Maria Varmazis
You're listening to the CyberWire Network, powered by N2K.
Dave Bittner
Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information. Hey, Joe.
Joe Carrigan
Hi, Dave.
Dave Bittner
We've got some good stories to share this week, and we are joined once again by our N2K colleague and host of the T-Minus Daily Space podcast, Maria Varmazis.
Maria Varmazis
Hi. Good to be here.
Dave Bittner
Great to have you back. We will have our stories after a word from our sponsor. But first, a word from our sponsors at KnowBe4. We're not talking conspiracy theory when we say it's all connected. When it comes to infosec tools, effective integrations can make or break your security stack. Though not as common, the same should be true for security awareness training. Not only does KnowBe4 deliver the world's largest library of security awareness training, but they also provide a way to integrate the various elements of your existing security stack to help you strengthen your organization's security culture. Stay with us, and in a few minutes, we'll hear from our sponsors at KnowBe4 about how you can integrate security awareness with your tech stack like never before. All right, Joe, so before we jump into our stories here with our very special guest, Maria, we've got a good bit of follow-up here today. We do. You want to start things off for us?
Joe Carrigan
A significant amount? Yes, Dave. All of our follow-up today is anonymous, and the first one reads: Hi, guys. I'm in recovery from addiction, but for a time more than five years ago, I was around and involved with the underbelly of society. Listening to one of your recent episodes about the gift card scams, you had a listener write in that she had gotten her balance stolen from the gift card before they actually tried to use it. I know people who would shoplift the gift cards off the rack and bring them back home and then scratch off that little part under the silver part. Silver part.
Maria Varmazis
Oh, yeah, the fun part, right?
Joe Carrigan
Exactly. And then get the numbers. I know at the time taking gift cards off the rack was pretty low stakes since they don't have any value associated with them. So they weren't being monitored by any kind of security protocols. Then they would actually order off eBay a roll of the scratch-off stickers.
Dave Bittner
Oh, the silver stuff.
Joe Carrigan
This is the part we were missing, Dave. I didn't know you could just buy a roll of that stuff.
Dave Bittner
Who knew?
Maria Varmazis
eBay's got everything. Yeah. Geez.
Joe Carrigan
So they would then roll that, reapply it, the scratch-off sticker over the numbers, and bring it back to the store and pretty much reverse-steal the gift cards onto the shelves.
Dave Bittner
Yeah.
Joe Carrigan
Then they would track those serial numbers on a website called Gift Card Granny. I don't know why it's called Gift Card Granny. Maybe because your grandmother always gives you gift cards.
Dave Bittner
That's good enough for me.
Joe Carrigan
And when the balance showed up, they would do something on that website to either buy other gift cards or cash them out for some percentage on the dollar. I think it's like 80 cents per dollar that you get. Okay, so if your grandmother says, well, I know he likes to eat, here's an Olive Garden gift card for 100 bucks, right? You go, I'm never going to use this. I'm going to go get 80 bucks out of this, and somebody gets 20 of Nana's dollars.
Dave Bittner
Okay.
Joe Carrigan
Right. So. Okay. He's not sure about many more details about how it worked, but that's pretty much how the front end of the scam worked.
Dave Bittner
Okay, so this pretty much confirms our suspicions about people stealing the cards, getting the numbers, and putting them back. But you're right, we were missing that. We were missing the availability, the easy availability, of that silver scratch-off part. That's interesting.
Joe Carrigan
Yeah, you can just put that back on the gift card and it goes back on the shelf and no one's any the wiser.
Dave Bittner
Yeah, that's interesting. I wonder if grocery stores and places that sell gift cards, if they've upped their game when it comes to monitoring the gift card rack or not. I don't know.
Joe Carrigan
That's a good question. You know what? Next time I go to the store, I'm going to make a point of looking at the gift card rack and see what's going on there.
Dave Bittner
Maybe that suspicious guy lurking around the gift cards.
Joe Carrigan
I'm the suspicious guy with. Whenever I walk into a grocery store.
Dave Bittner
Sir, can we help you?
Joe Carrigan
Security starts following me.
Dave Bittner
Right, right, exactly.
Joe Carrigan
This guy's going to steal something. Yeah, I don't look like that at all. I mean, I just walk in, schlub around the place, get angry, and walk out.
Dave Bittner
That's usually how it goes for me, without purchasing anything.
Maria Varmazis
The lack of gift cards.
Joe Carrigan
Right.
Dave Bittner
Yeah. All right, well, we've got some more feedback here. Someone writes in and says: Hey, guys, first, wow, Joe, I would never have placed you as a metalhead. I tend to favor that genre of music, but do listen to pretty much anything that has a good beat and talent. Anyway, I want to...
Joe Carrigan
We were talking a couple weeks ago about expert testimony from musicians.
Dave Bittner
Right.
Joe Carrigan
And I mentioned Dave Lombardo and...
Dave Bittner
Yes, yes, yes. Folks who are longtime listeners will know that Joe is quite the metalhead, going from, you know, back in the day when he had a full collection of heavy metal T-shirts that still fit him.
Joe Carrigan
You didn't even know me then, and we've never talked about it. They don't still fit me. I don't even have them anymore.
Dave Bittner
That's right.
Joe Carrigan
I actually ran a heavy metal show on the radio for my college.
Dave Bittner
That's right.
Maria Varmazis
Oh, that's awesome. That's great.
Dave Bittner
So this listener goes on and says: Anyway, I want to touch on a subject that you have mentioned a few times recently. A couple episodes ago, you mentioned how the spammers are using easy-to-use services that offer free trials and such. I believe you mentioned Azure in this. Well, funny thing, after that episode, I noticed I started getting a few spam messages sent from, you guessed it, onmicrosoft.com. They always contain a couple of images only and no text in the body. The subject is usually something like "please verify" or that I've won a Harbor Freight, Makita or Ryobi something. Most get caught by spam filters, but a few have actually made it through.
Joe Carrigan
Hmm.
Dave Bittner
This person goes on and says: On a scammer's note, you all mentioned Andy Cohen going public about how he got scammed. This story actually reminds me of Wells Fargo. I have noticed that when I go in, they verify my accounts by sending me a text message to my cell. In our everyday lives, we are told not to give these PINs out if asked for them. But Wells Fargo is using this as a way to identify you. I find this strangely wrong.
Joe Carrigan
Okay, so this is actually part of the Wells Fargo multifactor authentication on their website.
Dave Bittner
Okay.
Joe Carrigan
And what they're doing is you have to register a phone with them, and when you log in, they say, we're going to send you a text message.
Dave Bittner
Yeah.
Joe Carrigan
And this is the SMS method of multifactor authentication.
Dave Bittner
Yeah.
Joe Carrigan
You think of multifactor authentication as something you know and something you have or something you are. When you take two of those things, those are the multiple factors. So you know your username and password; you have your phone to verify it. And yes, for all the aficionados of multifactor authentication, SMS is the worst kind of multifactor authentication. But it is a lot better than nothing, right? A whole lot better. Like.
Dave Bittner
Yeah, but.
Joe Carrigan
Never mind. But yes, this is normal now. So here's the workflow. You are on the website and you're logging in and you enter username and password. It says, we're going to send you a code. You say, send me the code. You get the code and it says, what's the code? You enter the code. That's a normal workflow, right?
Dave Bittner
Yeah.
Joe Carrigan
Another normal workflow that I've actually seen from Comcast and T-Mobile is I call into these services and they say, we're going to send you a code to verify it's you. Now, I've called into the service, so I know who it is I'm talking to, and then they send me a code, so I give it to them. But on the inbound call, when you get the call and then you get the text number, don't give that number back, because that's how the scam works. I know this seems really convoluted and very nuanced, but if somebody calls you and says, hey, I need to verify your identity, you really need to verify their identity.
Dave Bittner
Right.
Joe Carrigan
That's what needs to happen. And the only way to do that is by calling the known good number.
Maria Varmazis
Yeah, yeah, that distinction is really important, which direction it's going. Right after we did that story, I think three days later, a friend of mine contacted me that they had just gotten affected by that scam. And it was how I found out that our local credit union had been breached, because apparently almost all the customers were getting this phone call directly. They had enough PII to sound credible that it could be from our credit union. And so they presented themselves as from the bank and said, we're going to send you a bunch of text messages to make sure you are who we think you are. And our credit union didn't have that little message in the SMS saying, we will never call you and ask you for this number. Which I've noticed that a lot of bigger places make sure to include. But not everybody's got that, which seems like a nice thing to have.
Joe Carrigan
It should be part of the workflow, I think.
Maria Varmazis
It really should.
Dave Bittner
This person goes on and says: My PII has been part of many data breaches.
Joe Carrigan
Join the club.
Dave Bittner
Do you? Yeah, right, exactly. Do you all have any ideas on what anyone can do to protect themselves from these kinds of breaches? Many of the security and monitoring services like LifeLock and Incogni and so on seem like a money grab, but these services can be late on delivering news of a breach. My big thing is that I have a special needs child who is not going to be able to be as active on maintaining any kind of data protection if anything happens to me or their siblings. Their PII has also been breached with mine multiple times. I've frozen all of my family's Social Security numbers, but that only really protects credit.
Joe Carrigan
Yeah. So freezing your credit is a great way to go, at all three of the major credit agencies. That's really your biggest risk. Somebody opening a line of credit in your name or your child's name is going to be a huge headache. So also the other thing I would say is if you have identity theft insurance available at your employer, I'd definitely look into getting some of that. There are a couple things I want to say. Number one, assume that your data has been breached. Never give out information again on the inbound calls. Just say, hang up, I'll call you back. Or say hang. I guess you have to say that first and then hang up. But, and remember, if someone does commit fraud and opens an account in your name or your child's name, don't ever agree that you owe that money. That is, you are a victim, just like the bank is a victim. And don't let this bank. They're gonna try to. I've seen situations where they try to push somebody to say, you just gotta admit that you owe this debt. And once you do that, it's all over. They might be able to win a court case. At least that's what I understand. Again, not a lawyer.
Dave Bittner
Yeah, well, just this week we reported over on the CyberWire that the State of New York is suing Citibank. And one of the things that they're upset about is that Citibank was saying that they have no responsibility if someone follows the instructions of a criminal. So they're gonna duke it out over that.
Joe Carrigan
Yeah, I'd like to see how that turns out. I hope it doesn't turn out well for Citibank.
Dave Bittner
Yeah.
Joe Carrigan
And finally, I'd like to say I don't know exactly what the situation is with a special needs child. That's a broad term. Right. So I don't know where on the. It's not even a spectrum, it's more like a two-dimensional plane. Right. Maybe even a three-dimensional. Very complex. So make sure that your child is not the only person that's involved in the financial decisions. Make sure there's somebody else there that has this child's best interest at heart at all times.
Dave Bittner
And then, last bit of follow-up here, from someone who goes by the Computrix on Mastodon, who wrote in and said: I need to defend Walmart a bit. So, Joe, remember a few episodes ago, you and I were taking cheap potshots at Walmart?
Joe Carrigan
Yes, yes, we were.
Dave Bittner
Which I mostly stand by. But the Computrix writes in and says: They provide college degrees for any of their employees. Many of my cybersecurity students are only able to attend college because Walmart is paying for them to do so. This includes books. One student is a delightful older gentleman who works the night shift restocking shelves. To have watched his growth since 2020 is amazing. And now he has opportunities he would not have had. Anyhow, it's hard to defend a major company like Walmart, but even a stopped clock is correct twice a day.
Maria Varmazis
Fair enough. That's a good.
Joe Carrigan
A very good benefit that Walmart offers.
Dave Bittner
Yeah, it's a great point. It's a great point. I mean, I think most of the issues I have with Walmart are kind of broader, philosophical, societal issues.
Joe Carrigan
Right.
Dave Bittner
The Walmart effect on small towns and things like that has been greatly documented. But no, this is a great point, and I appreciate the Computrix writing in and sharing that little bit of information with us.
Joe Carrigan
Interesting. I wonder if they will pay for a master's degree.
Dave Bittner
Probably not.
Maria Varmazis
We should find out.
Dave Bittner
I would love one.
Maria Varmazis
Why don't we do it?
Dave Bittner
Exactly. Getting my PhD through Walmart.
Joe Carrigan
Hey, welcome to Walmart. Would you like a sticker? I'm getting my PhD.
Dave Bittner
Yeah, sure you are. Sure you are, pal. All right, well, as always, we would love to hear from you. You can send us an email. It's hackinghumans@n2k.com. All right, let's jump into our stories here, and I want to remind everybody that our special guest today is Maria Varmazis. She is the host of the T-Minus podcast right here on the CyberWire Network. And some of you are probably familiar with her from her regular appearances over on Smashing Security as well. Maria, it's great to have you back. And I have to say before we jump in here that one of the reasons I invited you back was the overwhelming amount of positive response and letters from listeners who said, please have Maria back as soon as possible.
Maria Varmazis
Oh, my gosh. You guys can't see it, but I'm blushing. That's really kind. I love talking about this kind of thing. It's an honor. I really enjoy it. So thank you for having me back. Thanks, everybody, for asking for me back. That's really just really nice.
Dave Bittner
Yeah. All right, Maria, what do you got for us today?
Maria Varmazis
Oh, gosh, I wish this was a happy story. So strap in for this one, everybody. Well, late January, many folks, especially in the US, you might have seen in the news that a lot of social media tech CEOs did one of their regular parades before a congressional committee to be yelled at about how their poor content moderation policies are literally getting minors killed.
Joe Carrigan
Yep.
Maria Varmazis
Only for them to do absolutely nothing about it and not be held accountable in any real way. Hooray.
Dave Bittner
Good times. Good times.
Maria Varmazis
Yeah, yeah. Great times. So, in that vein, I thought we should look a little bit today at what is going on. And one of the crimes involved here is called sextortion. And as the name implies, criminals are coercing adults and increasingly minors, meaning teenagers, into sending sexually explicit material. And then the criminal will extort that minor for money, lest those images be shared with their families, friends, coworkers, classmates, the public in general. You name it. Like Nana. You know, it's blackmail. It is. And the apps that teens commonly use are often targeted by sextortionists. So big ones are Snapchat, Instagram, and one that I admittedly had not heard of called Wizz, which is a dating app for teens, which.
Joe Carrigan
Why.
Maria Varmazis
Yeah, that was. Yeah.
Joe Carrigan
Who thought this was a good idea?
Maria Varmazis
Red alert when I heard that that even existed. But, yeah, it exists. And not a big surprise, it is a big target for sextortion crimes. So what the criminals will often do, as they often will with any kind of extortion crime, is they're going to use a lot of social engineering. So in this case, it's catfishing. The criminal will pose as an attractive member of presumably the opposite sex. And in many cases, it's a pretty young lady they pretend to be. And they will connect to the profile of, like, the hunky football player or some such. And over time, slowly, that scammer will make friends with the victim's friends, really get embedded in their social networks, build a lot of trust. Like, there's no rush here. Over time, slowly, things heat up to a boil. And then the sextortionist convinces the victim to send them some sort of sexually explicit imagery or a video. And then that's really when it gets really bad, because the criminal now has their leverage and the threats start. And these threats are awful. Basically, they threaten to show everyone that that person knows on their social network, including their family and their teachers and their friends and their teammates, the sexually explicit video. And in a panic, many times the victim will pay up, because the extortion money is often $200 or some amount. But then it just escalates the demands, as we might imagine, as we've seen with ransomware sometimes, too, right?
Joe Carrigan
No, I got some money out of you, I'm going to get more money out of you.
Maria Varmazis
Yeah. And if you don't pay up, guess what? I'm still going to do the thing I've threatened. Big surprise, right?
Dave Bittner
Right.
Maria Varmazis
So the weapon really here is shame. And again, these extortionists are targeting. I mean, they're minors, they're children. So, you know, shame is a very powerful weapon in this case, and there's a lot of embarrassment. And the teens feel like they can't tell anyone, and it's really terrible. And unfortunately, they're targeting predominantly teen boys and young men. So many of these victims of these extortion crimes will sometimes try to find support with other victims. Reddit is a popular place where people will go and sort of compare notes on what they've experienced. And people have noticed that the messages that they're receiving from the sextortionists are often not just super similar, but practically copy and paste of each other. And that's not a coincidence at all.
Joe Carrigan
No, this is just. These guys have a script that they're following.
Maria Varmazis
They sure do. And like any campaign, even a terrible one like this, the criminals have optimized their scam. So someone who has looked into this is the Network Contagion Research Institute, and they published a really thorough report on all of this that I found gripping but extremely sad and alarming news. But it's highly recommended reading. And they have reported that incidents of this extortion crime have. I gotta say this number slowly because I can't believe it. Incidents of this crime have surged 1,000% over the last 18 months, which is astonishing. And NCRI wanted to figure out why this was happening. And to do so, they took a look at a group in West Africa that's doing a lot of these crimes, and they're called the Yahoo Boys. No relation to the search engine or the company. It's just what they call themselves.
Joe Carrigan
I think, actually, it does have a relationship, I think.
Maria Varmazis
Those guys.
Joe Carrigan
Yes, because they use Yahoo email addresses.
Maria Varmazis
Oh, man. I was meaning professionally. Like, they're not professionally.
Dave Bittner
No, no, no. It's not the Yahoo HR team who's doing a little moonlighting?
Joe Carrigan
No, it is not.
Dave Bittner
No.
Maria Varmazis
If they use Yahoo, it's not Yahoo's fault. But yeah.
Dave Bittner
No, no.
Maria Varmazis
Or is it? I know, I was kidding. So the Yahoo Boys apparently seem to target high school and university athletes. That seems to be a lot of who they go after, as well as high school student groups in general. And even sometimes young professional athletes we've seen get caught up in these extortion crimes. But the reason is, when you think about it, kind of easy to understand. A lot of times these athletes have a lot of public information available about them, which, you know, is good fodder for a social engineer. And often because they're athletes on teams, they're very connected to their peers and to a broader social network. So you get in with one athlete and then you can befriend the entire team. And then once you're friends with the whole team, you now have social proof that you're a legitimate account and you're a real person and you're not, oh, I don't know, a catfish operating out of Lagos. And that helps your validity and you sell the scam. So. And a lot of times, many times, these criminals are also using old hacked accounts that they've acquired on the dark web in breaches, so they can use accounts that look valid. Maybe they have a high Snap score or, you know, they've got a lot of activity, so they pass the initial sniff test. Like, oh, this is actually a real person that's trying to connect with me.
Joe Carrigan
Right.
Maria Varmazis
So, Joe, as you mentioned, the Yahoo Boys have scripts that they use. And they don't just have scripts, they have best practices that they've published. Training videos. Yes. Canned scripts, and even livestream videos of them actively extorting their victims, where they talk about what to tell them as they're actually walking them to a Bitcoin ATM. It's really harrowing stuff. And none of this is hard to find. It's all on Instagram, TikTok, Snapchat, Scribd, and YouTube, in instructional videos. These instructional videos are there, and it absolutely violates the platforms' content rules against criminal activities, of course, but that hasn't stopped these criminals from using those platforms. Nonetheless, they're using things like basic code language, like calling their marks "clients," to evade basic content filters. And as you also might imagine, AI and deepfakes are making all of this even worse. So I just wanted to bring this to people's attention and say, you know, the term is called sextortion, which sounds kind of cutesy, but the bigger point here is that this is targeting minors predominantly, and so far, 21 minors have committed suicide as a result of being victims of sextortion crimes. And that number is an estimate, and it's probably a very low one. So, yeah, the NCRI report says that sextortion is the most rapidly growing crime targeting children in the United States, Canada and Australia.
Joe Carrigan
Yeah, we had a story about this a while ago about a young man named Jordan DeMay who did end his life. And it's heartbreaking, heartbreaking to hear. Some of the people responsible for that have since been extradited to the US. I don't know what's going on with it yet.
Maria Varmazis
Yes. Yeah, it's nice to see some people being held responsible for what they're doing. But the impetus to me, obviously, we want the criminals to stop what they're doing. The impetus to me is on the social media companies.
Joe Carrigan
Yeah, absolutely.
Maria Varmazis
They need to be doing a whole hell of a lot more.
Dave Bittner
I saw, just as you were mentioning the congressional testimony, and I was watching some news reporting on that, and they had the mother of one of the children. She had a teenage son who had committed suicide, having been the victim of this. And, you know, the reporter asked her what she thought about the testimony, and she was pretty dismissive of it. You know, she said, these companies come and they talk and they say all the things that they think the congressional folks want to hear, but then they don't really change anything, and they spend a lot of money lobbying to make sure that they don't have any real rules applied to them. And meanwhile, kids are dying.
Maria Varmazis
Yeah, kids are dying. I mean, it's not a. As I said, the term sextortion might sound kind of cutesy, but I mean, children are actually dying. So it's one of those. The impetus is on social media companies that need to do more. I'm not going to hold my breath. I really wish they would. And they need to. In the meantime, to try and make yourself be less likely to be a victim: make your account private. Be very wary of who you friend. Tell your children, tell your teenage contacts, that those friends lists are. That even if you have a private profile, if you friend somebody, your friend list then becomes available to a potential extortionist, and then that's how they embed themselves. And always remember that things like screenshots are a thing. Apparently a lot of times the sextortionists will eventually move conversations over to Snapchat, because Snapchat seems to be a little more secure than other social media platforms because it disappears images and messages, but those disappearing images and messages really aren't. So it gives people a false sense of security, and they let their guard down. So just be careful, and definitely make sure you can. If someone you know has been a victim of this, you know, save all the evidence, block, report, never pay the extortion, deactivate accounts that are affected. And please tell a trusted adult. Minors, if you're listening, tell a trusted adult who can help you, because you're a victim here.
Joe Carrigan
Right.
Maria Varmazis
So.
Joe Carrigan
And this is not permanent. I know it seems like it's permanent. It's not permanent. You know, it's going to be very temporary. It might be a little bit embarrassing, but it is survivable. And like you said, Maria, the truth of the matter is these kids are victims of these criminals. And, you know, they're violating actually some pretty serious laws in the United States. And if we get them, if we can get our hands on them, things don't go well for them.
Dave Bittner
Yeah. You know, this reminds me of. I think that, like, a lot of parents out there who've been through having teenagers, you know, one of the things that my wife and I did, and this is not new or unique to us, this is, I think, a technique that's been around for decades, is when it comes to alcohol and drunk driving, telling your kid, you know, if you find yourself in a situation where you don't feel safe, you call us, and we will come and pick you up no matter where you are, and you will not be in trouble for that, you know, because you being safe is way more important than, you know, you made a bad choice to drink or, you know, whatever it was.
Maria Varmazis
Yes.
Dave Bittner
But I think that philosophy can be applied to this as well, to tell your kids proactively. You know, if you find yourself in trouble with something like this, let us know, and you will not be in trouble for it, and we'll help you.
Maria Varmazis
Yeah, right.
Joe Carrigan
Right.
Maria Varmazis
Yeah. The embarrassment can't be understated. I mean, I can only imagine how mortifying this must be. But that shame is really. It is the weapon. And if a kid is alone and doesn't feel like they have anyone to turn to, that can become deadly. So I think it's on all of us to try and take that shame away and let especially minors know that, like, this is definitely. They're a victim, and there's help for them.
Joe Kerrigan
Right?
Dave Buettner
Yeah, absolutely. All right, well, let's move on to my story, which it is impossible for it to be anything but a little lighter than yours, Maria.
Maria Varmasis
I'm so sorry, Maria.
Joe Kerrigan
That story is an important story that.
Dave Buettner
Needs to be draft. No, it's important. It's absolutely important. Yeah. Right. It's a hard act to follow, that's all.
Maria Varmasis
Something lighter would be great. I would love that.
Joe Kerrigan
Right.
Dave Buettner
So my story is about rainbows and puppy dogs. Awesome. Actually, I've got two stories here because they're short and we'll have links to both of these in the show notes. The first one is some research that the folks over at Cofence published. They're a cybersecurity company and they were looking at some of the most common phishing email themes of 2023, and they broke this down into different quarters of the year and things like that. And so I'm going to skip some of those specifics because they're not really relevant to us. But the major themes are things that we talk about here. Finance that came in at 54%, notification scams, which is 35%, shipping scams, 7%, and what they call response scams, which are 3%. None of this really tracks or surprises me rather. And this is what they categorize as their major themes. So these are really the top things that they see. They had another level that they call moderate themes, and this included document scams. So someone sends you a PDF, a voicemail scam, something with travel assistance, scam faxes, which are still a thing. Yeah. Legal scams. Yeah. I recently had an interaction, I think I've mentioned this here. I had an interaction with my doctor where I asked them if I could email them something and they said no, but you can fax it. And I said, I'm sorry, I left my fax machine in 1995, so I won't be faxing that to you.
Maria Varmasis
Just send them the black sheets of paper over and over to ease up their toner.
Dave Buettner
Right, Exactly. Get them to move on. Yeah. And then they also have minor themes which the ones that they don't see as much of. And some of those were benefit scams, tax scams, job application scams, and closing scams. Those are the scams where people. Someone's buying a house and things like that. Yeah. The other thing I wanted to touch on today was actually a report from the FBI that they had put out some notice that scammers, it seems more and more are hiring couriers to collect cash from people when they scam them. Couriers. Couriers. Right. So what'll happen is a scammer will get somebody on the line. And they will have them either go to the bank and withdraw cash. An interesting wrinkle that this story talked about is they'll have people converting their money into precious metals. So they'll buy gold or something like gold, silver, diamonds, whatever it is, and then they'll have the courier come and pick up either the cash or the gold or whatever it is that's valuable, something that's valuable yet anonymous. Right. Because you can go anywhere and we can't go anywhere, but you can go to a precious metals dealer with your gold. Right. Which I know is something all of us have done wrong all the time.
Maria Varmasis
Who among us have not.
Dave Buettner
Right. Exactly. Taken a big block of a brick of gold, an ingot, if you will. Right. To take, trade in for some farm animals or something. I don't.
Joe Kerrigan
Every time I sit down with this microphone, I have to put tape around my Mr. T style size collection of gold chains I have.
Dave Buettner
That's right.
Maria Varmasis
Yeah. Joe, you jangle a lot.
Joe Kerrigan
So just to keep it so the mic doesn't pick up all my chains.
Dave Buettner
Your Mr. T starter set, right? Absolutely. So the point they're making here is, number one, the scammers are getting more bold about this, and the couriers don't know. They're innocent when it comes to this. Generally, they're just being hired to be a courier, go pick up a package from this person. They don't know what's in there. But it's another red flag, right? That if someone says they're going to send a courier over to pick up some money, or really anything of value, that is a huge red flag that someone is not on the up and up. Because, you know, the FBI, the IRS, your bank, they don't send couriers over to pick up cash or gold bars. Right. It just doesn't work that way. So spread the word. Evidently, this is something that the FBI is seeing more and more of, enough that they're concerned, that they've put out a flyer about this sort of thing. So those are my stories this week. Joe, what do you have for us?
Joe Kerrigan
Dave, I saw an article on Axios from Sam Sabin that was called "Companies aren't paying ransoms like they used to." It's just not like the good old days of ransomware.
Dave Buettner
Dave, instead of cryptocurrency, they're using gold bars, right?
Joe Kerrigan
Yes.
Maria Varmasis
We've devolved.
Dave Buettner
Right.
Joe Kerrigan
But Sam actually links to a report from Coveware that has been tracking ransomware since 2018. And that's where I went but this report covers a lot of stuff. But I really wanted to focus on this, this payment issue that ransomware gangs are starting to experience.
Dave Buettner
Okay.
Joe Kerrigan
My heart breaks for them. Of course, there are two dimensions here. Number one, the first dimension is the number of victims who pay. If you go back to the first quarter of 2018, 85% of companies, or 2019, 85% of companies were paying the ransom to the ransomware actors. Now, in the last quarter of 2023, 29% have paid the ransom. So of the people that got hit, only 29%, a little less than a third paid the ransom, which is way down from almost all of them. 90%, 85%. The other issue is that during the same. The same timeframe, it was 2018, this data actually starts in quarter three of 2018. And the median attack has ramped up. In terms of value, how much do you think that people. What do you think the median value is for a ransomware attack? Well, it's around $200,000 now. And you can watch it over time. It's gone up to this $200,000 mark. Now, in the last quarter or third quarter of last year, that mean was $750,000.
Dave Buettner
Wow.
Joe Kerrigan
So that mean was like almost four times the mean, the median. Which means that there are some large outliers that are pulling that average up and that most of the, you know, half of the occurrences are below $200,000. And of the ones that are above $200,000, some of them are really, really, really far above 200,000. Now, in the fourth quarter of last year, that mean dropped by 33%, so that the mean that those larger payments are much, much smaller. So those outliers are getting closer to the median. Now, this is not enough to say this is a trend, Right. It's one quarter. Although the downward trend of people paying is what I would call a trend. So why are people not paying? Coveware points to two major things. First, organizations have gotten on the bandwagon with good backups. So the ability to restore from backup is there. And then they're doing the math, right? And they say, hopefully they have some idea how long it's going to take to restore from backup. They can do a cost estimate of would it be cheaper to restore from backup, or would it be. Would it be cheaper to assume that the data can be decrypted in place? Now, if the data can be decrypted in place, how much of it do we get back? Because the answer is very rarely. 100%. Yeah, it's in fact, it's like 100% in fewer than 10% of the cases. So if you do the math, how likely are you to even get your data back? And if you do get your data back, how likely are you to get that? Now you've come down to a value proposition of at least a quarter, right? Like in other words, the. If the cost differential between me restoring it and having the using the ransomware to restore it, if that is $1 million, then I shouldn't pay more than $250,000 in ransom. Right? Because there's no. And this is a very naive calculation, you understand? Right?
Maria Varmasis
Back of the napkin. Yeah, right.
Joe Kerrigan
Back of the napkin.
Dave Buettner
I'll take your word for it.
Joe Kerrigan
I'm saying that the value of the ransom is 25% of the Delta between.
Dave Buettner
Okay, math boy, whatever you say.
Maria Varmasis
I'm assuming that the data is all of equal value, but okay, how sensitive is the data? True enough, true enough.
Dave Buettner
My eyes glazed over a while back.
Joe Kerrigan
Sorry about that.
Dave Buettner
Keep going, keep going.
Maria Varmasis
He said percentages.
Dave Buettner
Yes, we're on means and medians and averages. And this is like math class. Go on, Joe, go on, bring us home.
Joe Kerrigan
So people are just saying, no, I'm not going to pay the ransom, we're just going to restore it. The other reason is because they're not trusting the promises of the cyber criminals to not disclose this information, which was the add-on that they started talking about back in 2020 or something like that. In fact, there's a great quote. I'm going to read this. "Data-driven reluctance to pay for intangible promises from cyber criminals, such as promises not to disclose or misuse stolen data and promises to exempt the company from future attacks or harassment." So that's the reasoning. They're using data, right, these companies. We know you're not going to honor what you say. You're going to come after us again. You're going to sell our data anyway. There's no sense in paying you the ransom to keep it to yourself. That's not even part of our calculus. And I don't know, Dave, but if you remember all the way back to when this started happening, my advice was don't make this part of your calculus because you can't trust these people. Yeah, and a lot of. And now there's data that backs this up. You can't trust them and they're not paying it. There's much more to this report. Yeah, it is a bad deal. I would recommend taking a look at the Coveware report, it's really good, has a lot of interesting stuff, talks about the merits of outlawing ransomware payments. Could you criminalize that for companies? Would that further decrease these things? But here's my question. As these ransomware payments start to go down, right, and these ransomware gangs or actors start making less and less money, what are they going to do next? Now, we've already seen one thing they do next, right, where they look in the data and then they go after the people in the data and start extorting them.
Maria Varmasis
Yep.
Dave Buettner
Right, right, right. I mean, a lot of them aren't even bothering to encrypt anymore. They're just doing straight extortion.
Joe Kerrigan
Yes, that's right.
Maria Varmasis
Yeah. I mean, I would think surgical strikes might also, as you sort of. In that, in that vein, surgical strikes might be very interesting, but that's sort of what they've always done, too. So, I mean, the ransomware was always, for the most part, casting a broad net. Right. So if that doesn't work for a while, go back to what they used to do and be a little more targeted.
Dave Buettner
Yeah. I wonder too, about the amount of influence that insurance has on this, because on the one side, you would think that organizations that have insurance, they would be more likely to pay because it's not coming out of their pocket. But on the other hand, these days, in order to get insurance, you really have to up your game when it comes to proving to the insurance company that you have all sorts of things in place that will help keep you from getting ransomware in the first place. And that, to me, seems like a bit of a virtuous circle.
Joe Kerrigan
Right? Yeah, it does. That is a good. A good. I never heard the term virtuous circle. That's a new one. And now my mind's stuck on it.
Maria Varmasis
That's a nice phrase.
Joe Kerrigan
It is. But I'm also wondering, as you're talking about that I'm wondering if these insurance companies are saying that we're not paying the ransomware guys, we're just going to pay for you to restore your data because, number one, we don't know if you get your data back, and number two, we don't want to finance them. And we know that over the long term this is going to be the way to go to reduce risk is to take the profit motive out of it.
Dave Buettner
Right, right. That's an interesting way to think of it, that your insurance company is your. Is your partner in getting your data back, whichever path you take on that journey. Right, yeah. Interesting.
Maria Varmasis
That's an interesting idea.
Dave Buettner
All right, well, we will have a link to the report here in the show notes, and again, we would love to hear from you. If there's something that you would like us to cover here on the show, you can email us. It's hackinghumans@thecyberwire.com. Before we get to our Catch of the Day, we are going to take a quick break to hear from our show sponsor. Back to the concept of integrations. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, Cisco and dozens of others. SecurityCoach analyzes alerts your security stack generates to identify events related to any risky security behavior from your users. With this information, you can set up real-time coaching campaigns to target risky users based on those events from your network, endpoint, identity or web security vendors. These campaigns enable you to coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. With 35 integrations and counting, SecurityCoach delivers the insight you need to improve your organization's security culture. Learn more about SecurityCoach at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. All right, we are back, Joe. It is time for our Catch of the Day.
Joe Kerrigan
Dave, our Catch of the Day comes from William, who writes, "I received this phishing scam the other day. Obvious scam to the trained eye. But if your business does a lot of social media business, this is really scary." And this is a Facebook Messenger scam.
Dave Buettner
Okay, it goes like this. Important notification. Your Facebook page is scheduled for permanent deletion due to a post that has infringed upon our trademark rights. We have reached this decision after a thorough review and in accordance with our Intellectual Property Protection policies. If you believe this to be a misunderstanding, we kindly request you to file a complaint seeking the reinstatement of your page prior to its removal from Facebook. And there's a link to the request for review. We understand that this situation may impact your ongoing business operations. However, please be informed that if we do not receive a complaint from you, our decision will be final. Your cooperation and understanding are greatly appreciated. Should you have any inquiries or apprehensions, please feel free to reach out to us. Sincerely, Facebook Support Team Copyright no Reply.
Joe Kerrigan
Facebook, Meta Platforms, Incorporated, Attention: Community Support, 1 Facebook Way, Menlo Park. I can never remember which park it is, and I'm reading this and it looks like it's Menlo. Yeah, this is obviously fake. Actually, I saw somebody on my Facebook feed post about this and say, is this real? And I said no, definitely a scam.
Dave Buettner
Yeah, but I can see what's going on here. I mean, particularly if you are relying on Facebook for some or part or all of your living. And I suspect what they're doing here is they're getting you to a fake Facebook login.
Joe Kerrigan
Right. I would bet exactly what they do. And then you log in and then they go in, they steal your page and then they kick you out as an administrator.
Dave Buettner
Right.
Joe Kerrigan
And now they have all your followers.
Dave Buettner
It's interesting to look at the URL here, which goes to.
Maria Varmasis
I was just thinking that.
Dave Buettner
Go on Maria, to describe it for me.
Maria Varmasis
I was just at the end of it. There's a tracking parameter at the end of the URL. I think it's a tracking parameter. Certainly looks like one. The question mark, FB equals meta. Which seems to imply to me that this is like a really broad campaign and they're trying to get some stats on where they're getting people to click from. That's kind of amazing to think, if that's what that is.
Dave Buettner
Right.
Joe Kerrigan
That is, that is a. A parameter gets passed along with the. With the URL string.
Dave Buettner
Yeah. What caught my attention is that instead of going to Facebook, it goes to some website called cake.com, and instead of an A in cake it's the number eight. So it's k.com or something. Yeah. Cake.com. Yeah. Lots of red flags, but certainly worth looking out for.
Joe Kerrigan
My sister's name is Kate and she used to, when she was a teenager, Sign her letters K8.
Dave Buettner
Yeah.
Maria Varmasis
Oh yeah.
Dave Buettner
Did she dot her I's with hearts?
Joe Kerrigan
No.
Dave Buettner
Okay, good.
Maria Varmasis
Maybe when she was younger.
Dave Buettner
Yeah, that's right. That's right. We want to thank all of you for listening, and of course we want to thank our sponsors at KnowBe4. They are experts at enabling a fully integrated approach to security awareness training. All right, well, that is our show. We want to thank all of you for listening, and of course we want to especially thank our special guest, Maria Varmasis. She is the host of the T-Minus podcast right here on the Cyberwire podcast network. You can find that wherever your podcasts are listed. Do check it out. It is quite good. I enjoy it every day. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. A quick reminder that N2K Strategic Workforce Intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. This show is edited by Trey Hester. Our executive editor is Peter Kilpe. I'm Dave Buettner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Varmasis
And I'm Maria Varmasis.
Dave Buettner
Thanks for listening.
Podcast Information:
The episode opens with Dave Buettner welcoming listeners to the Hacking Humans podcast, joined by Joe Kerrigan from the Johns Hopkins University Information Security Institute and returning host Maria Varmasis. The trio delves into recent listener feedback and follow-up stories.
Gift Card Scams: Joe shares an insightful anecdote from a listener involved in gift card theft:
"I know people who would shoplift the gift cards off the rack and bring them back home and then scratch off the scratch off that little part under the silver part." (02:35)
The discussion reveals a sophisticated method where scammers steal gift cards, remove the scratch-off layer, record the numbers, and return the cards to shelves. They then sell these stolen balances online for a percentage of their value.
Multifactor Authentication Concerns: Dave raises concerns about Wells Fargo using SMS-based multifactor authentication:
"Wells Fargo is using this as a way to identify you. I find this strangely wrong." (07:03)
Recommendations: Joe emphasizes the importance of credit freezing and identity theft insurance, especially for vulnerable individuals:
"Never get out information again. On the inbound calls, just say hang up, I'll call you back." (10:20)
Guest Introduction: Maria introduces the episode's main focus on sextortion, a rising threat targeting minors through social media platforms like Snapchat, Instagram, and the teen dating app, Wizard.
Understanding Sextortion: Maria explains sextortion as a form of blackmail where criminals coerce victims into sending explicit material, subsequently threatening to expose it unless money is paid. This method leverages shame to manipulate minors, often leading to severe emotional distress and, tragically, suicides.
Scammer Tactics: Joe describes the organized nature of these scams:
"These guys have a script that they're following." (18:34)
Key tactics include:
Impact and Statistics: Maria cites a report from the Network Contagion Research Institute (NCRI):
"Incidents of this extortion crime have surged 1,000% over the last 18 months." (18:30)
Yahoo Boys: The discussion highlights a West African group known as the "Yahoo Boys," notorious for executing these scams using platforms like Yahoo Mail and leveraging social engineering techniques to target athletes and students.
Preventive Measures: Maria offers critical advice for minors and their guardians:
"Make sure that your child is not the only person that's involved in the financial decisions." (11:58)
Emotional Toll: Joe underscores the emotional devastation caused by these scams, emphasizing that victims are often left feeling isolated and humiliated:
"You're a victim, just like the bank is a victim." (10:20)
Phishing Email Trends: Dave presents findings from Cofense, a cybersecurity company analyzing 2023 phishing email themes. The major themes were finance (54%), notification scams (35%), shipping scams (7%) and response scams (3%); moderate themes included document, voicemail, travel, fax and legal lures; minor themes included benefit, tax, job application and real-estate closing scams.
Emerging Scam Techniques: Dave discusses the FBI's notice about scammers employing couriers to collect cash or precious metals from victims:
"They are hiring couriers to collect cash from people when they scam them." (30:23)
Scammers prefer valuable yet anonymous transactions, making precious metals an attractive option. This tactic bypasses traceability and complicates law enforcement efforts.
Scam Example: Joe shares a Facebook Messenger phishing attempt sent in by listener William, which Dave reads aloud:
"Important notification. Your Facebook page is scheduled for permanent deletion due to a post that has infringed upon our trademark rights." (41:59)
Analysis: The hosts break down the scam's red flags: a link that does not lead to Facebook but to a lookalike domain with a digit substituted for a letter, a campaign-tracking parameter on the URL, and a message impersonating Facebook support that most likely leads to a fake login page used to hijack the page and remove its real administrators:
"Instead of going to Facebook, it goes to some website called cake.com... Lots of red flags." (43:31)
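The checks the hosts apply by eye to that link (is the host really the brand's domain, does the domain spell the brand with a digit swapped in, is there a campaign tag on the query string) can be scripted. The block below is an added example, not code from the podcast or from any of the vendors mentioned; the legitimate-domain list is an assumption, and the sample URLs are constructed for illustration, with `c8ke.example` standing in for the digit-for-letter domain described on the show rather than the real one.

```python
"""Triage a link from a "your page will be deleted" style message.

Added example (not from the Hacking Humans page). The LEGIT table and the
sample URLs below are assumptions/constructed inputs, not data from the show.
"""
from urllib.parse import urlsplit, parse_qs

# Assumed: registrable domains a real message from this brand could legitimately link to.
LEGIT = {
    "facebook.com": {"facebook.com", "fb.com", "meta.com"},
}


def registrable_domain(host):
    """Naive registrable domain: last two labels (no public-suffix list, by design)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_link(url, claimed="facebook.com"):
    """Return host, registrable domain, query parameters and a list of red flags.

    Flags raised:
      * host is not one of the brand's legitimate registrable domains
      * brand name appears as a subdomain of an unrelated domain (facebook.com.evil.example)
      * a digit inside the registrable label (the 'c8ke'-for-'cake' trick)
      * link is not https
    Query parameters are returned so a tag like ?fb=meta can be read as a campaign marker.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    base = registrable_domain(host)
    allowed = LEGIT.get(claimed, {claimed})
    findings = []

    if base not in allowed:
        findings.append(f"host {host!r} is not a {claimed} domain")
    brand_word = claimed.split(".")[0]
    if brand_word in host and base not in allowed:
        findings.append("brand name used as a subdomain of an unrelated domain")
    if any(ch.isdigit() for ch in base.split(".")[0]):
        findings.append("digit inside the registrable domain label (lookalike spelling)")
    if parts.scheme != "https":
        findings.append("link is not https")

    return {
        "host": host,
        "registrable": base,
        "query": parse_qs(parts.query),
        "findings": findings,
    }


def is_suspicious(url, claimed="facebook.com"):
    """True when any red flag is raised; the intended use is 'do not click, go to the site directly'."""
    return bool(analyze_link(url, claimed)["findings"])


if __name__ == "__main__":
    # Constructed samples: a lookalike with a campaign tag, a real brand URL, a brand-in-subdomain lure.
    for sample in (
        "https://c8ke.example/request-review?fb=meta",
        "https://www.facebook.com/help",
        "http://facebook.com.page-appeal.example/login",
    ):
        report = analyze_link(sample)
        print(sample, "->", "SUSPICIOUS" if report["findings"] else "ok", report["findings"], report["query"])
```

The registrable-domain helper is deliberately naive (it would call `example.co.uk` the domain `co.uk`); swap in a public-suffix list for production use. The point the example makes is the one Dave and Maria make on air: the decision rests on the registrable domain, not on whether the word "facebook" appears somewhere in the link, and a query tag such as `fb=meta` is a sign of a campaign measuring its own click-through.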
Prevention Tips:
The episode concludes with the hosts reiterating the importance of vigilance against evolving scams. They emphasize educating oneself and loved ones about the latest fraud tactics and adopting robust security measures to mitigate risks.
Final Advice: Maria urges parents to foster open communication with their children regarding online interactions:
"Tell your children, tell your teenage contacts that those friends lists are available to a potential extortionist." (24:58)
Hosts' Sign-Off: Dave, Joe, and Maria thank listeners for tuning in, highlighting the critical nature of staying informed to protect against sophisticated cybercriminal activities.
Final Note: For more insights and to stay updated on the latest in cyber deception and social engineering tactics, visit Hacking Humans and consider subscribing to the podcast on your preferred platform.