A
You're listening to the CyberWire network, powered by N2K. Welcome to a very special Thanksgiving encore of Hacking Humans. In this encore, Dave, Joe and Maria break down everything from romance scams and the Madoff victim fund to YubiKeys, diamonds as crypto and a Honey extension controversy. Plus a Reddit catch of the day that you won't want to miss. We hope that you enjoyed this encore of Hacking Humans, and we appreciate you listening. And for all those celebrating, have a safe and happy Thanksgiving.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Hey, Maria.
A
Hey, Dave. And hey Joe.
B
We've got some good stories to share this week and we will be right back after this message from our sponsor. And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. All right, before we get to our stories, we have a couple items of follow-up here. What do we got, Joe?
C
Dave, Ricky wrote in and commented on the fact that I kind of offhandedly said diamonds are a scam in one of our last episodes. Yeah, and I still stand by that. I think they are a scam.
B
I'm with you.
A
I'm with you on that.
B
And I'm not saying so. I have a reason to not buy them for my wife, right?
C
Here's a discussion I'd like to hear you guys ponder. Diamonds are the original cryptocurrency. Production and value are almost entirely based on mining difficulties, used in illicit activities, and they are both tracked, allegedly, by ledgers of sorts. They are oft used for anonymously conducting transactions. So that's an interesting observation and an interesting assertion. The only difference is that diamonds are not as fungible as a cryptocurrency like a bitcoin or, or whatever, an Ethereum token. Yeah, they are very different. Each one is different. Each one can be mapped to and fingerprinted. They can be engraved with identifiers. Although you can just sand those identifiers off, I guess.
B
Well, but you physically have to. It's a physical item, whereas crypto is not. It is not. Right. You couldn't.
A
It would be.
B
But let's. If we only had diamonds, the whole ransomware thing wouldn't be if. Wouldn't be what it is if it were diamond based.
C
Right.
A
Watch out. 2025. Maybe that's happening.
B
What's that, Maria?
A
Maybe that'll happen in 2025. We see ransomware. Diamond based ransomware.
C
Right. Because we're seeing gold bar based things.
B
Why not?
C
Why not?
A
Let's bring it all.
C
Why not? Diamonds, Right?
A
Yeah.
B
Right. No, that's interesting. I think Ricky makes some interesting points here.
C
Yeah, I agree.
B
I mean, the fact that it is based on mining. I mean, I have heard, and I think this goes to your point, Joe, that diamonds really aren't very rare.
C
Yes, they're not.
B
And it's. What is it? The De Beers company who makes them rare?
C
They keep them. They keep supply controlled.
B
Yes. Yes.
C
So it rains diamonds on Jupiter, actually.
B
Is that right?
C
Yes.
B
Okay.
C
Pressures are great enough that carbon forms into diamonds in the rain. Of course, those pressures are so high we can't get in there and collect the diamonds. I don't know how we ever would. But the theory is that it rains diamonds on Jupiter.
B
Huh. Okay, that's interesting.
C
Yeah.
B
Yeah. So I think this is an interesting idea. I think Ricky's onto something here, so thank you for sending it in. I'll be thinking about that for a little bit. Right. All right. What else do we have, Joe?
C
Dave, we have another one. I'd like you to read this one because I have a response to this one. This is actually directed at another one of my comments.
B
Okay.
C
Apparently people don't like my stupid comments.
B
They just like your smart comments, Joe, not your stupid ones.
C
Oh, I make a lot of SM comments too, if you get my point.
B
Unfortunately, it's up to them to decide which is which. Right. All right, it goes: Hey, guys. And Maria. Just a bit of feedback for Joe for a comment he made regarding YubiKeys for organizations. He said something to the effect that each new hire should be issued two keys, about US$90, when starting with the company. While I like the idea of issuing YubiKeys, two per employee is overkill. We rolled out YubiKeys for a client and you can include management tools that integrate with Active Directory. Only requires one per employee and a couple of spares for the administrators. Yes, it requires some upfront work to set up the integration with AD. I guess it's Active Directory.
C
Active Directory, yeah.
B
But once it's in place, we helped a client roll this out and it works like a charm. It even works as the 2FA for the staff until they, or when they, VPN in from home. Further, the client issued NFC keys to each employee when they rolled out Ubiquiti door locks. The YubiKeys doubled as their pass cards to get by the electronic locks. That's fun.
C
Yep.
B
This works as a great incentive not to lose your YubiKey. Put it on your little... Maria brings a long overdue source of calm to help keep Joe from going too far down a rabbit hole.
A
I've never been described that way in my life, but thank you.
B
That's what they say every time you enter a room. Right, Maria? Oh.
A
Oh, yeah. Me calm.
B
That's. This sense of calm has just come over this room. What happened? Oh, it's Maria.
A
I'm here. Everything's great.
B
It's the aura of your presence. One thing, though, I do miss interviews that Dave used to do in the second half of the show. What happened to those. That's it. So long. From the Great White North. From Crow Child. Bob.
C
Yes. And Bob. So Bob is 100% correct. You do not need to buy two YubiKeys for every employee.
B
Yeah.
C
However, I recommend you do. And the reason is this is because this is the way Twitter rolled it out. Twitter bought everybody two YubiKeys and they said, here's two YubiKeys. Start using this on all your multifactor authentication.
B
Right.
C
And you're going to have to use it on your Twitter multifactor authentication. This was after that hack where the young guy convinced somebody that worked at Twitter that he was calling in from the help desk. And if they'd had YubiKeys, then this would not have happened.
B
Right.
C
So the point is that if you're going to equip people with YubiKeys and encourage them to use them in their personal lives. And what happens, like if you're using a YubiKey for your Google account or your Facebook account, personal Facebook account, or any of these other accounts, and then you lose it, you lose the YubiKey, you may lose access to your account. Which is the reason I say it's worth the $45 to buy an extra one, even if you're just doing it yourself, is because it will save you the time and hassle of trying to contact these big tech corporations and trying to get them to respond to you, because that is like pulling teeth. It is a terrible experience all around. It is worth the $45 to have two of them. And I think that if you're going to be a company that does this, maybe you want to consider going ahead and getting your employees two of them and encouraging everybody to do it. No, you do not have to do that. And Bob is 100% correct here. You could do it with one and a couple extra spares. And when somebody loses one, you just give them a new one. That's fine. And you can tell them, we don't care about your personal accounts, but that's essentially what you're going to be telling them.
B
Right. I like the idea of two. Now we use them here at N2K. And I was issued two when that happened. Obviously, I like having a backup, knowing myself as I do. But the other thing I think is that this is a measure of convenience for your tech support team, because in this case, if you issue two and somebody loses one, they can still limp along with the backup while you're taking care of replacing the lost one.
C
That's right. They don't lose access immediately.
B
Right. And it just makes it less of an "Important! We must fix this now, because I can't get into my accounts."
C
Right.
B
They can still get into their accounts. And you replace the lost one at your leisure.
C
And loss is not the only thing that can happen to these. You can damage them, too.
B
Yeah.
C
I'm very afraid that I'm going to damage mine because it's on the back of my backpack on a lanyard.
B
Right.
C
Swings around, it gets slammed in car doors and everything.
B
Yeah.
C
I mean, I'm glad I have two of them. That's what I'm saying.
A
You could reconsider where you put it. I'm just saying.
C
Yeah, I could. I could. I also want to say, not going to.
B
For those who. Who. Those who have never crossed paths with Joe, first of all, he brings his backpack with him just about everywhere. Yeah. But also, his backpack weighs about 400 pounds.
C
It's very heavy.
B
Yeah.
A
So you're one of those.
C
Cannot pick it up. And I say, hand me my backpack. She goes, no.
B
Nobody has ever said, hey, Joe, toss me that backpack. No. So anything attached to it is a crushing risk, for sure.
C
Absolutely.
B
All right, well, thanks for the kind words about Maria. And the interviews aren't necessarily gone forever. We've just sort of changed modes where when we brought Maria on the show every week, we wanted to make sure that we had enough time for Maria to do the things she wants to do and for three of us to each tell our stories. So that pushed the interviews aside, but we're still open to them. So when a really interesting interview comes along that we think is great for the show, then we will include that. So not necessarily gone forever, but for the most of our episodes will be interview free from this point on. We traded the interviews for one Maria. And I think it's been a good.
A
Trade, so hope it was a good choice.
B
A Maria to be named later. Yeah, no, I think it's been great. So that's where we are. All right, well, that is our follow up, and of course we would love to hear from you. If there's something you'd like us to discuss on the show, you can email us. It's hackinghumans2k.com. All right, let's get to our stories here. I'm gonna lead things off for us and I wanna talk about the honey scam.
A
Yeah.
C
Now, I think I see this in my new neighborhood. It's where you drive by a house and it says, honey for sale.
A
Oh, is it.
C
Local honey for sale? Is that what this is?
B
No, this is not that.
C
Oh, okay. Maybe I'll stop by and actually, what.
B
Do you envision a honey scam would be? Or it's not actually local honey or. Okay, so industrial honey.
C
That's quite right. That's right. It's. It's honey. Honey from some. Some mass produced farm out in the Midwest and they just ship it in a. In a tanker truck and then somebody sells like local honey.
B
Right, right.
C
Which homeopathic people will say local honey will help you with allergies that you have.
B
Yeah, I've heard that.
C
I don't know if that's true or not.
A
I don't know if it works. I've tried it. I don't know if it's worked, but it's nice. Honey. It tastes good.
C
I love honey. Honey is one of my favorites.
B
Oh, it's delicious. Evidently it lasts just about forever.
C
Yeah, it does. It does not go bad.
A
Great story, Dave. Love this one.
B
Thanks. This has nothing to do with any of that. Right? So remember when our commenter was talking about Joe going too far down a rabbit...
C
Here we are. Look at all these bunnies.
B
Maria, save us reeling in. Okay, so here's what's going on. And I want to preface this by saying at this point in the life story of this scam, the word scam is in quotes because these are all allegations.
C
Okay?
B
The accused has not officially made a meaningful response to any of this. So these are allegations, but there's a good amount of verification and backup, and it seems like what is being alleged is going on here, but I just want to frame it that way just so everybody knows this isn't a done deal. So there is a web browser plugin called Honey. And what Honey is supposed to do is you install this browser plugin, and when you go shopping for things, right before you check out, you click the Honey button. And what Honey says they do is they search the web for all the best coupon codes. And so just as you're about to check out, they search the web, they pop up a coupon code, you put that coupon code in and you save some money. That's what it's supposed to do. Make sense? Yes, yes, Maria.
A
Yeah.
B
All right.
A
Yes, I'm with you. Yep.
B
So Honey is also one of the largest advertisers on, let's call them, influencer channels, so YouTube channels. And we're talking about the big names here. Most of them have been sponsored by Honey.
C
Now, I'm looking at this lineup of guys, and I only recognize two of them.
B
Yeah.
C
One of them is one of my favorites, Mark Rober, who I like a lot.
B
Yeah.
C
And the other one is Mr. Beast, who I. Who I have blocked on all of my YouTube stuff. And the only reason I blocked him is because I can't stand seeing his stupid face on the. On the stupid face he makes. You know that stupid face he makes? Like, oh, it's a shocked face. He puts it on all of his.
A
Every YouTuber does that.
B
That's like you do thumbnail.
C
If you do that, I block your channel so quickly.
B
Yeah, I hate it. I installed a plugin that blocks that.
C
Oh, did you?
B
Yeah. Oh, it's rid of that.
A
I need to get that plugin.
B
Yeah. All right, so. And down the rabbit hole we go. So Marques Brownlee is one of the well-known YouTubers who I frequent, and he was sponsored by Honey as well. Now, it's worth noting that Honey was purchased by PayPal. So Honey has deep pockets.
A
They've been around not that long. I feel like they just had a meteoric rise, though. I remember when they were new and it just seemed like they got snatched up pretty quickly.
B
Yeah.
A
Quite amazing.
B
I think that's right. I think that's right. So there is a YouTuber who goes by the name MegaLag who published a video with all of these allegations.
C
Awesome name, by the way.
B
So here's what's going on. When you go to purchase something that was recommended by someone online, you often get an affiliate link. And an affiliate link is a special link. Let's just use Amazon as an example, because it's easy. It's a special link that connects to that YouTuber or influencer's account. They say, go buy this bottle of facial cream, and when you do, we'll get a small percentage back to support our channel. I think we've all seen that.
C
Yes.
B
And so that is a special affiliate link code. So what the allegation. Allegation number one is that when you go to, let's say, Amazon with that affiliate link and you click on the Honey plugin, Honey replaces the affiliate link with their own.
C
I knew that when you started saying that and said the first allegation, I knew exactly where this was gonna go.
A
Yeah.
B
So everything you buy, then the kickback doesn't go to the creator, the person you intended to support. It goes to Honey. So that's allegation number one. And that Honey is not making that clear, that that's what they're doing. Allegation number two is, as we mentioned, Honey claims to the user, to the user of their plugin that they are going out and searching the web for all of the best coupons. Well, if you are a Honey affiliate, someone partnering with Honey, let's say you are a brand like Coca Cola.
C
Okay.
B
All right. You can partner with Honey. And part of your agreement is that Honey will only present the coupons that you want them to present.
A
Hmm.
B
So let's say there's a 20% Coca Cola coupon floating around on the web for very special reasons.
C
Right.
B
But you run Coca Cola, and you only want a 5% coupon to show up on Honey. Right. You partner with Honey, you tell them, in exchange for only presenting this 5% coupon, we will partner. And, you know, you'll get a. And Honey will get a kickback for that deal as well. So the notion that Honey is searching the web for all the best deals and coupons isn't necessarily true.
A
Yeah, I'm not surprised.
B
Because if they partner with a company, they only present the deals that that company wants them to bring.
C
It seems like way more than shady, you know?
B
It does.
C
Yeah.
B
It does seem that way.
A
And yet it's not surprising, is it?
C
No, absolutely. You know, that's a good point, Maria. I am absolutely not shocked at any of this.
B
No. We all respond with learned resignation.
C
Right, Right.
B
Another thing. Another good thing ruined.
C
Yeah.
B
Yeah.
A
Made credible. Right?
C
Yep.
B
Incredible. So many of the original folks who had sponsorships from Honey. For example, Marques Brownlee has posted a video basically saying, if I knew they were doing this, I never would have allowed them to sponsor. And I suggest that everybody uninstall the Honey plugin.
C
I imagine that these influencers are all losing revenue to this app.
B
Yeah, absolutely.
A
Very likely. Yep.
B
Absolutely. Absolutely. So what do you guys make of this?
C
It's like a pack of weasels that run a company. That's what.
A
There have been so many browser extensions like this, like Honey. I mean, I think Capital One makes one. I get advertisements for it all the time that do the similar. I'm not saying they do the cookie stealing, but the whole running coupons in for you, they're just a dime a dozen. So I don't know, it just doesn't surprise me that they're scammy at all. I never wanted one on my browser, but I get. They're everywhere. I mean, they're just. People were getting bombarded with them. So I don't know, it just speaks more to the, again, incredification of everything on the Internet.
C
I think I may have gone looking for coupon codes, like a total of four or five times. And every time I go looking for a coupon code for whatever it is I'm buying, I quickly get disgusted and just like, stop looking and just go, this is all just scam. I'm just going to pay the extra 10%. I don't care.
B
For your dignity, right?
C
For my dignity. Insanity.
B
Yes. Right. Yeah. I've done the exact same thing. There are times when I've definitely gone looking for coupon codes, and most of the time I'm not successful. Either the coupon doesn't work or it's expired or who knows? But I can understand this. It's interesting to me that someone as big as PayPal is behind this now. There is a class action lawsuit.
C
Good.
B
At the end of last year, there were a group of lawyers representing some of the content creators who partnered with Honey have filed a class action lawsuit. They're claiming damages in excess of $5 million. Oh, good. So we'll see how that plays out. The other thing I've been thinking about this is I wonder how far and wide does this story go? Does it spread far enough to actually have a meaningful effect on Honey? And should the class action lawsuit not succeed, do they change anything about how they're doing business?
C
I say if the class action lawsuit does not succeed, they don't change anything. Yeah, yeah, that's probably what's going to happen?
A
Because I'm sure they're saying they've done nothing wrong, that they provide an incredible value to customers and we're saving you money and time. That's why we're great. So, yeah, they've done nothing wrong, I'm sure. In their. Their eyes.
B
Yeah. This idea of stealing the affiliate links, though, rubs me the wrong way.
C
Really does. Yeah.
B
I mean, it's just. It's just awful how. How could anyone think that's the right thing to do? Right?
C
I mean, if you're on your web, on your phone, or on your web browser and you click on an affiliate link and you think you're supporting the content creator, and it turns out because you have this app installed or this extension installed, you're just supporting PayPal.
B
Right? Right.
A
Who doesn't need that money?
C
Yeah, they don't need that money.
A
That content creator does. But PayPal. PayPal's good, right? Yeah, yeah, it's pretty gross. But I think a lot of it is with this affiliate marketing and a lot of these code trackers and because it is so obscure to the end user, and for most people who are not professionals at this, I think a lot of people figure they can get away with doing shady stuff like this. And honestly, they can, because people just don't look at this stuff. A lot of it, they don't understand how it works. So people just like, I'll just do it until somebody figures out that I'm doing something wrong. Lo and behold.
B
Yeah. All right, well, we will have a link to that story in the show notes. Maria, what do you have for us this week?
A
Well, a lot of folks were home for the holiday season, and I know for me, that tends to be the time of year where I'm doing a lot of family tech support. And I was looking on Reddit's scam subreddit, and I noticed a trend of a lot of people posting, hey, my mom or dad is messaging someone they think is Elon Musk, and how do I get them to stop giving them money? And it just seems like a lot of those posts popped up over the holiday season. It was quite amazing. And that sort of was a natural segue in my mind to a story that CBS just put out about a woman named Sue who is 66 and used match.com to find a traveling companion in her retirement, connected with a man named Santos. And of course, this is a romance scam. Spoiler alert. And over the course of several weeks, he romanced her. He wrote her a poem. It was very romantic. His first money ask was for $40,000 to help with a job certification. And Sue has $2 million in her retirement savings. So she figured 40k for someone she's falling in love with, she could manage it. And over the course of some more time, this scammer scammed her out of all of her $2 million of life savings. It's gone in that romance scam, which is just unbelievable. And the reason CBS was highlighting Sue's story is that there's two points. One is that the FTC said in 2024, over 64,000 Americans alone were hit by romance scams, like what Sue went through, with the damage totaling over $1.1 billion. And that's in 2024. And that number, $1.1 billion, is double what it was just four years ago for romance scam damage, which just speaks to the efficacy of how horrible these things are.
C
And these are only the reported numbers.
A
And these are only the reported numbers too. Yeah. This is what the FTC knows. Right. So I'm. We what. It's probably quadruple that. I mean, I don't. I mean, I'm making that number up, but honestly, it's probably so much larger. And they also said that about half of online daters like Sue, who is using Match, say they've come across scammers looking for money. So people who are looking for romance in sort of legitimate places, so to speak, they're coming across scammers way more than I would have guessed. When I used online dating to meet my husband 14 years ago, I did not meet, as far as I know, a single scammer. And if my husband's a scammer, the scam's gone a long, long time.
B
Right. He's all in.
C
He's playing along.
A
He's definitely all in. We've got a kid and everything.
C
I've got her to have one of my children.
A
Yeah, I've got my hooks in. So this online dating being the realm of scammers and the place where they go to find new victims is a known quantity. We've talked about it. So there is some legislation floating around that is actually bipartisan, called the Online Dating Safety Act, that is hoping to try and address or at least stem the flow of all these online dating scams. And it's very easy for me to be cynical and go, this doesn't go far enough. But I applaud the fact that someone's actually trying to do something. And the bill says it would require online dating service providers, either mobile applications or websites, to provide users like Sue with a fraud ban notification if the person they've been talking to has actually been identified as a scammer and then banned through the service. So it may not necessarily stop a scam in progress, but at least the thinking is if they've talked to this person, they know retroactively this person was a scammer. Or, you know, if the scam happens to be stopped midway, then they'll know, hey, this guy didn't just disappear, he was banned because he was a scammer. Right. So, yeah, it's limited in its scope, but it's hoping to do something.
C
One of the first things they do, these scammers, is they try to move you off this platform because they know they're going to get banned.
A
Yep.
C
So that's where the scam, you know, they'll go to a third. Another thing like WhatsApp or Signal or something, and they'll, they'll scam the people. That's where they actually conduct the scam.
A
Yes.
C
So, and that can take some time. So if this can, if this can reach the victim, this notification can reach the victim. Hey, we've identified this person as a scam account. You should stop, stop communicating with them. And if you send them any money, you should call the police.
A
Yeah, I wonder, I mean, we've talked about these kinds of romance scams many times about how all attempts to sort of reason somebody out of something they didn't reason themselves into is, Is very hard. But I do wonder if, if a message sort of from an authority figure like the service that one used, if that might be potentially effective in ways that we haven't seen before. Because again, I can be very cynical about this. Doesn't go far enough. You know, as you mentioned, Joe, these scams are taken into other platforms. So what about, you know, what about meta platforms? What are they doing? But again, if you get that official notification, we identified this person definitively as a scammer. Maybe that would cause enough friction. Maybe. So anyway, the status of this bill was that it passed the House and it did not yet pass the Senate. Fingers crossed. It looks like it's going to be floated in the upcoming Senate session, so to speak. So we'll see if that actually goes anywhere. But it's interesting that at least two legislators, one's from California, one's from Colorado, they're trying. So I would like it to have more teeth, but it's nice that somebody's thinking of it and here's hoping it goes somewhere.
B
Yeah.
C
And they are bipartisan, the sponsors of this bill. One is a Democrat, one is a Republican.
A
Yep.
B
It's so hard to be anything but cynical about all this stuff, though, right? Like, I mean, just. I don't know, it's hard to see anything. I guess I just don't have confidence that there's much that can move the needle, you know, like, it's great. We're trying. We're gonna do stuff, but when we're dealing with folks who are out, literally out of the reach of law enforcement by virtue of most of them being overseas.
C
Right.
A
Yep.
B
And no way to stop them from accessing folks here.
A
Yeah, yeah. It's sort of like the robocalls that have just made phones pretty much useless for everybody. Nothing has really helped. I mean, I use an app that sort of helps stem that tide, but I still get these spam calls all the time. And it's been going on for years now, and I've sort of lost any hope that this is going to get better. And I'm trying not to lose hope in this case, but, I mean, over a billion dollars a year, again, that we know about. I mean, this is an unbelievable amount of money.
B
Absolutely. Well, cross our fingers and hope, right?
A
Yeah, yeah. What else can you do?
B
Yeah, exactly.
C
It's all going downhill. The entire content of the Internet is just being. I'll give you another example. I went looking for something on YouTube the other day. And, like, the first three videos I click on are just AI slop of somebody reading a script, some AI voice reading a script, and it's just getting put up on YouTube because it's getting through the search engines and it's just all awful. The content on the Internet is just going downhill.
A
Yeah, I miss the old Internet.
C
Yeah, me too.
B
I know, I know. I just. I think about the. I mean, we. It's hard to imagine, but like, when I was a teen, Joe, when you and I were teenagers. Right. So in the 80s, there really was this sense of techno optimism. Like, we thought computers and the Internet were going to be a force for good. And, you know, people were going to have to work less and there'd be more leisure time and all these good things were going to happen because all the drudgery of life would be taken away from us by computers. And here we are.
C
Right.
B
It did not work out that way.
C
I, for one, welcome our new computer overlords.
A
Techno-pessimism. Is techno-dystopianism... that's not a word, right?
B
Right. All right, interesting stuff. And we will have a link to that story in the show notes. Before we get to Joe's story, let's take a quick break to hear a message from our sponsor. And now back to our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are Allowlisting, Ring Fencing, and Network Control. Allowlisting is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans. All right, we are back. And Joe, it is time for you to share what you've got for us. Why don't you go ahead there?
C
I do want to say before we go on to my stories here, that what you were just talking about, the techno-pessimism. William Gibson nailed the techno-pessimism in the 80s and 90s. So if you read the Sprawl trilogy, very much like he accurately predicted a lot of what was going on here.
B
Oh, interesting.
C
Okay, so let's see. First, I want to remind everybody that the scammers' liturgical calendar has changed seasons. We are out of delivery and holiday fraud, and now it's time for tax scam season.
B
Oh goody.
C
Right. So keep an eye out on your inboxes for anything that looks like it comes from the IRS. It probably doesn't. Unless you have a way to communicate with the IRS on a regular basis, they're going to send you letters. Read those. Open them. They will come on official letterhead and they will always ask you for money in the form of checks. They will never say, send me cryptocurrencies. Send me gift cards. That is not how you pay the IRS.
B
No.
A
Yes. No.
B
Okay.
A
Not yet.
C
That's right.
B
Well, didn't we have a when we had a listener write in was it last show who talked about how you could pay some state taxes to pay with cryptocurrency?
C
Yep.
B
This does not seem like a good thing to me.
C
Ultimately, if you have that option, don't do it. Just don't, don't encourage them. Don't encourage them.
B
Right, right.
C
Exactly right. Don't encourage them. And you know, maybe. Never mind. I was going to say maybe somebody should try to go in and defraud the governments. But don't do that, don't do that. Just try to get them to give your private keys.
A
Really?
C
And wow. Yeah, don't of course, shouldn't ever do that idea. But I mean, can you imagine what, can you imagine that? Use case.
B
Right.
C
Or that, that, that, that. What's the threat model? That threat model. That's the one I'm thinking. I'm not used. You know, you have a government that actually collects money in taxes in crypto. And somebody goes, hey, I'll bet they're holding a lot of money in crypto. And I could sit there and get the, if I can, if I can socially engineer their, their crypto keys out of, out of somebody that works there, I can get the payments and then just forward them onto my wallet.
B
Yeah.
C
And be done with it.
A
And there's nothing you can do about it.
C
And there's nothing you can do about it.
A
Now send it to Hollywood. Joe, you've got a movie idea, right?
C
That's a very short movie. That's pretty much it. My story actually comes from the BBC and the headline is Madoff Fraud Victims Get $4.3 Billion as Fund Completes Payout. So it's talking about, most recently, there's the Madoff Victim Fund. Now let's recap. Bernie Madoff, you know who Bernie is. Everybody remembers Bernie Madoff. He died in prison in 2021. But back in 2008 or 2007, somewhere around that time, his Ponzi scheme, as it was called, which I think it accurately was called, or accurately was described as a Ponzi scheme, ran out of money and he couldn't pay victims or pay his investors anymore.
B
Right.
C
And it came to light that it was a Ponzi scheme. He wound up getting a 150 year sentence. Good for him. He didn't wind up serving nearly 150 years.
B
He showed them.
C
Yeah, he did. So yeah, he was only in prison from 2009 to 2021 when he passed away.
B
Okay.
C
So the latest payout being made from the victims fund, the MVF, the Madoff Victim Fund, is $131.4 million and will bring the grand total of money that's been paid to the claimants to about $4.3 billion. Now before people get upset and think about, you know, this is just rich people getting away with more stuff, there were 40,930 claimants, which means the average amount that people had invested with this Ponzi scheme was around $100,000.
B
Okay.
C
These were not big investors. These were people that probably had a sizable portion of their nest egg.
B
I'm.
C
I'm speculating here, but I can see where these were people who had a sizable portion of their nest egg put in this fund, and when this thing collapsed, they essentially lost all of it. But over time, over the last 15 years or so, the MVF estimates it has been able to recover 94% of what it's calling the victims' proven losses when they wrap up all the distributions here in this calendar year, 2025. So the downside is that, or the upside is, people are gonna get 94% of their money back. The downside is they've lost the 15 years of time on that money, which is the more valuable part to the investor.
B
Right.
C
Because, you know, by now that could have doubled once, maybe twice, depending on how you invested it properly.
B
Right.
C
So it's not. People are not getting back everything they've been robbed that has been taken from them here, but they are getting back their initial investments, or at least most of it, it seems.
B
Huh. Have either of you ever been approached with anything resembling a Ponzi scheme?
C
Not a Ponzi scheme. No, no, no, not that.
A
Pon.
C
Somebody did send something in. And I didn't want to put it in here because it's all still in litigation right now. Maybe I'll talk about it once it goes through trial and the outcomes come out. But, you know, there's. You know, the idea of a Ponzi scheme is you start telling people that you're going to pay them some kind of astronomical return on your investment. And the funny thing is that usually what people are saying is, like, 8% return on investment, and there are investments out there that will pay that or better, that are legit, that you can just go out and buy. Now, they don't guarantee those kind of returns.
B
Right?
C
They're never guaranteed, but, you know, and of course, your investment can lose money. I'm not giving out investment advice on this podcast. I'm not qualified to do that.
A
Yeah, well, the benefit of being a millennial in this case is everyone I know is broke. So I've never been approached about financial stuff.
C
Yeah, that's. That's another thing. But the idea is they say, we're going to give you, like, 10% guaranteed returns every year, and then the entire scam relies on them being able to bring more people in.
B
Right.
C
Because the initial investors are not getting the 10%. They're just getting money that's being paid into the, into the fund given to them as, as, as dividends or returns or whatever.
B
Yeah.
C
And of course the, the, the way this works is the people who get in early actually don't get hurt as bad as. But the people who get in late are the ones that get, get hurt the most.
B
Yeah.
C
They lose just about everything.
B
I guess the closest to this is there have certainly been a lot of multi level marketing schemes over the years that.
C
Yes.
B
If, if not being this, they rhyme, you know. Right.
C
Well, yeah, pyramid schemes and Ponzi schemes are very, very similar. So actually I did, I did a little bit of a refresher on this. Pyramid schemes are, you know, the, what was the, the, the eight square or eight ball, the eight ball game, or the, you know, the airplane game where everybody pays $1,000 to get on an airplane if you're a passenger.
B
Yeah.
C
And then there's four levels. There's pilots, there's one pilot, there's two co pilots, there's four crew members, and then there's eight passengers.
B
Okay.
C
The eight passengers pay in and they all pay $1,000. So they give $1,000 and that all goes to the pilot who then takes the money and disappears. And then the passengers have to go out and find eight more passengers. They become crew members, the co pilots split the pyramid and they become pilots. So they get the next $8,000. And it sounds like it's great. Right. But if you do this 20 times, there's not that many people on the planet.
B
A dear friend of mine said once about multi level marketing. The problem with multi level marketing is that eventually you run out of friends.
C
Right, right. Very quickly, actually. Yeah.
A
Yeah.
B
Because it really does rely on that.
C
Yeah. And it alienates people. I mean.
B
Yeah.
C
Like I've talked about this. We have somebody in our family who is big in the multi-level marketing world. We don't talk to him anymore.
B
Right.
C
And I don't care if I ever see him again.
B
Right.
C
You know.
B
Yeah, it's, it's true. I mean it's, it's. And it can be sad. Yeah. I understand that. Avoidance, that's no fun.
A
Yeah.
C
So it looks at, looks like these, the people that got hurt in the Madoff scam are not, are getting made almost whole, although they have lost a lot of time.
B
Yeah.
C
And we'll put a link in the show notes to the story on the BBC.
B
I think it's remarkable how much they've gotten back actually.
C
Yeah. I'm impressed.
A
Yeah. I thought they were all ruined by this.
C
He had other assets. Yeah, he had other assets that they were able to collect on.
A
Wow, nice. Okay.
B
All right, well, we will have a link to that in the show notes. All right, Joe, Maria, it is time to move on to our Catch of the Day. All right, so our Catch of the Day comes from the scambait subreddit over on Reddit. This is called John Part 1. And it goes like this. Maria, this is you and me. I will start things off. Here we go. The person gets an out-of-the-blue text that says, hello, my friend, how are you doing today? And how's the weather conditions there?
A
Sorry, do I know you?
B
Nice connecting with you. I'm John by name.
A
Okay. Where are you from?
B
I'm from Portugal. Currently live in Denver, Colorado.
A
Oh, wow. So how do I know you? You called me friend.
B
Where are you from?
A
Do you always ignore questions? I'm from the UK.
B
Everyone is my friend, including you. I'm to meet new friend, chat and get to know you better.
C
Beautiful guy.
B
Beautiful country. You live UK people are not friends.
A
Until they know one another. Saying hello doesn't make you friends. And where in the UK have you been?
B
I have been to Manchester City. What city in UK do you live?
A
I don't live in a city.
B
So where do you live, if you don't mind?
A
I live in a small village.
B
Okay, that's cool. How's your family, your husband and kids? Hope all is well.
A
I don't have a husband or kids.
B
Do you live alone?
A
Yes, I live alone.
C
Does anybody else get really creeped out by that question?
B
Do you live alone?
A
I'm like, I would never answer these questions. My goodness.
B
Wow.
C
Like that one. Just don't do that. It's like there's somebody behind me waving a red flag and that's all I see.
B
Yeah, okay. I'm divorced. Have been divorced since two years now. I live alone. I don't have any kids.
A
Oh, why did you get divorced?
B
It was a long story, my friend. In everything that happened in the past, life goes on. You seem like a very nice and easygoing person. What do you do? I mean, what do you do for work, if you don't mind?
A
Well, it's also important to talk about these things. I'm an accountant. And you?
B
Awesome job. I'm a contract worker. I work as offshore. I do all types of constructions, building of oil rigs and pipelines.
A
Oh, wow. So you work for a large company right now?
B
I'm currently in Gulf of Mexico working as offshore. I has a contract here and have been here one month, three weeks and some days now.
A
I wasn't aware they were building more rigs there. How long will you be there for?
B
I will be here for more 30 days. My job is on progress. I will like to know more about you but I don't usually chat here due to my job. I don't know if we can chat in another platform. Get to know each other more better if you don't mind.
A
There it is.
B
Hopefully to meet you someday in person.
A
Oh, I have Google Chat.
B
Okay, let me have your Google Chat emailmail.com okay, I will text you on Google Chat. I sent you messages on Google Chat. Did you got my message on Google Chat?
A
Yes. Oh no, it keeps going.
B
Hello, it's me, John. Hello.
A
Hello. How are you?
B
I'm fine, thank you. How are you? And how's the weather conditions there?
C
So now he's just copying and pasting from the same part of the script.
A
Oh my God. Before I started over I'm fine and the weather is normal for the time of year. Can you send one photo please? Only one?
B
Okay. And it's a pretty nondescript, I'd say older gentleman with closely clipped graying hair. Looks pretty normal to me.
A
And then I send back.
B
Who knows what. I guess.
A
Yeah, thank you. We aren't teenagers so we don't need to send multiple pictures.
B
You look very much beautiful and attractive. So tell me more about yourself. How long have you been living alone?
A
I've lived alone for 18 months. I was with my ex partner for 17 years but he met and fell in love with a man. We are still friends though.
B
Well, I'm sorry about that. Where did you meet your man and how do you feel living alone all this months?
A
We met through mutual friends. I feel fine living alone. What about you?
B
Well, been lonely is kind of hard for me. Ever since I got divorced I've been single, living alone, trying to live my best life and be happy with what life offered me.
A
Don't you have friends?
B
Yes, I have friends, but they are all married. Do you live in rented apartment or a house?
A
You can rent a house or own an apartment. I own my house.
B
Okay. That's nice. Do you have neighbor that lives close to you and how many bedroom house? I own a two bedroom house with beautiful swimming pool on it.
A
Does it matter how big my house is? Is that important to you?
B
Not at all. Just that I'm interested to get to know you more. Hopefully to meet you someday in person. You seem like a Very nice and easygoing person with sense of humor.
A
Well, we can get to know each other, but the size of my home is irrelevant to that. So have you been on any dates lately?
B
No, I haven't. How old are you? If you don't mind, I am 59.
A
And you? Goodbye.
B
Sorry, my friend. I have been very busy with work here. I'm 67 years of age.
C
No, he's not.
B
I always got busy with my job. I text whenever I'm free and less busy with things here. Hello, how are you?
C
How's the weather?
A
Yes, that's why you read my what is happening? Yes, that's why you read my message and didn't reply.
B
I'm sorry about that. How are you doing today? And how's your night? Hope you slept well.
A
I'm fine. And you?
B
I'm fine, thank you. What's the time where you live and what are your plans?
A
Geez, it's 9:44. I'm just staying home. And you? Man, you're in danger, girl. What are you doing?
B
Okay, same here. All right, we're going to wrap this up. This is long. Goes on forever.
C
So this is like someone's first day on the job at the romance gaming factory.
B
Yeah. Wants to make an impression on the boss, right? Just hanging in there for ages. I'm just scrolling through here, trying to get to the end. So here's the last page. We'll start here. He says, I have been with my job. Besides, I made a promise to myself that I will navy settle for less. And I pray and hope to meet my soulmate someday and retire from my job so my family can. Enough of my time. I'm not getting any younger and don't want to die single.
A
Have you ever dated a man?
B
Ever since I got divorced, life hasn't been easy for me. Living alone without a woman to call my soulmate. Why should I date a man?
A
I'm just asking you.
B
I can't date a man. And then it ends. So I think you found this scammer's kryptonite. Whatever.
C
Right?
B
Whatever. After. Oof.
C
That was long, arduous.
B
It was.
A
Why do they want to know how many bedrooms this person has in their house?
C
That might be. Actually, that might be a way that they can gauge how much money the person has. So they decide whether or not they want to continue on with the scam.
A
Right.
C
You know, they say I live in a house. Bedrooms. Right? Yeah.
B
Yeah, Right. I rent a studio apartment and I'm barely getting by.
C
Right.
B
They're not gonna spend as much time with someone who says, you know, I've never counted the number of bedrooms in my house.
C
So many. My dead husband has so much money.
B
The servants tell me there are wings to the estate that I have yet to visit. So I'm looking for some weird voice.
A
Coming from the attic, some wailing.
B
That's right. There's a room. I know there's a room on the other side of the campus where we keep all of the gold, but I've never actually visited it.
C
I've heard it's very bright in there.
B
That's right. It's right next to the diamond vault.
A
Sometimes I do giant leaping jumps into it and go swimming in the gold.
B
That's right. Yeah. Are you familiar with Scrooge McDuck? All right, that is our Catch of the Day. Of course, we would love to hear from you. If there's something you'd like us to consider, hopefully something shorter, please email us. It's hackinghumans2k.com. Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com. That is our show. We want to thank all of you for hanging in there. Brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandy and Karp. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Episode Title: Nice to meet you, I'm a scammer.
Podcast: Hacking Humans (N2K Networks)
Date: November 27, 2025
Theme: Deception, Influence, and Social Engineering in Cybercrime
This Thanksgiving encore episode invites listeners into an engaging and in-depth examination of the various ways scammers operate in the modern world. Hosts Dave Bittner, Joe Kerrigan, and Maria Varmazes break down current scams and controversies, from the Honey browser extension scandal to romance scams and the fallout of the Madoff Ponzi scheme. The show blends practical cybersecurity advice with witty banter, delving into social engineering tactics and the persistent threat of online deception.
The Catch of the Day is an extended, humorous dramatization of a real "romance scammer script" from Reddit's scambait community. The scammer ("John") attempts to cozy up using formulaic lines, dodges personal questions, probes for details such as whether the target lives alone and how large their house is, and ultimately tries to move the conversation to Google Chat, all classic signs of a romance scam.
The hosts combine humor, banter, and deep skepticism with practical security wisdom. There are comic detours and candid assessments of the modern internet's pitfalls, providing both laughs and sobering reality checks for listeners.
For further reading, listeners are encouraged to check the show notes for direct links and resources referenced by the hosts.