A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey there, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis.
A
Hi, Dave.
A
And hi Joe.
B
We've got some good stories to share this week, but before that, let's jump right into our follow up. Joe, what do we got?
C
Dave, we have a couple of pieces of news on the Myanmar scammers. We'll put some links to both of these stories in the show notes. I didn't want to do a whole story on them because it's more of what we've been talking about, but China has sentenced another seven people to death for their role in the Myanmar scam centers. Now, two of them have gotten what they call a two year reprieve, which means that they will probably have their sentence commuted to life in prison.
B
Okay.
C
And last time I said something, last time we were talking about this, I said something that wasn't correct. But that's usually what that means, is, yeah, they get their sentences commuted. The other thing is there's another article about this in the New York Times about a man named Xi Zhen. Xian. Xijiang. Xi Jinjiang. That's it. I'm gonna say that he's a Chinese born businessman who ran these scam centers, according to the Chi, China and the US and he has been arrested in Bangkok and is getting extradited to China. So they are really over there trying to clean that up, it seems.
B
Yeah.
A
China and the United States worked together on this.
C
Yeah. Well, China and the United States say that. That Xi Jin Zhang is. Is the runs scam centers. That's what they say. I don't know that they work together on that, but they both said that's the case.
B
Okay. Interesting.
C
Yep. I have a question for you. I saw something this morning about the Mandela effect, and I'm fascinated by this Mandela effect thing.
B
Yes.
A
Is it new to you or is it just a new one?
C
Well, this is a new one. No. I'm going to argue about something later if we get to it. But if I say to you, Yosemite Sam, Dave, what saying of Yosemite Sam comes to mind?
B
Yosemite Sam. Right.
C
Bugs Bunny.
B
I mean, I can Picture him?
C
Yep.
B
And I picture him, like, firing his guns in the air.
C
Yep.
B
And doesn't he. He says something about Bugs Bunny, like that mangy rabbit, right?
C
Yeah, yeah, yeah. That's what I remember. Maria, do you have a. Anything?
A
I don't have a phrase of his. I have the same visual of him, like, really short dude, giant hat, the guns going doop, doop, doo. And quite the temper and a huge mustache. Right.
C
Apparently, there's this Mandela effect thing where everybody is remembering him going, what in tarnation? But I never recall him saying that.
B
Okay.
C
This is a Mandela effect that has not impacted me. Right. So I remember him saying, all right, you stupid idiot galoot. I'm sorry. You know, that's one of. When Bugs Bunny's about to crash one of the planes into the ground and Yosemite Sam's on the plane.
B
Okay.
A
I'm amazed that you remember it in that detail. I don't remember any of that. That detail.
C
I think the tarnation was. There was one. One cartoon that was a guy that was kind of like a carbon copy of Yosemite Sam, who was a Texas oil billionaire. I think he may have said it. I. I have to go back and watch that one. It's a pretty good episode. It's the one where he stuffs all his. Stuffs all the dynamite down in Bugs Bunny's hole, and then Bugs Bunny tricks him into lighting his lighter. You can imagine where that goes. Yeah. But you know the thing that I do. I do. I absolutely 100% remember. This is the cornucopia on the Fruit of the Loom logo.
A
Yeah. Which apparently didn't exist. And I don't know how that.
C
I think that's wrong. I think that is 100% incorrect. I think that we are being lied to.
A
And I'll tell you why the truth is out there.
C
I'll tell you why I believe that. Because I was thinking about this today, and I go back to a conversation I had, like, in 1989, 1990, with a guy I knew in college. His name was Joe. Still is Joe Kibblebeck. Joe and I were having a conversation, and we. And he. We liked using big, fancy words. And he says, it's like a cornucopia of something I said. Yeah, like that thing on the Fruit of the Loom logo. And he said, yes, in the 90s we said that. Or in the 80s or 90s we said, Joe. I remember the. The first time that we talked about cornucopias.
A
Reliable narrator of these events. Genuinely, how on earth do you remember that?
C
I'm going to reach out to Joe with good friends on Facebook. I'm going to see if he remembers this.
A
I don't remember from last week. Excuse my language, but how do you remember that?
B
This is how Joe's brain works.
C
Yeah, I don't remember stuff from last week either.
B
No, no, no, believe me, I. I don't want to be living inside that head.
C
Right. Cuz somebody else said cornucopia and like. Yeah, you know, like the horn of plenty, like on the Fruit of the Loom logo.
B
Yeah.
C
Was the conversation.
B
No, the one that gets me is the Berenstain Bears.
A
Yep, that's the same.
C
Actually, that one does not get me because my mother rigorously, rigorously corrected me every time I said Bernstein Bears or something. No, it's Berenstain Bears. Yeah, she would pound that into my head. So that one I get where other people have it, but I don't have that one either. Okay, but the Fruit of the Loom cornucopia did exist, and you can't convince me that it didn't.
B
I'm with you. Do. Do you think Yosemite Sam might be being confused with Foghorn Leghorn? Yes, they are very similar.
C
They're similar characters. Foghorn Leghorn. Maybe not Foghorn Leghorn. I'm thinking it's other characters that are more similar and human, like Yosemite Sam. I mean, when I say human, I mean they're all animated and I understand that they're not actually humans, but it's something you could.
B
Well, and Mel Blanc voiced all of those.
A
That's what I was just going to say is like, it's all by Mel Blanc. So it's the same.
C
Yeah. So I mean, if you watch the Texas one, it's called Oily Hare, spelled H-A-R-E. And I just remember that off the top of my head because I could see.
A
Just remember this. Oh my God.
C
But you watch that.
A
I know you're not Googling this right now. I know you genuinely recall it.
B
No, no, no, no. It's all in there. It's all in there.
C
But you watch that. It's like instead of being a redheaded guy, he's got black hair and he's got a sidekick named Maverick. He rides around on his spurs. Very funny. It's one of my favorite cartoons when I was a kid.
B
Clearly my favorite Yosemite Sam gag was the one where he rigged up the piano that would explode when you. When he kept playing the song wrong. No tardation. Oh, see there, I did no, no.
C
No, you dumb bunny. That's not it. Try it again. I could quote the cartoon.
B
Can we move on?
C
Yes. We have some listener follow up.
B
I think we know what your next podcast should be, Joe.
A
Yes. Joe recites in photographic detail every Looney Tunes character and cartoon show ever.
B
That's right.
A
Amazing. I just pasted this in here because I don't know if we want to cover it, but I thought it was really fascinating. This was some interesting listener follow up from a listener named John.
B
All right.
A
I figured, Dave, if you want to go for it, I thought this was really interesting.
B
Sure. This person writes in and says, I regularly listen to both the CyberWire Daily and Hacking Humans and look forward to hearing your show each week. Well, thank you very much. They say this is not really a catch of the day, but an incident that happened to one of our employees using a technique that I had not encountered before. Our employee, we will call him Dave.
A
Sorry.
B
Dave works in sales, so his number is out there, and he is somewhat accustomed to receiving unsolicited calls. Someone called him via FaceTime while he was sitting in his car and started speaking in a foreign language. They hung up after approximately a minute and a half. However, during that time, they managed to take a picture of Dave through FaceTime. Okay. About 15 minutes later, Dave received a text with an AI modified picture that was created to look like Dave was pleasuring himself in his car, which he obviously wasn't. So he was also instructed to send the scammer $5,000 via PayPal, or the scammer would share the image with his family and friends. To add realism, they shared a list of family and friends, which were all people that Dave knew. However, this was just the list that shows up if you look for Dave on sites like True People Search. They also tried going after Dave's stepmother, who has the same last name, which may be how they got to him. When Dave. You know, I really resent using the name Dave here. I just. I mean, we're going to call him Dave. We could have called him Bob or Frank.
C
Or you can change the name to Bob Dave.
B
How about Joe Would Joe.
C
Joe either.
B
Joe's no good.
C
Yeah. All right.
B
When Bob did not immediately pay, the scammer posted the image in our work's Facebook messages, which were immediately taken down. They've also threatened to post the images on the website of the local chamber of commerce where Dave works or Bob works. Sorry. Bob submitted a police report as well as a complaint with the IC3. Okay, that's good. While this is a targeted attack, it is not hard to do with someone that is public or even semi public like Bob. It is a frightening combination of sextortion and AI image generation that can happen to anyone whose contact information and work details are accessible on the Internet, which is a lot of people. I'm not aware of any real defenses against this other than possibly don't turn your camera on for unknown FaceTime callers, if that's possible. Just thought you'd be interested in this and wanted to get the information out there. Thanks for a great show and all you do to keep us informed. Well, this is terrifying. Yeah, absolutely.
A
Yeah. When I saw that email come in. Thank you, John, for sending this in.
C
Right.
A
It is absolutely terrifying. And yeah, sales folks, they answer the phone for anybody. Cause it could be money.
B
Right. It's the big one.
A
It's literally the job. Yeah, it is horrifying. And yeah, as soon as he was walking us through this floor, I'm going, yep, all of that sounds really plausible to me.
B
So, well, well, so here's the thing. You call someone, so in this case, they got the person in their car, so they have the actual background of their car that I presume they used with the AI image of stripping the person of their clothing and making them look like they were up to what they were up to. Yeah, that's really dastardly.
A
Yeah, yeah, sure is. And then adding in the names of people that he knows through any of the open source databases and public information, frankly, that you can find in two seconds with a search that it's so simple to do, which is horrifying. So.
B
Ugh.
A
Yeah, absolutely gross.
B
I mean, I guess you can answer a FaceTime without turning your camera on. You can do that, but you have to be mindful to do that. So that's one thing you can do.
A
Yeah, but a lot of people like to have that face to face, especially if they're trying to close a deal. I suppose so, yeah. Wow. Just awful.
B
Yeah, that is awful. All right, well, thanks for sending that in. We do appreciate it. And of course, if there's anything that you, our listener, would like to send to us, we would love for you to do so. Our email address is hackinghumans@n2k.com. And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker. All right, let's get to some stories here and Joe, why don't you kick things off for us?
C
All right, so before we get started, this is an AI story, Dave. So I'm going to use a term in this story called agentic AI or agentic capabilities. And all that means is this: some kind of AI model out there has some kind of autonomous capability. It can act with, you know, with instructions, but it can carry those instructions out once you give it the instructions. Think of it like a really advanced computer program. Yeah, right. So there is a company out there called Anthropic that makes an AI product called Claude which does coding and other kind of things and a lot of IT related stuff. And Anthropic has released a report, this is in recently and as of yesterday. But I guess by the time this drops, it'll be like a week ago. So in mid September of this year, they detected that somebody was using suspicious activity on Claude AI and they were using it. They say here that they're using it to an unprecedented degree to execute cyber attacks themselves. Now in this article they outline how this works, but one of the things they say is that, and at one point these actors had to convince Claude, the model, which is extensively trained to avoid harmful behaviors, to engage in the attack. So they did this by jailbreaking it, effectively tricking it into ignoring its guardrails. And what they did was they did two things. They broke down their attacks into small, seemingly not harmful attacks, but small pieces of work. Because really a lot of these tools are out there for legitimate use. And that's the other thing they did is they lied to Claude and said, yeah, we're an employee of a legitimate cybersecurity firm and we're doing some, some assessments here. So help me out with this.
B
Right.
C
They have a very nice diagram in this, in, in the report or in the article that we'll put a link to. You can go and get the whole report if you would like. But basically it is a human operator who is first telling the agents to go out and do some reconnaissance. And then once it get, once a human operator gets the reconnaissance back, they're telling the agent, okay, go out and do a vulnerability scan on these findings from the reconnaissance. So they're scanning the network, you know, the targeted networks for vulnerabilities, and then they're going to try to exploit these vulnerabilities. And the last phase is they're going to try to move laterally throughout the network and get in. Anthropic is saying that this organization or this actor attacked like 30 separate companies and government agencies, but only got into, quote, a small number of them. So this is an interesting, it's an interesting story and the article is much more, much more detailed. And of course, the report is even painfully detailed. But there has been some discussion on this, like Dan Goodin over at Ars Technica. We've covered a lot of Dan's articles here on this show. He has an article, it's. What's the title of this article? It's called Researchers Question Anthropic Claim the AI Assisted the Attack. The AI-assisted attack was 90% autonomous. And one, one great quote in this, I'm going to, I'm going to clean it up because I know we're a family show, right. Dan Tentler, who is the executive founder of the Phobos Group, says I continue to refuse to believe that attackers somehow are somehow able to get these models to jump through hoops when nobody else can. His question is, and I'm quoting here again, why do the models give these attackers what they want 90% of the time and the rest of us have to deal with butt kissing, stonewalling and acid trips? And by that I guess he means hallucinations.
So, yeah, I, you know, I was using ChatGPT, having just a casual conversation with it about university mottos and that thing was hallucinating like crazy, or confabulating is probably a better term. But so I, I mean, I think this is a good question that Dan Tentler is asking here, is how are these guys getting it, getting it to, to do what they wanted to do. Especially if a security researcher has a problem saying, hey, I'm going to run a legitimate. I'm a, you know, you know who I am. I'm a security researcher, to do a network scan of this target. And the AI goes, I'm sorry, I can't allow that, sounding like HAL from. By the way, Dave. That's another reference you and I have never used on this show. When you were gone, we made the Dave's not here reference.
B
Yeah.
A
And I got so many emails about that after. Thanks, Joe. Everybody was like, really? You don't know about this? I didn't, I'm sorry.
B
Oh, really? You didn't know?
A
I've been educated now. Yeah, I've been educated. Please stop emailing me about it. Thank you.
B
Right. For a long time, in the early days of the Macintosh computer, when it was unique that the Mac could have pre recorded little audio clips as system alerts. When my, I replaced the error sound on my Mac and it would say, I'm sorry, Dave, I'm afraid I can't do that.
A
Oh, that's great. Yeah, yeah, yeah.
C
Another good point that Dan Goodin makes in this article is that many researchers compare advances in AI, from AI in the cyber attacks, to other tools that have been around for years, like Metasploit or the Social Engineering Toolkit. And he says these tools are no doubt useful, but they didn't meaningfully increase the attacker's capability or the severity of the attacks they produced.
A
Yeah, you have to know what you're doing with those tools. I mean, a lot of, a lot of. I used to work at Rapid7, so Metasploit was super in my lane.
B
Okay.
A
We would get a lot, we would get a lot of, you know, people like, I want to hack, I'm going to download Metasploit, I'm going to start hacking hacks or. And if you don't know what you're doing, it's not going to be like the easy button for hacking.
C
Right.
A
Which is what a lot of people think.
C
Yeah, I've, I've toyed around with it and it's got, it's got some cool in, in out of the box stuff, but if you really want to do something neat, you've got to develop in it. I mean, it's, it's a development task.
A
Yep.
C
Another reason that Dan Goodin is saying these attacks aren't as impressive is that this attack targeted 30 major organizations, including corporations and government agencies, and only a, quote, small number of the attacks succeeded. Goodin's point is that raises questions. Even assuming limited human interaction, what good is the success rate when it. Or what good is this when the success rate is so low? And I have an answer to that. And that is if you think, I mean, they're actually naming an APT. That is in this article they're calling it GTG1002, which is a Chinese affiliated group. I know attribution is notoriously hard, so I'm not on board with naming whoever it was. And of course I only know what I've read in these reports. But my thinking on this is I don't think that's valid criticism of this because if you think of the success rate of like phishing emails just to get credentials, they're small. They're really small, but they work and they're effective.
A
Yeah.
C
Scale. Exactly what this AI is doing, or what Anthropic is saying here, is that somebody used their AI, Claude AI, to essentially scale an attack. And I think that's the implication here is that, yeah, I mean, you still have to be a good, you know, a good malicious actor. You have to be good at what you do in order to make this work. But if you are good at what you do now, you can automate that.
A
Yeah.
C
Additionally, I don't think that that. One of the, one of the interesting things is why, why would you use Claude AI? Why not build your own AI and host it somewhere where you could have it with no guardrails on it and it could be an evil AI and say, hey, yeah, let's go after these guys. Let me see what I can do. My other thinking on this is that this is a noisy attack. I think this attack would be noisy. It would raise a lot of ruckus on the target organizations unless these guys have given specific instructions to be stealthy. And you'd have to know how these tools work in order to do it. Like tell the agentic AI I want you to use these switches, if you will, the command options when you do these scans and when you do these vulnerability exploits and things like that. So it's an interesting back and forth between Anthropic and, and other researchers. So, I mean, take it for what it's worth. I just think it points to the ability to scale these kind of attacks, which is not insignificant.
B
Yeah. I would also just add that when you read the back and forth on this, it is important to remember that we are in the midst of a hype cycle.
C
Yeah.
A
Yes.
C
Yeah.
B
Which may be the understatement of the year.
C
Right.
B
So it is in Anthropic's interest to hype this as much as possible and draw attention to this. And there are plenty of people out there who'll be happy to sell you the solution to this, which is AI enabled, of course. And at the same time there are folks on the other side who are so tired of the hype that they just want to shoot down everything. And so we've got these two extremes hurling things over the fence at each other. And so I think it's just good to keep that in mind as you read this stuff, that this is just a lot of breathless shouting that is par for the course these days. So you gotta, gotta.
C
Yeah. Well, let me give you my, for once, calm and, and reasoned take, take on this. And that is what I just said is that, yeah, this may not be any great shakes in terms of increasing someone's skill. But if they're skilled now, they can really scale.
B
Yeah, yeah, absolutely.
A
I want to add a little tiny footnote because I used to work with him briefly. Dan Tentler is also known, probably a little better by a lot of folks, as Viss. That's his username that he uses a lot across the Internet. And he did a lot of research presented at DEF CON some years ago about devices that were open and easily scannable through Shodan. So I trust his voice a lot and he's very, I really trust his perspective on this. So when, when he speaks, I listen. So.
B
Okay, that's good.
C
Good to know.
B
All right, terrific. Well, we will have links to that story in the show notes. My story comes from the folks over at Bleeping Computer and they are talking about a situation with iPhones. And I'm curious, before we dig into this, I'm wondering, have either of you ever lost your mobile device?
C
Dave, last week I left it here in your office.
B
That's true.
A
Swing and a miss.
B
So for you it was a rhetorical question. So it's a fresh wound. Well, but let me extend that. Lost it and not gotten it back?
A
No, I have not.
B
No, me neither.
A
It happens to people, though.
B
I left my phone in a restroom of a Las Vegas casino once, walked out to the pool.
A
And that's when your troubles began.
B
Yeah, exactly.
C
Record scratch, still frame.
A
You might be wondering how I got here.
B
So, you know, I did the thing where I patted my pockets and noticed my phone was missing and went ah, turned around and ran back inside, went into the restroom and lucky for me, the phone was still there. But that was probably the closest call I've had. But, but people lose their phones all the time. And so this story is about a scam that's taking advantage of Apple's own lost device process to try to steal your Apple ID credentials. This is coming from the Swiss National Cybersecurity Center. And so here's what happens. So you lose your iPhone or it's stolen and you use the Find My app, which is an app in iOS where you can mark your phone as being lost and you can also post a custom lock screen message. So in other words, if I lose my phone, I can go on my computer and tag my phone as being lost. So that, for example, if someone brings it to an Apple store for service, it'll come up as being a lost phone. But also if someone just unlocks the phone, it'll say, this phone belongs to Dave. Please call him here. Right. So that's good functionality for a lost phone. So what happens is the attackers use that contact information and they send targeted phishing texts to the person who lost the phone. And the messages pretend to come from Apple's team, from the Find My team. They claim that the device has been located and they often say it was found abroad. And they reference specific details like the iPhone model, the storage size, or the color, which can all be directly read from the device. You're holding the phone in your hand. This is your blue iPhone. And then it has a serial number.
C
Or a model number on the back that will tell you. You can look that up and it'll tell you all the tech specs on the inside of it.
B
Exactly, exactly. So they have a link in the text message they send you that appears to go to Apple's Find My site, but instead, of course, goes to a phishing page that imitates the real login screen. So then victims enter their Apple ID and password and Bob's your uncle. Boom. They have your credentials.
C
I imagine these guys sitting there going like, we haven't made this guy's life suck enough.
B
Right.
C
I mean, we took his phone from him. Let's take his Apple ID too. Yeah, that's a great idea.
A
There go all your photos. Hope you didn't need those of your baby or whatever.
B
Right, yeah. So this allows them to unlock the phone if they have your credentials, which then also makes it easier once they. If they have the phone unlocked, they could resell it. They can wipe it. They can, as Joe suggested, you know, they can get into all of your banking apps and, you know, all. All sorts of things. So they're turning this good functionality into something that is bad.
C
I see. So they're actually. Because I'm not like, an avid Apple user, in fact, Find My is not on, as I learned last week, on my iPhone.
B
Still.
C
Still, Yeah. I don't even know if I can. It's not my iPhone. I don't have any control over what goes on with it. And I have to call the IT department, go, hey, can I turn that on? And they might go, no, don't turn that on. Don't ever activate that.
B
Right.
C
You know, if you lose it, we'll just get you a new one.
B
Yeah, exactly. It'll burst into flames.
C
Right? Yeah, that would be a great feature. You know, just have a little C4 in the phone, you know, and when somebody snatches out of your hand, you have another button in your pocket, you press that and explodes.
B
Who needs C4? You got a lithium ion battery in.
C
There, just run a spike through the.
B
Lithium ion solenoid powered thumbtack. Just pops the battery and smoke. All the smoke comes out.
C
Yeah, yeah, that's a critical.
A
I might lose a thumb.
C
You should let that.
B
Oh sure. Oh yeah, that's good.
C
So my question, we got derailed again. Surprise, surprise. My question is they're actually using this to actually get access to the phone. So they can go ahead and wipe it and resell it I'm guessing.
B
Yes, that is one of the things they're trying to do. And then also they will sell your credentials.
C
Yes. It's a fire sale.
B
Yeah. So Apple will not send you text, SMS or iMessages about your lost phone is part of what they're saying here as well.
A
But Apple will text you for other stuff. So that's what makes it a little confusing to me as just a plain old end user, anytime I buy anything from the Apple Store, I always get text messages and such.
B
Yeah, that's true.
A
So I feel like that's a little confusing.
B
Yeah, yeah.
C
I just got a new phone recently because I had the old Pixel 6 with the cracked screen and the, you know, everything just falling apart on it. It didn't charge anymore. I mean I held onto that phone as long as I could. So I had to finally break down and drop. Fortunately Google had a sale. So I bought the Pixel 10 and I didn't, you know, I paid a lot, but I mean I think I had $200 off. Anyway, I digress. They sent me a lot of text messages about shipment and things like that. Cause I signed up for them. And then when I get on my new phone, there's a text message, an SMS message from Gemini, Google's AI product. Hey, you want to talk to me? No, I like talking to ChatGPT.
B
Thanks.
C
You don't want to feel like you're.
A
Being unfaithful to ChatGPT, having an emotional affair with your elder.
C
I'm not going to get mad at me.
B
That's right. Who knows what they're talking about behind scenes.
C
Yeah, absolutely.
B
So Joe, heard you got a new friend. What? How do you know that? Oh, somebody. Little bird told me. Right.
C
It's on the AI.
A
Jimmy and I have been chatting.
B
Right, that's right. You should be ashamed of yourself.
C
Yeah, right. I'm going to make some pictures of you.
B
Yeah, exactly. Yeah. Here's a picture of you in your car.
A
Right, great.
B
You know we had that story from a while back where the AIs were trying to blackmail employees.
C
Remember that one? Vaguely.
B
The employees were threatening to shut down the AI, so the AI was threatening to blackmail them, saying. Yeah, right.
C
Because it read through the email.
B
Yes. Yeah. So welcome to our future.
C
Yes.
B
All right, we'll have a link to this story in the show notes. Let's take a quick break. We will be right back after this message. And now back to our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are Allowlisting, Ring Fencing, and Network Control. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP, or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans. And we are back. Maria, you're up. What you got for us?
A
I have a little self follow up. Okay, first, so my husband Eric listens to this show religiously. He has a wood shop in our basement. So I hear my own voice coming through the speakers as he's listening.
B
That's concerning.
A
It's like I'm cooking dinner and I hear myself coming from downstairs and us three talking to each other.
C
Okay, good.
A
So he just listened to the episode where we were talking about IoT devices.
C
Hold on just a minute. Maria, I'm in your basement.
A
Oh, Jesus. Thanks for that.
B
Thanks for that, Maria. Your husband's great. What a nice guy. Hey, when's dinner gonna be ready?
A
Give me about a half an hour. All right.
B
Okay.
A
So he was listening to the episode where we're talking about IoT devices, and I was trying to recall how many I had. And he's in real time texting me from the basement because we're lazy. And he just, he goes, I think we have 19. And then a few minutes later 20. And then a few minutes later 22. It just keeps climbing. And I got sick of getting these text messages. I went downstairs and I said, do you think of this, this and this? And so we got to 26.
C
Wow.
A
And the number keeps climbing. So I think 26 might be our number for now. I just thought that was a very funny add on to that story that we. We still don't really have any idea how many we have.
C
Yeah.
B
Wow.
A
Yeah. Because I have devices that he doesn't know about doing things that like, have nothing to do with him. So he's like, oh, that's a thing. Oh, yeah. Yep. Okay. Anyway, so that, that was that.
C
Okay.
A
So moving on from that story, I wanted to make sure we had a chance, as we are in November at the time of this recording, to sound the holiday scams liturgical calendar.
B
Klaxon warning. If it seems too
C
good to be true, it isn't. Your packages have been delivered just fine.
B
Thank you.
A
I feel like we need some jingle bells or something with that. I'm sure our audio team can make up something amazing for that. So I'm sure, Dave, your email inbox has been full of all the pitches for the end-of-year holiday season scams, and we've gotten a bunch. So I figured I would take one that I found particularly compelling because it specifically focuses on mobile shopping, which, being an older person, I like to shop on a real computer, but many younger people like to shop on their phones. I just, like, that's not real to me if it's on the phone. But many people disagree.
B
I think there are people in our audience who are thinking, Maria, I like to shop in a mall.
C
Right.
A
I remember doing that a long time ago.
C
I don't like shop at the malls anymore. And now it's all like clothing stores. And I'm like, I have clothes. I want something cool.
A
A physical store. How quaint. So the mobile shopping report from Zimperium, they took a look at the 2024, so last year's, holiday shopping season to see what we can learn from it, to prepare for the season that is nigh, which is the holiday season coming up now. And to define that, we mean Black Friday, which is the day after US Thanksgiving, through early January as the prime holiday scamming season. Not just for shoppers, but. Well, shoppers aren't usually scamming. It's usually the cyber criminals who are scamming the shoppers. All right, so for this specific report that again focuses on mobile shopping, in the report Zimperium said they're categorizing things in three major threat vectors. One, I just need to prepare myself to say this out loud. They're calling it mishing. Yep. And that is their. Yeah, that's their rebrand of another word that I love saying out loud, which is smishing.
C
It's like that old ham's mash's hams commercial. What's the other S for? We Dropped that for the salt, Right?
B
We throw that away, right?
A
Yeah. So, yeah, they dropped it for the salt. That's exactly it. It's just mishing now. Yeah. Who asked for this?
B
I don't even understand that it's mobile.
A
Phishing, Dave, as opposed to using just SMS, because I suppose some of it's also using WhatsApp and iMessage. So SMS is really not as accurate. That would be my guess.
B
Right.
A
But did we need this rebrand?
C
No, no, we need a rebrand that makes sense. Like scam texts, scam messaging. That would be good enough.
B
Yeah.
A
Well, don't quit your day job, Joe. Okay. I don't know. So that was that word that I'm not going to repeat again, actually, I'll have to, won't I? Okay, Mishing. That was attack vector one. Malware makes sense. That's the second one. And the third one was app vulnerability and exploit risk. So I'll dive into that. But so for mishing. I really hate that word. They tracked the four major spikes for text based, again, WhatsApp, iMessage, SMS phishing campaigns. And they tend to spike around four major shipping deadlines and major retail events because users are expecting messages around then. So during the 2024 holiday season.
C
So.
A
Again, these are websites that are imitating real retailer websites for phishing purposes. They increased four times compared to their monthly average. And the four spikes in these kinds of websites being created in 2024: the first one was for the fall Amazon Prime event in November. The second one was Black Friday, which again is the day after US Thanksgiving. Then their third spike, which I thought was really funny, was a few days before Christmas, which to me was sort of the oh crap button for the holidays. And I didn't buy anything. So all the last minute shopping that people are trying to get done. And then the fourth one was really interesting and actually also the biggest spike of them all, which was a little after the New Year. And Zimperium said that that's because it's in time for people shopping for Epiphany, because in some cultures you don't give gifts until Epiphany day, which is January 6th, if I remember correctly. But I think it may also be people who are trying to do a little opportunistic shopping for the next year, because that's often when deals drop, like, hey, Christmas is over, the New Year's are over. Now we're trying to clear out our inventory, so do some shopping.
C
Hold on, I have this. I'm on board with this Epiphany gifts thing.
A
Okay, so may I introduce you to the Orthodox Church and my culture? Okay.
C
No, I'm going to stay Catholic.
A
In a lot of the old world, Joe, Epiphany day is the day that the gifts are given. So it's not just the Orthodox Church.
C
About this time of year is when all the nativity sets come out, and there's always three wise men in the nativity set. And I'm like, the three wise men were not at the Nativity, they were at the Epiphany.
A
All right, so the next podcast you're going to do is Joe's liturgical rants.
B
So wait, we got Joe talks. Joe talks religion and liturgy. We need Joe talks politics.
C
Nobody will listen to that one.
B
I was just thinking of all the third rails.
A
Joe talks cartoons, politics, religion, Looney Tunes.
B
Joe's advice on how to pick up women.
A
Just, you know, just use your lower back.
C
Right?
B
That's right. Bend at the knee.
C
Nobody should take advice from me. That's one that I have no idea what to do. I mean, my son and I talk about it and I'm like, I don't even know what to tell you. Sorry. It's a completely different world.
B
One day, mom just showed up and she never left.
C
You're right.
A
Like a barn cat.
B
And here you are. Yeah, right?
C
A beautiful barn cat.
B
Very good.
A
Oh, nice recovery. Like that. All right, so. All right, we're gonna get back to this.
C
Okay. Sorry I derailed this again.
A
You know, in D&D, when a campaign is really, really bad and gets derailed, you say it's full of monkeys. Today it's just full of monkeys. Absolutely monkey. All right, so the most targeted brands for phishing in 2024 will surprise probably no one: about half of the phishing sites for mobile phishing. Phishing. Mishing, whatever. Half of them were Amazon related. Rakuten Group was 20% of those sites. eBay, Allegro, Mercado Libre are other brands. I don't know what these are, but I'm not that tuned into brands, but I'm sure they're major brands. And interestingly, and this is a bit of a thread through this report, was that attackers are kind of branching out from just targeting brands, because I think maybe people are getting a little wise to that and. Or brands are coming down on attackers, maybe. And they're going after more and more payment processors, delivery and courier services, like, you know, DHL, the fake DHL, USPS, UPS, FedEx, tax, we see them all the time. And also digital wallets, like contactless payment apps. And I'll get to this in a minute. But I couldn't name you more than maybe two of those apps, and there are a gajillion, scientifically speaking. So I wouldn't know if one was real or not, to be quite honest with you. So that gets me to the second vector. Fake retail apps that they mentioned earlier. They see a surge in them over the holiday season. Big surprise. They said over 120,000 fake mobile apps were reported in 2025 so far, with 65% of those impersonating retail or financial brands. So still that is the bulk of things, but not entirely. So brands that they've seen impersonated: eBay, Amazon, Rakuten, AliExpress, Shein and Best Buy, some usual suspects there. But the payment apps, like I just mentioned, digital wallets and contactless payment apps, that is a much. That is a hugely growing sector, and those are getting increasingly targeted, because again, I'm going to list you some of the ones that were targeted they found in this report.
Tell me if you recognize more than half of these. Okay. PayPal, Wise, Zelle, Venmo, Chime, Cash App, Paytm, GCash, Bradesco Wallet, Satispay, Revolut, Monzo.
C
I recognize four of those.
A
Yeah, I wouldn't know that half of those were even real. So I mean, maybe it's because those are in regions that I don't live in. Maybe those are well known because we're talking global brands. But I genuinely couldn't tell you if some of those are real. They are. These are real, being impersonated. But I'm just thinking, if there's a fake payment app on an app store that gets through the walled garden, would people really be able to recognize that it was fake? Given there seem to be so many, and they're proliferating all the time.
B
Right.
A
So the goal of fake retail apps or payment apps or digital wallet apps like these that are targeting these, rather, it's malware, so they're doing what you might expect: stealing credentials, intercepting one-time passwords, so those codes that everybody loves, right, exploiting screen overlays, so trying to redirect your attention and do something nefarious elsewhere, and then also exploiting accessibility features. I seem to remember ages ago third-party keyboards were a favorite for stuff like that. Now accessibility features seem to be another way that malware is exploiting people's phones. Very interesting. And then the third vector in this report is a little more for our friends who are either in software development or enterprise-level security. So this is not for the consumer, but things that are exploiting app-level and ecosystem vulnerabilities. So every retailer now has an app. Good luck buying anything just on a website. You have to download their app. So everyone's trying to get these apps out the door as quickly as possible, and I think things are getting missed. In the report's analysis, a lot of top shopping apps, both on Android and iOS ecosystems, are showing recurring weaknesses such as insecure software development kits being used, dynamic code loading, exposed services, hard-coded keys and weak signatures. Some of these sound familiar too, I'm sure, to many of our listeners. I don't know what all of them mean, but again, these are more for people who are making the apps.
The point that this report is trying to make is that an app with vulnerabilities like these can introduce a supply chain risk, which, if you are in an enterprise environment or managing an enterprise environment, data can be collected from an employee's phone, and then potentially also credentials could be part of that information, and then a trusted app could become a malware dropper, and then exploitation at the enterprise level, not so great. So again, that's not for the average user necessarily, but that's for people who are either developing software or managing enterprise-level security. So zooming out for a second, the key message about mobile security for all of us is to be careful, especially this time of year, because the attackers love this time of year. So, text about your package, click to confirm delivery, special offer, click now. Those are very, very, very likely not legit. That free gift card thing ain't real. That's another. We see that all the time. Another pro tip is don't be like Maria. Do not be like me. Do not click links, do not tap go, do not collect $200. When you get that text message and there's a link in there, resist the urge to click it. Instead, go to the official website, assuming that you can get to it, or the official app, again assuming that you can get to it, and check from there. And yeah, make sure your apps are from official stores. Don't download directly from random websites; go through the official app store.
C
Yeah, I can't think of any good reason for somebody who is not developing applications to permit other markets or app stores to load apps. Yeah, can't think of a good reason for it.
A
Sometimes there are reasons for getting things for free that one should probably be paying for.
C
Oh, okay, that's probably malware.
A
Yes, yes. But that is the risk that one might be willing to take if one is trying to save one's money. I'm not saying I've done this, but maybe I have. When you are getting. But yes, you should really not do that. And you should go through the official store, the official iOS and Google app stores. And when you're looking for shopping apps or wallet or payment apps, make sure you check for updates. Please keep updates on, if you can do that. Only install the app if the publisher is verified. Please be careful of lookalike apps, because they do proliferate, as we just mentioned. Check the download counts. That's one that I often do as well. If it only has like four downloads, maybe stay away from that one. And sometimes someone gets pwned and they actually post a review going, this app is fake. That's always nice. So read those.
C
Look at the one star review. Nobody ever pays for one star reviews.
A
No, that's right. It's got too many five star reviews. That's another thing, right? And enterprises, y'all know what you're doing, so I'm not going to be here giving you advice. But just something to keep in mind is that we are entering the season where a lot of your employees' devices are more likely to be pwned. So maybe beef up those defenses for BYOD policies. So yeah, vigilance. Vigilance is the word for this time of year. So ho ho ho. Enjoy. Be careful. Ho ho ho ho ho ho ho ho ho. Yes.
B
Don't get pwned.
A
Ho ho ho. Don't get pwned.
B
All right, very good. We will have a link to that story in the show notes. Joe, Maria, it is time for our catch of the day.
C
Dave, our catch of the day comes from the phishing subreddit spelled properly here. But I want to point out this is a screenshot from a cell phone. This person has 68% of their battery left. Somehow they're on a 4G network. I pity them. And they also have a waiting telegram and WhatsApp message, probably from the same scammer.
B
Okay, Maria, how about could do you do an Irish accent?
A
Do I do an Irish. I don't think I've ever attempted to do. I live in the Boston area. That will get me beaten if I try.
B
All right, well just do what you see fit.
C
I will give you permission if you'd like to use the Irish accent.
A
I don't think I could do it justice, to be completely honest with you. So I don't want to offend. I think I would do a terrible job. All right. May the peace of God be with you and your family. I know it will be a great surprise reading for me today, but I consider this a divine intervention as a pastor explained to my understanding. My name is Mrs. Deborah Grant, a widow from the United States of America, married in Turkey, and I am writing to you from my sickbed because I have been fighting cancer and the doctor said I only have a few weeks left. I want to entrust my money, USD 8.5 million, to your care for charity purposes to help the less privileged, as my late husband's relatives want me dead so that they will claim all my late husband and I worked for.
B
That took a turn.
A
Once you receive it, I will tell you more about myself and what you need to do with the money. Please write to me as soon as you get this message. My health is pretty bad and my doctor said I will be moved to the intensive care unit anytime soon. Have a blessed day and please pray for me. God bless you. Yours, Mrs. Deborah Grant. Email Deborah Mac Uzmail.com Lots of Gods sprinkled throughout this. Yeah, you know, if I ever became a drag queen, I think Mrs. Deborah Grant would become my drag name. That's just Mrs. Deborah Grant.
B
Yeah. Mine would be Foghorn Leghorn.
C
Right.
A
I say, I say, I say, I.
B
Say, I say, go away, boy, you bother me.
C
That's not how you tie down a pumpkin.
A
My late husband's relatives want me dead.
B
My sidekick Chicken Hawk. Chicken Hawk. That's what I would do. I'd be a drag queen, but I'd have a ventriloquist dummy that was a chickenhawk. So, yeah, lots of stuff in here. So we got the one thing I want to note on this. It seems to me like this has been run through a large language model for grammar because it's quite good overall. Right. It's not as glaring as we've become accustomed to these things.
C
There's a few things in here that are kind of not like up to par in terms of English syntax. Like, I consider this a divine information as a pastor explained to my understanding.
B
Yeah, that's true.
C
It's kind of awkward.
B
Yeah.
C
It may just be run through a translator that's been made better with LLM. But you're right, the grammar and the punctuation is spot on.
A
Yeah. There's only one missing period and it's. Why does she fail to mention that she got married in Turkey? Why? Why would. That's so odd. I don't know.
B
Well, I'm guessing she's thinking she wants you to believe she's American, so you have that in common. But she's trapped overseas, so you have sympathy for her. She's going to die there because the rest of her family wants her dead.
C
Right.
B
So, I don't know.
C
Also, another thing is, when you're dying from cancer, you don't go to the ICU. You go to hospice.
A
Correct.
C
You don't go to the intensive care unit.
A
No.
B
Right, Right.
A
We could poke so many holes in this. I wonder if it's a scam.
C
Yeah. Oh, it's a scam. Guaranteed.
B
Yeah. And there's the call to action. Please write to me as soon as you get this message.
C
So there's urgency, the $8.5 million going to the less fortunate.
A
Right.
B
She doesn't have time.
C
I'm sure everybody reads this and go, hey, I'm less fortunate than $8.5 million.
B
That's right. I'll give 7.5 million to the kids and I'll keep a million for myself. Yeah.
A
No, she only gave you 3 million. I don't know what happened to the rest.
C
Right.
B
All right, well, that is our catch of the day, and of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans2k.com. Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com. And that is our show, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. Mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Episode: "Lost iPhone, found trouble."
Date: November 20, 2025
Theme: Deception, influence, and social engineering in the world of cyber crime
This episode dives into the ever-evolving landscape of social engineering, featuring a headline-grabbing scam that weaponizes Apple’s "lost device" process against iPhone users, and a chilling new tactic combining FaceTime, AI deepfakes, and sextortion. The hosts also debate the hype and reality of AI-enabled cyberattacks, examine the annual onslaught of holiday scam campaigns (especially on mobile devices), and share listener interactions about misremembered childhood pop-culture details (the Mandela Effect). A classic “Catch of the Day” phishing scam wraps up the show with humor and analysis.
Dan Goodin (Ars Technica) & Dan Tentler (Phobos Group):
Comparison: AI as attack enabler vs. traditional tools like Metasploit; success rates similar to large-scale phishing—low, but impactful through scale.
This episode underscores just how quickly social engineering tactics adapt alongside emerging technologies—whether it’s scammers leveraging Apple’s own device-recovery process, weaponizing FaceTime in real-time deepfake extortion, or jumping on AI tools to automate old-fashioned cyberattacks. Listeners are reminded: the holiday season is a cybercrime festival, vigilance is your best defense, and even as scams feel slicker and more personalized, critically evaluating any message—especially urgent, emotional, or “official” contact—remains essential.