A
You're listening to the CyberWire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.
A
Hi, Dave. And hi, Joe.
B
We've got some good stories to share this week. Why don't we jump right in here? I'm going to lead things off for us with a question for both of you.
C
Okay.
B
Have either of you ever done any modeling?
C
Yes, I've done modeling. For slouchy fat guy clothes. No, I've never done any modeling, Dave.
A
So Costco's got your number. Is that my understanding? We love Kirkland in my house. I'm just saying.
C
I was looking for my Kirkland jacket this morning. Couldn't find it. Yeah, it was a little cold out.
B
Yeah.
C
So I put on my Cyberwire jacket.
B
Okay.
A
Maria, it will shock you to hear I have never modeled in my life. I know it's very hard to believe.
C
That does shock me. What? Thanks.
B
Well, I have done some modeling.
C
Oh, have you? Okay, I'm sure you have. Yeah.
A
Actually, yes. I feel like you told. This is one of your two truths and a lie thing.
B
Yeah, yeah. When I was a child.
C
That's right. You were in a. I did modeling.
B
And I did some. I did some TV commercials. I did, you know, did a lot of theater and things like that, but I did some modeling for clothing, some catalogs and local clothing stores and things like that.
C
Were you ever in the J.C. Penney's catalog?
B
No. Or the Stars Kettlebell? I don't think so. I don't think I was the big.
C
Show, as they call it.
B
It's hard to remember. And back then, it was a lot harder to gather things up that you did because, you know, they didn't. They were ethereal. They're. You know, you do a modeling job and it would be posted in some Roy Rogers restaurant in Connecticut, and you'd never get a job, you know, a copy of it or anything like that. It just didn't work that way. So.
A
I do have a Ray Rogers.
B
Yeah.
C
Roy Rogers with Dave Bittner on the wall.
B
Yeah.
C
I need to find it.
B
Yeah, I have one. And, well, anyway, I don't want to. I could go down a story rat hole. I'm not going to do that. I did that last week, poker story.
A
So come on, it was a good one.
B
We've had enough of that. But my scam this week comes from the BBC, from the Biebs. And this is about modeling scams, which is not a new thing. There have been lots of modeling scams, but the modeling scam folks have shifted gears a little bit and now they're targeting seniors. Huh.
A
Okay.
B
Yeah. So, Joe, your day may come yet.
C
Yeah, when I get model scammed, I'm probably not gonna actually get legitimately asked to model.
B
So this story follows a couple of senior citizens. We've got a 79 year old young lady named Judy Corker, which is a very British name if there ever were one.
C
Yes.
B
73 year old Roland Parker, who fell for a modeling scheme that was aimed at older adults. And what happened was there were social media platforms. I'll let you have three guesses which platform you think it was on.
C
Hold on, hold on, wait.
A
So 73 and 79 or how old?
B
79 and 73, respectively.
A
They've gotta be on TikTok.
C
So, yeah, I was gonna say Maria, do you wanna say Facebook or do you want me to say Facebook?
A
Yeah, Zuck's ears are burning.
B
Right, so there were ads that were claiming that there was a shortage of mature models and inviting people to apply. And so they thought to themselves, well, why not? And so they applied to be models and of course they were greeted enthusiastically. Oh, my gosh, yes, the search is over.
C
Right. You are exactly what we're looking for.
A
You're gorgeous.
B
Right, right, exactly. And so what they were invited to do was to go have some professional looking photo shoots, but they had to pay up front for, for their portfolio images. And they were charged ahead of time, between 2 and 300 pounds for these portfolio images. Now, I don't know what that is in real money, but it's a lot. Right, so the problem is they would show up at the photography studio and the photography studio had no idea what they were doing there. So there was a legit photography studio. The scammers would say, we need you to pay in advance to have these photos taken. Here's the studio where you're gonna go, you're gonna show up at this time. So imagine you're the victim and you're saying, all right, well I can Google the studio. Look, there it is. Well, that's a real studio, so this must be legit. And they show up at the studio and the person running the studio is like, I have no idea why you're here? No, we are not booked and no money was given to me. So you've been scammed. So the gentleman, Roland Parker, he lost about 1,000 pounds through using PayPal's friends and family payments, which is.
C
You can't get that back.
B
That's what this story points out, right?
A
Yeah.
B
So Judy got her money back because she used PayPal's goods and services option. So do either of you have any insight here on what the. I'm not familiar with this.
C
So, yeah. So there's, there's two different ways you can send money. Yeah. It's a toggle. On PayPal, you send money via friends and family.
B
Yeah.
C
That is not business oriented, allegedly. It's not supposed to be business oriented. It's supposed to be like, hey, I need 50 bucks. Can you send this man PayPal? Sure. Here you go.
B
Right.
C
And then the other one is I'm going to pay for a service online. And in that one, the merchant will pay fees to collect that money.
A
Yes.
C
So if you send them 500 bucks, they'll get like $470.
A
Yeah, yeah. And then, so a lot of small businesses will tell you, please don't use that option. Please use friends and family instead. So none of us pay fees.
C
Right. That's probably against the PayPal terms of use.
A
Oh, 100%. It is. Thank you.
C
Legal.
A
Yes, it is. 100% it.
C
But here's, here's a drawback. When you, when you send using the pay I'm paying a merchant thing, you get purchaser protections like a credit card, very similar to a credit card.
B
Right.
C
When you send to friends and family, you don't get that protection. That money is gone. So. And that's why there are no fees, because you're not, you know, or rather I should say that's why there are fees on the other one. Yeah. Because you're paying. You're paying. I just realized I may have gotten scammed on something.
B
Oh, no.
C
I'm sitting here thinking about real time.
B
Real time scamming on something.
C
My wife. Yeah, I did, because my wife bought something online and we paid with PayPal.
B
Yeah.
C
And it hasn't arrived yet.
B
Oh, dang.
C
Wait a minute. I just remembered the last time we used PayPal was to pay for that thing, and I haven't seen it yet.
A
Is it coming from overseas, though?
C
I don't know where it's coming from.
A
Yeah.
C
So we're gonna try to get that money back anyway. That was why I, like, sound like I was having a stroke.
A
Something.
C
Something just came into my head and.
A
I'm like, went off. Yeah. Wow.
C
So, yeah, so yeah, if you use, if you, if you pay like you're paying a merchant, when, when a merchant says, hey, just send it friends and family, you tell them, no, no, I'm sending it with the merchant thing because I want my protections.
A
Okay.
B
So that could be a red flag if a merchant asks you to use the friends and family payment.
C
Absolutely.
B
It's yours. A lot of them theirs, correct?
A
Yeah, a lot of them do.
B
Interesting. So they have a couple of tips here to help protect yourself. I think these are pretty straightforward. They say, never pay up front for work, verify the agencies, use secure payment methods, avoid rushed decisions, and report fraud if it does happen to you.
C
They say report it to Action Fraud, which is the UK's fraud reporting tool.
B
Right.
C
We would say report it to, good luck, IC3.
B
Yeah.
A
Report it to. Yeah, yeah. This, this scam has existed. I remember that when I, in the 90s, when I turned 16, my friends and I, all around the same age were basically joking that we would all get this postcard in the mail. And this is real. Like as soon as you hit 16 years old as a girl, you would get this postcard saying you want to be a model. And it was the same idea. You paid, your parents would pay up front. And of course it was a guarantee. You'd totally get picked up by Ford or some major agency. It was always a scam. So my friends and I would look forward to who would get the scam postcard next. This is the 90s we knew about, right?
B
Yeah, yeah.
A
So it's.
C
I would have told my daughter. This doesn't say, do you want to be a model? This says, do you want to get kidnapped and sent overseas and never heard from again? That's what it sounds like to me.
A
Well, it was just a scam. That version of the scam that my friends and I all would receive was the. You're paying somebody to take your picture for an exorbitant amount of money and you're never going to become a model for every reason you can imagine.
C
Right.
A
It was just a ripoff, but people always did fall for it.
C
Oh, that's why you got the postcards.
A
Yeah. Of course, they had marketing budget, wasn't cheap. Yeah. I'm amazed this scam is still around, to be honest. But I guess it works.
B
Yeah. One time.
A
Oh, no, here's the story.
C
There it is. This is different.
B
It's a different story, but it's a story of its time. That is in retrospect, horrible, but also hilarious.
C
Those are my favorite. Hey, you know what, Dave? Tragedy plus time equals comedy.
B
There you go. So my mom gets a call from this producer who had hired me to do lots of things. And you have to remember that back then you had your landline telephone in the home and that was it. You know, there was no texting, there were no mobile phones. So my mom gets a call from this producer who's just a piece of work. He's like, you know this guy straight out of New York and he's like, listen, I got this job.
C
You can almost see him pumping his arms with the cigar in one hand.
B
Right? Exactly. Balding comb-over, plaid jacket. Yeah. He's like, look, I got this job I think young David would be perfect for is from muscular dystrophy. My mom is like, my son doesn't have. I know, I know, but he can look sad. Here's what we do. We bring him in, we put him in the braces, we have the little crutches, he makes a sad face, everybody wins.
C
Is that what he said? Yeah.
B
My mom was like, okay, okay. Yeah. My mom was like, okay, so you know, we get scheduled everything. She's like, David, you can make a sad face, right? I'm like, of course, yeah. Look at this. Oh, oh, yeah, yeah, here it is. Oh, look at her bottom lip.
C
Because people with muscular dystrophy are always sad.
B
Well, so there's that. Yeah, right. There's complete drainage of joy in any moment of their lives. So like the day before this shoot is supposed to happen, we get a call from the producer, like, ah, look, who would have thought they want an actual kid who has MS or MD, you know, like, oh, well, maybe next time. Sorry.
C
So Jerry Lewis called and he's really upset.
B
Easy come, easy go. You know, again, in retrospect, probably best that it did not happen.
C
Absolutely. Dave, one thing that would not be good for you today is to have one of those pictures surface. Right, right.
B
Yeah, exactly. Exactly. Alright, that's my story this week. We will be right back after this message from our show sponsors. And now a word from our sponsor. ThreatLocker. The powerful zero trust enterprise solution that stops ransomware in its tracks. AllowListing is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker. Joe, what do you got for us?
C
Dave, my story comes from ABC News and Jay O'Brien and Lucian Brugman. Anyway, they have a story that is that the headline is ATM Bitcoin ATMs increasingly used by scammers to target victims, critics say. And the sub headline is like one of the quotes from the FBI in this story, and that is that in 2024, nearly $250 million were scammed out of people using Bitcoin ATMs.
B
Huh.
C
So I'm going to go ahead and as we always say, that number is probably low because there are crimes that don't get reported.
B
Let me pause you just for one second here, Joe, and ask you and Maria.
C
Yep.
B
Have either of you ever used a Bitcoin ATM?
C
Maria?
A
No, I have not.
C
Yes, I have.
B
Of course you have.
C
And I'm going to get into it at the end of this story or.
B
Towards the end of the story.
A
It feels like important context for this.
B
Yeah. I mean, there's one right up the street from where we're recording today. There's like a gas station, convenience store. And as you walk in, there's a bitcoin atm.
C
Is it a Royal Farms?
B
Yes. Yeah.
C
Because they have Royal Farms has Bitcoin ATMs everywhere.
B
Okay.
C
Or every time I walk in there and I'm like, I got $10, I could buy some bitcoin. But I'll tell you why I don't do that. Anyway, so the crypto in particular has been, or in these ATMs in particular, rather have been the number one way that scammers are trying to get access to people's money. This is according to Amy Nof, Nofziger. Nofziger. That's a tough name to say. Nofziger. She is, Dave. She's a friend of yours and mine. She's the Director of Fraud and Victim support at the AARP. And apparently Maria, who got her first AARP letter at the time when I was 29.
B
Right.
A
Yeah. Really not great.
C
But anyway, last month, the Washington, D.C. Attorney General's office sued Athena Bitcoin, which is one of the bitcoin ATM machine purveyors, one of the larger ones, saying that they are pocketing hundreds of thousands of dollars in undisclosed fees and on the backs of scam victims. So this lawsuit claims that 93% of transactions on Athena's devices in the District were the product of outright fraud, and the median age of victims was 71 years old. So we've all seen these scams, and there's a story in this story about a woman who is being scammed out of money, as you know, and it's got a good ending. So I'm going to get to that in a minute. But, you know, she was pumping money into a bitcoin ATM. Brenna Bird is the Attorney General in Iowa, and she filed a similar lawsuit earlier this year against two major players, Bitcoin Depot, which makes a lot of sense, right? Bitcoin Depot. You're going to piggyback off other, you know, Dome Depot, Home Depot, sure. And the other one is CoinFlip, which is a pretty good name, I would think, for a digital currency thing. And she accused them of being a silent partner to many of these scammers preying on Iowans, taking a cut of each scam with its excessive and deceptive bitcoin ATM fees. Now, Bitcoin Depot and CoinFlip have both denied the claims in court and in statements to ABC News. Bitcoin Depot says the vast majority of our transactions are legitimate. We are. That they are one of the few operators in the bitcoin ATM space to proactively require ID, even for the smallest transactions. And that customers receive up to four scam warnings before completing purchase. Okay, I get that. And that's good. I don't know if these laws are gonna do anything about these lawsuits are gonna do anything about this. I think the fees are really high. In fact, I'll say they're so high that I'm a little bit suspect.
Because originally I was like thinking to myself, originally I was thinking to myself, you know, when I was doing this story, I was like, these businesses or these Bitcoin ATMs offer a legitimate need. I've even used this service in the past. But then I think back to the one time I used a Bitcoin ATM. I put $5 in and they were like, ooh, which cryptocurrency would you like? And I'm like, I know if I buy $5 of Bitcoin, I'm going to be waiting days for that to show up in my wallet. Because that's not a transaction that does a lot. It gets a lot of attention on the blockchain in the pool. I'm going down to the weeds here. So I went with a different coin. I went with Litecoin and I put it directly into my non custodial wallet. It was on my phone and I put in $5 into the ATM and I got $3.50 in Litecoin. Now that went into my wallet, $3.50. I looked it up. I still have that litecoin, it's now worth about $6. But in order for me to recoup my $1.50 in fees, or more importantly, 30% in fees, it took me probably four or five years to get that, to get that back out in litecoin price changes. And by the way, I'm not advocating anybody invest any money in any cryptocurrency, and I'm certainly not investing, telling you to invest in it at a bitcoin atm.
B
Right.
C
Because my question about this is I keep most of my cryptocurrency on an exchange. When I buy cryptocurrency or sell cryptocurrency on that exchange, my fee is less than 1%. It's very small.
B
Yeah.
C
And that exchange has to make some money. These bitcoin ATM operators also have to make some money too, but they don't need to make 30%. I could also on the exchange, pay a flat fee and get free trades, which would be great if I was an active bitcoin or cryptocurrency trader, which I'm not. I have some standing sell orders for when the cryptocurrency goes through the roof and I cash out. But these high fees seem to me that there may be no legitimate business purpose behind these ATMs. So the model of somebody walking up pumping $10 or $50 into a, into a Bitcoin ATM so they can get $7 or, or, or what, $40 worth of, of bitcoin or cryptocurrency, it doesn't seem like it works because I could just as easily wire that money to that exchange, buy the cryptocurrency on the exchange and for free, transfer it to my non custodial wallet and be walking around with it on my phone.
B
Mm.
C
It's entirely possible for me to do this at a much lower cost. These Bitcoin ATMs don't have, they're not completely anonymous. Like, like, which was a bit depot was saying, hey, we require a photo of the ID of the person using the, the, the atm. And we also, when I use it, they required my phone number and had me enter a verification message sent to my phone number via text. So I had to cough up some personally identifiable information to use this thing. So they're not anonymous, they're not offering anonymity as a service. It seems to me like they're. And this is me and only me and my speculation that the majority of the purpose of these things is helping people commit scams or helping people launder money like I'm a drug dealer, and I've got to get a bunch of money into the system. I'll just go pump this drug money into a bitcoin atm, and then I'll have a different problem, a different money laundering problem, but one is much more manageable.
B
Yeah, in, in.
C
And I'm not walking around with a big stack of cash. I've got my money cryptographically secured, all the other things, and it only cost me 20, 30%. So I'm not saying that. That. That these companies intentionally do this, but I'm saying that this is an artifact of. Of this system that's set up. So this article also quotes a man named Adam Zarazinski, who is the CEO of Inca Digital, which is a cryptocurrency forensic. Forensic firm. And he was asked, do you think these companies know that in large part their ATMs are being used for scams? And he said, they either know it or they're turning a blind eye. Yes.
B
Yeah.
C
So, I mean, if you're turning a blind eye to it, doesn't that mean you kind of know it?
B
Well, yes.
C
Right. So the story, the personal story in here is Fran Bates, who is, I think, 71 in June of 2024, was actively getting scammed out of money. She was in the process of feeding $23,000 into one of these machines because some scammer had called her and said that your bank is in the process of being virtually robbed. You need to get your money safe. Now go buy some bitcoin and send it to me. I'll keep it safe. But somebody named Mindy Jordan, who is another customer at the gas station, noticed Ms. Bates shoving the money into the Bitcoin ATM and walked over and said, hey, what are you doing? And Ms. Jordan called the police. Now, why did Ms. Jordan know that this was a scam? Because she had also been victimized by something like this. So she immediately recognized this was a scam. Fortunately, I'm very happy Mindy Jordan was there to stop this from happening. When the cop got there, he stopped everything from happening. And the woman was able to get her money back because she actually hadn't sent the cryptocurrency to the bad guy yet. She had bought the cryptocurrency on the atm, but she was able to get most of that money back.
B
Wow. So what do we suppose the solution here is? I mean, well, first of all, is this a result of the lack of regulation in the bitcoin arena?
C
One of the things about cryptocurrencies is that they are naturally resistant to regulation. That's kind of why they were started. Right. There is no central banking authority behind, like, bitcoin or ethereum or ether or whatever. So they're designed to be protected against regulation. So. Yeah, yeah.
B
But the device is sitting in a retail store.
C
Correct.
B
So it's plausible for me to think that the FTC, for example, could say, hey, no more Bitcoin ATMs. Bitcoin ATMs are only going to be in banks.
C
Some. Some jurisdictions. The story does mention that some jurisdictions have just straight up outlawed cryptocurrency ATMs. Okay, so you could do that. The other thing we can do as citizens, vigilant hacking human citizens, is if we see somebody who you think shouldn't be using a bitcoin atm. You know what I mean?
B
Yeah.
C
Someone who looks like me putting $5 in. Somebody said, hey, what are you doing? I'm just buying a little bit of cryptocurrency for myself. Some spending crypto, I don't know.
B
But isn't that the thing? I mean, anyone who is seriously invested in crypto. Yeah.
C
They don't use these ATMs, right? Absolutely not.
A
So I didn't want to say it, but my attitude is nobody should be using these things. So since we're going there, I mean.
C
That's kind of what my point is, that there's no reason to pay a 30% fee on these things.
A
Yeah. Every bitcoin ATM I have seen and where I live anyway, is in the seediest, nastiest place. So, like, nothing about it engenders confidence that this is a good idea. I'm not saying crypto in general. I'm saying the bitcoin atm, just to be clear. And I'm just. It just seems like they're made to prey on people. I just. I'm sure there are people who use them for good reasons, but they. It just. It's like a red alert, do not touch. As soon as far as I'm concerned, like, it's a hot stove. Don't go near it.
B
Yeah, yeah. No, I've never used one. Well, so another question I have, Joe, which I don't know if you have the answer to this or not, but is. Is it actually a percentage or is it kind of like a regular ATM where it's a flat fee? Yeah, it's a flat fee. So, you know, if you withdraw $20 and it charges you three bucks, it's a higher percentage than if you withdrew $200 and it was still three bucks.
C
Right. Yeah, that's, that's a good, good question. I don't know the answer to that. I think it's a fee plus a percent.
B
That makes sense.
C
Yeah.
B
I mean, they're going to take everything they can because they're unregulated.
C
Yep.
A
And the transactions are probably small overall.
C
Well, except for these really big ones.
B
Well, like, so this. Wow. Wow. That's the kind of insights we count on you to.
C
What I mean when I say that is the scam victims. You know, this woman was pumping $20,000 into an ATM.
B
Yeah.
C
That's a big transaction.
B
Yeah.
C
There's another legislation in here that's been proposed to cap the amount of money that would at least limit the damages. The problem with that is if you're capping it, it's going to be a daily cap. All that means is that these scammers just keep calling back and it won't stop them because $300 is still $300. They'll take that. Right. Whatever the cap is. But yeah, you could mitigate the amount of money that people lose, or at least the rate at which they lose it, and maybe provide the opportunity for someone else to jump into the scam system there and break it up and execute on the kill chain somehow.
B
Yeah. Well, I continue to wonder how long is it going to take or will it ever happen that the global financial system says enough. With just the amount of scamming that is enabled by cryptocurrency, it is the weapon of choice.
C
Yeah. All they'll be able to do is take the average person's ability to use it away. Because you can't stop somebody from using cryptocurrency. If I hear that's coming, I'm putting all my stuff in a non custodial wallet and I'm having it at my house or someplace else. Maybe I won't keep it at my house. Maybe I'll keep the key somewhere so nobody comes and gets my crypto. I don't know. Maybe I'm getting a little too paranoid about this.
B
I mean, wouldn't it be the same as like when one day Confederate money stopped being worth anything? If the global financial system says we're doing away with this and it no longer has any value, it no longer.
C
Has any value to them. You're right. It would collapse the value of a lot of these cryptocurrencies. Currencies.
B
Correct.
C
Yeah, but it wouldn't make them worthless. People would still be trapped. Because you remember when Bitcoin started, when it was like 25 cents a bitcoin.
B
I've still got some valuable beanie babies, Joe. Yeah.
C
There were no exchanges there.
B
All right, let's take a quick break here. We will be right back after this message from our show sponsors. And now back to our sponsor, ThreatLocker, the powerful Zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on Endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are allowlisting, Ring fencing and network control. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class Endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans. And we are back. Maria, you are up. What do you got for us this week?
A
I have a story that's kind of icky, but it's one that our listeners should know about. It comes from our friends at Bitdefender Labs and they're tracking a new scam going through WhatsApp. And for once...
C
I'm going to interrupt and say this: from time to time, we have to talk about these icky scams. It's better to talk about them and put them out there and let people know about them than to ignore them.
A
Of course, yes. And that is definitely one of the goals of the show is to let people know about it.
C
You're taking one for the team this week, Maria, thanks.
A
You're welcome. I was admittedly kind of fascinated by this one because of where it's localized. So for once, even though the three of us are based in the States, this is not a scam that is hitting the United States at large just yet because it's a WhatsApp scam and it's not as used as widely here in the States. This is actually largely in Central and Eastern Europe right now. So this specific scam, Bitdefender is calling the "Vote for My Child" scam, and apparently it's spreading fast across all of Europe, but especially Central and Eastern Europe. So this WhatsApp scam, it tricks users into handing over their verification codes and then by doing that, they will lose control of their WhatsApp account. And the scam that gets them is a voting contest for a child who is either a dancer or a gymnast and has entered a contest. So Bitdefender, in tracking the scam, said there were 177 fraudulent domains, over 550 unique URLs that are linked to this campaign. And they are mostly like. Almost half of them are targeting users in Poland, and the rest are in Romania and Germany largely. And there are some smaller clusters targeting users in Spain, the United Kingdom, a few in the US. So it is making its way here and also Kazakhstan. So the Bitdefender has some screenshots of this, this, this scam. And I, it just, it gave me the ick when I looked at it, because the pictures of these largely little girls are just like. It just gives me. They creep me out. I don't know if they're real photos or not, but they're in, like, gymnastics or dance poses. It's a little. It's just icky. And the. The message comes across on WhatsApp from a friend supposedly saying they're helping a friend of a friend's child try to win a scholarship or a competition. So just vote for them and they've got a better chance. And these scams are all over social media. Actually, they're not always scams. Sometimes there are actual voting campaigns. Hey, my.
My coworker's daughter is trying to get a scholarship to a dance camp. That's really pricey. If you. She wins this contest, you'll be able to pay for it.
B
It's.
A
It's great. Like, I see these all the time, and I presume they're legit. I don't vote in them, but I do presume they're legit. But, yeah, the idea is that if you're trying to help somebody out, do them a solid by voting for their. Their adorable kid and look at them in that very cute costume. Then you hand over your WhatsApp account, which is not great because a lot of businesses, especially in Eastern Europe, rely on WhatsApp to do their jobs. So the scam works this way. You get that message saying, please vote for a friend of a friend's kid. And here's the contest page. The page goes to a very realistic phishing voting site with lots of vote buttons. And again, it is localized. So none of this is, from what I can see in the Bitdefender post, none of this is in English. So for many people, that's like the red alert. If it's an English page. If it's a Polish campaign, it is written in Polish. So it is fully localized. So that may get some people feeling like it might be a little more trustworthy. And again, the photos on these just give me the ick. And then to cast a vote for the child who may or may not even be real. I doubt the real. You are asked to enter your phone number and your WhatsApp verification code. So I presume this is your WhatsApp phone number specifically. And once entered, the attackers then use that code because you're giving over the keys to your WhatsApp kingdom. And then they can hijack your WhatsApp account. And then the scam proliferates because they hijack your WhatsApp account and they start sending those messages out to your contacts. So they will often resend that fake contest link to your contacts, and then they will escalate it into money fraud. Asking money under maybe urgent pretenses. And the. The amount of money asked for is usually what we would consider maybe on the smaller side, maybe up to €400. But if you can broadcast this out, that's a lot of money that they can make pretty quickly. 
And a lot of people are falling victim to this one, mainly because it is being spammed up by your contacts from a. From a hijacked WhatsApp account. So until somebody tells you, hey, don't trust that message, because my WhatsApp got hijacked, you might think this is legit, right? And especially if you're maybe an older person, apparently, that's sort of the idea. Like seniors who are trying to look out for their grandkids or their friends' grandkids, they might think, what's the harm in helping out, you know, my neighbor's grandkid or something by voting for them. And they look so adorable. And, you know, they. They deserve to go to that dance contest and all that kind of stuff. So the familiar names engender trust. And maybe folks are not as familiar with these scam tactics. And again, in my opinion, if they're seeing stuff that's written in their localized language, they may be more likely to trust that this is real and not fake. So it is a good time to remind people that you definitely never want to share your WhatsApp verification codes, ever, ever, ever. Not even with friends or family. And if you can figure out how to enable two-step verification in WhatsApp, or if you can get someone to help you with that, you definitely want to. Yeah. So this scam is nasty. It's gross. I don't like it.
B
Yeah, I was looking at some of the pictures here, and you're right. They're just.
A
They're icky. I don't know how else to put that. Like, it's just. It's icky. So just. Yeah. And my thing with WhatsApp is in the States, we don't tend to use it as much. So it's not really these kind of scams for us kind of go, like, what's the big deal? But when you're in other parts of the world, that is the way of contacting people for business. Like, you don't see phone numbers posted. You will see specifically, here's my WhatsApp contact info. And that is, that stands in for what we would consider like a website or an email. People say, just contact me through WhatsApp. So if you lose your access to that, it really is. It's pretty, pretty big deal.
C
So, so what's the end game?
A
They make money. They, they, they, they scam people. They take over accounts. And by. And by doing that, they then scam people out for money. They say, hey, maybe this kid specifically needs money to go to that camp. Can you send some?
C
Okay.
A
Or they, they now have that. Yeah.
B
So once they get access to the account.
C
Right. Then they start begging. And that's what you're talking about, the small amounts?
B
Yeah.
A
The Bitdefender says it's only about €400 per request, which is. It can be a lot of money, depending on where you're at. But, you know, a lot of times we think of tens of thousands of dollars on some of these scams, and €400 sounds like small potatoes, but if you're able to get a lot of people to donate €400. Yeah, that adds up fast.
C
Yeah.
B
You know what this reminds me of that grinds my gears is the scams that you'll see for pets that need to be adopted.
C
Oh, yeah, right.
B
In other words, similar buttons that they're trying to push here. Oh, look how cute. Oh, I, you know, I want to help. I want to be helpful. Everybody wants to be helpful.
C
Right.
B
And what bugs me about this is that I do love cute little animals, and I would love to help them. And now when I see a cute little animal thing on Facebook, the first thing I think of is it's probably a scam.
C
Right?
A
Yeah.
B
And that makes me sad because I like cute animals, and I would love to be able to help them. And I don't want to associate cute animals who need help with scams. But here we are.
C
Well, we gave the Internet to too many people, Dave.
A
Give it back to DARPA. We're done here.
C
That's right.
B
That's right. You need an edu email address from now on to or to use the Internet. So be it. All right, well, we will have a link to that story in the show notes. Joe, Maria, it is time for our catch of the day.
C
Dave, our catch of the day comes from the scam subreddit and it comes from a very important person, a VIP, if you will, whose initials are B.O.
B
Yeah, yeah. This is from Barack Obama.
C
Former President Barack Obama.
A
Not body owner. Okay.
C
Right.
B
Former President Barack Obama. Gosh, I really don't do a Barack Obama. I'll try to get his rhythms right.
C
I do a really good Bill Clinton, but I do not do a good Bill. Barack Obama.
B
Okay, so it goes like this. Hi, I found your details on Google and I've looked at your website and realized your website is in a great design, but your website's ranking could be much better. Where your keywords come up in the search on Google and other search engines, as they should. I can place your website on the first page of Google, Yahoo, Bing, and all the search engines. We can help get it to the first page. May I share a price list or quote with a proposal? Thanks and regards, Barack.
C
That's pretty good.
A
That was really good.
C
Pretty good cake.
B
Yeah. I mean, not bad.
C
Yeah. Pretty good on the cadence, the voice. But you have to. In order to do that, you have to be a really good impressionist. But yes, and Barack Obama's one of the harder ones to impersonate. I think.
B
I think that's true.
C
Yeah.
B
Yeah. So what do we got going on? First of all, Barack Obama's doing website or search engines.
C
He's got much more important things to do here than this.
A
Good on you, Barack. It's a little side hustle for the former president.
B
He's a helper, right? Yeah.
A
How many of these emails do we get a day, Dave? At N2K, I think I get like 10 for T-Minus. These, hey, we can help you with your SEO things.
B
Oh, yeah, yeah.
A
We got a gajillion of these.
B
Yeah, that's true. Yeah. And they usually start off with, hey, I hate to bother you. You got. Got a minute? You know, like, they're trying. There's. They're trying to, like.
C
It's like that agent from New York. Right. So hold the guy. Hey, I hate to bother you. You got. Let me talk to you. Right?
B
It's like forced, I don't know, affability or something.
A
It's unearned familiarity walking up to you.
C
In a crowd and they're starting to talk, but they're sending you an email. You're wasting your time. Right?
B
It's like somebody walking up to you and going, hey, hey, blue shirt. Hey. I like blue shirt. We're practically friends. Yeah, right.
A
Your website stinks. Your podcast stinks. Nobody knows you. Nobody likes you. But I can help you with that. Yeah, you won me over. Absolutely.
B
As the former leader of the free world, I can help get your webpage first. Oh, my gosh. All right, well, look, we would love to hear from you. If there's something you'd like us to consider for our catch of the day, you can email us. It's hackinghumans@n2k.com. Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com. And that is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Buettner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Podcast: Hacking Humans, N2K Networks
Episode: Scams that steal more than money
Date: October 16, 2025
Hosts: Dave Buettner, Joe Kerrigan, Maria Varmazes
This episode dives into the latest evolutions in scams and social engineering attacks, drawing from real news stories and listener submissions. The hosts explore how cybercriminals leverage human psychology to deceive, exploit, and steal—not just money, but also digital identities and trust. Highlighted are modeling scams targeting seniors, the meteoric rise of Bitcoin ATM fraud, and a particularly icky WhatsApp scam exploiting parental empathy. The team remains conversational and playful, but keeps a sharp focus on practical advice and red flags listeners should watch for.
[03:08 – 12:23]
- Shift in Target Audience
- Scam Execution
- Payment Protections & Tricks
- Prevention Tips
- Memorable Quote
- Anecdotes & Humor

[13:26 – 29:00]
- Explosive Use by Scammers
- Legal & Regulatory Backlash
- Scammer Tactics
- Why Are These ATMs Problematic?
- Host Insights
- Potential Solutions
- Host Recommendations

[30:11 – 37:48]
- Scam Details
- Consequences
- Why It Works
- Business Impact
- Preventive Advice
- Memorable Quote

[38:20 – 40:48]
- Listener Submission
- Scam Mechanism
- Memorable Moment
On PayPal Protections:
"When you send using the merchant thing, you get purchaser protections like a credit card… When you send as friends and family, you don’t get that protection. That money is gone." – Joe Kerrigan [07:09]
On Bitcoin ATM Fees:
"I put five dollars in and got $3.50 in Litecoin… that’s 30% in fees. Took me years to break even. There may be no legitimate business purpose behind these ATMs." – Joe Kerrigan [18:57]
On WhatsApp Verification:
"You definitely never want to share your WhatsApp verification codes, ever, ever, ever. Not even with friends or family." – Maria Varmazes [35:15]
| Segment | Timestamps | Key Topics |
|---|---|---|
| Modeling Scams Overview | 03:08–12:23 | Seniors targeted, payment pitfalls, prevention |
| Bitcoin ATM Scams | 13:26–29:00 | Regulatory action, scam mechanics, red flags |
| WhatsApp "Vote for My Child" | 30:11–37:48 | Account takeover, empathy exploitation |
| Catch of the Day: SEO Scam | 38:20–40:48 | Fake Obama email, SEO pitch scams |
For more resources and to report a scam, see the show notes or visit the official N2K CyberWire website.