A
You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Maria. Hi, I'm Maria Varmazis, host of T-Minus Space Daily here on N2K. And joining me is Joe Carrigan. Hi, Joe.
B
Hi, Maria.
A
Hello. Hello. And listeners, Dave is off this week on a very well earned vacation. So it is just me and Joe today, and we have some interesting stories to share this week with you. But first, let's get into some updates and then later, some follow up. Joe, why don't we go to you first for your update?
B
Listeners may have heard me a couple times. I brought Fred into the studio. My dog Fred. Fred passed away on Tuesday.
A
Yeah.
B
At home, peacefully and painlessly. So he is, he is gone. So if any listeners are wondering how my dog is doing, he's gone.
A
I'm so sorry, Joe. All of us, like, my heart goes out to you, seriously, as a pet owner, and I'm just very sorry for your loss. So my heart's with you.
B
I'm always shocked how, how, how much I feel when one of these, when one of these animals goes. It's.
A
Yeah.
B
And you know, Fred was, we adopted him late, so it's not like I raised him from a puppy, but still, he was a good dog. He was a good boy.
A
I'm so sorry, Joe. And I'm sure our listeners are with you too. Many, many listeners. I've been right there with you. So our heart goes out to you, Joe, you and your family and Josie, your other dog.
B
Yes.
A
I'm very sorry for your loss.
B
Yep.
A
I have no good way to segue from that, Joe. So I'm just gonna just go ahead awkwardly.
B
Just do it. There is no segue.
A
There's no segue from that dog died.
B
My chickens are doing good. They're outside now. I got them moved outside.
A
The other question that I'm sure people are, how are the chickens?
B
They're outside. They're in the coop and they're doing well and they're loving it.
A
I'm so glad. Silver lining, if one can be in such a situation. So I'm glad your chickens are doing well. So please keep us updated on how they're all doing.
B
I will. I got to build a bigger run, but.
A
Oh, well, that sounds like a good, a good project to have.
B
It is, yeah.
A
Yeah, we're gonna need a bigger run. Anyway, so without further ado, why don't we get into some listener follow-up? And this was a really interesting listener follow-up from, let me make sure I get his name correctly, from listener Michael. And he sent this earlier today, actually. And he wrote, this is either a very clever new scam or a very poor way for Signal to communicate with users. I know that WhatsApp has its own channel from Corporate, but I've never seen one from Signal. If it was from Corporate, I don't think it would tell me to review carefully. Just cheers to you. Thanks for what you do. This could have been a catch of the day. But honestly, we've been talking so much about WhatsApp lately, I felt like this was more of a follow-up, so.
B
Right.
A
I'm putting it at the front of the show for reasons that are completely arbitrary. So the message that Michael sent from. And it's a screenshot from Signal that he sent. The contact name says Signal Support. And the user says. Sorry, the message says, dear User, this is Signal Security Support Chatbot. We have noticed suspicious activity on your device which could have led to a data leak.
B
We.
A
We have also detected attempts to gain access to your private data in Signal. To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot. Don't tell anyone the code, not even Signal employees. Okay, so yeah, that makes me go, this is very. And thankfully Michael knows this too is very obviously a scam.
B
I think it is. Yeah.
A
Yeah.
B
I'm opening a Signal app right now to see if I have anything similar.
A
Yeah, I cannot imagine in any universe Signal, which is the super secure, as long as you don't invite the press to your chat groups, super secure encrypted chat messaging app. I cannot imagine they would ever have anything like this. And my suspicions were proven correct when I actually went to the official Signal FAQ just to check, because I'm sure they've tried to address something like this. So this is what Signal wrote. Signal Support will never reach out to you first. We will only respond if contacted. Contact with Signal or any Signal representative will only come from an signal.org email address, not from within the app. If anyone contacts you within Signal, claiming to be a Chatbot Security Support or representative from Signal, it is a scam. Immediately select Report and choose Report and block. So that is Signal's official line there. And Signal is again as secure as you can make it if you don't do anything silly. So don't do anything silly.
B
It's a really good app. I have it. It's same. Yeah, I would love to love to love for this to be my only means of communication, but there's no way I'm getting my 80 year old aunts to go into Signal install this.
A
It is tough. I have a lot of friends who are on it, some family as well. I was an early adopter of Signal when it was a little harder to use. They've made it a lot easier to use now and it's still very, very secure. So again, you can't do anything silly like again, inviting people into your chats that don't belong or getting or falling for scams if you can avoid it. But I'm very glad that Listener Michael knows that this was not trustworthy. And again, Signal says you will never be contacted this way within the app. So.
B
Right.
A
Listener beware.
C
And now a word from our sponsor, ThreatLocker, the powerful Zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.
A
Joe, you are up first today for our stories. Why don't you go ahead?
B
I've got three stories today, but they're all related, closely related.
A
Wait, you've got three?
B
They are all very. Okay, essentially one big story, but a.
A
Mega story if you will. Okay.
B
I first got the tip off from a listener and a guy I actually know personally in real life. His name is David. David. And I will not give his last name because I don't know if he would like to be. No, it's not David Bittner. No, it's not. Different David.
A
David Beaton. Air. Okay. No.
B
Okay, so the story that he sent me is the last story I'm going to talk about, but the first story I want to talk about is from the New York Times and it says South Korea targets Cambodia's scam industry after kidnappings, torture and even one death. So this is talking about the South Korean government. They are dealing with some outrage, outrage in South Korea after 330 people have been reported missing in Cambodia this year, including one 22 year old university student who was later found dead.
A
Oh, my God. Okay.
B
Yeah.
C
Wow.
B
Others have been tortured and confined by those running a scam. And we've been talking about this for a long time, but now, now South Korea is Getting involved. The South Korean government is getting involved. They would like to repatriate about 60 people who have been detained by Cambodian authorities so they can get these people back into their. Back into their home country of. Of South Korea. And this article talks about all the. What they're used for. And of course, because they're South Koreans, what they're doing, what these Cambodian scam centers are doing, is they are calling back into South Korea and forcing these people to scam their countrymen out of money, which is how this works. It says here they stole at least $10 billion these. These Cambodian scam centers from the United States in the last year. The Treasury Department said that. And the South Korean nationals were defrauded of about $148 million in 2023.
A
Wow.
B
So that's the first story. The second story I have, which is suspiciously related. I mean, it's not suspiciously. They're all related. Is from CBS News. And this story is actually like a little bit of good news. The Federal government, the US government has seized $15 billion with a B.
A
With a B. With a B.
B
Yes.
A
Carl Sagan with the B in bitcoin.
B
After busting an alleged. This. This one of these global crypto scams. Wow. So who they. Who they have prosecuted, prosecuting is this guy named Chen Zhi, who is the founder and chairman of Prince Holdings Groups. And they say the. The US is alleging that this guy is the head of a vast criminal network in Cambodia built on forced labor. And. And they are responsible for extracting billions from the United States in terms of. In terms of. In scams.
A
Okay, quick question.
B
Yes.
A
Was this money in crypto?
B
It was. Yeah. They got the money out, out, out in crypto. So why.
A
Why am I not surprised?
B
Right. Cool. Because, I mean, that's the fastest way to get money from point A to point B.
A
That's right.
B
Is. If I can. If I can convince you to go drain. Like my story last week had a woman pumping $20,000 into a Bitcoin ATM.
A
Yeah.
B
And I did listen to the episode, and at one point in time, I'm embarrassed. But I did say ATM machine.
A
You know, I noticed that you did that, and I didn't want to say anything.
B
You let it slide. No. Call me on the carpet. Every time I do something like that irritates me.
A
PIN number? Non dot number? Chai tea. Any of those? No.
B
Yeah. Anything. Anything. I don't know what that one is.
A
Oh, bao is a bun. But a lot of people say bao bun, which is.
B
Oh, oh, oh, oh, oh.
A
B-A-O, bao.
B
Did you put chai tea in there already?
A
I did put chai tea. I also put naan bread. Naan. Naan bread. Yeah, anyway, those are a lot of my. Yes, because irritated by.
B
I didn't know that chai is actually Hindi for tea. So when you say chai tea, you're saying tea tea.
A
Yep.
B
It's also. Sahara is actually, I don't know which desert. Yeah, it's, it's, it might be Arabic for desert, I don't know, but it's, it's there in some language it means desert. So when you say Sahara desert, you mean desert desert.
A
Yeah. Right. Yes. Anyway, anyway, there we go.
B
Linguistics. Joe. So there's some quotes in this article that are, that I found interesting. Prince Holding Group's website, it lists, it is one of the largest conglomerates in Cambodia with businesses focused on ready real estate development, banking, finance and consumer services.
A
Okay. Okay. That is if you, if you look through that with a very dark sense of humor lens. Real estate development being these, these forced labor camps; banking being trans, asset transfers of ill gained money; finance, same; consumer services being scamming people.
B
Right.
A
Like it's so dark. Yeah, it's so dark. I'm laughing because it's just like. That is extraordinarily cynical. You almost have to tip your hat to it.
B
Yes.
A
Not that I have a hat.
B
I don't know that that's why, that's where they're cynical. What? They're what? I don't think they did this with cynicism. I think this is where, this is how they launder money through real estate development, banking and finance and consumer services. There was an independent research group that called, that is called Cyber Scam Monitor. They've documented more than 200 online scamming centers and casinos in Cambodia alone by Prince holdings, or actually it doesn't say by Prince Holding. But if these guys have casinos, that's like a license to launder money right there.
A
Yeah.
B
Especially if you don't have any know-your-customer requirements in a different country. I mean you could just say somebody came in, put a billion dollars down, lost it all, bet it all on black and they lost and we kept it and that's how we got this money. And the government goes, okay, done.
A
Yeah, right. What are, what are know-your-customer requirements for casinos? Is that. I don't know what that means.
B
So it, when I've, I don't go to casinos on a regular basis, I.
A
Don't go to them at all. So I, this is totally unknown to me.
B
I haven't been to one. This was. I'll give you an idea. Last time I went into a casino, I went to Kansas City, and I went to Isle of Capri, which is a riverboat casino, which is where. Yeah, they were allowed to have riverboat casinos. So the way they.
A
Isle of Capri, Kansas City casino. Yep. All right.
B
And, you know, my wife and I each went in there. We each took, I think, 50 bucks in, and that was the plan to. To walk in, walk out. But we had to sign up smart. They had to. They had to have a driver's license from us, and.
A
Oh, okay.
B
We had to create an account with them.
A
Really?
B
Yeah. Now, they misnamed my account. They called me Joe Carrington. So I'm like, ooh, this is an opportunity for me to.
A
Yeah, there you go.
B
But I lost all 50 bucks, and that was the end of that.
A
So, yeah, it just. I. As someone who has never gambled at all, especially not in a casino, I have that. The movie James Bond mentality of what casinos are like, where you just walk again. You just walk in, you do the thing, and you leave.
B
Right.
A
So I didn't realize that they're not like that. So. Okay, interesting.
B
So, I mean, there was to tell you how long ago this was. We were there for a wedding, and the married couple's son has just graduated from high school recently. I think he's going to college now. So I have. That's how long it's been since I've been. Since I've done any gambling at any casino now I've been. There was a casino that opened here, Maryland Live, and I went into that casino, and they had. The minimum at that time for blackjack was $15 a table. I'm like, I'm not doing this. Goodbye. And I left, and that was it. And then I went over to Bass Pro Shop and bought something for Christmas. That was why I was there.
A
But this is a very detailed recollection. I just. I just have to hand it to you.
B
All right, anyway, so how. The question is, how did Prince Holdings get away with this? Mark Taylor, who formerly worked on human trafficking issues in Cambodia for the nonprofit Winrock International, said that Chen was embedded in the Cambodian elites and well protected by the government, showing a larger role that Cambodia has played as a safe center for these online scamming centers to prosper. So that's a quote from the article. So these. This government, Cambodia is. Is in league with these people. And my last story is from the BBC, and this is the one that David sent me. He sent it to me in a blog post. But I found the original source here. And the story is about China. Now remember we were talking about China going into Cambodia and to Myanmar and trying to get these.
A
Yeah. Was that last week or maybe the week.
B
It was a couple weeks ago.
A
Recently. Recently, yep.
B
China has sentenced 11 members of. Of. Of mafia families to death over this.
A
They do not play.
B
They. China. Yeah. China does not play. That's right. The Chinese court has sentenced 11 members of a notorious crime family that ran scam centers in Myanmar, according to the Chinese state media. So this is the Ming family. Dozens of members were found guilty and there are varying degrees of, of punishment here. Some. Some of these guys are going to get executed like right away, forthwith. Some of them have a two year reprieve in which they can appeal their case. And then some of them got life in prison. I mean China has really these. They handed, they handed down sentences to 39 people in this case. So China's doing something about this. The United States is doing something about this. South Korea is doing something about this. I don't think this problem is going away anytime soon. But you know, the world is now watching this.
A
Yeah, it's a global problem. It's not. I know when I talk to people who live outside of the United States especially, there is still a mentality with some folks that I know that this is largely a problem for the Anglosphere or like the wealthy Anglosphere. And it's just not, especially with AI it's really. It is a truly global problem. So something like this does require a lot large international response. So it seems encouraging to me. But I'm with you. I despair a little bit. I just don't know how things are going to get much better because it seems just so much easier every time we're on this show. It just seems like there's just more tools in the toolkit for the criminals to do their terrible stuff. And it's like, oh my goodness, I'm just full of rainbows and sunshine today. Joe, Life is great. It's wonderful. That's it. Well, you know, I, I will say this. It is, it is nice. Question mark. Knowing that there's some justice is being done in some way. Although death penalty. Geez.
B
Yeah, I'm not a big fan of the death penalty.
A
Same. That's same here. I'm not a fan of that.
B
Right. But, but China gonna. China.
A
I feel like as an American I am in no place to throw stones, so.
B
Right, that's true.
A
Let's Leave that one there. All right, why don't we take a quick break and hear a few words from our sponsors?
C
And now back to our sponsor, ThreatLocker, the powerful Zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on Endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are Allow Listing, Ring Fencing, and Network Control. Allow Listing is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source, IP, or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class Endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans.
A
Okay, and we are back. Joe, I just realized I kind of cut you off before we went to an ad break. Were you good or.
B
No, I was done. That was good. Yep.
A
Okay. All right, so I'm next because Dave's not here, so. Speaking of a barrel of rainbows, we've.
B
Never made that joke.
A
Which one?
B
Dave's not here, man. Are you familiar with that bit?
A
What is that from? Oh, no.
B
Well, listeners, we're. We're going. I'm going to educate Maria right after we record this podcast.
A
Okay, you can tell me now. Now I'm like, that's going to bother me.
B
It's from a very old Cheech and Chong bit.
A
Oh, I would not know Cheech and Chong bits.
B
Oh, okay.
A
Cheech and Chong. I know who they are. I. I know what the they are all about, but I. I don't have a knowledge of their.
B
We used to, back in the 80s and late 70s, we used to listen to their records and laugh and laugh and laugh.
A
Tell me about the old days, Joe.
B
We went to the record store and we buy a Cheech and Chong record and we get all the drug humor and you smoke a doobie and some stuff was just frankly racist.
A
No, no, that. No, definitely not. Not. Not back then. Never. All right, so, all right, no, Dave's not here and I didn't. I unknowingly wandered into a reference that I didn't know existed. So that's great. I learned something today. Thank you, Joe.
B
Yep.
A
So my story, it comes from our friends at Malwarebytes, and they have a report about how AI driven scams are preying on Gen Z's digital lives. Now, this is something I have talked a lot about on this show. And it's not the premise of Gen Z being specifically at risk to some of these scams. I don't think is going to blow anyone's hair back in terms of news. But I thought it was interesting that there's some numbers to this report. So that is why I wanted to highlight this because again, for me, a lot of what I enjoy about this job is learning things that challenge my own perception of. Of scams. And I think before I started on this show, if you had asked me what generation is most susceptible to some of these scams, I never would have guessed Gen Z. I never. And I just keep learning more and more that that's not correct.
B
Yeah, we had some early research, Dave and I, before you joined the show.
A
The pre-Maria years. Yes.
B
Yeah, the pre-Maria years, that the people who are more likely to get scammed were the younger people, but the people who are more likely to lose money, lots of money, were older people. That makes sense. Younger people don't have a lot of money to lose. And older people.
A
And less life experience in general. Yes, Right.
B
And older people have more life experience, are more embittered by the by. You know, having been scammed before when they were younger, they can see a scam. But you know, as time goes on when, when you amass wealth and somebody calls you and scares you and then you lose a lot of money. So yeah, it's. There's two sides of this. Young people are more likely to get scammed, but they're more likely to also not suffer, you know, less likely to suffer grave losses. Old people are less likely to be scammed, but when they are scammed, it's devastating.
A
Right, grave financial losses. Correct, specifically. But there are other kinds of losses. And to me, I always, I sound like such a doomer when it comes to AI. AI is making this even a lot worse so quickly. And I'm a little cynical about this report. Not to throw any shade at Malwarebytes, but it was sort of like talking about how AI is making this problem so much worse, especially for Gen Zers. And at the end they're selling an AI powered tool to try and help fight this. And I'm going, oh my God.
B
Okay, anyway, yeah, I mean, we will look at the research portion of this.
A
Yeah, yeah, let's look at the research portion of it. So the. What they found was 69% of victims and 64% of targets of extortion scams are either Gen Z or millennial versus 52% of victims and 40% of targets of the other types of scams. So you don't have to keep track of all those numbers. It's just, it's. That's almost 70% of victims are Gen Z or millennial and 64% of targets. So that's, that just shows you where the targeting is going. Even to your point. They don't have as much money. They're clearly the scammers are seeing those folks as target rich. And it seems to be hitting 65% of the victims and 60% of the targets are male. 45% of victims and 41% of targets are parents. 53% of victims are not white. And 52% of victims and 46% of targets agree with the phrase "I'm more likely to click a link on my phone than on my laptop," which I will say this as a millennial who is very much in the "Certain tasks require a big computer. I can't do them on the phone." I feel a little vindicated on that one.
B
Right.
A
But I mean, a lot of people, all they have is the whole idea of even having a computer at this point is almost antiquated for a lot of people. So I get for. If the phone is your only way to interface with the Internet, then, yeah, you're going to get hit through that.
B
Yeah, I, I got some, some shade thrown, thrown my way when I told the, you know, a class full of people. I'm in a class right now, a data science class, a machine learning class, fascinating class, great instructor. I am the oldest guy in that class. Including the instructor.
A
Including the instructor.
B
Oh, yeah. He's a young guy and he, you know, he's smart and awesome. But yeah, I'm the oldest guy and I'm like, I sit here, hold on, I gotta plug my camera into my desktop tower. And everyone's like, what? I'm like, yes, of course. That's what I have. And that's. And I love this thing. I'm never gonna stop using it.
A
Are you the guy who used to bring the CRT to Starbucks and do your work?
B
No.
A
Legends. Anyway, yeah, no, I do feel a little vindicated that some things do require a big computer versus small computer. But again, for many people, their phone is it. So, yeah, that's the way you're gonna get hit. To your point about older victims losing more money, the damage for younger victims is different. So what Malwarebytes highlights here, and I really appreciate this, is that the damage is largely emotional and deeply personal. So especially with AI in the mix the threats that folks are getting are personalized. And of course they're high pressure because that is the way to make extortion victims feel especially vulnerable and mobile. The victims of all mobile scams suffer serious emotional, financial, and functional fallout. Extortion victims experienced what they call an outsized impact. Where 9 out of 10 extortion victims reported emotional harm because of the scam they experienced, 35% experienced blackmail or harassment, 21% experienced damage to their reputation, and 19% faced consequences at work or at school.
B
Hmm. What does that mean?
A
You know, I don't entirely know.
B
Is it just social consequences or, I mean, because that, and I'm not belittling that, but.
A
Yeah, what does that. It's a very good question. Let me just double check the original source here, because that is a very good question.
B
Okay.
A
So one respondent is Gen Z. And they wrote, I didn't lose anything. I was just scared because they wanted to inform all my friends, family and employers how perverted I was because I spoke, supposedly watched porn. Now again, is that threat legit? Questionable. But it's, it's plausible, right? It's absolutely plausible that it is.
B
The way a lot of these sextortion scams work, it could be a legit threat. These guys will try to wreck people's lives. They will try to carry through on their threats because that makes the next victim that they have more ready to pay up, more willing to pay up.
A
I, I mean, I, I will go ahead and say it. I, I, I wish people didn't feel shame about watching porn and we could just take that part away, but it's not something I do. But at the same time, like, you know, I don't, I, I, it breaks my heart that so many people have their lives ruined over just an allegation.
B
Yeah. This is not, probably not, I don't know if this is a sextortion thing, then what happens is these, these guys actively send images to these, particularly to these young men, and then they wind up, they wind up, you know, because when, you know, when I, you know, when, when a man is in his.
A
Youth, you know, Joe, you don't need to explain it.
B
Yeah.
A
You don't need, Right. I think everybody here knows.
B
Right. So, so I can, I can, I can totally empathize with how you got suckered into this.
A
Right. Yeah. And, and of course, again, it AI videos being generated. It can be a fake video, but if it looks real enough, it can still be extremely embarrassing.
B
Absolutely.
A
And it's horrifying. And like a lot of people of all like famous people, non famous people, lots of people are experiencing this and it's just absolutely horrific. So yeah, I can absolutely see why this would be really just damaging and in the long term, not like a temporary, slightly embarrassing. Like this could really haunt somebody.
B
Yeah, absolutely.
A
Especially a young person who might have like a really outsense sense, outsized sense of shame over something like this.
B
Right.
A
It just. Yeah, I could, I could absolutely see that. So.
B
Or if you're part of a religious community.
A
Yes. You know, where, where these things, like my opinion is one thing. Other people's opinion is very different on, on this sort of stuff. So that you could be ostracized.
B
Correct.
A
And certainly if you work for an employer who has certain feelings about certain things. Like I'm trying to be very circumspect here. But yeah, I could absolutely see some horrible things happening. So it's awful. It's awful. It's awful. It's awful.
B
It is.
A
Anyway, so Malwarebytes has a very interesting little mnemonic that they are, I thought was nice that I wanted to surface about a scam response framework that people can try and use. They call it simply STOP, or, S stands for slow down, as in don't let urgency or pressure push you into action. That's great.
B
Absolutely.
A
T is test them. If you answered the phone and are feeling panicked about the situation, likely involving a family member or friend, like you know, a deep fake pretending to be someone that you know, that kind of thing. Ask a question only the real person would know. Something that can't be found online. I highly Recommend Using the old 80s trick of have a family password that you don't put anywhere. Back when they used to let any old person pick up a kid from school, this was a thing that I remember as an 80s kid. They would say, make sure you have a family password.
B
I can't believe that we actually had to be trained. Don't get in the car with somebody who says they know you, right?
A
You want this kid? Go take them. Yeah, I remember that my family had a password and only people who were trusted would know that password. So if that stranger coming to pick you up from school is like, oh, I'm a friend of your mom's, I'm here to pick you up. And they didn't know that password, then don't get in. Right? It sounds nuts saying that now because it's just like now. Now schools are like a maximum security prison practically. Right. Just like back then they're like, yeah, just take the kid. But yeah. A family password is a great idea. Make sure it's something that can't be found online. Or my favorite is if you speak a second language. While the AI might be able to figure it out, like there are some. Sometimes there's tells in how you speak that language.
B
Yep.
A
Like if somebody's a second language, like their Spanish is suspiciously perfect. And at home you speak Spanglish, that kind of thing.
B
Yep.
A
I don't know. I always thought that was an interesting way to go about it. O is opt out. If it feels off, hang up or end the conversation. You can always say that the connection dropped if you need a cover story. And P is prove it. Confirm that the person is who they say they are by reaching out yourself through a trusted number, website or method that you've used before. So, yeah, these deepfake phone calls, videos, that kind of stuff. Trivial to make, trivial to deploy. I hate saying that. So you have to have some sort of offline way to authenticate the person that you're speaking to is legit. Yeah. So, yeah, let's bring back the 80s style family passwords.
B
I agree. I agree. I've already had to have the conversation because we do this podcast.
A
Yes.
B
You know, tons of my voice is out there.
A
Yep.
B
So I have. I have gone to all of my family and I've said, listen, if you ever get a call from me and it sounds like it's me asking you for money, it's not me asking you for money, hang up the phone. I will not call you and ask you for money.
A
I have, I have done very similar with a lot of my family and friends. It's for the exact same reason. And it's not like we're not like big celebrities or anything. If you have ever been, you don't need to be. If you've ever been on a webinar, you know, with 20 people attending, guess what, your information's on the Internet.
B
You want information to spoof your voice.
A
That's right.
B
And we hear stories about this happening all the time. And the places these people are getting the voice samples, they can go to Facebook and grab a video. You make a video that you make, and then they can spoof your voice.
A
Yeah, not only that, but many. And something that I didn't surface in what I was reporting here about the Malwarebytes scam, but not scam about the Malwarebytes report. Something that I guess I will mention now. Many of the scams are also being perpetrated in communities where there's a high level of parasocial trust like Discord and Twitch, where again people are streaming or they're. If you're playing massively multiplayer online role playing game, MMORPG, and you just have the mic running while you're gaming with other people, that's a great way to get somebody's voice.
B
Absolutely. You're providing samples to the world.
A
Yeah. It's not even necessarily public. It's within your community. But if somebody has infiltrated your community. And let's be real, some of these Discord communities have like a million plus people.
B
Yeah. Just assume this is a zero trust thing. Assume the breach. Assume that your information is out there.
A
Yeah. So I really like the acronym, the STOP acronym that Malwarebytes has. Here it again is slow down, test them, opt out and prove it. Those are STOP, and just kudos. I really like that. And thank you Malwarebytes for yet again busting my preconceptions about who's really at risk. I appreciate that. So yeah. Okay, let's move on now, Joe, to catch of the day. So let's jump into our catch of the day now and we're gonna. This is a really interesting catch of the day that came from a listener, Dark Prophet 6. And what I'm gonna do is I'm gonna read the email and Joe, you're gonna give context into what's being said here. Cause this is a fascinating, little more technical than our usual catch of the day. But I thought it was really neat, so I wanted to surface this. So our listener went to a website that is about a military ID card called a CAC. I guess a, a CAC. Okay. And there's a malicious URL. I'm not gonna say what it is cause we don't want people going there. And someone pretending to be Cloudflare brought up a page asking me to verify that I'm not a robot, but slightly different. I knew it was a fake. Great, good job. But drilled down to see what they were trying to do first. They wanted me to copy a string and paste it into terminal.
B
Okay, so, so let's start with the beginning here. CAC. And this is another one of those things like CAC card. Don't say CAC card because CAC stands for Common Access Card. It is a US government ID. When I was very. I've. I've known people that have. Have this and what it is, it's. It's essentially certificate based authentication that's protected with a PIN. So people who are in the government or government adjacent have CACs. When you want to access one of these facilities, frequently websites, you can put the CAC into a CAC reader, enter a PIN, and it will send a challenge response to the CAC, which validates that you do in fact have the CAC in your possession.
A
Okay, so extremely important piece of identification that only very specific people would have.
B
Correct. So it's interesting that Dark Prophet 6 got targeted by this. And I'm wondering, it sounds like he does have a CAC, which means that. Now I have an underlying concern here, an underlying concern of like, how do they know he has a CAC? And. Oh, that's. That's.
A
Now.
B
That would be my question that I. That I would take away from this. But so, but the. Then the next part is he goes, and somebody's impersonating Cloudflare on this website.
A
Right? The thing that Cloudflare being the service that basically is a. What's the acronym for that? They basically, their service tries to prevent sites from getting DDoSed, to put it in a simple way. So sometimes when you go to a website that's suddenly very popular, you will get a Cloudflare sort of front page that says, we need to verify that you're a human by completing a CAPTCHA. And then it'll let you go, as opposed to letting a flood of bots go crash a website that's.
B
Normally for me, it's just click this box and I click the box and it lets me in. But sometimes it'll say, hey, look at these pictures and tell me which one of them have. Which one of them have. Right, the CAPTCHA. Find the bikes or the bus or the crosswalks or the bridges or the steps. Those are all the ones that pain in the mind.
A
Yes.
B
So this is obviously not a Cloudflare, but they want him to copy a string and paste it in the terminal. I would never do this.
A
Never ever.
B
No, it sounds like he's on a Mac or maybe a Linux machine. But no, don't ever do this.
A
Never paste anything into Terminal for any reason that some random website is telling you to do. Please never do that.
B
Right. Cloudflare will never ask you to paste something into the terminal.
A
Yeah. And our listener kindly provided some screenshots of what they were seeing. And I just want to read what the fake Cloudflare thing says because some of it sounds familiar and some of it is the needle scratch. Unusual web traffic detected. Our security system has identified irregular web activity originating from your IP address. Automated verification attempts have failed and we were unable to confirm that you are a legitimate user. To proceed, please follow these steps for your operating system. Step one, Press command, whatever that doohickey is on the Mac, it's the Apple.
B
It's just a command key.
A
The command. Press Command plus space to open Spotlight. Step two, type Terminal and press Return. Step three, click the Copy button below to copy the command. And the displayed copy is I am not a robot, Cloudflare verification ID and a whole bunch of numbers. And then step four, paste (Command+V) the command into Terminal and press Return. So my goodness. Okay, so continuing the email, it looked like they wanted me to copy an innocuous looking string, but when I clicked the copy button and pasted it into TextEdit instead. Thank you, thank you.
B
Right.
A
I then got a long base64 string that would be decoded and then passed into Bash for execution. Please translate that, Joe.
B
Okay, so I'm looking at this right here. This is a bash. It's essentially a bash script with what's called pipes. So it echoes this base64 string to base64 decode, which then echoes that output to curl, which is a, essentially a text-based, a command-line web browser or web resource fetcher that will then create a connection looking for a PHP page. But then it goes piping that to a nohup, which is an operating system term for no hangup, bash. So in other words, it's opening a shell somewhere. This is probably a reverse shell is what this is.
A
Yeah. What does that mean, a reverse shell?
B
So in other words, this is a common hacking technique or a lot of malware will do this. When you install it, it opens a reverse shell, which means it calls out to some page or to some server out there, and it, it will open a shell on your computer that gives a remote user access to your terminal. Access to your computer.
A
There you go. Yep. So it sort of opens a persistent connection to your specific machine, Correct? Yeah.
B
And because of the way firewall rules work, usually these just go right through. A reverse shell connection is essentially your computer asking for a connection to a remote server. So the firewall says, oh, this is the user inside wanting to connect to something outside. Let's go ahead and let that happen. It's not like the nefarious, hey, somebody outside is trying to get access here. No, it's the user inside trying to get out. Unfortunately, this is malicious software. This would be malicious software.
A
Yeah. So the call is coming from inside the house, quite literally.
B
Right.
A
And you are all, and you unknowingly, if you were to do this (thankfully, our listener didn't), you would be leaving your front door and back door wide open. Just like, come on in anytime. Right. So he. Sorry, I shouldn't assume. Our listener said, I copied only the decode part and pasted that in the terminal to see what it decoded into. Got a website, as you said, that would be passed to Bash for execution and then run in the background, kind of like a persistent remote shell. But I wasn't about to run it to find out. Well done. And our listener said I did go to VirusTotal to see what they thought about the URL. And some thought it was malicious.
B
Yeah, I, I was, I was wrong about this. This is just essentially the, the, the, the code. This is not a return that he sent. This is actually. Or a carriage return line feed. It's just a curl command that opens up the connection and that would run when you, when you run the command that echoes the base64 string to the decode and then. And then echoes it and runs it. So it's really just a really simple, really simple command that would give someone access to your computer.
A
Yeah, Yep. And our listener said that on VirusTotal, many, but not all of security software providers, to put it mildly, do flag this website as malicious, but many of them don't, which was interesting.
B
A lot of them might not do it, but 11 of them found it to be malicious. And that would be enough for me to go, yes, we're not doing this.
A
This is true. This is true. And they said when I did go back to the original website, the malicious URL, it came up clean. Probably thought that if I came back to the site that I was wise to them, so they went away. So it's very interesting that it remembered that you were there and they're like, I'm not going to give you that same challenge again, because you probably either figured out that we're a scam or already did the thing we asked you to do. So you're good.
B
Yep.
A
That's amazing. Wow. Joe, have you ever seen anything like this where it's asking you to put something into terminal?
B
No, this is the first time I'm seeing this and this is pretty bold and brazen.
A
Yeah, it is. I thought this was really fascinating. So many thanks to Dark Prophet 6, our listener, for sending this in, because my jaw dropped when I saw this and I just thought it was very interesting also that the URL is specifically targeting people who would have this very important sense of ID. And I would really hope if you have a CAC, you would never, ever run some random website's command into terminal. Please, please, please don't do that. Please don't do that. Okay, so let's take a quick ad break before we close out.
C
Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com.
A
All right, and that is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K helps space and cybersecurity professionals grow, learn, and stay informed. As the nexus for discovery and connection, we bring you the people, the technology and the ideas shaping the future of secure innovation. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher, and I'm Maria Varmazes.
B
I'm Joe Kerrigan.
A
Thanks for listening.
Podcast: Hacking Humans – N2K Networks
Date: October 23, 2025
Hosts: Maria Varmazes and Joe Kerrigan
Theme: Deception, influence, and social engineering in the world of cybercrime
This episode examines the escalating nature of cybercrime and social engineering, with a particular focus on international scam operations, the exploitation of AI to target younger generations, and innovative but dangerous attack techniques. Joe and Maria break down recent headlines—including government crackdowns on Southeast Asian scam centers, the psychological toll of AI-fueled extortion on Gen Z, and a sophisticated phishing attempt that tries to trick users into running malicious code. With trademark candidness, humor, and a dash of cynicism, they explore both the bleak advancements in scams and emerging steps for personal defense.
(Begins ~02:23)
(Narratives begin ~06:17)
Key Takeaway:
International awareness and action are increasing, but the magnitude, foreign complicity, and sophistication (including use of crypto and forced labor) mean these scams aren’t going away soon.
“It is a global problem… And with AI it is a truly global problem.” —Maria [15:55]
(Begins ~19:57, Discusses Malwarebytes Report)
Joe and Maria both endorse this as practical advice—bring back the “family password” concept for added protection against AI deepfakes and scam calls.
(Begins ~32:19)
Hosts:
Maria Varmazes (T Minus Space Daily)
Joe Kerrigan
For more practical guidance, cybersecurity analysis, and dry wit, tune in to Hacking Humans.