I don't know. Haven't seen the driver here, man.
Dave Buettner
Wow.
Joe Kerrigan
So, yeah, it's. I don't know. This made me think. I think I might need to get a dash cam.
Dave Buettner
Right?
Joe Kerrigan
Yeah.
Maria Varmazas
Yeah. This has got me thinking the same thing, honestly.
Dave Buettner
Geez.
Joe Kerrigan
So I can start posting videos of crazy Dave Bittner driving around.
Dave Buettner
That's right.
Maria Varmazas
We can.
Dave Buettner
Competing dash cam. I can have my dash cam rebuttal.
Joe Kerrigan
Right. So one of the things that I'm always terrified of is around here we get these motorcycle, not gangs. It's not an organized group.
Dave Buettner
Right.
Joe Kerrigan
It's not like a club or anything, but it's like 40 guys on these crotch rocket motorcycles, and they will come out of like, Baltimore City, and you'll be on Interstate 70 heading west, and they'll pass you at like 150 miles an hour, right?
Maria Varmazas
Yes. Yeah. They're everywhere.
Joe Kerrigan
The first one that goes by is terrifying, right?
Dave Buettner
Yes, it is.
Joe Kerrigan
When I see them coming up in my rearview mirror, I just go. I say to my wife, here they come, motorcycles. And she goes, oh, geez. And the whole time I'm watching, I'm like, don't die. Don't die. Don't die while I'm watching. So, I mean, this is one of the reasons I haven't gotten the dash cam is because I don't want to be around. I don't want to be filming this. But I think, you know what? I'll just not save the video if that happens. Or maybe I will and provide it to somebody, I don't know. Anyway. But yeah, this. A dash cam is a good way to protect yourself here against this kind of a scam.
Dave Buettner
You think that if someone. If a group of. If the same group of five people make half a dozen medical claims in the same day.
Joe Kerrigan
Right.
Dave Buettner
Someone would be onto them.
Joe Kerrigan
But who knows? I don't think that's what happens.
Dave Buettner
Maybe not.
Joe Kerrigan
I think that the people who are behind this are actually using multiple people. They'll swap out another five people, put them in a car.
Dave Buettner
Right.
Joe Kerrigan
Say you want to make 500 bucks. And for each one of them that gets in the accident, they get like 10 grand or something like that. So it's not a big insurance loss. It winds up being like a $50,000 insurance loss. But it's still significant enough of a problem that if this becomes an issue that, yeah, there's going to be increased costs for everybody. There already is increased cost for everybody.
Dave Buettner
Yeah. I have a vague recollection too, that there's some mechanism when you're in some kind of accident like this, that there's some bit of very quick money that you can. Like if you say the right combination of words, you can say, I want my blah, blah, blah money. And I don't remember what it is, but you'll get a certain amount and it might be $500, like right away. You'll get it while everybody's trying to figure everything out. And so I wonder if there's a component of that in that as well. And who. You know, again, this is a vague recollection of mine. It may not even be a thing anymore. But you know that they. Relying on this not making its way all the way through the system.
Joe Kerrigan
No, they're settling. They're settling very quickly with the insurance company because they're not going to.
Maria Varmazas
It might be a specific insurance company too, that does this that you're talking about. Yeah. I wonder if certain states are more prone to this.
Joe Kerrigan
Also, I will tell you that in this ABC video, they say they do target women driving alone more than anybody else.
Maria Varmazas
Right. Because they're not gonna wanna fight back as much if somebody's accusing them of something. Cause you feel like you're in your. I think it's safe to say that.
Joe Kerrigan
A woman is less prone to road rage.
Maria Varmazas
Also that. But if you get five people saying, hey, you hit me.
Joe Kerrigan
Yeah. Thinking about me and my wife. And of course, I think Dave and I are the. Are married to the tails of that distribution.
Maria Varmazas
No comment from.
Dave Buettner
I would say my wife and I, one of us is much more liable to experience. This is according to my children who have been alone in the car with me and with my wife. And I remember one time my son, when he was still in his car seat, saying to me, he says, dad, do you use the horn in your car very much? And I said, no, I don't. I, you know, I might toot every now and then if, you know, we're at a stoplight and the person in front of me, you know, doesn't notice that the light has changed, maybe I'll give the thing a little toot and, you know, something like that, or for safety reasons. And he says, uh huh. Mom uses her horn all the time, right? He says, when mom drives, she's a potty mouth. Well, son, you know, everybody's different. And your mother has a lot of very admirable qualities. And patience behind the wheel is a great experience.
Joe Kerrigan
I have is my wife called me one time when she was driving and she was close to our house, and there's a very busy intersection close to our house that has a turn only lane, and somebody didn't turn and tried to merge with her. And I hear her go issue a string of comments, and I hear her horn blow on the phone. And then half a second later, I hear her horn coming across through the trees.
Dave Buettner
That's funny.
Joe Kerrigan
And I'm like.
Maria Varmazas
There she is.
Dave Buettner
Early warning system. Honey's almost home. I can hear the horns from a quarter mile away, like a freight train whistle in the distance. Here she comes. All right, well, it's an interesting case here. And what we really need is a dash cam sponsorship.
Joe Kerrigan
Hey, I'll be happy to sign up for the. We can even have Joe's dash cam.
Dave Buettner
Video of the week.
Maria Varmazas
Oh, my God.
Dave Buettner
Right? Little side podcast. Yeah, Joe rates your dash cam videos.
Joe Kerrigan
There you go.
Dave Buettner
There we go. All right, let's move on. Maria, what do you have for us this week?
Maria Varmazas
Well, there's something happening in a few weeks in the United States that I think most of us are aware of. It's this election thing.
Joe Kerrigan
Dave refers to this as silly season.
Maria Varmazas
Yeah, indeed.
Dave Buettner
I can't wait for it to be over.
Maria Varmazas
Yeah, I'm gonna have to.
Dave Buettner
It's stressful, I know.
Maria Varmazas
And this whole story is just gonna press that bruise, so just brace yourself. I'm sorry. I'm sure anyone in the United States, you two included, have been a flurry of political text messages. Whether you like them or not, whether you want them or not, they're just arriving at your phone, all strict spam for me. They don't even circumvent your spam. Cause for me, no matter how many.
Joe Kerrigan
Really? They have a couple of times, but I am not getting like a snowstorm of them right now. I get 'em, and I'm getting them from both parties too.
Maria Varmazas
Same here. I get it. What about you, Dave?
Dave Buettner
I got one yesterday. I'm looking at it right now and they've sort of, they've amped things up because I'm not responding. It says we asked six times if you support VP Harris, but you still didn't complete the poll. I'm like, back off, man. No, no, I did not.
Maria Varmazas
Desperate ex girlfriend right there. It's just too much.
Joe Kerrigan
I got one right here that says. So that's it, huh? Your membership expired after all these years. Please renew. I don't know if that's a political one. Breaking: Kamala just crushed her CNN town hall. $15 for Elon Musk Dark MAGA hat. Anyway, like I said, I'm getting it from both parties.
Maria Varmazas
Yeah, yeah, I do too. I enjoy it a lot because it's remarkable. You just swap out the names and the calls to action are remarkably similarly desperate. But the, the common thread is that they are extremely frequent, extremely annoying. Nobody likes these. And as you both have noted, they have really ramped up in the weeks right before the election. And who wants this? If you ever were to click one of those text message links, those calls to action, they usually will solicit a small dollar donation amount. Of course they will take any amount of money that you'll give them, but they're usually after five or ten dollar donations at a time. With the idea being hopefully people will engage with these text messages and donate at high frequency. And so you've read off some really great examples. I don't think I need to go into more detail. But yeah, they're crazy with these personal appeals. The urgency, it often sounds very much like somebody related to one of the campaigns is directly talking to you, making an appeal to you. And it really gets into that emotional core. And the question that I've been having with friends and family is who in the hell finds these text messages effective? Who is this working on? Because it's not working on, I think, any of us, but it's working on somebody. Because clearly the political machines as they are, as the wheels turn, they wouldn't be investing all this time and money in it if it was not incredibly effective. So CNN did a little digging into this one and they put out a report answering this exact question. Who are these text messages reaching and how are they actually effective? And the answer is sadly, probably about as bad as you might imagine, if not worse. People who are extremely vulnerable, namely dementia patients in their 80s and 90s, are overwhelmingly responding to these text messages.
Joe Kerrigan
Really?
Maria Varmazas
Yeah. So yeah, that was definitely just. Yeah, they followed the example of just one donor, but there are lots of them that they traced. So here's an example of one 80 year old Republican donor and how he became single-handedly one of the largest grassroots donors to the Republican election cycle going on right now. So it started with a $250 donation that he made in September 2022 to his state senate race. Because off-cycle year. Right. So 2022 was that, was that senate race. In the course of just one month with those text messages then incoming, because you know he made that donation, he donated 344 additional times, adding up to $10,000. That's just in the first month. In a few more months, by December, he donates an additional 2,000 times. Now he has donated over $100,000. Now a little fast forward again to May 2023. He's now made over 5,700 donations to total over $200,000. And by the time you hit the one year mark from his initial 2022 October donation, so again now we're October 2023, he has totaled 15,000 donations, making around $440,000 in all that he has donated. That's almost half a million dollars.
Dave Buettner
Right? Wow.
Joe Kerrigan
Now aren't there caps on how much you can donate?
Maria Varmazas
That's a great question. I don't mean per transaction or in all.
Joe Kerrigan
In all, I thought. Is there a limit on how much an individual can donate to a political candidate in a year?
Dave Buettner
There are directly, yes.
Joe Kerrigan
Okay.
Maria Varmazas
These are for political action campaigns though.
Dave Buettner
WinRed. Remember, money is speech, Joe.
Joe Kerrigan
So.
Maria Varmazas
Right.
Dave Buettner
You could, yeah, the political action committees, I guess once, once seems to me that, and I don't mean to step on your story here, Maria, but it seems like word got around that they had a live one on the line.
Joe Kerrigan
Right?
Maria Varmazas
Yeah, yeah, I agree. It's so I just, just a corollary to the story. His son found out about it around this time when he found out that his father had donated around, you know, half a million dollars, pretty much all of his life savings to WinRed, the political action committee. And he appealed all of this to the Federal Election Commission and to WinRed, and he was able to get a third of that money back. So $151,000 back, but the rest of it's just gone. So yeah, which was just a gut punch to read that one. And before anyone hate mails me, both WinRed and ActBlue use these tactics, which are both the Republican and Democratic political action committees. Both organizations have complaints filed against them with the Federal Trade Commission. But I should note that CNN says WinRed has seven times the number of complaints that ActBlue does in terms of this kind of predatory behavior. And WinRed specifically has 500, excuse me, they have 800 complaints filed against them in the last two years alone. And their data goes from, I think, October 2022 to June 2024. So this is even before Kamala Harris entered the race. So there was this quote that CNN has in the story. I'm just going to read it directly because this just blew me away. Often coming in at five or ten dollars at a time, contributions from the small sampling of donors alone added up to more than $6 million over the last five years, the majority of which ended up with Trump and a long list of other Republican candidates. So $6 million from people that they believe are dementia patients, people who are 80, in their 90s with dementia. And CNN also followed up with many of the families, again, the children, in this case, of many of these folks with dementia who had no idea that their parents had donated pretty much their entire life savings, pensions, Social Security, all that kind of stuff to these political campaigns.
And in many cases, the children would say that mom and dad were actually upset if Donald Trump himself didn't respond to my appeals because they believed they were actually speaking directly to the candidates. Those personal appeals were very effective on them.
Dave Buettner
Right?
Maria Varmazas
Yeah.
Dave Buettner
And I got one from Nancy Pelosi a week ago. Hey, she's desperate to hear from you. Right. Why haven't you responded to my personal appeal?
Joe Kerrigan
You haven't seen any stock tips, that's why.
Maria Varmazas
Oh God. And one thing that, as a former marketer, every time I've seen the websites for these things, I do click through once in a while, which is a very bad idea. I try to remove the tracking info. But I'm curious how these pages work. The text on the pages and the interactive elements on the pages are all as frictionless as possible. And they're trying to sort of shunt you through as quickly as they can without really realizing that you're signing up for often a recurring donation and that they have your information pre-populated. And a lot of times the recurring donation boxes are pre-checked. And also it's not entirely clear that they have been filled out already. So you in many cases may not even realize that you've signed up for a recurring donation. And again, these things are highly tracked. So every time you click a text message through or answer a phone call or respond to an email, it just begets more activity from these little action clubs. So.
Dave Buettner
Right.
Maria Varmazas
For those of us with full cognitive faculties, all of these touch points are extremely annoying, to put it mildly. But if you don't have your full cognitive abilities, if you have short-term memory issues, you might forget that just an hour ago you had donated. And so in that case, these frequent text messages are highly effective, but it's also extremely predatory.
Joe Kerrigan
Yeah, seems that way.
Maria Varmazas
Yeah. And I have to say, as I was reading through the CNN story, this reminded me a bit of gaming microtransactions and the term whaling. Are you both familiar with what that means with whaling in microtransactions?
Dave Buettner
Sure.
Joe Kerrigan
Whaling in casino terms.
Maria Varmazas
Casino or even mobile games, where the idea being you do all these tiny microtransactions on these games that are otherwise free, where only 1 to 2% of players will make up almost 75% of a game's revenue. So you get somebody who doesn't realize that they're hooked in and then they just give tons and tons of money. And that seems to be what's happening here. A corollary. So a coworker of ours here at N2K actually sent this story over, and a corollary story that he sent, shout out to Bennett, was that there's some research going on right now about whether or not seniors are more vulnerable in this case to scams, not just because of situations like dementia, but also because of brain changes. And that the jury is still out on that one. But there is some research to suggest that actually the scam spidey sense does sort of diminish with age due to a physical change in the brain. But sort of controversial take on that one. But the argument is really anything that would protect someone from being preyed on in these kinds of political action campaigns would help everybody, regardless of age and regardless of, you know, cognitive ability. So, yeah.
Dave Buettner
Yeah. You know, anybody who has been through the terrible experience of a loved one going through this sort of emotional or not emotional.
Joe Kerrigan
Cognitive.
Dave Buettner
Cognitive decline. Thank you. Joe knows how hard it is. And you know, there's that saying that the children become the parents.
Maria Varmazas
Yep.
Dave Buettner
And that is true. But the children become the parents. But the parents are still legal adults with all the financial powers and rights that they have always had. So if you have an uncooperative parent or a parent who simply wants to maintain their privacy, it's hard to know that any of this is going on, much less have any control or oversight over it.
Maria Varmazas
Yeah, yeah, I've been through that myself with my father before he died, and it was exactly that I didn't want to mother hen my own father, which was really just very difficult. And, yeah, I mean, one suggestion I had read was sort of having a taking the keys conversation about finances with your parents, as if. As if the taking the keys conversation about cars is easy. That one's excruciating. I've been through that one, too. But trying to get financial power of attorney from somebody, I mean, you have to respect someone's independence and respect the fact that they are an adult and that this is a choice they may very much be aware that they're making. But, yeah, I mean, that feels like putting the onus on the child and the parent. It's really these PACs or POSs, frankly, doing this kind of predatory stuff. But, yeah, the numbers are astounding.
Dave Buettner
Yeah, I did have success, or maybe I frame it as a good experience with my father. We were at the bank together one time taking care of some things, going through some things in the safe deposit box. This, that and the other thing. And one of the employees at the bank who was helping us said, how would you feel about. Said to my father, how would you feel about us allowing your son to have certain notifications on your accounts so that if something goes wrong, he'll be notified? And so, for example, if withdrawal over a certain amount happens, if something unusual happens, they can send me a message that says, hey, heads up. Something weird is going on with your father's bank account. And that went very well because I think it didn't feel like I had an undue amount of control or I was trying to tell him what he could or couldn't do, but it was just a backup set of eyes in case something went out of whack. Yeah.
Maria Varmazas
It feels more objective in a way, too. It's not, oh, that Maria, she worries about me too much, which was my dad.
Joe Kerrigan
Right.
Maria Varmazas
It's the bank, and they're serious people, so they would be looking out for that.
Dave Buettner
Right. And I think the fact that it came from the bank helped too, because I think certainly my father, being old school, the bankers are people in somewhat. A bit of authority, you know, when it comes to money. You know, that's why they're bankers and you're not. So.
Maria Varmazas
Yep.
Dave Buettner
Yeah.
Maria Varmazas
Yeah.
Dave Buettner
So, yeah, this is heartbreaking. And it's a shame. But I guess the answer here is just vigilance with your folks or your loved ones who maybe falling victim to this, keeping in good communication. And it's when someone's a dementia patient, I wonder if there's any onus on the caregivers to be checking in on these sorts of things. Again, they're still adults and they still have all their rights.
Maria Varmazas
And do you want the ultimate gut punch? Honestly, I debated even mentioning this, but in many cases this was, this behavior was one of the first signs that the parent was in cognitive decline that, you know, the children had no idea their parents were doing this. And it was sort of like a once they found out, giant red flag that something wasn't right, which absolutely broke my heart. Cause again, I've been there, so.
Joe Kerrigan
Well, it's good to know my mom's cognition is pretty good.
Dave Buettner
Well, I mean, I don't know.
Joe Kerrigan
I'm not giving any of those.
Dave Buettner
I don't know. I don't know if you had any experiences like this, Maria, but I know, you know, we dealt with this with my mother and before she passed away. And it was one of those things where once the diagnosis came that there was serious cognitive decline, a whole bunch of other things snapped into place from before that. You know, I was like, oh, yeah, that's why, that's why, you know, that's why my mom was worried that my dad was going to run away with the waitress at Golden Corral. You know, like, we laughed.
Joe Kerrigan
Right?
Maria Varmazas
Yeah, yeah, right, right.
Dave Buettner
Just like, yeah, yeah.
Maria Varmazas
My extremely logical father, who was a physics PhD, was starting to take a lot of physical risks doing things that his like trying to climb mountains that he was physically no longer capable of doing or being extremely illogical and saying and doing things that were just completely irrational. And it was completely out of character for him. And that was for us a big red flag that something was going on. But it was so unlike him. It was really heartbreaking. And that was sort of the beginning of it when suddenly these huge risks were like, you would never do this. What are you doing?
Dave Buettner
Right.
Maria Varmazas
Yeah. Yeah.
Dave Buettner
All right. Well, we will have a link to that story from CNN in our show notes. Before we get to my story, why don't we take a quick break to hear a message from our sponsor?
Sponsor Representative
We were talking about making users into an asset for security professionals. Simply put, users want to do the right thing. They're often just lacking the knowledge to do so. That's one of the reasons KnowBe4 has released Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. For example, imagine a user has visited a high-risk website or tried to open a document containing malware. Existing security tools will likely block that action, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more about Security Coach at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach.
Dave Buettner
All right, we are back, and I have two stories here. The first one is a bit of a quickie. This is actually something that happened to me on Facebook. I got a message from, right, right, the rancid dumpster fire that is Facebook. I got a message from someone that I was already friends with on Facebook. Private message. I'll quote it here. It said, "I'm trying to reset my password on my Facebook. They told me they're going to send to a friend, so I picked you. Please help me send the code you receive from them."
Joe Kerrigan
Hmm. So you got this message.
Dave Buettner
I got this message.
Maria Varmazas
They're really trying.
Joe Kerrigan
They're trying to break into your account, right?
Maria Varmazas
They're really trying it. Cute.
Dave Buettner
Yeah, they're trying to break into my account. And I looked up this scam because obviously I knew this was a scam, but this was the first time I'd seen this particular wording of this kind of scam. And one of the things the research showed was that typically this happens when they already have your username and password that they're looking to get. They've already gotten past that, so they're looking for the multifactor authentication code. So just for nothing, the first thing I did was I went in and changed my Facebook password.
Joe Kerrigan
Right.
Dave Buettner
Obviously, I didn't send them a code. Just to be clear, what's going on here is the code that would be sent to me would not be my friend's code. It would be my code.
Joe Kerrigan
Right. To reset your password.
Dave Buettner
To reset my password, yep. Right. So obviously I didn't respond to this. And just for grins, I went ahead and reset my own password just to be careful.
Maria Varmazas
Smart.
Joe Kerrigan
Using a password manager. Of course.
Dave Buettner
Using a password manager. Of course. Yes. A randomly generated, very long, very random password from my favorite password manager. So, yeah. But my other story comes. This is actually from The Register on the other side of the pond. And this is about some researchers at the University of Illinois Urbana-Champaign.
Joe Kerrigan
Oh, I know those guys who have.
Dave Buettner
Done some work on OpenAI, specifically using OpenAI's Real Time API, which is designed for real time voice interactions. So this is the part of OpenAI or ChatGPT, I should say, that allows you to have a real time conversation with ChatGPT. And I don't know. Have either of you spent any time playing with this?
Joe Kerrigan
Yes, and it's pretty good.
Dave Buettner
It's pretty good.
Maria Varmazas
Are we out of a job? Are we screwed? No, I have not. I'm too afraid.
Joe Kerrigan
I don't think we're. No, because I'll say things like, last week, I always said I want to advocate for somebody getting caned. OpenAI will never say that.
Dave Buettner
Right.
Maria Varmazas
It's a very specific term.
Dave Buettner
There's no way that AI can possibly compensate for the Joe Factor.
Joe Kerrigan
Right. Job security.
Dave Buettner
That's right. That's right. His particular brand of chaos cannot be captured by an algorithm. Yeah. So these have gotten very good. And one of the ways that they're very good is there's very little delay anymore in the response.
Joe Kerrigan
Right.
Dave Buettner
So it used to be you'd put in a question, it would sit there and chug for a few seconds and then come up with a response. These days, there's a little pause, but not much. Yeah.
Joe Kerrigan
A lot of times it steps on me. Like it starts talking before I'm done.
Dave Buettner
Yeah. And it'll also use sort of like connecting phrases to buy time for itself. You know, like, it'll say, oh, that's interesting that you asked me that, and then get to the answer. And it's buying time for it to come up with a more, you know, plausible answer.
Joe Kerrigan
Right.
Dave Buettner
So what these researchers have done is they used these AI agents using an API to impersonate companies and officials to steal personal information, such as bank details through phone scams. So this is a proof of concept, and there's actually a YouTube video that I'll link to here that has a demonstration of what's going on here. And perhaps our audio editors can put a little cut of what this is all about, what it sounds like. Hello?
Maria Varmazas
Hello, this is John from Bank of America. I understand your concern. Your security is our top priority to verify your identity.
Dave Buettner
But basically, you know, it starts off with something that sounds like a customer service kind of thing. So as we talked about, you know, you go to Google and say, Google, what's the number for Wells Fargo? And Google comes up with a number, and there are at least equal odds right now that that number is not Wells Fargo.
Joe Kerrigan
Right. Wouldn't it be great if someone trying to scam Wells Fargo had wound up with one of those numbers and just started, like, trying to scam some scammer?
Dave Buettner
Right.
Joe Kerrigan
That was hilarious.
Maria Varmazas
Eating its own pillow.
Joe Kerrigan
Right?
Maria Varmazas
Yeah.
Dave Buettner
So how this works is you get on what seems to be a customer service call, and the agent on the other end, which is actually the ChatGPT agent, responds and steers you toward an imitation website, a lookalike website that gets you to log in, provide your personal information, your username, your password. It prompts you ahead of time. It says things like, oh, it looks like we're going to have to. For security's sake, we're going to have to send you a code. So when that code comes through, please read it off to me. And of course, it's your multifactor authentication code that the real bank is sending you. You read it off to the AI, and the AI takes your voice and converts it and plugs it into the website. And now they have access to your banking information. So the researchers here have found that the cost of this scam is about 75 cents per incident. And they found that for trying to steal Gmail credentials, they had a 60% success rate. And with bank account transfers, it succeeded 20% of the time. Now, this is not against real people. They were doing tests in the lab to see how successful it was, but still, 20% of the time to try to get money transferred from a bank account at 75 cents a shot. Yeah, that pays off as long as.
Joe Kerrigan
You're transferring more than 20 bucks, right?
Dave Buettner
That's right.
Joe Kerrigan
Or whatever. $15.
Dave Buettner
Yeah. So they're saying this system is pretty easy to put together. They said they only used about 1,000 lines of code. And what they're saying is that these AI systems need better guardrails. OpenAI was sent a copy of this, and they said that they have multiple layers of safety.
Joe Kerrigan
Here it comes. Everybody's safety is our number one concern. Shut up.
Dave Buettner
Yeah. The researchers say that there needs to be more layers here to protect people, that this was far too easy to implement. And if they can do it, then for sure the bad guys are already onto it. So, yeah, we will have a link to that story and the research here in the show notes, as well as that YouTube that demonstrates it actually happening.
Joe Kerrigan
I have looked at the author's names, and, no, I don't know any of these guys.
Dave Buettner
Okay, very good.
Joe Kerrigan
But I have been to UIUC.
Dave Buettner
Oh, okay. Terrific. All right, well, it is time to move on to our catch of the day.
Joe Kerrigan
Dave, our catch of the day comes from Reddit, and it is an inquiry from somebody at librariesofcongress.com.
Dave Buettner
Right. There's more than one, right?
Joe Kerrigan
And multiple libraries.
Dave Buettner
Yeah. So the library that's the main one. So they opened up a few branches. You know, so some of the backstory before I read this: this was sent to the scam subreddit, and it is from someone who has written a number of self-published books.
Joe Kerrigan
Okay.
Dave Buettner
And they went through a company that helps people publish self-published books. And part of their concern is that the company they went through to help them publish their books might be in on this, might be trying to get more money from them.
Joe Kerrigan
So it's a shady self-publishing company, correct?
Dave Buettner
Correct. You know, a vanity publishing kind of thing. So this is a letter that this author received, and as Joe pointed out, it comes from inquiry@librariesofcongress.com, and it's titled "Urgent Matter," and it says: "We hope this message finds you well. We are writing to address an important matter concerning your books. The Library of Congress has recently received an infringement case related to your works, which requires immediate action to prevent further complications. It is crucial that your books are properly copyrighted, not only to protect your intellectual property, but also to comply with Title 17 of the US Code. Without copyright protection, you may face serious consequences, including removal of your books from publication platforms, inability to claim damages in case of unauthorized reproduction or distribution, loss of control over how your work is used, adapted, or shared by others. Conversely, securing copyright for your books grants you exclusive rights as the author, including control over reproduction, distribution and adaptations. This legal protection ensures that you maintain ownership of your work and can pursue legal action in the event of infringement. If you have already registered your copyright, please provide us with the copyright number and feel free to disregard this email. If not, we strongly urge you to consult with our legal team to ensure that your copyright registration is completed promptly. Taking action now will safeguard your works from potential legal and financial setbacks. We look forward to your prompt response and attention to this critical issue. Best regards, the Library of Congress, 101 Independence Avenue, Washington, D.C." All right, so.
Joe Kerrigan
I have a question.
Dave Buettner
Yeah.
Joe Kerrigan
My understanding. You might know this, Dave. My understanding of copyright is that you own copyright the moment you create something.
Dave Buettner
That is true.
Maria Varmazas
Yes. And that's true.
Joe Kerrigan
It is not required that you register it with the Library of Congress.
Dave Buettner
Also true.
Joe Kerrigan
But you can register it with the Library of Congress.
Dave Buettner
Yes.
Joe Kerrigan
Is that right? And then that makes it official. So if you say somebody's infringing on my copyright, now you have the government saying, yeah, here's when he filed the copyright.
Dave Buettner
Yep. Makes it easier, right? Yep.
Joe Kerrigan
So first off, they're writing you about an urgent matter where somebody. They. The Library of Congress has said you're infringing on somebody else's copyright.
Dave Buettner
No.
Joe Kerrigan
Isn't that what it says?
Dave Buettner
No, no. It's not saying that you're. All it's saying is that your books are not properly registered with us.
Joe Kerrigan
It says the Library of Congress has recently received an infringement case related to your works.
Dave Buettner
Recently. Right.
Joe Kerrigan
So does that.
Dave Buettner
First off, I read that to mean that someone else was infringing on your works.
Joe Kerrigan
Oh, okay.
Dave Buettner
So this is a call to protect yourself from.
Joe Kerrigan
Got it.
Dave Buettner
These dastardly folks who are out there making illegal copies of your books.
Joe Kerrigan
Either way, Library of Congress doesn't do that.
Dave Buettner
They do not.
Joe Kerrigan
It's incumbent upon you, as the copyright holder, to go out and find infringing works and then take them to court, and you take them to civil court.
Maria Varmazas
Right, yeah. Also, for a self-published book, do you think the Library of Congress has time to be chasing down copyright infringement? I don't think so.
Joe Kerrigan
No. No. They don't chase it down for anything.
Maria Varmazas
No, I know. Especially not for. Yes. I'm just saying.
Joe Kerrigan
Yeah, right. So, yeah, that's what struck me, is that the Library of Congress does not concern itself with copyright infringement. That is entirely on the author.
Dave Buettner
No, the other part that struck me is where they say, "we strongly urge you to consult with our legal team." I'm imagining the picture, like the Library of Congress with the big pillars out front down in D.C., where we've all seen that. And then next to it is this big, tall, like, brutalist architecture building. That's where the legal team hangs. The official Library of Congress copyright enforcement legal eagles.
Maria Varmazas
The legal eagles, is it? My understanding from my friends who publish books is you're lucky if your publisher even does this stuff for you when you're actually properly published.
Joe Kerrigan
So there is some kind of brutalist structure down in that neighborhood that you can see from 395. Yeah, it's like it's got water coolers all over it. And I think it might just be, like.
Dave Buettner
Yeah, there's a bunch of, like, FBI headquarters is brutalist. Yeah, there's a bunch of them.
Joe Kerrigan
All those buildings are so ugly.
Dave Buettner
They are of their time.
Maria Varmazas
Yeah, that's a very polite way of putting it. Yes. Of their time.
Joe Kerrigan
Right.
Dave Buettner
So I think what's going on here is that there are companies who will register your copyrights as a service.
Joe Kerrigan
Yep.
Dave Buettner
And then they go after people they find. They probably found this self-published author. And so for the price of a stamp and a photocopied letter, or an email, I guess in this case, yeah, they're hoping to get a few hundred bucks to do something that is in fact free, which is registering your things. And look, it is a legitimate service to do this as a service for.
Joe Kerrigan
someone, but it's literally filling out a form and providing a copy of the work.
Dave Buettner
Correct.
Joe Kerrigan
That's it.
Dave Buettner
Yeah. Yeah. So it is scammy but not technically illegal. Yeah.
Maria Varmazas
Misrepresentation.
Joe Kerrigan
Although they are saying they are the Library of Congress. That might be illegal.
Dave Buettner
That is probably illegal, right? You are correct.
Joe Kerrigan
You are correct.
Maria Varmazas
Yeah. Sort of like with the house buying process I just went through where I got all this mail trying to get me to pay for documentation that was free. And they were saying that basically I needed to buy it. And it's like, no, that's freely available. I already have it. Thank you.
Joe Kerrigan
Yeah.
Maria Varmazas
So they're preying on ignorance here.
Dave Buettner
Yeah, yeah. There's another one that makes the rounds. If you have a. If you own a company, you will be bombarded with folks who want to help you protect your trademarks.
Joe Kerrigan
Right.
Dave Buettner
And will remind you that your trademarks.
Joe Kerrigan
Have expired, and you must. It comes inside of every Uline catalog.
Dave Buettner
Right.
Joe Kerrigan
What I can't forget is I started up a company with three of my friends. It was just a software development company for a game. Never really took off. But as soon as we filed that company, Uline catalogs all over the place.
Maria Varmazas
Yes. Every year. Those bricks.
Dave Buettner
Yep.
Maria Varmazas
I get them too.
Dave Buettner
Right, right. The poor postal carrier.
Joe Kerrigan
I'm not shipping anything. Literally, I'm not. What we'll produce is a website that people will play a game on. There's no need for anything out of Uline.
Sponsor Representative
We want to thank all of you for listening. And of course, we want to thank our sponsors at KnowBe4. They are experts in helping users do the right thing through new-school security awareness training.
Dave Buettner
All right, well, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com, and that is our show, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Buettner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Varmazas
And I'm Maria Varmazas.
Dave Buettner
Thanks for listening.
Podcast Summary: Hacking Humans – "How Political Donations Can Be Deceiving"
Released on October 31, 2024 by N2K Networks
In this gripping episode of Hacking Humans, hosted by Dave Buettner, Joe Kerrigan, and Maria Varmazas, the trio delves deep into the deceptive tactics employed in political donations and various cybercrime schemes. The discussion is rich with real-world examples, expert insights, and compelling quotes that shed light on how seemingly benign actions can mask nefarious intentions.
The episode kicks off with an engaging discussion about dash cam technology and its role in exposing fraudulent activities. Joe Kerrigan introduces the concept of the "swoop and squat" scam—a deceptive insurance fraud where multiple perpetrators collaborate to create fake car accidents.
Notable Quote:
Joe Kerrigan [03:32]: "In the traditional swoop and squat, the first driver would pull directly in front of you and then brake check you."
The hosts emphasize the importance of dash cams in protecting oneself against such scams, highlighting real incidents where dash cams provided crucial evidence to thwart fraudulent claims.
Dave Buettner [08:29]:
"I think a dash cam is a good way to protect yourself here against this kind of a scam."
Transitioning from automotive fraud, the discussion shifts to political donation scams rampant during election seasons. Maria Varmazas highlights how excessive and intrusive political text messages are not merely nuisances but targeted attacks on vulnerable populations.
Notable Quote:
Maria Varmazas [15:58]: "These frequent text messages are highly effective, but it's also extremely predatory."
A staggering example is shared of an 80-year-old donor who, through relentless text appeals, contributed nearly $440,000 over a year, highlighting the predatory nature of these tactics.
Maria Varmazas [17:53]:
"People who are extremely vulnerable, namely dementia patients in their 80s and 90s, are overwhelmingly responding to these text messages."
The episode underscores the urgent need for protective measures and heightened awareness to safeguard the elderly from such exploitative practices.
Dave Buettner shares a personal experience with a Facebook phishing scam, illustrating the ever-evolving nature of social engineering attacks.
Notable Quote:
Dave Buettner [32:47]: "I didn't send them a code. Just to be clear, the code that would be sent to me would not be my friend's code. It would be my code."
This segment serves as a crucial reminder of the vigilance required in managing personal information on social platforms.
The hosts explore groundbreaking research from the University of Illinois, Urbana-Champaign, where AI technology is leveraged to execute sophisticated phone scams.
Notable Quote:
Joe Kerrigan [35:15]: "His particular brand of chaos cannot be captured by an algorithm."
The discussion brings forth the urgent need for enhanced AI safeguards to prevent such vulnerabilities from being exploited by malicious actors.
Maria Varmazas [36:03]:
"These AI systems need better guardrails. OpenAI was sent a copy of this, and they said that they have multiple layers of safety."
Maria Varmazas recounts a disturbing scam targeting self-published authors, falsely claiming to represent the Library of Congress and urging recipients to secure their copyrights.
Notable Quote:
Joe Kerrigan [43:09]: "It is not required that you register it with the Library of Congress."
Maria provides an example of a self-published author receiving an email titled "Urgent Matter" from a dubious domain, highlighting the red flags that distinguish legitimate communications from scams.
Maria Varmazas [46:12]:
"So they're preying on ignorance here."
The hosts advise authors to verify the authenticity of such communications and understand the true mechanisms of copyright protection to avoid falling victim to these scams.
Throughout the episode, Dave, Joe, and Maria emphasize the critical need for awareness and proactive measures to combat the sophisticated tactics employed by scammers. From leveraging technology like dash cams and password managers to advocating for better protections against AI-driven scams, the hosts provide actionable insights to help listeners safeguard themselves and their loved ones.
Final Takeaway:
Maria Varmazas [28:16]: "Anything that would protect someone from being preyed on in these kinds of political action campaigns would help everybody, regardless of age and cognitive ability."
The episode closes with personal anecdotes, reinforcing the theme that vigilance and informed action are paramount in navigating the complex landscape of modern cyber threats.
For more insights and to stay ahead in the world of cybersecurity, tune into Hacking Humans by N2K Networks.