Maria Varmazes
You're listening to the Cyberwire Network, powered by N2K.
Dave Bittner
Season's greetings caveat listeners. We're taking a little downtime, but we've picked one of our most loved episodes to keep you company during the holidays. Thanks for being with us and we will see you in the new year. Hello, everyone, and welcome to N2K CyberWire Hacking humans podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Kerrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.
Joe Kerrigan
Hi, Dave.
Dave Bittner
We got some good stories to share this week and we are joined once again by our N2K colleague and host of the T-Minus Daily Space podcast, Maria Varmazes.
Maria Varmazes
Maria, hi. Good to be back.
Dave Bittner
Great to have you back. And we will all be back right after this message from our show sponsor. All right, Joe, before we jump into our stories here and Maria as well, we've got some feedback. Joe, you want to kick things off for us here? Yeah.
Joe Kerrigan
Alan wrote in with some feedback about episode 278, specifically about Maria's story about Charlotte Cowles. Still not sure if I'm saying that right. And how she was scammed out of $50,000 by putting it into a shoebox that someone pulled up in front of her with a. In an SUV to take or a suburban right to. To drive off with it. Dave, you want to read this one?
Dave Bittner
Sure. It says, hi, Dave and Joe, thank you both and Maria, for your recent coverage of the $50,000 in a shoebox scam. In the Scamming the innocent episode, my sister in law was nearly victim to something that sounded similar because she came to me very early on. I never quite figured out what the scam was and where it was headed. The scam started in a similar fashion. We live in Australia. My sister in law was contacted either by instant message or phone in early December 2023. They started off with the same technique of building authority and trust. This time around, the scammers posed as members of the Chinese police investigating a money laundering operation to which they claimed my sister in law was suspected to be involved. And he writes, I should add here, if it's not already obvious, that they have absolutely zero jurisdiction down here and any Chinese investigations on our soil would have to go through an MoU with the local authorities being the Australian Federal Police.
Joe Kerrigan
I like how Australians say down here because that's what we say is down there.
Dave Bittner
Down there.
Joe Kerrigan
Down under.
Dave Bittner
Down under, that's true. Anyhow, they used the same spoofing trick to establish their authority. They asked her to Google a police station in Shanghai and to look at the phone number. Then they proceeded to call her from this number and convinced her that they were the Chinese police. They convinced her to take part in a video call via Skype. They were even wearing police uniforms during the Skype video call to further cement their credibility and authority. I'm picturing, you know those like haphazardly pasted on sort of like Instagram filter things or.
Maria Varmazes
Halloween costume.
Joe Kerrigan
Yeah, that's what I'm picturing is the Halloween costume. And they went to the Halloween costume place and got the pop up thing and they just got like fake badges and stuff.
Dave Bittner
Turns out they're dressed as like U.S. Forest Service soft or something. This is where she revealed to them details of her driver's license and passport. There was the usual don't tell anyone threats and they said they would call her every few hours to check in and make sure she was okay. At this point, there was nothing about any money. My sister in law called me about a day later because she felt something was off and asked for advice. I work in the field of computer forensics in the public sector. I'm glad she went with her gut and decided to reach out as it could have ended quite badly.
Maria Varmazes
Yeah, oh yeah.
Dave Bittner
Because they hadn't gotten to the money part. I wasn't clued in as to how the scam was going to unfold. I thought it could have been an attempt at identity theft, but this was a lot of effort to go into to get the credentials of one person's identity. We played it safe and she went and got replacements for her license and passport, as well as registering herself with a local nonprofit support organization set up to assist those with identity theft concerns. Well, everywhere else in the world has good things but us.
Maria Varmazes
Yes, but you said it.
Dave Bittner
I was thinking it too.
Maria Varmazes
Like that sounds like a great service. Why don't we have that?
Joe Kerrigan
I want to talk. We're going to talk about that. This website afterwards because there are good resources on it.
Dave Bittner
Okay. I also advised her to ignore all further comms from the scammers and explain to her how easy it was to spoof the number that pops up on the phone. I really wish telcos would just fix this already.
Maria Varmazes
Amen to that. Oh my gosh.
Dave Bittner
It wasn't until I listened to the Scamming the Innocent episode of your podcast where you spoke about the scam from start to finish. That helped me learn as to how this particular scam was going to play out. So thank you for that. There are times when I think about being a target for one of these scams. But instead of handing over a sealed box of cash, I'd fill it with something juvenile like week old chicken bones or something. Did someone say glitter bomb?
Joe Kerrigan
So thank you, Alan, for sending that in. First off, the website that Alan mentions is ID Care. And it's very Australia and New Zealand centric. So. But it does have a. What is a resources site. It's a. It's a. Got some videos on there that walk you through these scams, and those are not particularly New Zealand and Australian centric. They're universal. They have some. Some cheat sheets or, you know, like flyers. Those are pretty much specific to the area. But the videos are definitely worth checking out. So you can send any family members to this. I also want to say this. I also have the same juvenile urges here.
Maria Varmazes
No, you.
Joe Kerrigan
But the thing is, I want everybody to remember with the scam with Charlotte, the bad guys knew where she lived and they showed up at her house with an SUV that probably had more than one person in it. These are not somebody you want to mess with. These are not. These people are criminals. They're coming after $50,000. They want really badly. The best thing to happen is what you did here. And it's just hang up the phone and don't acknowledge him anymore.
Dave Bittner
Yeah.
Maria Varmazes
Yes.
Dave Bittner
Yeah. We got some more follow up here.
Joe Kerrigan
On the same story. We have Clinton writing in. He says all three of the hosts missed the most important detail of the story that could have stopped it in its tracks.
Dave Bittner
Well, thanks for writing in, Clinton.
Joe Kerrigan
Clinton raises an important point.
Dave Bittner
Yeah.
Joe Kerrigan
He says the entire scenario began when they called her and the verification was accomplished when they called her. At any point in time, the journalist in question hadn't said. Had insisted on hanging up the phone and verifying the number on her own and initiating a call herself. The scenario would have failed. Therefore, as I see it, the most important takeaway is never accept anything told to you by anyone unless and until you initiate a phone call. And that beyond, you know, beyond a doubt that you're talking to the person or entity you believe you're talking to, any or all other cases, you should believe this is a scam, period. Couple of things about this. Number one. That's right. That's a best practice. I'm going to say that. But we had a story a couple weeks ago about a guy who was working with. I think it was Capital One Bank.
Dave Bittner
Yeah.
Joe Kerrigan
And he called Capital One and. And tried to tell them what was going on, and they had no idea what was going on. And then the scammers called him back.
Maria Varmazes
Yep.
Joe Kerrigan
So he had done something like that and still got mixed. Mixed up in this and wrapped around the axle.
Dave Bittner
Yeah.
Maria Varmazes
Yeah. It is. The absolute best way to think about things is if someone calls you just don't trust it. But, I mean, real life is messier than that. And I feel like we're sort of setting people up for failure if we're like, never trust any inbound phone call because your phone is just an attack vector at this point. So just ignore anything that comes in.
Dave Bittner
Right.
Maria Varmazes
I mean, okay, that is the ideal if you can operate that way. But I think that is a very difficult way for a lot of people to live. And again, it wasn't like this was one phone call and she was done. This was hours and hours and hours of them working for her, working at her. And I mean, I've received phone calls where people that were legit, where they were asking me to verify PII for things like pharmaceutical calls, that kind of thing. And I'm going, this is a really bad practice, but this is pretty standard for the healthcare industry.
Dave Bittner
Yeah.
Maria Varmazes
I mean, where do we draw the line with never trust any inbound phone call? I mean, plus, they had her PII, so I don't know. They weren't asking her for stuff. They already had it.
Joe Kerrigan
Yeah, it's. It's. And again, we're sitting here with the. Yeah. I don't want to say the. What Clinton said is not correct because it is correct. That is a best practice to hang up the call and say, I'll call you right back. And he's right. If. That, If, If. If Charlotte had done that, this probably would have stopped right in its tracks.
Maria Varmazes
It's really hard to do that. I mean, it's just. Especially if they have all your information and they're not asking her for it. They already have it. And they're saying, we're just checking that this is correct. That for a lot of people would go, oh, all right. Well, you know, they don't want anything from me because they already have everything they need.
Joe Kerrigan
Right, right.
Dave Bittner
It short circuits your skepticism. Exactly.
Joe Kerrigan
And that's where I was going, is that your skepticism gets short circuited because they've actually fired off the fight or flight response, and you do not think clearly and you do not consider other options. You know, this is the old case. I always like to point out of the bear. I tell this story in a lot of talks where I saw the bear on the bike ride, and I don't remember a lot about that portion of the bike ride. I remember the bear and that's all I remember. And that's the exact same physiological response. We're all laughing because it's hilarious because I had the crap scared out of me by a bear. But that is exactly the same thing that they're exploiting here.
Dave Bittner
And that is why Joe is no longer welcome at the Yogi Bear ride at Kings Dominion. I will add here just a little side note, and I'm pretty sure I've talked about it here before, that one time I had a credit card issue and I pulled my credit card out of my wallet and I turned it over and I dialed the 800 number on the back of the card and I was halfway down a phone tree before I realized it was a scammer who was on the phone with me because I had misdialed the number. And so the scammers knew what the bank's number was. And I guess they had just bought up every fat fingered close number, you know, almost by one. Yeah. Or flipping a couple of numbers or whatever. And it sounded like I was at the bank and something tipped me off and I hung up and called back and. And that time I was much more careful. I dialed the right number. So, you know, I think, Maria, your point is great, that, yes, there are best practices, but at the same time I always, you know, joke and say, meanwhile, here in the real world.
Joe Kerrigan
Right.
Dave Bittner
It's much more complicated than that.
Joe Kerrigan
Yeah, it is.
Maria Varmazes
Yeah, it is.
Joe Kerrigan
I like your. I like your explanation, Maria, that it gets real. Life is much more messy than that.
Dave Bittner
Yeah.
Maria Varmazes
I mean, I could go on and on about it forever, honestly. But I just think of all the phone calls I get during the day, 70% of them are spam that I ignore, but the other 30% are from people I don't know that are calling me for legitimate reasons. And am I supposed to not trust any of that? I mean, maybe, one could argue, maybe never trust any phone call. But, you know, I. It's. Especially if you've got like a lot of family around or something. You're gonna get random phone calls and you don't really know what it's gonna be about all the time.
Joe Kerrigan
Yeah.
Dave Bittner
All right, well, let's jump into our stories here and I guess I'll kick things off for us. My story this week comes from Brian Krebs over at Krebs on Security. A very well known security journalist, I suppose is the best way to describe Brian. And he was writing about some malicious hackers who are targeting people in the cryptocurrency space. And they're using the online calendar scheduling app Calendly.
Maria Varmazes
Oh my gosh.
Dave Bittner
Yeah. So Maria and I are having a shared moment of terror because we both use Calendly for.
Joe Kerrigan
Is this the one where somebody says, hey, make an appointment on my calendly and I'll get back to you?
Maria Varmazes
I live on Calendly. That's, that's how I do most of my job.
Joe Kerrigan
I don't know, I find it off putting when someone sends me that and, you know, tells me to get on their calendar and well, I'll tell you.
Dave Bittner
In a professional environment, it is a huge time saver and lifestyle upgrade because what it does is it lets me, for example, to just put little chunks of time throughout my week when I will be available to do things like interviews for the CyberWire or Hacking Humans. And then if someone wants to do that, one of our producers can send them the link to that Calendly and then they can choose when they want to sign up for a slot. So what it avoids is all the. What about Tuesday? Well, no, I can't do Tuesday. Can you do Wednesday? Well, how about 2:00? No, 4:00.
Joe Kerrigan
I agree, it's an elegant solution.
Dave Bittner
Yeah. All of that back and forth goes away. I agree. It's a little weird, I think in a personal situation like, you know, hey, would you like to go out for a date? Sure. Here's my calendar.
Joe Kerrigan
Maybe that's the problem with it I have is I just take it too personally.
Dave Bittner
Yeah.
Maria Varmazes
Can you imagine?
Joe Kerrigan
I should appreciate the improvement in process.
Dave Bittner
Right, right. So this story follows someone who got scammed. And so because of that, Brian Krebs is not using their real name. And so he's referring to this person as Doug. And Doug was reached out to by someone on a. Someone on Telegram. And Doug was active in the cryptocurrency world and he got reached out to by someone who's claiming to be someone named Ian Lee from an organization called Signum Capital. And evidently if you're in the crypto world, both of those names mean something and to me they do not. But it is a well known real person and place that has a reputation that is good in the cryptocurrency world.
Joe Kerrigan
Ah, okay.
Dave Bittner
So this person reached out and said, hey, I understand you have a startup, I like to fund things, we should talk. And they engaged via Calendly. Now, one of the things that Calendly allows you to do, and before we were doing this show earlier today, I was poking around on my Calendly to just figure out, like, does it do that? Yeah, it does that. It allows you to include an extra link with the event. So, for example, Joe, like, if you wanted to book an interview on the CyberWire, you could do so. And once it sent you the invite, that invite could also include a link, but the link would be through Calendly, so it looks legit.
Joe Kerrigan
So it's like having a little Bitly right in there with it.
Dave Bittner
Yeah, but you're gonna trust it because it says Calendly. It says Calendly. And you've already done business through Calendly to make all of this happen.
Joe Kerrigan
Yeah.
Dave Bittner
So you're gonna trust it.
Maria Varmazes
Okay.
Dave Bittner
Right. So that's how things got started. Then, ultimately, when it was time for the two of them to have essentially a Zoom meeting, this person, Doug, clicked on the link. But instead of opening up a video conferencing app, a message popped up on his Macintosh saying that the video service was experiencing technical difficulties, but no problem. It said, we're working on a solution. Please click here as a temporary solution. So what happened then was it downloaded a script to his Mac, which ran the script, which is just. I believe it was just an AppleScript.
Joe Kerrigan
Script, which is sort of a bash script.
Dave Bittner
Yeah, it's Apple's version of that. It's a scripting language that comes. It's part of macOS that lets things. Allows you to just run. Yeah, run the Automator. Right, exactly. Thank you, Maria. Yeah, yeah, it's like an Automator. And so that downloaded and executed a malicious Trojan. And at this point, Doug figured out what was going on, and he went into panic mode in a good way. Backed up all of his documents, changed his passwords, and reinstalled the OS on his computer. Brian Krebs points out this is a perfectly sane response, but it means we don't have the actual malware that was pushed to his Mac by the script because he basically wiped his Mac clean.
Joe Kerrigan
Right.
Dave Bittner
Some other security researchers seem to have an idea of what was going on here. What the different types of malware that was installed. Evidently, this is some group who goes by the name BlueNoroff, which Kaspersky Labs says is part of the Lazarus Group, which is a very.
Joe Kerrigan
That all adds up, actually.
Dave Bittner
Yeah, yeah.
Joe Kerrigan
Big crypto, guys. The Lazarus Group.
Dave Bittner
Yeah. So it's an interesting little pathway. And the Calendly link was not one that I'd heard of before. So I guess the bottom line here, it's just another example of be careful that just because a link comes from a platform that you trust, that doesn't mean that the link is trustworthy.
Joe Kerrigan
Yeah. These things are just little link translators or link obfuscators. Just like all the other ones. Like Twitter puts their own link shortener. It's like a link shortener service. Yeah, that's the actual name of it. So it's a link shortener service built into the app.
Dave Bittner
Yeah. And taking advantage of legitimate functionality.
Joe Kerrigan
Right.
Dave Bittner
Yeah.
Joe Kerrigan
Right.
Dave Bittner
Yeah. Maria, any thoughts on this one?
Maria Varmazes
Nothing really to add. No, not for me.
Dave Bittner
You're looking for another calendar scheduling?
Maria Varmazes
I'm a little. I'm a little. I'm. Yeah, I'm a little nervous now because, I mean, Calendly is. I'm literally looking at my Calendly account right now. Right. Oh my gosh. Well, that's great.
Dave Bittner
Trust no one. Don't take any incoming calls.
Maria Varmazes
Don't take any Calendly links.
Joe Kerrigan
Don't click any links.
Maria Varmazes
God, just get off the Internet.
Dave Bittner
Soon it's going to be pens and paper all over.
Joe Kerrigan
I'm going to go out and buy some land and just farm.
Maria Varmazes
It really does make you want to just live in a cabin in the woods. It really does.
Joe Kerrigan
Yeah, it does.
Dave Bittner
Maria, what's your story this week?
Maria Varmazes
All right, so speaking of don't trust a phone call. So my story is not so much about a scam as it is about a possible solution to a scam. And I'm question marking all of the things that I'm saying because I'm not really sure that it is a solution, but it is someone trying a thing. And this actually uses AI as a possible clunky solution to one of the oldest scams in the book, especially in Japan and increasingly elsewhere, where scammers will call up an elderly person and convince them to make a cash transfer using an ATM. And I put a little LinkedIn. Sorry, not a LinkedIn. Wow.
Dave Bittner
That's.
Maria Varmazes
My brain's at. Put a little YouTube link in our. In our script here you can see there's a video and the first seven seconds are what will display on an ATM in Japan if a person walks up to the ATM while holding a cell phone. And I don't know if you've. Yeah, it's very attention grabbing.
Dave Bittner
So the security camera on the ATM is using, I guess, AI.
Maria Varmazes
Yes, it is.
Dave Bittner
You know, if you have a phone to your ear.
Maria Varmazes
Yep.
Dave Bittner
And if you do, then it Plays this video.
Maria Varmazes
Yes. And the video translates to warning that phone call is a fraud. Hang up right now. And it's very like alarms and red and blinky and meant to get your attention. And this is actually being rolled out by Japan's National Police Agency, and they're working with Japan Post Bank, which is a lot of Japan's post office actually has a bank. So a lot of people get their cash through the post office in Japan, especially elderly people. So this is AI trying to come to the rescue and helping people who are commonly being scammed out of their money. And in this case, they're actually enabling some celebrity help with this guy. I actually happen to know who he is. His name is Keita Tachibana and he's a former, basically boy band member who has since retired, but he's now working with Japan's National Police, trying to help them clamp down on all these scams that are targeting the elderly there. And.
Joe Kerrigan
Oh, good.
Maria Varmazes
Yeah. Which is nice. I was like, I don't know if this will actually help because as far as I can tell from the video, literally anyone walking up to the ATM with a phone to their ear is going to get this message of any age. I don't know if it really matters, but I imagine that might get really annoying really quickly if you're just having a regular phone call, like you're on.
Joe Kerrigan
The phone with your. Your. Your significant other, your D is a scam.
Maria Varmazes
Hang up right now.
Dave Bittner
Right now.
Maria Varmazes
Yeah, it's like, I. I admire the attack.
Dave Bittner
Why do you keep hanging up on me?
Maria Varmazes
Why are you calling me a scam? What? I was, I. I was. When I was looking, I saw this story because this just rolled out a few days ago. I was trying to figure out what a little bit of the backstory here for these scams in Japan because again, this is not just Japan seeing elderly people being targeted. Certainly, as our world gets grayer and a lot of our. Our national populations get older, this. This is happening to a lot of people. I'm still intact. I'm trying to be tactful. Listen, I'm not as young as I used to be. The backstory for a lot of these scams happening in Japan specifically is that these bank accounts that are being used for fraud for the cash transfers are actually being sold in the black market by foreign citizens living in Japan who are often coerced or sort of forced by unfortunate circumstances to sell their bank accounts in the black market. So a lot of times these are people in real distress who maybe have no money because they've lost their job often. The pandemic saw a huge increase from this. Many of them apparently are, according to a report from NHK Japan, they're citizens of Vietnam. So there are people who are often trying to raise money to go back home or send home, and they're selling their. They're being solicited to sell their bank accounts online by crooks, basically, and they're not sure what that's for. And then if they leave the country and then try to return to Japan, they. That person is being arrested for fraud. Right. So it's like it's. It's. It's making a bad situation a lot worse.
Joe Kerrigan
Yeah. That's the thing about organized crime is it's usually victims all the way down.
Maria Varmazes
Sure is. Yeah. And what was another little interesting wrinkle to this story is, I don't know if you heard about this last year, but the. The Japan's National Police Agency actually floated an idea of closing off all ATM access to any Japanese citizen over the age of 65 to try and prevent this kind of ATM cash scam from happening. Which people were like, that's not going to happen. That's really a bad idea. But that's how bad this problem has become, where people are just sending loads and loads of money to scammers so that they were thinking like, well, maybe we just close off the ATMs instead of trying to stop this problem. So.
Dave Bittner
Wow.
Maria Varmazes
Yeah. So this. This video at an ATM, at national ATMs across Japan is rolling out right now, apparently. And I'm just. It's an interesting idea to try and stem this problem, but I wonder if people are just gonna ignore it as an annoyance.
Joe Kerrigan
I watched this video first, and I had absolutely no idea what was going on because I don't speak any Japanese.
Maria Varmazes
That's fair.
Joe Kerrigan
Yeah.
Dave Bittner
Yeah. It reminds me of the training that in store cashiers are getting when it comes to gift cards.
Joe Kerrigan
Right.
Dave Bittner
You know how if you walk up to the counter at your local drugstore with a dozen Apple gift cards, the cashiers now are trained to say, to ask you questions, to make sure or to try to help that you're not being scammed. But I suppose in the same way that if you're under the scammer's spell, who's on the other end of the phone in Japan? I can imagine the scammer saying, now listen, as you walk up to the atm, they're going to show you this video. And that's just there to trick you. Don't fall for it, that sort of thing or whatever. They'll come up with some. Some work explanation for it.
Maria Varmazes
Yeah, yeah, yeah. There often is. Yeah. Yeah. And what's interesting is to me, this something I was thinking about in the previous story also. Sorry, not the previous story. The. The listener response about the Chinese police agency scam person. If they're speaking Chinese to a person in a country where Chinese is not the main language that can build trust, you're going, oh, this person's speaking my native language. And that's not normally what happens here in Japan. If you hear someone speaking fluent Japanese, you might go, well, this person's clearly not like a foreign scammer trying to get money out of me, so I'm going to trust this person inherently. Yeah.
Dave Bittner
Yep. Interesting. Well, I mean, I wish them well. I hope it works like you said, Marie. I think I could imagine this just becoming background noise very quickly. If you see it over and over again, you just ignore it. You know, it's like those. Have you ever been to one of those gas stations that plays ads while you're pumping your gas?
Joe Kerrigan
Ah, I have the solution makes you.
Dave Bittner
Want to set the solution.
Maria Varmazes
That's why I have an electric. Electric vehicle. Honestly, not the reason, but it certainly help.
Dave Bittner
Yeah.
Joe Kerrigan
Can I tell you what you do there, Dave?
Maria Varmazes
Oh, yes.
Joe Kerrigan
So on either side of the screen, there's usually a row or column of four buttons on both sides.
Dave Bittner
Yeah.
Joe Kerrigan
Second button down on the right is mute.
Dave Bittner
Yeah.
Maria Varmazes
There you go. News you can use. Yeah. In Japan's case, this is a huge problem with the elderly getting scammed out of cash. So I know they're trying everything they can to try and stem the tide of this happening, but it's been going on a long time and it's just only getting worse. So, yeah, it's an interesting thing that they're trying.
Dave Bittner
Yeah. All right, well, interesting story. And we will have some links for that story in the show notes. Before we get to Joe's story, let's take a quick break here to hear a message from our sponsor. All right, we are back. And, Joe, what do you got for us this week?
Joe Kerrigan
Dave, Last week from. Actually, from. We got so much over the course of the last week, so much email, that I decided I was going to share some listener stories this week.
Dave Bittner
Okay.
Joe Kerrigan
The first one comes from Jax, who says that over the 2023 holidays, he received a text message from Chase Bank that said, this is a fraud alert. Did you approve this purchase? He's like, I don't have an account with Chase. This is obviously a scam, but he doesn't do anything. Right. But then it gets the best of him. He gets a little bit worried about it, and he types no and replies to the text with a no, thinking, either I'll start to see a scam here or something else will happen. But what happens is he gets a message back that says, you've already responded to this alert, which is weird. So he actually gets on the phone and tries to call Chase. Cause that. That. That doesn't satisfy him. So he calls Chase and he says that he has to go through their. Their automated phone screening ringer. Right. Which is just a miserable experience. And there is no option for. I don't have an account, but I still want to talk about fraud. Right.
Maria Varmazes
That doesn't fit in the phone tree. Yeah, he.
Joe Kerrigan
He eventually penetrates the bureaucracy and he gets through to somebody, and they are ultimately able to confirm to him that, yes, that message did come from them, but there wasn't any more information they could give him. He had to go to a Chase branch, which the closest one to him is an hour away.
Maria Varmazes
Oh, my God.
Joe Kerrigan
He's not gonna go to a Chase branch. Right. So the next thing that happens is he said he got another one in recently, like within. In the month of February, and now he's wondering, should I have gone to the Chase branch? Here's what I think is happening. Somebody has erroneously entered a phone number into their text alerts. Or maybe, Jax, have you recently acquired that phone number? And that's somebody's old phone number, and it's still getting the text alerts from somebody, the fraud alerts from Chase for somebody else's account. Because these are coming from Chase.
Dave Bittner
Yeah.
Joe Kerrigan
So that's my best guess.
Dave Bittner
But if someone had already responded to.
Joe Kerrigan
It, it goes to two phones. The text gets sent to two phones.
Dave Bittner
Oh, I see what you're saying. So you could have your account set to send all messages to two different phone numbers.
Joe Kerrigan
Right.
Dave Bittner
And so the person who was on the other phone number has already responded. I could see that happening. It would just being a wrong number. Yeah.
Joe Kerrigan
Essentially it's a wrong number. Or maybe somebody has entered something wrong. They've mis. Entered their spouse's phone number or something.
Maria Varmazes
Yeah, it could happen.
Joe Kerrigan
Cause I don't. I had to make a conscious effort to remember my wife's phone, actual phone number, instead of just going to my favorites and pushing on her face on the phone. Right. That's.
Dave Bittner
Say romance is dead.
Maria Varmazes
Pushing on her face.
Joe Kerrigan
I have pictures for all the contacts.
Dave Bittner
Honey, I can't wait to bring up your picture every time I call you. That's why I push on your face.
Maria Varmazes
Modified version of that Monty Python song.
Dave Bittner
Soon your dulcet tones will be in my ear.
Joe Kerrigan
Oh, you have just brought back childhood.
Dave Bittner
Moving on.
Joe Kerrigan
Well, I wanted to say, Jax, if there's a thing that says reply stop to stop these messages, I would try that. I don't know if there is for these kind of things, but Rodney has a twofer. Rodney actually got a phone call when he was at work and it was his mom calling from his aunt's number. And he says, I'm kind of in the middle of a call right now. Is this urgent? She goes, yes. And she proceeds to say that her dad, his dad had clicked on an ad, a pop up alert about Microsoft warning for viruses. And of course, they then got access to his computer and showed him that. Showed them is in quotes, all the traffics to these porn sites and money laundering. And they were going to try to help them. They said they tried to isolate him, said they can't use any devices, not even their landline for 10 hours. Which is why mom went out and got the. Got the aunt's phone number. Apparently the aunt lives next door, so it was really convenient. So he said, yes, that is a. That is a fraud. And he, he actually got them to get in touch with the bank. The bank said, you gotta come in here. And they, they put fraud alerts on all three credit bureaus and they closed their accounts as open new accounts. Good job on the bank's part there. Yeah, he did let. He did let them know the scammers are playing a. Playing pulling from a playbook. Here is what he says. And they create this crisis, they manufacture the panic, and then they come in with the solution. So good work for Rodney and good work for Rodney's mom realizing something's up and calling Rodney, who is a help desk technician.
Maria Varmazes
Yeah, absolutely.
Dave Bittner
This happened to my dad once. The Microsoft. I think I talked about it here. The Microsoft message popped up on his Mac.
Maria Varmazes
Well, I mean, it's technically possible if you're running Microsoft on your Mac, but if it looks like Windows X on your Mac, it's a little.
Dave Bittner
Yeah, that's.
Maria Varmazes
Yeah, exactly that. It has happened to my parents, too.
Dave Bittner
I've.
Maria Varmazes
I've received screenshots, put in a Microsoft Word document, and then forwarded to me in my email saying, is this legit?
Dave Bittner
There you go.
Joe Kerrigan
Right. The second story Rodney had is actually two really sad stories. And he talks about these women that he knows, they are tangentially, you know, friends of friends that have been scammed in romance scams. And one of them, it turns out, had actually only realized it was a scam after she had, on her own, traveled to South Africa and then traveled to Canada to meet this guy. Presumably, I'm thinking that this was to meet him when he wasn't expecting her. But she walked into where she was expecting to meet somebody, and the receptionist there said, yes, this happens frequently. This is a scam.
Maria Varmazes
Yep.
Joe Kerrigan
So, but the other one is somebody who is ongoing right now, is still getting scammed out of money on a regular basis. And she is now targeted by four different people, which Rodney suspects may be the same guy, but it may be four different guys in the same gang. And no matter what they tell this woman, she doesn't believe that this is a scam.
Maria Varmazes
Yep.
Joe Kerrigan
And it is really tough. And Rodney wanted to point this out. This is again part of the psychological conditioning for this. And I don't know that I can easily relate to this one, but there's no way I'm going to sit here and say that this woman should know better. She doesn't. She's being victimized by at least one person and they're just taking her money from her. I don't know what the solution is here for this when you have somebody that you know is being victimized this way. And Rodney points out this woman is not some average person off the street. She is a CPA and a former CFO for a company and she's getting scammed out of money by romance scammers.
Maria Varmazes
Yeah. When you want to believe it's true, you can't convince somebody that it's not true. I mean, I have personal experience with this one. Very, very close family and friends I know have fallen for this. And I should also mention I know someone who worked at the Nigerian consulate for years and, sorry, the American consulate in Nigeria. And literally a lot of their job was helping Americans who had traveled to Nigeria only to realize the person they were there for was non-existent. And no matter how many times that intervention happened, people still, even if they were there in Nigeria and lost a lot of money, people still believed that the person they were waiting for was real. So it's a very difficult problem. And as I said, I know people who have fallen for the scam as well. And I've been part of interventions trying to help this person. I've tried to, you know, lean on any of my expertise that I have to say, hey, this is definitely not a real thing. If people are convinced it's real, in my experience, I don't have any happy tale to say here. Nothing I have ever said has worked. I wish I had.
Dave Bittner
Yeah, that's what I was gonna ask about. Like, what is a high enough authority for someone that they would, that you could, you know, put some sense into them? Could you, if I'm thinking, like, do you bring in a police officer? Could you bring in an FBI agent? Could you get their priest or their rabbi or, like, who?
Maria Varmazes
So can I tell you what we tried? And this is the person who I know who fell for this scam. We brought in that person's priest, we brought in that person's siblings, and we brought in that many people in the sort of the broader family network of which I am a part. We brought in pretty much everyone we could think of, including the person I know who worked at the consulate in Nigeria. And literally none of that worked. And the priest was the person we were hoping would be most effective, as that is a very esteemed person in this person's life. And none of it worked. Like, none of it worked. Honestly, even the bank stopped her and said, you're being scammed, ma'am, and it just didn't. So I have to say this scam is the one that really terrifies me because I don't know of many success stories where people have been able to get through to someone and say, hey, you're being scammed. I know it really hurts, but this is not real. It's a really tough one.
Dave Bittner
Yeah, I mean, I guess, as Joe and I have talked about time and time again, is if you can try to get to them before it happens and inoculate them, then you have a better chance of it not happening. But I think, to your point, Maria, once they're down that path, it is so hard to bring them back.
Joe Kerrigan
They are fully vested.
Maria Varmazes
They sure are. It was really eye opening to be part of an intervention for such a situation. This was many years ago, and I just couldn't believe it because we actually tried inoculating this person previously because it was a concern that many of us had had that, that this person would be potentially a victim. And it just did not seem to help.
Joe Kerrigan
Is this person still being victimized?
Maria Varmazes
No, they are not. They're okay now. But I think basically the scammer lost interest. I think the process got... we managed to extend things enough that the scammer just kind of left this person alone. But it was many dicey months of just trying to figure out how to keep this person from causing harm to herself financially, and heartbreak was inevitable. But it was really tough. And every time I read about these, I remember how hard that was. And you're right, it can be a very well-educated person who intellectually knows that this is a scam, but emotionally it's a different story. And then correct that disconnect.
Joe Kerrigan
That's a very important distinction.
Maria Varmazes
Yeah, yeah, it's very difficult.
Dave Bittner
All right, well, Joe, you got one more here, right?
Joe Kerrigan
I do. We can go into it if we have time. This is from Zero X Scion. God.
Dave Bittner
Okay.
Joe Kerrigan
One of those really cool hacker names.
Dave Bittner
Not their real name.
Maria Varmazes
Not their real name. Not on the birth certificate that way.
Joe Kerrigan
But he says that wallet drainers like Inferno Drainer and others are constantly using phishing sites to steal millions. And he has an example of a phishing site that was designed to trick users into a wallet-draining app by faking a legitimate wallet security extension. So this is a wallet security plugin called Wallet Guard. And it looks like a Twitter tweet. A tweet or an X or whatever it's called now, who knows? It says, luckily I'm on time. Thanks, Wallet Guard, for saving my tokens. But in the bottom, there's a link to what is actually just something that drains your wallets. Just goes in, gets your private keys, sends the private keys out. Then I guess the person who receives the information drains the wallets.
Dave Bittner
So you sign up for something to protect your wallet and instead.
Joe Kerrigan
Yeah, I don't even know if you sign up for it. I think you just download it and. Right, yeah, that's all that happens.
Dave Bittner
But I would imagine part of the process here is giving it access to your wallets, which makes perfect sense if you're trying to protect your wallets.
Joe Kerrigan
Right. I don't know how much of a use case I would have for Wallet Guard itself. I don't know. There's a better security practice called cold wallets, where you keep things off of computers and you get a hardware wallet and you put. If you're the kind of person that has a lot of cryptocurrency, you don't keep that all in one software wallet.
Dave Bittner
No, I mean, it seems like this is clearly targeting the unsophisticated cryptocurrency investor Right.
Joe Kerrigan
Well, which I'll bet there are a.
Maria Varmazes
Lot of those didn't want to say.
Dave Bittner
All right. Pregnant pause. All right, well, good stories. But now it is time to move on to our Catch of the Day.
Joe Kerrigan
Dave. Our Catch of the Day comes from Zach, who writes. Hey, guys, great show. Got this in the mail today. My wife actually purchased this item and initiated a return through Amazon. I saw it on the counter and asked if she had done anything with it and if she had not responded to it. He says he finds this hilarious. A real phishing message you can hold in your hands. Now, Dave, I'm gonna describe the picture. Here it is. Looks like it comes on Amazon letterhead.
Dave Bittner
Right.
Joe Kerrigan
There are a couple of pictures of a model or two models wearing tights. I guess in the US we might call these pantyhose. But these are. What's interesting to me right off the bat is that his wife has already returned these tights.
Dave Bittner
Yeah. So I'm wondering where. Well, let me read it and then we'll get to our questions. So it reads like this. It says, dear valued customer, thank you for purchasing our fleece lined tights on Amazon. We hope the product is working well for you. Congratulations. You are chosen as the lucky customer to have a $15 PayPal payment by sharing your shopping experience. Get your PayPal payment now. Write a review and take a screenshot. Email us the review. Screenshot. A PayPal payment will be sent to you within 48 hours after your review is live online. Any concerns about the product, please feel free to contact us via mail. We'll get back to you in 24 hours. During working days and satisfying solution is promised. Attention for your account security, please don't attach pictures of this letter when you leave a product review. Hope you enjoy our products. Thank you for being one of our valued customers and for your great trust. Looking forward to hearing from you soon. Yours sincerely, customer after sales team.
Joe Kerrigan
And it says here there's an Outlook address. So here's what I think is going on here. This is just a. This is actually from the seller on the Amazon site. And they are just trying to buy a five star review.
Dave Bittner
Yes, exactly.
Maria Varmazes
Yeah.
Joe Kerrigan
So, Zach, if you really want to mess with them, you can just send this directly to Amazon. Which is why he says here, for your account security, don't attach this letter to your reviews because then Amazon go, ho, ho, ho. Hold on. You can't do that. That's against our terms and conditions.
Dave Bittner
Have you ever gotten one of these?
Joe Kerrigan
I have never gotten one of these.
Dave Bittner
I have.
Maria Varmazes
I've gotten tons of these.
Dave Bittner
Yeah, tons.
Maria Varmazes
They come with almost everything I get now. It's amazing.
Dave Bittner
Is that right?
Maria Varmazes
Yeah. I mean, I try not to shop on Amazon as much as I can. I try to avoid it, but when I do it, there's often something like this in there saying, don't tell them we asked you to leave a five-star review. We'll incentivize it in some way. It's so common now.
Joe Kerrigan
Yeah, I got one. I bought a box of collar stays.
Dave Bittner
Okay.
Joe Kerrigan
Like 500 collar stays.
Maria Varmazes
And they said that is a lot of collar stays.
Joe Kerrigan
Yeah. You know what? I'm already out.
Maria Varmazes
You lose them every time.
Joe Kerrigan
I do. I already have. I was like looking at my box this morning. I'm taking the long ones and breaking them off and thinking to myself, I gotta buy more collar stays.
Dave Bittner
Okay. Wow.
Joe Kerrigan
But I got an email that said, hey, would you mind giving us a review on your collar stays? There wasn't a promise of anything else.
Dave Bittner
Right.
Maria Varmazes
You review a collar stay.
Joe Kerrigan
Right. So I wrote the most sarcastic review.
Dave Bittner
It's a piece of stars collar.
Joe Kerrigan
Right. These collar stays are great.
Dave Bittner
I mean I've, I've fallen down the trap of using substandard collar stays. And let me tell you, a man walks with confidence when he has the right collar stay.
Joe Kerrigan
You laugh, Dave, but I actually do have a story about using the wrong collar stays.
Maria Varmazes
Oh my gosh.
Joe Kerrigan
That you'll see in some stores, high end stores, they'll sell metal collar stays. Oh, never ever buy those.
Maria Varmazes
That seems very dangerous.
Joe Kerrigan
It's essentially like jamming a knife into your shirt.
Maria Varmazes
Oh, okay.
Dave Bittner
I also imagine is you have a hard time getting through airport security.
Joe Kerrigan
Yeah, that too. That was a concern one time. So yeah, don't buy the metal ones. Just get the cheap 500 plastic count or, or wearing button down collar like Dave's wearing right now. But Dave, I want you to look here. Right here, right where the heck with the collar stay.
Dave Bittner
Oh, look at that.
Joe Kerrigan
Look at that. I had to break it off at the end. Now I gotta.
Dave Bittner
Now that's one sharp looking collar there, Jay. I gotta say you're on the other.
Joe Kerrigan
Side because I pulled this one out.
Dave Bittner
Man. Every girl's crazy about a sharp dressed man. There you are, Joe, with your, your collar stays. Oh boy. You can take that collar stay out and you can use it to press against your wife's face on your phone. Be irresistible.
Joe Kerrigan
Then it won't call.
Dave Bittner
Right. Well, what are you going to do? Nothing's perfect.
Joe Kerrigan
Yeah.
Dave Bittner
All right. Well, thank you to Zach for sending this in. We do appreciate it; this is a good one. And of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hacking humans2k.com.
Dave Bittner
That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. A quick reminder that N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. This show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Varmazes
And I'm Maria Varmazes.
Dave Bittner
Thanks for listening.
Hacking Humans: New Tools, Old Problems – Detailed Summary
Released on December 26, 2024, by N2K Networks, the "Hacking Humans" podcast explores the intricate world of deception, influence, and social engineering within cybercrime. In the episode titled "New Tools, Old Problems," hosts Dave Bittner, Joe Kerrigan, and Maria Varmazes dissect recent scams, discuss evolving tactics employed by cybercriminals, and examine both listener experiences and potential countermeasures.
The episode opens with Dave Bittner sharing listener feedback from Alan, who references a previous discussion about a $50,000 shoebox scam featured in episode 278. Alan recounts a similar incident involving his sister-in-law in Australia:
Dave Bittner [01:41]: "They asked her to Google a police station in Shanghai and to look at the phone number. Then they proceeded to call her from this number and convinced her that they were the Chinese police."
This scam mirrors the shoebox tactic, where scammers physically present a shoebox containing money to gain trust before disappearing with the funds. Alan highlights the scam's sophisticated approach, including spoofing legitimate numbers and using video calls with counterfeit police uniforms to establish authority.
Joe Kerrigan emphasizes the severity of such organized scams:
Joe Kerrigan [05:57]: "These are not somebody you want to mess with. These are criminals. They're coming after $50,000. They want it really badly."
The hosts discuss the psychological manipulation involved, noting how scammers exploit the fight-or-flight response to diminish skepticism and induce panic, making victims more susceptible to deception.
The conversation shifts to preventive measures against such scams. Clinton, another listener, provides critical insights:
Joe Kerrigan [06:39]: "He says the entire scenario began when they called her and the verification was accomplished when they called her. Had she insisted on hanging up the phone and verifying the number on her own, the scam would have failed."
However, Maria Varmazes counters the practicality of these best practices:
Maria Varmazes [08:08]: "I think we are sort of setting people up for failure if we're like, never trust any inbound phone call because your phone is just an attack vector at this point."
The trio acknowledges the complexity of balancing skepticism with the necessity of communication, especially for those reliant on phone interactions for legitimate purposes.
Dave Bittner introduces a story from Brian Krebs of Krebs on Security, detailing a scam targeting cryptocurrency enthusiasts through the scheduling app Calendly:
Dave Bittner [12:18]: "They're using the online calendar scheduling app Calendly to engage targets and ultimately deploy malware through malicious links."
The scam involves sending legitimate-looking Calendly invitations that, when clicked, download malicious AppleScripts onto Mac computers, resulting in wallet-draining Trojans. Joe Kerrigan explains the technical aspect:
Dave Bittner [15:35]: "So you're gonna trust it because it says Calendly. It says Calendly. And you've already done business through Calendly to make all this happen."
The hosts underscore the importance of vigilance, reminding listeners that even trusted platforms can be exploited to facilitate cyberattacks.
Maria Varmazes presents an innovative, albeit controversial, solution employed in Japan to combat ATM scams targeting the elderly. The National Police Agency, in collaboration with Japan's Post Office Bank, has deployed AI-driven warnings at ATMs:
Maria Varmazes [19:29]: "There's a video that displays on ATMs if someone approaches with a phone to their ear, warning that the phone call is a fraud and advising them to hang up immediately."
This system, featuring alarming visuals and endorsements from public figures like former boy band member Keita Tachibana, aims to deter potential victims by interrupting the scammer's narrative.
Dave Bittner raises concerns about the sustainability and potential desensitization to these warnings:
Maria Varmazes [20:48]: "But it's very like alarms and red and blinky and meant to get your attention... I wonder if people are just gonna ignore it as an annoyance."
The hosts debate the effectiveness of such measures, considering the fine line between necessary warnings and user experience disruption.
The episode delves into multiple listener-submitted stories illustrating the pervasive nature of scams:
Jax's Experience with Fake Chase Fraud Alerts:
Joe Kerrigan narrates Jax's ordeal receiving fraudulent text messages claiming to be from Chase Bank, alerting him to unauthorized purchases. Despite asserting he doesn't hold a Chase account, Jax's attempts to resolve the issue lead him through frustrating automated phone systems, ultimately requiring a branch visit he couldn't undertake.
Rodney's Encounter with Romance Scammers:
Rodney describes interventions with individuals romantically deceived by scammers, including one who traveled internationally to meet their supposed partner, only to be confronted by vigilant staff who recognized the scam. Despite comprehensive efforts involving family and authoritative figures, some victims remained unconvinced of the deception, highlighting the deep psychological entrenchment scammers achieve.
Maria Varmazes [35:04]: "We brought in pretty much everyone we could think of, including the person I know who worked at the consulate in Nigeria. And literally none of that worked."
These narratives underscore the challenges in extricating victims from sophisticated and emotionally charged scams, emphasizing the need for proactive education and support mechanisms.
Joe Kerrigan shares a warning about wallet drainers posing as legitimate wallet security plugins on platforms like Twitter:
Joe Kerrigan [37:40]: "They have an example of a phishing site that was designed to trick users into a wallet-draining app by faking a legitimate wallet security extension."
This tactic involves deceptive links that, once clicked, harvest private keys and drain cryptocurrency wallets. The discussion highlights the necessity for cryptocurrency users to adopt robust security practices, such as utilizing cold wallets and verifying the authenticity of security tools.
Additionally, the hosts discuss fake Amazon reviews, where sellers solicit five-star feedback through deceptive emails:
Joe Kerrigan [37:40]: "This is actually from the seller on the Amazon site. And they are just trying to buy a five-star review."
Such practices undermine platform integrity and exploit consumer trust, prompting a need for stricter enforcement of review policies.
The "New Tools, Old Problems" episode of "Hacking Humans" provides a comprehensive examination of current cybercrime strategies, illustrating how traditional scams evolve with technological advancements. Through listener stories and expert analysis, hosts Dave Bittner, Joe Kerrigan, and Maria Varmazes highlight the persistent and adaptive nature of social engineering threats. The episode not only sheds light on the sophisticated methods employed by scammers but also underscores the importance of education, vigilance, and innovative solutions in combating cyber fraud.
For more insights and detailed discussions on cybersecurity threats and defenses, tune into future episodes of "Hacking Humans" by N2K Networks.