Loading summary
Transcript317 lines
- [00:02]
Dave Buettner
You're listening to the Cyberwire Network, powered by N2K.
- [00:15]
Joe Kerrigan
Hello, everyone, and welcome to N2K, CyberWire's hacking humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner and joining me is my co host, Joe Kerrigan. Hey there, Joe.
- [00:31]
Maria Varmazes
Hi, Dav.
- [00:32]
Joe Kerrigan
And our N2K colleague and host of the T Minus Space Daily podcast, Maria Vermasis. Hello, Maria.
- [00:38]
Dave Buettner
Hello. Hello.
- [00:39]
Joe Kerrigan
We've got some good stories to share this week and we'll be right back after this message from our show sponsor.
- [00:50]
ThreatLocker Sponsor
And now a few thoughts from our sponsors. At ThreatLocker, the tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ring fencing has your back.
- [01:17]
Joe Kerrigan
All right, let's jump right into some follow up here. Joe, you want to take the honors here with this message?
- [01:25]
Maria Varmazes
Sure. This is from Kaylee, who says, I wanted to thank Maria and follow up on the request regarding the toll scams from last week's episode. Thank you for including my last email on your live show in Orlando, which I missed a few weeks ago.
- [01:41]
Joe Kerrigan
I'm sorry, I'm still bitter.
- [01:43]
Maria Varmazes
I am. I wish I could have gone to Orlando.
- [01:45]
Dave Buettner
Yeah, next time.
- [01:47]
Joe Kerrigan
It was awesome.
- [01:47]
Maria Varmazes
I'll bet it was cool to hear my name on the episode. Well, here you go again, Kaylee. It's going to be on the episode again. You were asking about the toll scam. I am an active duty naval officer living in Virginia. I have an easy pass that I use every day. However, my permanent residence is in Florida. Now, if you're active duty military, you are not required to change your driver's license when you change residence. You can keep whatever state you live in. Like if you in Maryland, you have to change your driver's license within 30 days of moving into the state. You have to have a Maryland. If you're military, you do not have to do that.
- [02:23]
Joe Kerrigan
Okay, so.
- [02:23]
Maria Varmazes
So she is a permanent resident of Florida. I have a Florida driver's license and phone number. The toll scams I receive are not from my own E Z Pass, but from the Florida version, the Sun Pass. This is interesting. I know this toll program from growing up and seeing the Sun Pass lanes. My family did have one at one point, but it was never under my name. I believe they are using my Florida phone number for the scam. Since I haven't lived In Florida since 2018, I would include the text message, but I always delete them immediately and just mark as spam. Which is a good practice, I believe.
- [02:58]
Joe Kerrigan
Yes, I do the same.
- [02:59]
Maria Varmazes
Seems the scammers haven't figured out who actually has the toll passes, just phone numbers. And I hope this helps your investigation.
- [03:08]
Dave Buettner
Thanks, Kaylee.
- [03:09]
Maria Varmazes
Yeah, that is interesting. What is interesting is I would like to know if Kayleigh is getting these when she uses a toll road. Yeah, like if Kaylee gets on an easy pass toll road, does she get a Sun Pass text message?
- [03:24]
Joe Kerrigan
Right, right.
- [03:26]
Maria Varmazes
I'd like to know the answer to that question.
- [03:27]
Joe Kerrigan
Yeah.
- [03:28]
Maria Varmazes
So Kaylee, if you're listening, here's another.
- [03:31]
Joe Kerrigan
Opportunity for you to hear your name on the show again.
- [03:33]
Maria Varmazes
Right.
- [03:34]
Dave Buettner
I'm still getting the E Z Pass spam and every time we're on the show it changes its iteration. And now I'm getting a really lazy one. I included it in the script for you both to look at it, but for our listeners it's just, just an image of the text now that says your vehicle has an unpaid toll with a bunch of just garbage letters afterwards and a link that I don't want to know if it works or not, but it doesn't look like a real link. So I, I don't know, it's evolving into something just really messy and strange. Now I can tell you that I have not received it after going on a toll road. I've been getting them at really random times. But that's just anecdote from me personally.
- [04:11]
Joe Kerrigan
Yeah, yeah. All right, well, very interesting. And we continue to gather little pieces of this puzzle. So Kayleigh, we appreciate you writing in and to our listeners, if there's some particular piece of the puzzle that you believe you have, you can write us. It's hackinghumans2k.com all right, let's jump right into our stories here. I have a story from the folks over at Palo Alto Networks, very well known cybersecurity company. Their research team is called unit 42 and yes, it is a homage to Hitchhiker's Guide.
- [04:48]
Maria Varmazes
Excellent. I did not know that.
- [04:50]
Joe Kerrigan
Yeah, I know that because our former Cyberwire colleague Rick Howard, who has since retired, but Rick started unit 42 and he named it after the Hitchhiker's Guide. So I have it on, you know.
- [05:06]
Maria Varmazes
First account, firsthand knowledge.
- [05:07]
Joe Kerrigan
Firsthand knowledge, that's right. That's where it comes from. All right, so they recently did some research about some fraud that was going on on crypto platforms. So they've uncovered this large scale operation that involves thousands of fraudulent cryptocurrency investment platforms. And the scams are cleverly designed to mimic well known brands, cryptocurrency exchanges, and even like back during the Paris Olympics, they were using the branding of the Paris Olympics to lure unsuspecting victims in. So what they do, they develop both websites and Android apps for these fake investment platforms. Now what's interesting is the apps are not available on the official app stores and Palo Alto speculates that this is likely to avoid detection and removal so they don't have to go through app review. So once users are drawn in, they're enticed with promises of extraordinarily high returns on their investments. One scheme offers a daily return of $3 on an $11 investment. That is a 27% daily return, which compounds to an annual ROI of over 2,600%. Please sign me up.
- [06:22]
Maria Varmazes
Yeah.
- [06:24]
Dave Buettner
Oh my God.
- [06:27]
Joe Kerrigan
Palo Alto says these figures are not just unrealistic, they're downright impossible.
- [06:31]
Maria Varmazes
Right?
- [06:32]
Dave Buettner
Yes.
- [06:34]
Joe Kerrigan
So these operations are primarily targeting individuals in East Africa and Asia. So far they're utilizing telegram groups to communicate with their victims and there seems like they're trying to foster a sense of community along with legitimacy. Palo Alto says these are very similar to Ponzi schemes, encouraging people to recruit each other through multi level affiliate programs. From a tech point of view, they're finding consistency in the website and app design, which suggests the use of a toolkit which lets them create these platforms really quickly. And they say the domains associated with the scams are predominantly registered in Singapore, often through registrars with lenient policies. Shocker. Right?
- [07:25]
Maria Varmazes
Yeah. I got to find out who these people are, these.
- [07:28]
Joe Kerrigan
Why you have some domains you want to register people to follow up on.
- [07:34]
Maria Varmazes
That's right.
- [07:34]
Dave Buettner
For chicken business or what are you doing?
- [07:37]
Joe Kerrigan
Business. All right. His black market egg business.
- [07:43]
Dave Buettner
Yeah. That's good money right now.
- [07:45]
Maria Varmazes
That's right, yeah.
- [07:46]
Joe Kerrigan
Now's the time. Palo Alto says to further obscure their operations, they're using free HTTPs certificates and they're using domain fronting via popular public cloud services, which makes it hard to track where they're actually coming from.
- [08:02]
Maria Varmazes
Interesting.
- [08:04]
Joe Kerrigan
So the bottom line here is Palo Alto saying, if you're going to invest in cryptocurrency, be vigilant.
- [08:11]
Maria Varmazes
Right.
- [08:11]
Joe Kerrigan
Be careful. There's so much scamming going on in crypto, which is not to say that it's completely useless, but I'd say the ratio of Scams to legitimate businesses is out of whack and certainly makes me shy away from it.
- [08:27]
Maria Varmazes
Absolutely.
- [08:28]
Joe Kerrigan
I, I suppose probably both of you feel the same way.
- [08:31]
Maria Varmazes
I have crypto. I keep some crypto.
- [08:33]
Joe Kerrigan
Yeah.
- [08:33]
Maria Varmazes
I have some in my own personal wallet.
- [08:35]
Joe Kerrigan
Okay.
- [08:36]
Maria Varmazes
And then I also have some in an exchange.
- [08:38]
Joe Kerrigan
Okay.
- [08:38]
Maria Varmazes
But it's not a lot.
- [08:39]
Joe Kerrigan
Yeah.
- [08:40]
Maria Varmazes
You know.
- [08:40]
Joe Kerrigan
Yeah. I've never dipped my toes in that world. Have you had any curiosity, Maria?
- [08:46]
Dave Buettner
I've, I think I've mentioned this a few times. I, I have family members who are very, very into crypto. So I actually received. Yeah, I have. I've received money crypto specifically for my wedding and the birth of my child. And it was like, oh, that's very nice. And I actually received the money for my daughter on an open dime USB wallet. It was really fascinating to learn about all that. And I pretty much immediately cashed out. I was like, you know what? This is really cool. Like, the geek in me is kind of fascinated to learn more about this.
- [09:17]
Joe Kerrigan
Right.
- [09:18]
Dave Buettner
But I'm. When it comes to my finances, I'm. I'm sort of like, I don't want to be doing too much work. Yeah. So I'm just like, yeah, I'm good, thanks. I'll just make this something I can understand more easily and let it be.
- [09:30]
Joe Kerrigan
Yeah.
- [09:31]
Dave Buettner
Yeah.
- [09:32]
Joe Kerrigan
All right. Well, this is an interesting bit of research here again from the folks at Palo Alto Networks, unit 42. So we will have a link to that in the show notes. That's my story for this week. Maria, you're up next. What do you got for us?
- [09:45]
Dave Buettner
Well, I was, I was a little conflicted about doing the story. It's a gold bar scam and we've covered them a lot. But I think the reason this one is hitting home for me is because it quite literally is in my backyard. It's in Newton, Massachusetts. And this was a 72 year old woman who was just scammed out of an unbelievable amount of money. And this scam just happened in the last couple, like two months. So as much as we talk about them on the show, I, I think the broader public, this message has not really gotten through yet. So if anything, please talk to your families about this, people who are listening, because clearly there's a lot more work to be done. So here is the story. This started, actually this past December. The victim in this case, she received a call, as we've often heard, someone pretending to be in a D A agent, and they told the victim that there were 22 fraudulent bank accounts in her name. Totaling $2 million in illegal drug transactions. This should all sound very familiar to our listeners. She understandably denied that these were hers. So the agents very helpfully came up with a solution because they wanted to be helpers. Right. That's great. And they said the solution to stop this ID theft in progress was for her to transfer all of her assets to the US treasury for safekeeping. And then she. And then she would be giving. I know. And then she would be given treasury checks to secure what she had transferred. So it's like, we'll hang on to it for you. Will give you these checks as sort of a guarantee that this is real. So, you know, there's definitely no scam here. And of course, just in case that wasn't enough, there was also a threat that if she didn't do all this, she'd be arrested by the FBI. So, Right.
- [11:20]
Maria Varmazes
There's the fear.
- [11:21]
Dave Buettner
There's the fear. So it's like they're going to help you, but also you have to do this so you don't have an out. And then there was, as we've often talked about on the show, there was a second caller, there was a second scammer that followed up with her opposing, in this case, as a US treasury case manager, who then convinced her to convert her money into gold bars as part of the whole asset securing scheme, after which her Social Security number would be changed. Yay. Because it had been her previous one had been used in ID theft. Right. And her money would be given back and all would be well. So over the next month, she did as she had been instructed. She drained her retirement funds entirely. And again, she's 72, so she needs this money right now.
- [11:59]
Maria Varmazes
Right.
- [11:59]
Dave Buettner
And she bought and personally delivered 15 gold bars worth over $430,000 to careers. And she also wired nearly $50,000 to a scammer's bank account directly. And all in all, back of the napkin math, she lost nearly half a million dollars in this scam.
- [12:15]
Joe Kerrigan
Wow.
- [12:16]
Dave Buettner
Just. Just in the last three months. And to keep the scam going and to make sure that the victim didn't have any doubts that this was a scam or that it wasn't a scam. Yeah, that it wasn't a scam. The scammers also sent her fake images of the supposed treasury checks that were guaranteeing that her money was safe. You know, saying, like, it's all. Here it is. Here's. It's legit. Here are those checks that are guaranteeing you. So by chance, the victim's family found out about this and they thankfully immediately contacted law enforcement. Investigators set up a sting with an undercover officer posing at the victim arranging a fake gold delivery. We've heard a lot of stories like this before and it ends up that a 23 year old from Queens, New York named Vishal Kumar showed up to collect the package of gold bars, confirmed the secret code word and was arrested on the spot. And just for insult to injury, the US Secret Service confirmed that the treasury checks were counterfeit. So they the suspicion is that Kumar was definitely not acting alone. There were probably a bunch of other co conspirators he worked with. He has been himself indicted on multiple charges by the Middlesex county da including extortion and conspiracy. And right now he's being held in lieu of half a million dollars of bail, considering he probably had access to at least that much money. So yeah, I heard this story and my heart broke because again, we've covered these kind of gold bar scams a lot and I know we sort of chuckle like, oh my gosh, how does anyone fall for this? But gold bars right now are also a lot in the news as a place to sort of park your money with all the market inconsistency and uncertainty. So I, I think this is definitely like, please talk to your families about this one because I think a lot of people are going to be falling for this even more than usual. So this one's half a million. My God.
- [13:59]
Maria Varmazes
When I see those gold commercials on tv, I immediately think it's time to sell gold, not buy it. If you hold gold, it's time to sell it and cash in. Because I've got this deeply seated suspicion about, about things like nobody wants to sell you gold for your benefit, they want to sell it to you for their benefit. So when do you sell for your benefit? When it's high and you think it's going to go down. So if you can convince somebody to buy the gold when it's high and then it goes down and then you can buy the gold back with your, with the money you got and you buy more gold.
- [14:36]
Dave Buettner
It's a pump and dump scheme.
- [14:37]
Maria Varmazes
It's almost like a pump and dump scheme.
- [14:39]
Dave Buettner
That's what it is. Yeah. I mean, and we're hearing a lot of chatter about gold right now again. So a lot of people are looking into it for all sorts of, you know, fear, uncertainty and doubt type of reasons. Those I don't are not related to this kind of a scam. This is a totally different thing. But I just think gold is on a lot of people's mind. It goes cyclically, doesn't it? Because I remember some years ago, there was this whole thing about gold all over again. So. Oh yeah, it happens every.
- [15:03]
Maria Varmazes
Every couple of years, 10 years. Market gets volatile, people go, oh, you should buy gold.
- [15:08]
Dave Buettner
Yep.
- [15:08]
Joe Kerrigan
I just did a Google search that for where does one buy gold bars? Because I have no idea where to.
- [15:14]
Dave Buettner
Buy a gold bar on the Interwebs.
- [15:17]
Joe Kerrigan
Do either of you have any idea where to buy a gold bar?
- [15:19]
Maria Varmazes
No clue. What is the Google search?
- [15:21]
Dave Buettner
I would hope that the search engine, if it was half responsible, would say, maybe don't do this because you're probably being scammed, but that's asking too much.
- [15:28]
Joe Kerrigan
Well, so the first result was buy gold bars online from JM Bullion, not.
- [15:35]
Maria Varmazes
Buying gold bars online.
- [15:36]
Dave Buettner
JM Bullion. I trust that name implicitly.
- [15:40]
Joe Kerrigan
Gold bars for sale. This was. Oh, you can buy gold bars over the phone through U.S. money Reserve's website. U.S. money Reserve. That sounds familiar. Or official, rather.
- [15:51]
Maria Varmazes
How does every one of these. Is there one that doesn't sound like it's just a total scam?
- [15:55]
Joe Kerrigan
Well, I will say to Google, I'll give Google partial credit on this because the second link in the list is actually from CBS News.
- [16:04]
Maria Varmazes
Okay.
- [16:05]
Joe Kerrigan
And it says where to buy gold bars and coins and it says some banks have them. Ah, there are physical or precious metal retailers. You can get them.
- [16:17]
Maria Varmazes
See, here's another one of my concerns.
- [16:20]
Joe Kerrigan
Yeah.
- [16:21]
Maria Varmazes
How do you know that when you go to some of these places and you buy a bar of gold that you're actually getting what you're paying for?
- [16:27]
Joe Kerrigan
Right.
- [16:28]
Maria Varmazes
Let's assume that you're going to get a good deal on the gold. That's it's going to be market price plus 0.1%. Right. That's the precious metal. Metal dealers guy. How do you know that what is stamped on that gold bar is factual?
- [16:40]
Dave Buettner
You bite it.
- [16:41]
Maria Varmazes
You bite it.
- [16:43]
Joe Kerrigan
Yeah, exactly.
- [16:44]
Dave Buettner
That's what everybody does.
- [16:45]
Joe Kerrigan
Like Yukon Cornelius, right? Well, yes. I was coming at it from a slightly different point of view, which is that I would have no idea because I know nothing about gold and I know nothing about how buying and selling gold works, that I would be walking into any of these transactions with a huge sign on my forehead that says sucker, Right? Yeah, I don't know any of the questions to ask. I don't know. You know, they'd say, oh, well, we have to add on this service fee. And I'd be like, okay, so gold.
- [17:17]
Dave Buettner
Supposed to sound like this when you drop it on the table. That's how you know it's real. I mean, how would you know if that's true or not? Yeah, I wouldn't. Yeah, yeah.
- [17:24]
Joe Kerrigan
No, I feel like it's a lot like, well, buying or selling anything you don't know anything about. I'd feel the same way about jewelry. Yeah.
- [17:32]
Maria Varmazes
Oh, yeah.
- [17:33]
Dave Buettner
I feel that way about crypto.
- [17:34]
Joe Kerrigan
Right?
- [17:35]
Maria Varmazes
Crypto.
- [17:36]
Joe Kerrigan
Perfect. Yeah.
- [17:37]
Maria Varmazes
That brings up a conversation. My father in law. Father in law. My wife and I had one time when my wife was selling jewelry. She said that they can't put a. A stamp on it for a different karat weight than the gold actually is. So if you're buying 14 karat gold, it has to be 14 karat gold. And if it's stamped 14 karat gold, you can have faith that it's 14 karat gold because they can't stamp it without any other way.
- [18:00]
Joe Kerrigan
They being the licensed dealer of jewelry.
- [18:03]
Maria Varmazes
Well, we don't know who they are. And my father in law and I looked at each other and we're like, yeah, sure they can. Anybody can do it. I can go out and make a stamp that says 24 karat gold and put it on any piece of metal I want. And she's like, no, you can't do that. I'm like, I absolutely can't do that. Stop.
- [18:23]
Joe Kerrigan
You get me a bar of gold and a blowtorch. Watch me work.
- [18:27]
Maria Varmazes
My father in law and I both had that adversarial hacker way of thinking. And my wife was like, no, no, this is the way the system. I'm like, we'll break the system. We'll break it.
- [18:35]
Joe Kerrigan
Right?
- [18:36]
Maria Varmazes
So, yeah, I don't trust. I trust gold. You know, I mean, I guess I don't trust gold less than I trust crypto, but I really don't know how I would trust that I'm buying a real bar of gold, not something filled with some lead or some other lead and something else that would weigh the same amount as a bar of gold. Right, right.
- [18:53]
Dave Buettner
And there's a thing called pyrite.
- [18:55]
Maria Varmazes
Pyrite.
- [18:57]
Dave Buettner
There you go.
- [18:57]
Maria Varmazes
Yeah. How do I know I'm actually getting gold? Not something that looks like gold.
- [19:02]
Dave Buettner
This story goes back hundreds of years.
- [19:04]
Maria Varmazes
Hundreds of years.
- [19:05]
Dave Buettner
Honestly?
- [19:06]
ThreatLocker Sponsor
Yeah.
- [19:07]
Dave Buettner
Oh, my goodness. What's old is new again.
- [19:10]
Joe Kerrigan
That's right. All right, well, we'll have a link to that story in the show notes. I mean, I guess the hope here is that since they did nab a bad guy, that maybe there's a slim chance that she gets some of her money back here's. Hoping.
- [19:21]
Maria Varmazes
Yeah. Maybe they can get him to sing a little bit.
- [19:25]
Joe Kerrigan
Right.
- [19:25]
Dave Buettner
Yeah. In case people don't know that the place that she's from, it's considered a very wealthy, educated town. So I just. To me, this is like a classic example of, you know, really, anybody can fall victim.
- [19:37]
Maria Varmazes
Anybody can fall for it.
- [19:38]
Joe Kerrigan
Right, right, right. It's a banana. How much could it possibly cost?
- [19:43]
Dave Buettner
$10.
- [19:45]
Maria Varmazes
$10?
- [19:47]
Joe Kerrigan
Oh, my goodness.
- [19:48]
Maria Varmazes
We've all seen the show.
- [19:50]
Dave Buettner
Oh, it's one of my absolute favorite shows.
- [19:52]
Maria Varmazes
It's a great show.
- [19:53]
Joe Kerrigan
We're gonna take a quick break here, but hear a message from our sponsor before we get to our next story. We'll be right back.
- [20:04]
ThreatLocker Sponsor
So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, Threat Locker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust endpoint protection platform deploys in a learning mode that analyzes the operations of your company using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show.
- [21:15]
Joe Kerrigan
All right, we are back, and Joe, it is your turn. What do you got for us?
- [21:18]
Maria Varmazes
So the first thing I wanted to talk about was I saw an ad on Facebook that caught my attention was an AI ad with Kelly Clarkson. Oh, and apparently Kelly Clarkson has lost weight recently. And this ad was capitalizing on that. And they had fake interviews of Kelly Clarkson. And I noticed it was AI because of the cadence of the speaking. I'm like, this is obviously. And I don't know what Kelly Clarkson sounds like, but she's interviewing with Whoopi Goldberg. And I do know what Whoopi Goldberg sounds like. It sounds just like Whoopi Goldberg. And they're talking. But in this video, in this video, Kelly Clarkson has the sentence, it's obviously not Kelly Clarkson. She says, when I had all that weight and I was unattractive, which I thought I don't Think anybody would say that about themselves, Especially not someone who's famous. And I was just like, this sounds like it was written by someone whose native language is not English. And it was. I mean, there were. There are all kinds of different tells about this, but I. I was. I watched that ad for probably about 45 seconds. I was engrossed because it was AI slop.
- [22:28]
Dave Buettner
And you.
- [22:29]
Maria Varmazes
Just because it was AI slop. Right. I couldn't look away.
- [22:31]
Joe Kerrigan
Yeah.
- [22:31]
Maria Varmazes
So they got me with that.
- [22:32]
Dave Buettner
Right, they got you.
- [22:34]
Maria Varmazes
Anyway, my story actually comes from Carla Basu at the BBC. That's the British Broadcasting Corporation. And this was a new one for me. It's called a whiskey cask scam. Do you like whiskey, Dave?
- [22:47]
Joe Kerrigan
I do.
- [22:48]
Maria Varmazes
What kind of whiskey is your favorite?
- [22:50]
Joe Kerrigan
Oh, I would say if I'm going to enjoy, casually enjoy some whiskey, I will pour myself a couple fingers of Maker's Mark.
- [23:00]
Maria Varmazes
Maker's Mark. That's a bourbon. Oh, that's a whiskey. Bourbon is a whiskey.
- [23:04]
Joe Kerrigan
Okay. So.
- [23:05]
Maria Varmazes
Yep, that's right. So apparently in the UK you can buy a cask of whiskey when it's been made.
- [23:17]
Joe Kerrigan
Yeah.
- [23:18]
Maria Varmazes
And the idea is that you will sell it after it's aged for anywhere for at least three years. So in this one, they're talking particularly about scotch, because in order for something to be considered Scotch, it has to be aged in a barrel for at least three years.
- [23:34]
Dave Buettner
Yep. But they call it whiskey. They don't call it scotch.
- [23:38]
Maria Varmazes
The scotch call it whiskey.
- [23:40]
Dave Buettner
No, they call it whiskey. Yeah, yeah, yeah, Right.
- [23:43]
Joe Kerrigan
Chinese call Chinese food. Food.
- [23:44]
Maria Varmazes
Right, Food.
- [23:45]
Dave Buettner
Yes, they call it whiskey.
- [23:47]
Maria Varmazes
But here in America, we call it Scotch.
- [23:50]
Joe Kerrigan
Yeah.
- [23:50]
Maria Varmazes
My son in law is a big fan of the Isla scotches, the really peaty ones.
- [23:55]
Joe Kerrigan
Okay.
- [23:55]
Maria Varmazes
And I like pretty good Islay. Is that what it is? I thought it was Isla.
- [24:00]
Dave Buettner
You know what? I think I'm gonna be kicked out of Scotland. I honeymoon in Scotland because I love whiskey so much, so.
- [24:05]
Maria Varmazes
Okay.
- [24:06]
Joe Kerrigan
Wow. New detail dropped on Maria. All right. Very good. Yes.
- [24:11]
Dave Buettner
Didn't do the beach because I'm from Greece, so it doesn't make sense. I went to Scotland instead.
- [24:17]
Maria Varmazes
Well, one of the. One of the victims in this story, her name is Allison Cox, C O, C K S. And she was initially. She bought a single Whiskey cask for £3,000. And everything appears to be legitimate. Now, if I'm going to buy a cask, the first thing I want to know is what kind of cask are you buying? This is. This is Joe talking here. Because I did some research and casks come in Multiple sizes. Like there's a pin, a firkin, a kilderkin, a barrel, hogshead, butt and ton. So when you hear the term butt ton, that's actually referring to cask sizes? No, it's not a fun ton of beer. It is.
- [24:58]
Dave Buettner
No, there's no way.
- [25:00]
Maria Varmazes
I am not joking with you. I know that tun is, is. Is like the biggest container of things. Cause like when you go into a brewery, they have like the mashed tun and the bright tun and that's 216 gallons. But a butt is 108 gallons and then a hogshead is 54 gallons and a barrel is only 30, 36 gallons, which is different from the. A barrel of oil. What about a 45 gallon?
- [25:23]
Dave Buettner
Just kidding. I don't know. I'm just throwing.
- [25:24]
Maria Varmazes
That's a measure of depth.
- [25:25]
Dave Buettner
I just throw it. Just words out.
- [25:28]
Maria Varmazes
I know. Anyway, you don't. It doesn't ever say in this article what size of cask people were buying. So I don't know if $3,000 is a good. A good deal or not, but I did a little poking around and you can buy a 55 gallon drum of ethyl alcohol here in the US from a chemical supply company and it will cost you around $3,000.
- [25:51]
Joe Kerrigan
Okay. And that'll be one heck of a party.
- [25:54]
Dave Buettner
Slight difference. Slight difference.
- [25:57]
Maria Varmazes
It's not that much of a difference, actually.
- [25:59]
Dave Buettner
Well, art and science there, man.
- [26:02]
Maria Varmazes
Right. So if you wanted to make vodka, and I'm pretty sure a lot of the vodka is out there, you could just buy this alcohol, cut it down from 95% alcohol by volume down to 40%, put it on a shelf as vodka. Because vodka is not aged whiskey. It's all about the process. Right. So. Yeah, you're right, Maria. Like making, making scotch whiskey is going to be. You're not going to make scotch out of this alcohol you get from, from the science lab.
- [26:28]
Dave Buettner
I would like to see someone try, but I would not drink it because I like my, you know, to not be dead.
- [26:33]
Maria Varmazes
Right, right.
- [26:34]
Joe Kerrigan
You like having your vision.
- [26:35]
Maria Varmazes
Yeah. Right. Yeah. The price. The price of. Of Ms. Cox's original cask was £3,000. And she was given certificates and the company provided an online portal where she could track her investment. And her port, her portfolio seemed to grow, at least on paper.
- [26:55]
Joe Kerrigan
So let me understand here. So she bought a cask, but the cask stayed at the facility.
- [27:02]
Maria Varmazes
You don't take delivery of it. They give you a place where it is and a number on it.
- [27:06]
Joe Kerrigan
Okay, I'm with you.
- [27:08]
Dave Buettner
All right.
- [27:09]
Maria Varmazes
She then proceeded to buy three more casks for around £100,000. And when she said, okay, I think I've made enough money here, I want to start selling, that's when these people stop talking to her. They were avoiding her telephone calls and she says she was really panicking. So she starts doing some investigation of her cask. And on one of her certificates it says an address of where the cask is stored, allegedly. So she contacts the warehouse and they say, no, your casks are not here. She was told by independent whiskey valuers, apparently that is a job that you can have that she paid five times what the barrels were actually worth. So one of these barrels she paid 49,000 doll for or pounds. Pounds. £49,500. And she found out that cask actually does not exist. This is a scam being run by this guy that calls himself Craig Arch. But the BBC investigated and found out his name is actually Craig brooks. Who In 2019, he and his brother were jailed for a $6.2 million fraud where 350 victims were cold called and convinced to invest in carbon credits or rare earth metals. So this guy has been doing this for a long time now. I've never understood the idea of buying and trading carbon credits. Never got it. I mean, the rare earth metals. I think I don't understand how you'd pitch that as an investment idea unless you're saying we're going to be mining metal. But I'll tell you, I've invested in a couple mining companies and it's never worked out for me. You know, I still have some of the shares, but they're almost worthless.
- [28:59]
Joe Kerrigan
You're underground on the mining company?
- [29:01]
Maria Varmazes
I am, that's right. So whenever somebody says, hey, I got some mining, mining idea, I'm like, I don't even want to hear it. I just been burned, you know, three or four times. Not for a lot of money, fortunately, but it's, you know, it's, it's still something that sits with me.
- [29:14]
Joe Kerrigan
Yeah.
- [29:15]
Maria Varmazes
Anyway, this guy Brooks has been in the uk, he has been disqualified, which means he can no longer. He's a disqualified director, which means it's illegal for him to run a company, but he's running this company. And so he's out. He's out there scamming people out of their money by pitching this, this, this with these whiskey barrels. There's a, there's a point in this story where they interview a guy that runs one of these is a, has a warehouse, a bonded warehouse. And he goes, I get Calls every day for people looking for their barrels saying that they've bought them from some scammer and nobody is. The barrels aren't here.
- [29:58]
Joe Kerrigan
Yeah.
- [29:58]
Maria Varmazes
Sometimes the barrels are sold multiple times. Right. So like, five people get the same certificate for the same barrel. Which kind of reminds me of the producer scam. But it's not like that because that at least would work if. If the show actually failed. But the. These are actually. You're selling the same thing to multiple people. That's just fraud. Right, Right.
- [30:19]
Joe Kerrigan
Well, but also, you're selling multiple things that don't exist to people.
- [30:25]
Maria Varmazes
Right? Well, sometimes. Sometimes they do exist.
- [30:27]
Joe Kerrigan
Oh, I see.
- [30:27]
Maria Varmazes
And they're, you know, and. But they're selling them three or four times. Okay, so. But yeah, you're right. Sometimes they just don't exist. They're not real at all. And then, of course, somebody is. They interview somebody here who is like Kenny McDonald, who is a legitimate whiskey cask broker, says that there were other good guys operating in the industry, but now it looks like there's a huge amount of people that are just profiteering from this, which is unfortunate. Who I feel for is the people in the story who have lost money. They're the ones that have really, really suffered. They have a terrible story in here about a woman who has terminal cancer and she's invested a lot of her money with this, and it's all essentially gone.
- [31:14]
Dave Buettner
Oh, my God.
- [31:16]
Maria Varmazes
I hope they take this guy and do the most British thing they can with him, whatever that is. This Brooks guy. If he's guilty, of course, it's all alleged, right?
- [31:26]
Dave Buettner
Yeah.
- [31:26]
Maria Varmazes
He's innocent until proven guilty, even in England. So that's my cheery uppy story today.
- [31:36]
Dave Buettner
Wow.
- [31:37]
Joe Kerrigan
I had a vague recollection that you could buy a barrel of whiskey from Jack Daniels. And I'm just poking around here, and sure enough, you can.
- [31:46]
Maria Varmazes
Is it like a real. Like you're buying the actual barrel from the distiller? From the. From the actual company?
- [31:51]
Dave Buettner
From.
- [31:51]
Joe Kerrigan
Yeah, from. Oh, no, no, it doesn't. It says. All right, so it says, can. Can anyone purchase a barrel? And it says, the single barrel personal collection program is available to those of legal age in most markets around the world. And then it says, do I get an actual barrel? Says, no, no. Though you will receive a barrel head to commemorate your purchase. As an optional. As an optional. Okay, editors. Jack Daniels. As an opt. Oh, no, no, they're actually right. As an optional additional purchase, you may have a barrel shipped to you from our Lynchburg hardware store. Okay. So I don't know what to tell you.
- [32:30]
Maria Varmazes
Yeah. That sounds like you're just buying a bunch of whiskey and then you can buy a barrel and you can say, hey, I bought all this. And you know, it sounds like Jack Daniels was just trying to capitalize on their name.
- [32:41]
Joe Kerrigan
Yeah. If I wanted to buy a barrel of whiskey, I want the barrel like I want some guy with a dolly to pull.
- [32:49]
Dave Buettner
Yeah. Load it up.
- [32:50]
Maria Varmazes
Show up at your house.
- [32:51]
Joe Kerrigan
Right, Exactly. And say, where do you want this?
- [32:53]
Maria Varmazes
Right.
- [32:53]
Joe Kerrigan
I'll say right here.
- [32:55]
Maria Varmazes
Right here, Right next to where I sit.
- [32:57]
Joe Kerrigan
Yeah. We're gonna tap this baby right here. It's gonna be a fun weekend, right? Yeah. Yeah.
- [33:03]
Dave Buettner
I don't. I guess I don't understand. What. I don't understand this. Like, why. Because what am I missing?
- [33:09]
Maria Varmazes
I. I get it if you. Here's the thing. If what, what, what, what gets me about this is, this is the business model for a lot of distilleries. Right. I'm going to make a barrel of, of ethyl. I'm going to make a bunch of ethyl alcohol with some process, and I'm going to dilute it with water and store it in a, in a, in a warehouse for a number of years. And then I'm going to sell that. Why would I sell it for, you know, £3,000, $6,000, whatever, when I first made it and let somebody else take the profits when I'm still gonna have to be storing it and everything?
- [33:42]
Joe Kerrigan
Yeah.
- [33:42]
Maria Varmazes
Why would I do that?
- [33:43]
Dave Buettner
I don't. Yeah, I'm sure somebody can explain this.
- [33:45]
Joe Kerrigan
But I think it's probably just that you can spin up a plausible story. People know that exotic drinks have value. People think that they're kind of hoity toity. They know that they take time. So you have a time element here where you can say to someone, plausibly, listen, this is an investment. We're gonna keep your money for X amount of time, and when it's done, you're gonna make this much profit. And so they take the money and they run. But the person they take the money from, because there's this time component, they're not expecting their money back anytime soon.
- [34:26]
Maria Varmazes
Right.
- [34:26]
Joe Kerrigan
So by the time they start asking questions, presumably the scammer's long gone. Yep, that's my take on it.
- [34:32]
Maria Varmazes
I get how the scam works. Yeah, 100%. I mean, I see how the scam works. My question is, why would any. But why are there actually legitimate versions of this?
- [34:40]
Dave Buettner
That was. Yeah, that's my question too. But I'm looking at Their website. I'm like, okay. I guess it's one of those. Not for me.
- [34:47]
Maria Varmazes
Yeah. Like, why does Jack Daniels sell a barrel of its own whiskey?
- [34:50]
Joe Kerrigan
Yeah.
- [34:51]
Maria Varmazes
Instead of just bottling it and selling it that way, that's gotta be more profitable.
- [34:54]
Joe Kerrigan
Yeah.
- [34:55]
Dave Buettner
So I'm looking at the why you would do this is you. You can auction it. So I guess if you feel like maybe this was a particularly good year, you can. Maybe you can buy a cask as an investment and say, you know, this is going to be worth a lot more once it's aged.
- [35:08]
Maria Varmazes
I suppose that is a very speculative investment.
- [35:11]
Dave Buettner
It sure is. You can bottle it yourself. They can sell it for you. You can sell it privately. So some people, I mean, I can understand being like, I want to buy a cask, and that way I can have this, you know, to divvy up for my friends and family. But as an investment, I still don't really understand that. It just seems like there's way smarter ways to do this.
- [35:29]
Maria Varmazes
I get that 100%. The first use case you said I could give away, in 10 years, I'll be able to give away nice bottles of whiskey that have my name on them. That'd be cool. I might spend $6,000 on that.
- [35:43]
Joe Kerrigan
My grandfather was a big. Having a bar in your house kind of guy.
- [35:48]
Maria Varmazes
Oh, yeah.
- [35:48]
Joe Kerrigan
You know what I mean, this is. This might be a little before your time, Maria, but back in the 70s, bars and club basements were a big thing.
- [35:58]
Dave Buettner
Oh, yeah, the rumpus room. Oh, yes.
- [36:01]
Joe Kerrigan
But like, having a really fancy. Like. So basically, my grandfather had a bar in his basement that looked like any bar you could walk off a city street and walk into.
- [36:11]
Dave Buettner
And that is still a thing. I know people with that. I have a small bar in my own home, but it's not like a full one, but I do have a little bar.
- [36:18]
Joe Kerrigan
Right. So this was a full bar, and it was very fancy. And I could totally see him seeing the value in having a barrel of whiskey. Maybe a half barrel. I don't know. One of those volumes that you described.
- [36:37]
Maria Varmazes
Earlier, Joe, that would be a Kilderton.
- [36:40]
Dave Buettner
Not a butt ton.
- [36:41]
Maria Varmazes
Not a butt ton.
- [36:42]
Dave Buettner
No.
- [36:43]
Joe Kerrigan
But the whole point is that he would have something that not everyone else had.
- [36:47]
Maria Varmazes
Right.
- [36:47]
Joe Kerrigan
That would be the appeal.
- [36:49]
Dave Buettner
Yeah. For an investment opportunity. That's the thing. I'm like, huh?
- [36:53]
Joe Kerrigan
No, no, no. This would just be bragging rights with his buddies, you know, pouring right. Straight from the barrel, my man. Straight from the barrel.
- [37:01]
Maria Varmazes
Right.
- [37:01]
Joe Kerrigan
You know, that sort of thing.
- [37:03]
Dave Buettner
Yeah.
- [37:03]
Joe Kerrigan
All right, well, we will Have a link to these stories in the show Notes Joe and Maria, it is time to move on to our catch of.
- [37:20]
Maria Varmazes
Dave. Our catch of the day from comes from Connor who has some interesting things to say. He says, I think Maria is a wonderful addition to the show. I think you guys have great energy, which I would agree with.
- [37:29]
Joe Kerrigan
Concur.
- [37:30]
Maria Varmazes
After the last several episodes, I had to google what Joe looks like because all I was imagining was a middle aged man with a massive backpack wearing a black cowboy hat with a golden lace polish chicken nestled in his arm. Googling him did not help.
- [37:45]
Dave Buettner
That sounds like a job for AI.
- [37:47]
Maria Varmazes
Now I have to imagine Joe with a massive backpack wearing a black cowboy hat with a golden lace polish chicken nestled on his arm. So the funny thing is I asked my wife if she had any pictures of me with a chicken in a cowboy hat and she did. Actually, I've put it here in the script. You can see this is a picture of me wearing a cowboy hat holding a chicken. I'm not wearing my hat.
- [38:12]
Dave Buettner
You can't imagine Joe. It's just a cow.
- [38:14]
Maria Varmazes
The cowboy hat is white, not black.
- [38:16]
Joe Kerrigan
A hacking humans T shirt.
- [38:20]
Dave Buettner
It's just perfect.
- [38:21]
Maria Varmazes
And everywhere this may have been from like last year's county fair or the year before. This is not a recent picture.
- [38:28]
ThreatLocker Sponsor
Okay.
- [38:29]
Maria Varmazes
So how Conor is thinking of me is kind of how I look in real life.
- [38:34]
Joe Kerrigan
No, that's it. Yeah.
- [38:35]
Dave Buettner
That's not a Polish chicken though.
- [38:37]
Maria Varmazes
It is not. It is not. Nobody would let me hold a chicken.
- [38:39]
Dave Buettner
I've learned a little bit about chickens, Joe.
- [38:41]
Maria Varmazes
Yeah. I've never had the opportunity to hold a Polish chicken. I want to hold a Polish chicken one day. Yes, One day maybe I'll just get a Polish chicken.
- [38:49]
Joe Kerrigan
Well, how did you come to be holding this chicken? Did you simply walk up and say, hello, sir, may I hold your chicken?
- [38:55]
Maria Varmazes
There was somebody working with their chicken, I think. I don't remember this one. But somebody had the chicken and they were letting people hold it at the fair. So I held the chicken.
- [39:05]
Dave Buettner
You look pretty happy about it.
- [39:06]
Joe Kerrigan
The damn chicken for holding.
- [39:08]
Maria Varmazes
Right?
- [39:08]
Joe Kerrigan
Yeah.
- [39:09]
Maria Varmazes
I actually sent this picture to Connor because Connor's email address.
- [39:13]
Joe Kerrigan
Oh, it's nice.
- [39:15]
Maria Varmazes
I almost never respond to these email submissions, but this one I did. I had to.
- [39:20]
Joe Kerrigan
That's sweet. Very nice. So anyway, we need somebody to photoshop an impossible backpack on you.
- [39:26]
Maria Varmazes
Yes.
- [39:27]
Joe Kerrigan
Right. Like one makes you fall backwards on the ground like an inverted turtle.
- [39:33]
Maria Varmazes
Yes. Kicking and screaming, still somehow holding the chicken.
- [39:37]
Joe Kerrigan
Yeah, yeah.
- [39:40]
Maria Varmazes
Anyway, Connor says, here's some content you might like For a catch of the day. This is an email that purports to come from the Social Security Administration. Actually Social Security admin. And the email address is noreply express Some other address.com, which is not the Social Security email address. The subject is warning. Don't ignore your Social Security statement.
- [40:05]
Joe Kerrigan
Okay, goes like this. We have an important update regarding your account. To review your latest statement, simply click the link below. Access your secure statement. Exclusive access. For security reasons, this link is best accessed via a desktop or laptop. Stay informed and in control of your financial future. Your latest statement contains essential details tailored just for you. We appreciate your trust in our services and are committed to providing you with the best support and transparency. For security reasons. This is an automated email. Kindly do not reply this message brought to you by your trusted financial institution. And then it repeats three times.
- [40:46]
Maria Varmazes
Three times.
- [40:47]
Dave Buettner
Three times.
- [40:48]
Maria Varmazes
Which is weird.
- [40:50]
Joe Kerrigan
The email shall repeat three times.
- [40:55]
Maria Varmazes
It shall not repeat twice unless it repeats a third time.
- [40:58]
Joe Kerrigan
One is way off. It reminds me of. Have you ever gotten a voicemail that's just an endless looping kind of thing? This is the email version of that.
- [41:10]
Maria Varmazes
Right.
- [41:10]
Dave Buettner
I don't know how to tape, so.
- [41:13]
Maria Varmazes
It'S weird that it repeats three times. In the original message that Connor forwarded above, each iteration of this message was what looks like an image link or a placeholder that said, quote, trusted Institution logo.
- [41:27]
Dave Buettner
It actually says Trusted Institution logo.
- [41:30]
Maria Varmazes
Right.
- [41:31]
Joe Kerrigan
That's the word.
- [41:34]
Maria Varmazes
Which smacks to me that this is from a fishing kit. Somewhere somebody's selling this and you're supposed to add the logo in there somehow. Also, what's interesting is that it says you should open this on a desktop or a laptop, which says that this is probably something that is exploiting some kind of vulnerability that will install malware on a Windows machine. That's what it. That's what it looks like to me. Don't do this on your actual phone, where everybody does your computing now except me. I actually still open up my laptop or desktop.
- [42:06]
Joe Kerrigan
Yeah.
- [42:07]
Maria Varmazes
And the links actually go to some. The address. These are actually. Don't click on them. Or active links.
- [42:15]
Dave Buettner
I'm just looking at the URL. I'm not actually clicking on them.
- [42:17]
Maria Varmazes
Yeah, the URL is. If memory serves me right, it's vrcx.com which I looked up in the WHOIS database and it's all obfuscated so you can't see who it is. But they were registered. I want to say they were registered in Singapore, but I don't know if that's correct. Maybe I just remembering what you said earlier, Dave.
- [42:35]
Joe Kerrigan
Yeah.
- [42:36]
Maria Varmazes
Anyway, this is very interesting. I think if you're a US citizen who's paid into Social Security, you do have a Social Security statement. You access that by going to SSA.gov. that's where you go Social Security Administration.gov and you'll have to create a. They're, they've, they're in the process of converting to a new government wide identity identity management system. But I have like an old SSA account, so I still log in with that. I just haven't gotten the new government authorized or the new universal government ID for online activities.
- [43:14]
Joe Kerrigan
All right, all right. Well, thanks to Connor for sending that in. We do appreciate it and of course we would love to hear from, from you. If there's something you'd like us to consider for the show, you can email us@hackinghumans2k.com.
- [43:34]
ThreatLocker Sponsor
And of course we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com HH and check out their Zero Trust endpoint protection platform. That's the words threat and locker with nospace.com HH where you can request a demo and neutralize the threat of malware running on your devices.
- [44:02]
Joe Kerrigan
That is hacking humans. Brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com this episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Buettner.
- [44:33]
Maria Varmazes
I'm Joe Kerrigan.
- [44:34]
Dave Buettner
And I'm Maria Varmazes.
- [44:36]
Joe Kerrigan
Thanks for listening.