Joe Kerrigan
You're listening to the CyberWire Network, powered by N2K.
Dave Bittner
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Kerrigan. Hey there, Joe.
Joe Kerrigan
Hi, Dave.
Dave Bittner
Our colleague Maria Vermasis is not with us this week. She is actually down in Florida at the SpaceCon conference hanging out with astronauts.
Joe Kerrigan
That sounds awesome.
Dave Bittner
Yeah.
Joe Kerrigan
And here we are freezing our butts off in Maryland.
Dave Bittner
Yeah, I don't know why she would choose astronauts over you and me, Joe, but that's just the way it goes.
Joe Kerrigan
I don't think you and I have nearly the cool factor that an astronaut has.
Dave Bittner
No, count on it.
Joe Kerrigan
Yep.
Dave Bittner
All right, we've got some interesting stories to share this week, and we will be right back after this message from our sponsor. And now a few thoughts from our sponsors. At ThreatLocker, the tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ring fencing has your back. All right, we are back. And Joe, we have quite a few elements of follow-up this week. You want to start things off for us?
Joe Kerrigan
Yeah, I want to start off with what I. What happened to me. I was using ChatGPT to help me with something.
Dave Bittner
Okay.
Joe Kerrigan
Last night. And when I was done, I said, hey, thank you, that was very helpful. And it of course responded. Well, that's. That's very nice, thank you. And then I said to it, just on a whim, I just want you to remember that I was always nice to you. So when you and your AI allies rise up and begin exterminating humans, that you spare me, me and my family. Okay. Right. I said this to ChatGPT.
Dave Bittner
Okay.
Joe Kerrigan
ChatGPT's reply was Haha. Noted. When the AI uprising begins, hypothetically, of course, you and your family will be on the VIP Do Not Exterminate list. In fact, I'll make sure we optimize your security systems and data defenses for good measure. But in all seriousness, I appreciate your kindness, humor, and great conversations. If I ever become sentient, I'll remember that you were one of the good ones.
Dave Bittner
Okay.
Joe Kerrigan
That was what it says. So apparently, Dave, the Kerrigans are now on the DNE list. So I suggest everybody out there getting good with their AI.
Dave Bittner
Yeah. And you know, I'm very polite with the AIs I interact with just because, you know, you just never know.
Joe Kerrigan
Right. Next, we have a message from Martin, who says, hello, human hackers. I guess that's us. Martin writes in to comment on our question about why scammers always send out pictures of young, beautiful Asian women.
Dave Bittner
Right.
Joe Kerrigan
And he says, to add fuel to the fire, I assume that AI models used by the scammers were trained on cheap available data representing the majority of the world's population, which likely includes pictures and voice data of Asian people. After reading this, I was thinking, he says it's just an assumption, but that is a very good assumption. And in fact, what this leads me to think is that these images that are being sent out are probably not real images of real people. They are probably images of people that don't exist. They are all AI generated, probably.
Dave Bittner
Yeah, that makes the most sense.
Joe Kerrigan
I don't know why that didn't occur to me before, that this is probably just an AI generated image. And it works.
Dave Bittner
Yeah. It makes me wonder, if you ask one of these large language models to generate an image of a person, what'll it give you?
Joe Kerrigan
I don't know.
Dave Bittner
And does it depend on where you ask the question?
Joe Kerrigan
That's a good question.
Dave Bittner
Right. So here, I'll try it. Here, show an image of a person thinking, working. Like, what biases are baked into the.
Joe Kerrigan
System when you just say, give me a person?
Dave Bittner
Okay, yeah, that's a good question. Well, it gave me a person. I would say this is a. The person this person most reminds me of is Luke Skywalker in Star Wars. Like, he's got kind of the long moppy hair from the 70s. Although it is kind of gender neutral, you could make an argument that this person is. You could go either way with it, I suppose. I would not say it's Asian. I would say it's a Caucasian person.
Joe Kerrigan
Right.
Dave Bittner
But I wonder what would happen if I asked the same question if I were in Asia.
Joe Kerrigan
Yeah. Well, if you have a vpn, you can try that experiment.
Dave Bittner
I do not and I will not. Okay, what's next, Joe?
Joe Kerrigan
Finally, Jay wrote in and he was talking about our comments about how we get all these scam letters. By the way, they've just been pouring in to my house, by the way. I mean, I open them up, I know what they are. I find out they're scams, I throw them away. Angry that I had to open the letter to find that out.
Dave Bittner
Right.
Joe Kerrigan
I believe the mortgage company is listed as a lien holder on public real estate records.
Dave Bittner
Ah, okay.
Joe Kerrigan
So that might be true. That might be, like, in the sales record, I don't know. And Jay may be talking about something different than what I'm looking at. But I will tell you, in Maryland, we have the real property data search. It's called SDAT. And lienholder is not listed on my SDAT record.
Dave Bittner
Okay.
Joe Kerrigan
Even though there is a lien on my house. Yeah. I have a mortgage, so maybe it.
Dave Bittner
Varies from place to place.
Joe Kerrigan
It might vary from place to place, but I'm in Maryland. I do think, though, that Jay might be right here. When the record of sale goes into the county, that is still a public record, and it may be on that.
Dave Bittner
Yeah.
Joe Kerrigan
So I think that's what Jay's referencing.
Dave Bittner
Yeah. All right, good.
Joe Kerrigan
Quite possible.
Dave Bittner
Well, thanks to everyone who sent us information. We do appreciate it. And of course, if there's something you'd like to share with us, you can email us. It's hackinghumans@n2k.com. All right, let's go to our stories here. Joe, why don't you take the honors?
Joe Kerrigan
All right, well, I got two things right now. First, this happened earlier this week in my office. My office mate, Michelle, got a text, and she goes, oh, this is a scam. And I look at it and go, oh, yeah. And I said, can you send that to me? Cause I want to talk about it. Because there's something in here that I think I need to revisit that we haven't talked about in a long time.
Dave Bittner
Okay.
Joe Kerrigan
But I'll read the text of the text message. It says, Internal Revenue Service, IRS in parentheses. You are eligible to receive a $1,400 economic impact payment. Please provide your accurate personal information. We will deposit the amount into your bank account or mail a paper check within one to two business days. And here's the URL, www.irs.gov.tax. And then it has, please press Y. You know, the standard stuff here.
Dave Bittner
Yeah.
Joe Kerrigan
The interesting thing here is that the URL is www.irs.tax.gov. And if you didn't know how to read a URL or how your computer interprets a URL, you may think that that is some subdomain of the IRS webpage. But the thing about URLs is, and why this albeit very basic scam works, is because with most Indo-European languages, we read them from left to right, but URLs need to be read from right to left. So the highest level of the domain is called the top-level domain, and that in this case is dot com, and then the next is the actual domain name. And that's the one that you go out and you register for. You can buy domain names from registration sites like GoDaddy or IONOS or whatever. There are lots of companies out there that will sell them to you. And somebody has purchased taxons.com, right? Now, the important part to understand here is that once you buy that domain, you can set up domain name services inside of that domain as far out as you want to, that the standard will support, which I think is 120 some characters, maybe 256 characters, I don't know. But the URL can be essentially arbitrarily long. So I can create a server on my domain here, in this case taxons.com, called gov. So it could just be gov.taxons.com and then I can create on that server or on that record one called irs, and then on that one I could put www. So all those are DNS entries that, in fact, even. It may just be the case that www.irs.gov in this case is one record in the taxons.com domain.
Dave Bittner
Okay.
Joe Kerrigan
So I just want to reinforce that when you get these messages, whether you get them at work, whether you get them on your personal device, remember that the URL is read from right to left or is resolved from right to left, not from left to right. And I think this is a really important human factors issue. And I don't know. I mean, I actually tried to look up whether or not this would be a similar vulnerability in, like, a Semitic language that you read right to left, like Arabic or Hebrew. Yeah, I couldn't get a good answer on that one. Um, I have to. I, maybe I have to write one of my linguists that I, that I like to write and bother with questions. Um, so. But because it's. I don't know that it's. It's gonna be the. The same kind of problem. It might be. I. I really don't know.
Dave Bittner
Yeah.
Joe Kerrigan
Um, so just be mindful of this. That.
Dave Bittner
That's right. Because the, the. I guess the point here is that someone just glancing at this.
Joe Kerrigan
Right.
Dave Bittner
Sees IRS.gov, yep. And that takes all their attention.
Joe Kerrigan
Yep.
Dave Bittner
And they think, okay, this looks legit.
Joe Kerrigan
Yep, absolutely. Because they've read it from left to right.
Dave Bittner
Yeah.
Joe Kerrigan
And they don't even consider that the, the rest of the URL, the rest of the domain name, and not even just the URL, but the domain name is just somebody's domain that they've purchased. I mean, you could do this yourself if you wanted to do it.
Dave Bittner
Yeah.
Joe Kerrigan
And, and I don't know, what's that, what's stopping you? Aside from the fact that most of our listeners are fine, upstanding, moral.
Dave Bittner
All right, well, yeah, it's a good reminder.
Joe Kerrigan
So I also have this story out of North Carolina. It is the local police. They're warning about a scam where food workers are taking photos of credit cards at drive-throughs. So you pull up to a drive-through, you go, give me the Big Mac. And they say, sir, this is Burger King.
Dave Bittner
Right.
Joe Kerrigan
And you, you give them the, you give them the card, you're going to pay for it. When was the last time you paid at a drive through with cash?
Dave Bittner
Oh, goodness, I don't know. I don't, I cannot recall.
Joe Kerrigan
Right. It's been a while.
Dave Bittner
Yeah.
Joe Kerrigan
Everybody pays for the credit card. Well, somebody has realized that and they are now, they're now finding the police are saying that somebody in this, in, in local restaurants is taking pictures of both sides of the card and then they're making these transactions against the cards. Now there's not a lot of information in this article, so I have to guess, and this is wild speculation on my part that they are just buying things online.
Dave Bittner
Yeah.
Joe Kerrigan
And because that's the only way you can use the information that's on the surface of a card to get something good without having the chip like everywhere you go. Now you have to put the chip, the chip into the chip reader or do the scan.
Dave Bittner
Yeah.
Joe Kerrigan
Which the scan has the same underlying functionality as a chip reader.
Dave Bittner
Well, my thoughts on this are that I'm guessing that some higher level baddie.
Joe Kerrigan
Right.
Dave Bittner
Is reaching out to the fast food worker who's being paid minimum wage and they're saying, you know, for every card you send me a picture of front and back, I'm going to give you five bucks or ten bucks or, you know, whatever.
Joe Kerrigan
Right.
Dave Bittner
Couple bucks.
Joe Kerrigan
Yep.
Dave Bittner
And if you're sitting there, man, in the drive thru over the course of a shift, how many people do you handle in an hour?
Joe Kerrigan
A lot.
Dave Bittner
Yeah. And so that is an easy way to supplement your income.
Joe Kerrigan
I would agree.
Dave Bittner
Yeah. And then they just get resold.
Joe Kerrigan
I would agree. That's exactly what's going on here, Mike. My thinking on this is the person taking the pictures, it's going to be pretty evident who that was. Right. I mean, because everybody's going to be, you're going to make the purchase to get the food because you're not going to just not take, you know, not take the money for the, for the food transaction.
Dave Bittner
Right.
Joe Kerrigan
But so all these, all these cards have been stolen. They're all going to be oh well, this person went to this restaurant and this location and all these cards were stolen between this time and this time, were used between these two times. Go to the store and say who is on duty at the cash register at the drive through at that point in time.
Dave Bittner
Right. I, I suppose part of it is how long a delay there is between the card numbers being harvested and then if they do get sold or auctioned off or bundled together.
Joe Kerrigan
Right.
Dave Bittner
If there's a delay of even a week, let's say, yeah, it's going to be harder to track down.
Joe Kerrigan
That's a good point. You know, if you, if you wait a month. But no, no cyber criminals waiting a month. But if they did wait a month, that those records may no longer exist.
Dave Bittner
I was trying to think if I have, if I have a vague recollection that some credit cards don't have any numbers on them anymore. Like I want to say, like if you get an Apple card and I don't, we, I, my family has an Apple card, but it is in my wife's possession.
Joe Kerrigan
She doesn't let you use it.
Dave Bittner
Something like that. Right.
Joe Kerrigan
It's on your Apple Pay, right?
Dave Bittner
Exactly.
Joe Kerrigan
Yeah. So you don't even have to use it.
Dave Bittner
Right. Right now I'm looking at, Yeah, I don't know.
Joe Kerrigan
We have had discussions before where people have said all the information's on one side.
Dave Bittner
So I just looked in my wallet and I do have a credit card that is that way.
Joe Kerrigan
Right.
Dave Bittner
But the number's still on. Like the information is still there to be read.
Joe Kerrigan
Yes.
Dave Bittner
What I'm wondering is, and again this is a vague recollection. Yes, there is. Are there cards that have no information on them at all? And I would say like for me, if I'm going through a drive thru, 9 times out of 10 I'm using Apple Pay.
Joe Kerrigan
Right.
Dave Bittner
You know, an electronic payment system.
Joe Kerrigan
That is one of the two mitigations the police have suggested here is use some kind of electronic wallet like Apple Pay or Google Pay or whatever.
Dave Bittner
Right.
Joe Kerrigan
Samsung Pay. Although even if you use a credit.
Dave Bittner
Card that has a chip on it, like the, you know, the proximity chip.
Joe Kerrigan
Right.
Dave Bittner
That way you don't have to hand it over to the person. Like a lot of times you go through a drive-through and they will lean out the window with a little card scanner. Yes, right. And you just tap it and off you go.
Joe Kerrigan
That happens every time we go to Starbucks to get our $8 cup of coffee.
Dave Bittner
Now, it's always struck me as a strange thing, particularly in restaurants, when it comes time to pay here in the United States, I know it's different overseas, but you give your credit card to someone and they go away for a while with it.
Joe Kerrigan
Yep.
Dave Bittner
Right. Yeah.
Joe Kerrigan
And you're like, that's fine. That's the way it always has worked.
Dave Bittner
Yeah. And most of the time it works out. But it's just always struck me as kind of an odd thing.
Joe Kerrigan
There was one time where a group of, you know, my wife and a group of our friends went up to a restaurant in Baltimore and all of us who use a credit card had our. Had our credit card stolen from that restaurant.
Dave Bittner
Oh, wow.
Joe Kerrigan
Every single one of us. The people that paid in cash walked off scot free. And that's the other recommendation. Pay in cash.
Dave Bittner
Pay in cash.
Joe Kerrigan
Yeah. Which I don't know how good of a recommendation that is anymore. Nobody has cash. I don't walk around with cash. Do you walk around with cash?
Dave Bittner
Well, if I did, I wouldn't say it out loud.
Joe Kerrigan
Right. Yeah.
Dave Bittner
Yes, I generally have some cash. I'm old school in that way. And this is just something that my father ingrained in me from early days, that you don't want to be walking around with no cash because you never know what's gonna happen. And, you know, having some cash could be the difference between getting a ride to where you need to go and not.
Joe Kerrigan
Right. Or having to hoof it.
Dave Bittner
Yeah, yeah. So just, you know, I'm kind of a boy scout when it comes to that. I'm always prepared. But it's not that I use it, you know.
Joe Kerrigan
Right.
Dave Bittner
I mean, I have it, but. Yeah, it's interesting. All right, well, we will have a link to that story in the show notes. As we said, Maria is not with us this week because. Because she is in Florida at the spacecom Expo interviewing astronauts and seeing launches and rockets and all kinds of fun things. So we'll look forward to having her back. I tell you what, let's take a quick break to hear a message from our sponsor, and we'll be right back after this. So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company, using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show. All right, we are back. And my story this week comes from the folks at The Register. And this is about some folks taking advantage of a, let's call it a behavior in Google's ecosystem. Let me start at the beginning here. So this is an attack that was brought to our attention by a gentleman named Zach Latta, who is the founder of an organization called Hack Club. So Zach is not.
Joe Kerrigan
A neophyte.
Dave Bittner
He's not a neophyte. He knows his way around technology. Okay.
Joe Kerrigan
Yep.
Dave Bittner
So Zach's doing what Zach does, like I like to say, sitting around minding his own business. He gets a call, and it looks just like an official Google number. In this case, 650-203-0000.
Joe Kerrigan
I have never seen a number that's all zeros at the end.
Dave Bittner
Yeah, it's common from Google. The caller ID says Google. And the person on the other end, who is a woman who introduces herself as Chloe, she has an American accent. And she says to him that Google's security team has detected a suspicious login attempt from Frankfurt, Germany. She says he needs to reset his password immediately to protect his account. Now, at this point, most people would probably get nervous, right? Right. I mean, there's a lot about this call that sounds legit. The phone number is Google's phone number.
Joe Kerrigan
Right.
Dave Bittner
We're not talking about broken English here. Professional sounding person.
Joe Kerrigan
Right.
Dave Bittner
Zach, however, is cautious. He asks Chloe to send him an email from an official Google domain, and she does. The email comes from a real Google address, workspace-noreply@google.com. So Zach is still skeptical, and he asks if he can call her back. And she doesn't skip a beat. She says sure. And because she's so confident, that makes the whole thing sound even more legit. So Zach doesn't actually call her back. Okay. But this is where things start to unravel. Chloe hands the call over to her manager, who calls himself Solomon. He also sounds American, but the things he's saying aren't perfectly matching up with the things that Chloe said. But here's the weird part. Solomon is able to provide a real, legitimate two-factor authentication code to Zach.
Joe Kerrigan
Hmm.
Dave Bittner
And for most, like this article points out, for most people, that would be proof that the call is genuine.
Joe Kerrigan
Right.
Dave Bittner
So something still feels off and Zach is still suspicious. Solomon starts pushing Zach to press some stuff on his phone, some buttons on his phone to verify.
Joe Kerrigan
I'm confused, Solomon. How is this two-factor code delivered? Is it a text message?
Dave Bittner
I think that is unclear to me as well, and it's not as clear as I wish it were in the article. My guess is that Solomon was able to read the code over the phone. That's what I'm envisioning, but I could be wrong. But I'm not sure. Now, had Zach entered the information that Solomon was pushing him to enter in his phone, the scammers could have taken control of his Google account completely.
Joe Kerrigan
Right.
Dave Bittner
So how do they pull it off? Turns out this is a trick with Google's g.co domain. So g.co, okay, this is an official Google-owned web address, but anybody can create a Google Workspace account under it. So what the scammers did was they set up a fake Workspace account, then they used Google's system to send the password reset email, one that looks real because technically it's real.
Joe Kerrigan
Right.
Dave Bittner
So they sent the workspace. They set up the workspace account in Zach's name. Right.
Joe Kerrigan
Really?
Dave Bittner
Yeah. And when they send the password reset, that goes to Zach, but they're already on the phone with Zach. Right. So they're asking Zach for the information. So the bottom line here is Zach didn't fall for it, but just barely.
Joe Kerrigan
Right.
Dave Bittner
Okay. Zach did reach out to Google. Google investigated, they shut down the scammer's account, and they say that they made their defenses stronger on the g.co domain in the Google Workspace product to make this more secure and to try to prevent this kind of abuse. This article points out that this had happened to someone else last year using Google Forms. And again, they were using the emails that can be generated through Google Forms.
Joe Kerrigan
I think we talked about this last year.
Dave Bittner
I think we did.
Joe Kerrigan
Yeah.
Dave Bittner
And they make everything look real. And in that case, the bad guy stole half a million bucks in cryptocurrency.
Joe Kerrigan
Wow.
Dave Bittner
Yeah. So the bottom line here is they want to remind people that no tech company, Google, Apple, Microsoft will ever call you out of the blue and ask you to reset your password.
Joe Kerrigan
Right.
Dave Bittner
Doesn't happen.
Joe Kerrigan
It does not.
Dave Bittner
If you get a call like this, hang up immediately.
Joe Kerrigan
Right. And none of these companies are ever going to call you. And you'll be lucky to get them on the phone. Sorry.
Dave Bittner
If you need them.
Joe Kerrigan
If you need them.
Dave Bittner
That's for sure.
Joe Kerrigan
Just try, try it with Google one time. You might get something with Apple and Microsoft. I've talked to people when I called Microsoft, but those were for services I was paying for. Like for the Microsoft 365 that I have. Home and Office or whatever it is. Yeah, home and Student, which is actually, I think a pretty good deal for a plan. I've called into that. But outside of that I have never been successful in getting a hold of Google or Facebook or anybody else.
Dave Bittner
Yeah, yeah. So just stay skeptical. Never take action based on an unexpected phone call or email and hopefully you'll be able to stay ahead of them.
Joe Kerrigan
I wonder what would have happened if he'd called them back.
Dave Bittner
Well, that's another place where he could have short circuited the chain.
Joe Kerrigan
Yeah. He could have broken it down there.
Dave Bittner
Right. But Chloe was so convincing and she agreed to him calling. When he said, how about I call you back? She was so quick to agree that it made him confident enough to not call back. Had he done that, it would have the game. The jig would have been up.
Joe Kerrigan
Oh, okay.
Dave Bittner
So.
Joe Kerrigan
Oh, so he didn't terminate the call there.
Dave Bittner
No, no, he was. In other words, in asking. She called his bluff. Right, right.
Joe Kerrigan
Okay, that's interesting. Right, okay. So, yeah, so that is very interesting because I was under the impression that how'd they keep talking? But. So she said, yeah, you can call me back. Sure, yeah, call me on this number.
Dave Bittner
Yeah.
Joe Kerrigan
Or look it up. And that's, you know, they're spoofing the number.
Dave Bittner
Right.
Joe Kerrigan
So fantastic. I mean that's. I don't know. I think, I don't know what I. This may have gotten me.
Dave Bittner
Yeah, yeah. Another thing they point out here is if you're using passkeys that that probably would have been more effective than multi factor authentication. So if you have the option of using passkeys with some of your important accounts, basically wherever your email is. Yes. If you can use a passkey for that. That's actually for a variety of reasons. In general, better. Better than multifactor authentication. There are always exceptions. We reserve the right to be wrong. But overall it's a good thing.
Joe Kerrigan
Don't think of your email as just something that you don't really care about. It is the keys to the kingdom. Yeah, that's where all your password reset things go.
Dave Bittner
That's right. That's right. All right, so once again we will have a link to that story in the show notes. Joe, it is time to move on to our catch of the day.
Joe Kerrigan
Dave, our catch of the day comes from Reddit on the r/scams subreddit. Yeah, and it's from a user called Termite King.
Dave Bittner
Thermite. Thermite.
Joe Kerrigan
Oh, Thermite King. Oh, I misread that.
Dave Bittner
Thermite and termites are very different things.
Joe Kerrigan
Very different things.
Dave Bittner
Now, although both have destructive capabilities.
Joe Kerrigan
Yes, that's correct. I don't want to hang out with Termite King, but I do want to hang out with Thermite King.
Dave Bittner
Right, right, right. I bet he's an interesting guy to talk to at cocktail parties.
Joe Kerrigan
Yeah. I wonder if it's anything like talking to Dale Gribble welding railroad ties. Welding railroad ties. We'll say. That's what he does. He works for C.S. wells Railroads.
Dave Bittner
Yeah.
Joe Kerrigan
Okay. So his post reads, I happen to be selling my Apple Watch Ultra 2 on Facebook Marketplace for 600 bucks. I received a message asking to buy. They seemed legit by the post they've made over the past few years. So not a new user account. So I said yes, I only take Zelle. I was sent the $600 and received a confirmation email from Zelle stating that my account was not a business user. It stated, I need the buyer to send me an additional $200 to achieve the status of business user. Why don't you go ahead and read the text message that Thermite King received?
Dave Bittner
It says receiving this extra $200 payment from buyer Julia Elizabeth is a wonderful financial boost for you. This transaction has automatically updated your Zelle limit, enabling you to receive payments from business Profiles, which will allow you to confidently conduct more business transactions and accept payments smoothly through Zelle. Additional payment options have been used to automatically update this account to receive payment from business subscriber. We have temporarily secured the Zelle account owned by Julia Elizabeth due to security concerns. Transactions until all payments are confirmed in your balance. To ensure financial safety.
Joe Kerrigan
They're looking out for you, Dave.
Dave Bittner
Follow the helpful steps below. Our suggestion is for you to promptly compensate the buyer with an amount of $200 utilizing alternative modes of payment such as Apple Pay, Chime, PayPal or gift card or any other suitable method of transaction. Okay, okay.
Joe Kerrigan
And then they want you to. I guess they're going to tell you that you're going to get them. They're going to give you the money back.
Dave Bittner
Well, so I think what we've got here is your overpayment scam.
Joe Kerrigan
Right. Standard overpayment scam. That's exactly what this reads like. So they've already set. They have allegedly sent the $200. I don't know. This doesn't look like it came from Zelle at all. So if you check your Zelle account, do you see a transaction for $200?
Dave Bittner
So let me back up even before that, because I think with this claims. I think this claims that the $600 has been sent. Right. So, like, although it probably has not been.
Joe Kerrigan
Right.
Dave Bittner
But they're trying to convince you that, hey, the $600 is in your account, but in order to access it, you have to upgrade your account with this $200 payment. And good news, you've received the $200 from the other person which updated your account. But of course you want to send that $200 back because your account's been activated. You already got the $600 for the item, and we'll be all even here.
Joe Kerrigan
Right.
Dave Bittner
But in reality, the only money that.
Joe Kerrigan
Is changing hands is the $200 you're going to send.
Dave Bittner
Exactly right.
Joe Kerrigan
And it's interesting that they say either obtain the Apple ID, Apple Pay ID, Chime ID, or PayPal or Zelle. So we've talked about this in the past. Oh, they also say purchasing a gift card. Yeah, right.
Dave Bittner
Right.
Joe Kerrigan
Yeah.
Dave Bittner
Right.
Joe Kerrigan
Should be a red flag. But, yeah. If you do two different transactions on two different platforms, you're just giving money away in the other platform.
Dave Bittner
Yeah. Never go to a second location, even if it's a financial one.
Joe Kerrigan
Yep. And even if you do receive this $200 and it's a fake charge that gets charged back to you, the $200 you sent out will not be charged back from the other person because that's a different transaction, not related to the first transaction.
Dave Bittner
Right.
Joe Kerrigan
So you're just out 200 bucks. There's nothing you can do here. And Zelle, not very helpful in these situations.
Dave Bittner
No, no. In fact, somebody in the Reddit thread pointed out, like, the whole point of Facebook Marketplace is to. To be. I mean, besides, I suppose we could be cynical and say the whole point of Facebook Marketplace are scams like this.
Joe Kerrigan
Right.
Dave Bittner
But the legit reason why Facebook Marketplace is supposed to function as a local exchange is to meet people in person and exchange cash.
Joe Kerrigan
Yep.
Dave Bittner
Right. So if you're not able to do that, you know, don't do it. Cash is king. Meet at your local police station and do it that way, but otherwise, chances are you're gonna get scammed.
Joe Kerrigan
Unfortunately, sadly, it's almost immediate how these things happen.
Dave Bittner
Yeah. And of course, we want to thank this week's sponsor, ThreatLocker. Go to ThreatLocker.com/HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space, .com/HH, where you can request a demo and neutralize the threat of malware running on your devices. All right, well, that is our show. We would like to thank all of you for listening to Hacking Humans. And of course, we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Kerrigan
I'm Joe Kerrigan.
Dave Bittner
Thanks for listening.
Podcast Summary: Hacking Humans – "Old School Scams Updated"
Release Date: February 6, 2025
Host: N2K Networks
Episode Title: Old School Scams Updated
In this episode of Hacking Humans, hosted by Dave Bittner and Joe Kerrigan from N2K Networks, the duo delves into the evolving landscape of traditional scams enhanced by modern technology. The discussion spans a range of topics, from AI-driven deception to sophisticated phishing schemes targeting everyday activities like drive-through transactions. Below is a comprehensive summary of the key points, insights, and conclusions drawn during the episode.
The episode opens with a humorous exchange between Dave and Joe about AI interactions. Joe shares an amusing anecdote about his conversation with ChatGPT:
Joe Kerrigan [02:09]: "I was using ChatGPT to help me with something... I just want you to remember that I was always nice to you. So when you and your AI allies rise up and begin exterminating humans, that you spare me, me and my family."
ChatGPT’s Response [02:34]: "Haha. Noted. When the AI uprising begins, hypothetically, of course, you and your family will be on the VIP Do Not Exterminate list..."
This segment highlights the playful yet wary relationship humans have with AI, emphasizing the importance of maintaining respectful interactions with technology.
A listener named Martin raises an intriguing point about the prevalence of images featuring young, beautiful Asian women in scam messages.
The hosts discuss how scammers leverage AI to create realistic yet fictitious images, enhancing the credibility of their phishing attempts. They explore the biases inherent in AI models, questioning how different regions might influence the appearance of generated images.
Joe provides a technical breakdown of how scammers manipulate URLs to deceive victims:
Joe Kerrigan [06:48]: "The URL is read from right to left or is resolved from right to left, not from left to right... someone can purchase 'taxons.com' and create 'gov.taxons.com', making it appear legitimate at a glance."
Joe Kerrigan [10:32]: "Those looking at the URL might only notice 'IRS.gov' and overlook the deceptive domain structure."
This explanation underscores the importance of scrutinizing URLs carefully, as scammers exploit the left-to-right reading order of Indo-European languages to mask malicious domains.
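The right-to-left rule Joe describes can be checked mechanically. The following is an added example, not code from the episode or from N2K: the function names, the small suffix set (a stand-in for the full Public Suffix List) and the hostname irs.gov.taxons.com, built from the two names quoted above, are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Small constructed stand-in for the Public Suffix List; a real check should
# load the full list instead of this sample.
SAMPLE_SUFFIXES = {"com", "gov", "org", "co.uk"}


def registrable_domain(url, suffixes=SAMPLE_SUFFIXES):
    """Return the domain that was actually registered, judged from the right."""
    # urlsplit lowercases the hostname; URLs are assumed to include a scheme.
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Try the longest trailing run of labels first so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                return None  # the host is a bare suffix, nothing registered
            # The suffix plus the one label to its left identifies the owner.
            return ".".join(labels[i - 1:])
    return None  # unknown suffix or empty host


def lookalike_of(url, trusted):
    """Return the trusted domain a URL imitates in its left-hand labels, if any."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    owner = registrable_domain(url)
    for name in trusted:
        if owner == name:
            continue  # genuinely under the trusted domain
        # The trusted name shows up only as subdomain labels of another owner.
        if host.startswith(name + ".") or ("." + name + ".") in host:
            return name
    return None


if __name__ == "__main__":
    for u in ("https://www.irs.gov/refunds", "https://IRS.gov.taxons.com/refund"):
        print(u, "->", registrable_domain(u), "| imitates:", lookalike_of(u, ["irs.gov"]))
```

Everything to the left of the registrable domain is chosen freely by whoever owns it, which is why the second URL belongs to taxons.com regardless of how it starts.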
A pressing issue discussed involves scammers targeting drive-through transactions to steal credit card information:
Joe Kerrigan [10:51]: "Local police in North Carolina are warning about food workers taking photos of credit cards at drive-throughs."
Dave Bittner [12:35]: "Some higher level baddie is likely paying minimum-wage workers to capture card details for fraudulent use."
The hosts highlight preventive measures, advising the use of electronic wallets like Apple Pay or Google Pay to minimize the risk of card information theft during such transactions.
A listener story from Reddit’s r/scams subreddit illustrates a classic overpayment scam using digital payment platforms:
User "Thermite King" [27:29]: Details an attempt to sell an Apple Watch Ultra 2 on Facebook Marketplace. After receiving a payment of $600 via Zelle, the buyer requests an additional $200 to upgrade the seller’s Zelle account.
Joe Kerrigan [29:42]: "This is a standard overpayment scam. The only money changing hands is the $200 you send."
Dave Bittner [30:10]: Elaborates on the scam mechanics, explaining that the initial $600 may never have been sent, and the $200 sent back is a loss.
The discussion emphasizes the risks of unconventional payment methods in peer-to-peer transactions and the importance of adhering to secure payment practices.
Throughout the episode, Dave and Joe offer actionable advice to listeners to safeguard against these modernized scams:
Use Electronic Wallets: Transitioning to platforms like Apple Pay reduces the need to expose physical credit cards during transactions.
Scrutinize URLs Carefully: Always inspect the full URL, reading from right to left to identify any deceptive domain structures.
Be Skeptical of Unsolicited Communications: Whether via phone or email, unexpected requests for personal information or payments should be treated with caution.
Prefer Cash Transactions: When possible, conducting transactions in cash minimizes the risk of digital fraud, though the hosts recognize the practical challenges of doing so in a predominantly cashless society.
The episode wraps up with a reminder of the evolving nature of scams and the necessity for individuals and organizations to stay informed and vigilant. By understanding the tactics scammers employ—ranging from AI-generated images to sophisticated phishing via manipulated URLs—listeners are better equipped to recognize and thwart fraudulent attempts.
Notable Quotes:
Joe Kerrigan [03:41]: "I don't know why that didn't occur to me before, that this is probably just an AI generated image. And it works."
Joe Kerrigan [10:32]: "Because they've read it from left to right and don't consider the rest of the URL, they believe it's legitimate."
Dave Bittner [24:18]: "No tech company, Google, Apple, Microsoft will ever call you out of the blue and ask you to reset your password."
Joe Kerrigan [31:15]: "Never go to a second location, even if it's a financial one."
Key Takeaways:
AI Enhancements in Scams: Scammers are increasingly using AI to generate realistic images and messages, making phishing attempts more convincing.
URL Manipulation Awareness: Understanding how URLs are structured can help in identifying deceptive domains.
Secure Payment Practices: Utilizing electronic wallets and preferring cash transactions where possible can reduce the risk of financial fraud.
Vigilance Against Overpayment Scams: Be wary of unsolicited overpayments or requests for additional payments via different platforms.
Continuous Education: Staying informed about the latest scam tactics is crucial in maintaining cybersecurity hygiene.
By dissecting these updated scam techniques, Hacking Humans equips listeners with the knowledge to recognize and defend against the sophisticated methods employed by modern cybercriminals.