A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hi, Joe.
C
Hi, Dave.
B
And also from N2K, the host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.
A
Hi, Dave. And hi, Joe.
B
We've got some good stories to share this week, but first let's jump into our follow up here. Joe, I think you're up first with follow up. What you got?
C
We got a lot of follow up, but I'll start with this. Jay messaged me and Dave on LinkedIn and sent a link to a post from Ivan Verkalets. I'm hoping I'm pronouncing Ivan's last name correctly, but Ivan is posting about an interface improvement that Robinhood has implemented. And this is a pretty big claim that Ivan makes: Robinhood just solved the $25.4 billion problem with a simple banner. I don't think this solves the problem, but I think this goes a long way. So if you are on the phone when you open your Robinhood app.
B
Okay. Robinhood is a financial app.
C
Right. You can open an account with Robinhood and trade stocks, and I think you can even buy fractional stocks.
B
Okay.
A
You can do crypto on Robinhood too?
C
Yes.
A
Yeah.
C
So if you want to buy, if you're a small time investor and you want to buy Microsoft, but you don't have $500 to lay down for a single share of stock.
B
Yeah.
C
Then you can go in there and buy a fractional share as well.
B
Okay.
C
So you can put $50 down and buy a tenth of a share, which is good, I think.
B
All right.
C
Gets everybody in. Anyway, this banner that comes up, if you're on your phone and you open Robinhood, it says we're not calling you. If the caller says they're from Robinhood, they're not. Hang up.
A
Love it.
C
That's what the banner says.
A
Love it. Direct to the point.
C
I'm looking at the post. And that's what Ivan says. This is great. It detects active phone calls, triggers a contextual warning. There's no complex AI, and it works across all the scam scripts. And Ivan says zero friction for legitimate users. But there's a lot of feedback in here that it's not scalable. I disagree with that. It is scalable, because it says here 200 other apps. But in order for this alert to come up, you have to open Robinhood while you're on the phone. So if you're talking to your wife and she wants to know how much is in the Robinhood account, you open it up and you get the banner. You click the banner away. Right. But if someone says, hey, I'm from whatever bank, open your banking app. If every banking app enabled this, I think it would scale just fine. Somebody else pointed out that Monzo bank already did this in 2023.
B
Okay, so. Well, good.
C
It's a good idea.
B
Yeah.
C
I think everybody. Every financial app should do it.
B
All right, what else we got?
C
Let's see. Hold on. Let me close this tab. I have a little follow up on one of our previous stories. We'll put a link in the show notes. But apparently Myanmar is blowing up or demolishing scam centers.
B
Yes.
C
So they're just tearing them down, which is great. So go read that story. It's from the AP News. We're not gonna cover this. It's just good news.
B
I will add quickly that the people are out of them before they're blowing them up.
A
Yes.
B
Good news.
A
Lots of people died. No, no, no, no, no.
B
Right? No, no. They're clearing the people out and they're actually trying to reconnect them.
C
Repatriate them.
B
Repatriate. That's the word I'm looking for. And so get them home. But then to put a button on it, they are blowing up the buildings being used for it.
C
Exactly.
B
I hope they weren't renters. Anyway.
A
Just put a little spackle on it. The landlord.
C
That wasn't mine.
B
I was gonna leave a mark.
C
Yeah, you go over and rent another place and build another scam center.
B
Yeah. All right. I have some follow up from jj, who's a longtime listener and regular contributor. And Joe, he's taking you to test.
C
Okay.
B
He says nobody calls them just a CAC. Everybody except Joe calls them CAC cards. Don't be Joe. Now, let's back up here, because I couldn't remember what CAC was.
C
Common Access Card.
B
Common Access Card. So this is kind of like an ID. Military, military contractor ID, I guess it's a.
C
Government ID issued to government employees and to some select government contractors. Yes.
B
Okay. All right.
C
And it gives.
A
Not that common.
C
Because I don't know it's a smart card. Are you a government contractor? Do you work for the government?
A
No. So it can't be that common.
C
You will not have it. But it's a smart card. It's just a smart card for certificate based authentication.
B
Okay.
C
And it's got a PIN on it. And that's what keeps your keys encrypted. The PIN is used to decrypt your keys when it's put into a CAC reader. All right, so I'm going to take issue with this, JJ, because I did a real quick survey.
A
You're taking issue with you?
B
I do.
A
It's issues all the way down. Okay.
C
All right. Five people familiar with the matter, and everyone.
A
I said that is a small sample size. Joe, come on.
C
It is. It is a small sample size. But four out of five guys, fair.
B
Joe works in a cleared space. Right? I mean, isn't that.
C
Yeah, I don't like talking about that. But I. Right. And I said, what is this? And four people said CAC. One person said CAC card. Okay, so four out of five people called it CAC.
A
Are you sure they weren't just clearing their throat going "cac"? You know, is.
B
Isn't CAC card kind of like ATM machine?
C
It is exactly like ATM machine.
A
Oh, don't get started, Dave. It was a whole thing. Oh, my gosh.
C
I actually said ATM machine a couple weeks ago and then corrected myself this week.
A
No. Okay.
C
I almost burst. I'm surprised I didn't. Yeah. I go back and listen to every episode, not just because I love to hear the sound of my own voice, but to correct those errors.
B
In addition to that, in addition to.
C
That, I like to correct my own errors when I say things like ATM machine or CAC card. Self flagellation. Yes.
B
Yes. All right.
C
And then finally, no follow up section would be complete without chickens. Dave, Shannon writes in to say: my daughter works as a barista at Scooter's Coffee. It's a drive through coffee place. She has seen owners come through the drive through with a duck, opossum, dogs, cats, and now a chicken. The chicken got a pup cup, which is just a cup of whipped cream. You ever get that at Starbucks?
B
No.
C
You get a Puppuccino.
B
Okay.
C
Yeah. They'll give your dog a free cup of whipped cream.
B
Okay.
C
I go through there in dog costumes.
A
So like, I would like a free cup of whipped cream.
C
I don't have a dog, but it's a free cup of whipped cream. This one had a dog biscuit in it. And so my question, Joe, if you're not taking your chickens for coffee and a pup cup, are you even a real chicken owner? By the way, I'm also including a picture of the duck because it's adorable. And down in the script, you will see a picture of the chicken.
B
Yeah.
C
Eating out of the pup cup and somebody holding a duck over. And my wife tried to talk me into getting ducks, but my brother has ducks. I have a shirt to that effect.
B
Ducks are great. Yeah.
C
That's a whole other story. But the ducks are much messier than chickens.
B
Oh, really?
C
Yeah. If you think chickens are messy, ducks are much more messy. Now, as far as taking your chickens on a ride, the very first person who convinced me that I needed chickens was years ago. This guy's name was Tony Phelps. He's since passed away, so I can say his name.
B
Yeah.
C
But he had a chicken, a hen, that was very much like my hen, Snuggle Bug, as I call her. This is the one that's on my Facebook profile that is sitting on my shoulder.
B
Sure.
C
She's first out of the coop. When I come out there, she wants me to pick her up and hold her.
A
A little Velcro chicken.
C
Right. Little Velcro chicken. But Tony used to take his version of the snuggle bug in the car. He'd drape a towel over the car, take the headrest off, and take the chicken out for a ride in the car. And the chicken loved it, apparently.
B
Okay, yeah, see, that's the thing I would question. I don't know anything about the ability to, let's say, house train a bird.
C
You cannot. That's the end of the story, Dave.
B
Yeah, they just go where they go.
C
I don't even think they are conscious of the fact that they're doing that. They're just.
B
Yeah, that would keep me from having a chicken in my car.
C
Yeah, I will. Probably not. Yes. I guess to answer Shannon's question, am I even a real chicken owner? I guess by Shannon's standards, probably not. But I will walk around the yard with the chicken on my shoulder.
B
Okay, see, what you need is a truck so you can put the chicken in the back.
C
Yes.
B
It doesn't matter. And then you could pull up to Starbucks with all of your chickens. I could. And get a whole bunch of cups of whipped cream. Oh, my. All right, well, thank you, everybody, for sending in your kind comments. We would love to hear from you. Our email address is hackinghumanstud. And now a word from our sponsor ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker. Let's jump into some stories here. Maria, why don't you kick things off for us?
A
Sure thing. Well, there is a report from our friends at Bitdefender and Netgear, their 2025 IoT Security Landscape Report, which I read with great interest because up until pretty recently I was a keep-all-smart-things-out-of-my-home type person. I didn't want any IoT devices whatsoever. But I have completely lost that battle because it just became just about impossible to do, and now my home has many IoT devices and I worry about it all the time.
B
When you say lost the battle, is this lost the battle with your other family members?
A
No, it was just like when we needed to replace the TV. My husband and I both just didn't want any smart devices in our home, and it became almost impossible to find a non-smart TV. And I tried to buy basically a monitor, a TV-sized monitor without any smart features. And it lasted I think all of a year before my kid essentially destroyed it. But it was just becoming harder and harder to find things that were just dumb. I'm still trying, but especially when I moved into my new home in the last year, I gave up. I said I just can't put in all this work to get nowhere. So I have a lot of IoT devices in my home now and it worries me a lot. I mean, I'm not staying up at night worrying about it, but I'm concerned anyway. So I read this report from Bitdefender and Netgear, and apparently they looked at telemetry from 6.1 million smart homes across North America, Europe and Australia from January through October 2025. And then Bitdefender researchers analyzed 13.6 billion IoT attacks and 4.6 billion vulnerability exploitation attempts to give what they call a detailed snapshot of global IoT risk. So I'm going to throw a bunch of stats at you from their report because I thought these were fascinating. Connected households like mine are under constant attack. Hooray. The average household now has 22 connected devices and faces an average of 29 attacks a day, which is about a 3x increase from 10 attacks in 2024. So do you know off the top of your head how many connected devices you have in your home? Out of curiosity? All the devices? Yes. Does 22 sound about right?
B
Sure.
C
I think it's a little high for me. But I mean, what do you mean?
B
What.
C
What counts? Does my phone count as a device?
A
Your phone counts? Yes.
B
Okay, then I guess anything that's hooked up to the Internet counts as a device. Yeah, right. Yeah, I guess so. My question is, what constitutes an attack? I mean, obviously the vast majority of these are unsuccessful. Right. So a port scan probably counts as an attack.
A
It does, yeah.
B
They don't. They don't get in.
A
Yes. Okay, by this report's metrics, definitely that counts there. Well, I'll get into a little bit of what they were specifically looking at for attack types, but, yeah, I mean, 29 attacks a day, I don't think people are going to be aware of those. I'm certainly not aware of 29 attacks a day, but I'm sure it's happening. And when it was saying 22 connected devices per household, I was trying to inventory how many I have, and I cannot. Which is kind of the problem, isn't it?
B
I kept.
A
Every time I kept thinking, that's definitely the number I've got, I go, no, wait, there's two other things. No, wait, there's some other things.
B
So it's just like Joe trying to count up the number of girlfriends he had in college. It's just he always forgets one or two, and so why even bother counting? Am I right, Joe? Am I right?
C
One, two, and then Lisa, she's going.
A
To be there a while.
B
So four on one hand. There you go.
C
One of them was my high school girlfriend that lasted into the first year.
A
Well, all right. So anyway, to your question about what are IoT devices specifically, anything hooked up to the Internet is definitely an IoT device. Mobile devices are the most common kind. Mobile phones account for almost 20% of connected endpoints, followed by smart TVs, which is 9.5%, and streaming devices. So I imagine this would be like a Roku or a Fire Stick or an Apple TV, that's 7.3%. So smartphones, no surprise, I think, to anyone that they are the central hub for basically anything in a connected home. It goes through a smartphone. Everything requires an app, is what I have noticed anyway.
C
Right.
A
Yeah. Entertainment devices like smart TVs or streaming devices and IP cameras are the most frequently targeted IoT devices in a connected home. So streaming devices, smart TVs and IP cameras specifically represent over half of all detected IoT vulnerabilities because they're frequently left unpatched and rarely updated. And again, I was thinking to myself, when is the last time I even knew if any of those devices in my home needed to be updated? How often am I checking that? I genuinely have no idea.
B
Right.
C
I'll say this. Yeah, I have an LG television in my basement that does a really good job of letting me know when it needs an update. So I'm actually pretty impressed with LG.
A
In that sense, smart TVs. Yeah, mine doesn't know the Internet exists, so I never hooked mine up to the Internet at all.
C
Right.
A
My streaming device, in my case, I have an Apple TV device that does a good job. I have auto updates turned on, so that updates itself. I feel pretty good about that. But I'm just going through all the other devices in my home, and half the time the app has been uninstalled because I haven't used it in a while. I don't get emails from any of them. So I'm going, when's the last time this has been updated? I don't know. I imagine I'm not alone in that at all. So, yeah, that's a huge potential entry point when you have all these unpatched devices that are just sitting there on your network. So it's not great. Yeah, I don't even know what the login is for half of my devices, to be honest with you. So, yeah. And does the update succeed? I have no idea. So the known vulnerabilities, not zero days, nothing like that. Known vulnerabilities remain the biggest risk for all of these home IoT devices. And this stat is amazing to me. 99.4% of IoT exploits target already known and fixed CVEs, not weak passwords, which was, I think, a drum that a lot of us were beating for a long time. Like, make sure you update your default password. That's 0.27% of attacks. And then devices using HTTP instead of HTTPS for authentication is only 0.30%. So yes, again, 99.4% are known vulns being exploited. There you go. Yeah. And I was curious if either of you could guess what generally the CVSS score might be, on average, for the types of vulns that are being exploited for IoT devices.
C
That's the criticality score for any vulnerability. Correct.
A
Okay, so what do you think that number would be?
C
If I had to pick an average, I'd say 7.5.
A
Wow. Okay.
B
Yeah. I mean a scale of 10, right?
A
Yes. Out of 10. Yes.
B
I guess I'd put it somewhere in the middle, like five or six, because, you know, these devices still work, you know, like they're not. Yeah, yeah. I mean they're not screaming at you that, oh my gosh, you must update now or bad things are gonna happen. Even if they are.
A
Yeah.
B
So yeah, I put it somewhere in the middle.
A
Both are very good guesses. So the answer from this report, 34.3% of total issues, which was overwhelmingly the most common. The median number was the "high" high of 7.8. That was the CVSS score that was most common. So, Joe, you were very good. You're pretty good. So I thought it was very interesting that critical severity vulns that were, you know, eight or above, those are the drop everything, your house is on fire, metaphorically speaking. You know, the headlines are in the news that your baby monitor could get hacked and someone could do something creepy. That would be like a sev 10, right? Huge, huge. You would hear about that. But something that's in the high highs, 7.8, it's something that the attacker can use, but it's not necessarily a house-on-fire criticality. And from the point of view of the device maker, they're going, well, it's not critical, so we could probably wait on updating this for a while, and that represents a great opportunity for an attacker. So yeah, 7.8 feels like a nice little sweet spot for an attacker. So yeah, they'll just get around to it, I suppose. So the types of attacks that are being exploited for these home IoT devices are buffer overflow and denial of service attacks. That is most of what IoT exploits are in this situation, and then the critical severity, so the really severe headline grabbing stuff that doesn't happen very often but is catastrophic when it does, are privilege escalation and code execution attacks. So that means that the cybercriminal can take full control of your device. So that doesn't happen very often. Denial of service and overflow again are the big ones. Some interesting long term trends from this report that I wanted to highlight, especially given my space angle that I'm always looking out for. Long term expectations are not a huge surprise here, that IoT is going increasingly industrial. We've known this for quite a long time in the space world.
IoT is a huge, huge topic, and many more of these attacks are going to continue targeting IoT in commercial and in the industrial domains. So EV chargers, smart inverters like the one I've got on my roof right now, routers, industrial controls, expect to see more and more attacks going after these. I think many people who have been watching this for a while know that, but just expect more of it. And then something that made me stop cold in my tracks was attacks using vulnerabilities in shared libraries, software development kits and even updating mechanisms, which would allow attackers to cast a hugely, hugely wide net across entire ecosystems. So that is an expected potential vector there. So the scenario they described in the report was: imagine an attacker compromising an over-the-air updating service like, I don't know, a certain famous car company's.
B
Right, right.
A
How would you detect that and how would you remediate that? And that just makes me go, all right, this is a terrifying, terrifying thought. They break your car, and then how do you get it to the dealer to get it fixed? I can't even begin, I don't even want to imagine that happening. So, yeah, thankfully this report did have some advice for the home IoT user, which is all of us.
C
Yes.
A
Yeah. Number one was try to keep an updated inventory of all IoT and network devices in your home or at work. Disable the ones you no longer use. And note for me, it is very easy to forget all of the devices that you have hooked up to your network, as I certainly have. Yeah, like I still don't think my inventory is complete, frankly.
C
This goes back to a couple years ago at Black Hat. I can't remember how many years ago it was, but the best new product award went to a company that had invented or developed a fantastic asset inventorying system that would go out and discover all the IT on your networks there. No shadow IT anymore. Yeah, which is exactly this problem. I'm sitting here thinking about all the things I have in my house. I keep forgetting about the TV I have in my bedroom, which right now is unplugged. But is the Fire Stick in the back of that unplugged? Probably not. Has that been updated? Probably not.
A
Probably not. Yeah. Yep. They just hang around. It's just really easy to forget what's there. And I know for my home router, I have Verizon, and they gave me a home router when we hooked up with their service. The router came with an IoT network option built in. And every once in a while I'm messing around with network settings, doing stuff, and I'm always just shocked at how many devices I have actually connected to my home router's IoT network. To the point where sometimes I turn to my husband, I'm like, are we sure all these devices are ours? Are these all supposed to be here? Because this is a very long list. I don't remember half of these, and I guess I'm just getting old, but I just don't remember some of these. Some other advice was to replace legacy hardware, which is much easier said than done, if you remember what your legacy hardware is. Try to prioritize devices that receive regular security patches. I don't know how much people are going to prioritize this. And hey, get a brand new TV because your old one's not getting security updates. Hope you got a couple K to drop on that, but there you go. If you can segment your network to keep all your smart devices on a home IoT network like the one I mentioned I have, it's a good idea if you can do that. Patch devices as soon as new firmware becomes available. If you know that it has become available, try to do it. Maybe keep an eye on that to begin with. That would be a nice start for me. Use routers or gateways with built-in security. And as you might imagine, Netgear has some ideas for you there. You can fill in the blanks. And my favorite tip is avoid exposing devices to the Internet unless absolutely necessary. Amen to that. My smart TV does not know the Internet exists and it never will. So it's a pretty dumb TV. But not everyone has that option, obviously, for many reasons. But if you can take that route, it is a good one.
C
So I'll tell you this. I have a Netgear device inside my Comcast router. So my Comcast router talks directly to my Netgear device. And I'm actually seriously considering replacing that with an OpenBSD firewall. But that's neither here nor there. Everything that matters to me connects to the Netgear, and everything that I don't want to worry about, that's on the Comcast box. So if it does get compromised, it's outside of my network. That's number one. Number two, it's kind of a way of subnetting. When I had Verizon services at my house in Columbia, I had the TV connected to my Netgear router, not to the Verizon router. And I called Verizon and I said, do I need to connect my TV's Wi-Fi to the Verizon router in order to stream the TV services instead of putting a cable box in? They're like, yeah, of course you have to. I'm like, oh, okay, well this isn't going to work then, because I have it on my network. And he's like, well, why don't you put it on our network? I don't trust you. That was my answer. Kind of stopped them dead in their tracks.
A
Yeah. When we've tried doing stuff like that with my previous ISP, we would just find that things just wouldn't work. Basically our ISP would try and shut it down, and it would take a lot of phone calls to them to go, no, really, this is legit. But it just became more trouble than it was worth. And this was a different ISP, not Verizon, but it's a lot of work, even if you kind of know what you're doing. I do appreciate, and I'm not being paid by Verizon to say this, providers like them giving people an IoT network option sort of built in to make it a little easier, but it's still not easy. Do you need to take a couple networking classes to figure this out? I don't know.
B
Well, you need kids and grandkids, that's what you need, obviously.
A
Yeah, I gotta get my 8 year old on that, that's for sure.
C
She'll be helping you out.
A
Yeah, I'm looking forward to that immensely, honestly.
B
Your day is coming, Maria. Trust me on this.
A
I'm tired of being family IT. Let someone else do that.
B
Yes, exactly. Exactly. The two things I'll just add to your information here, Maria, which I think is excellent, is number one, to just kind of flesh out what you were saying about the bad guys searching for these devices and how many of them are unpatched. Like the bad guys will just go out on the Internet and they'll say, I'm gonna go looking for unpatched thermostats. Right? And they just go poking around on the Internet, and there are so many out there to be found, they're low hanging fruit, and they just do what they need to do and off they go. So that's one thing. And so if you keep your devices patched and up to date, you're no longer the low hanging fruit for that sort of attack. The other thing is just remember that just because your device is working the way it should, it doesn't mean it hasn't been compromised. Right.
A
Amen to that.
B
Particularly when you talk about video cameras, security cameras, you know, pretty much everything that has a single function like a security camera these days has way more processing power built into it than it actually needs. Yep. And that's what the bad guys take advantage of. They come in and they say, okay, this is a video camera. It's still going to function the way it always has as a video camera. The user won't notice a thing.
C
It's got an operating system on it.
B
We're going to add our own little thing on top of that, or next to that, or underneath that, that will either mine cryptocurrency in the background or be available when we want to summon up a DDoS attack on somebody.
A
We can use this camera like happened recently. Yeah, yeah.
B
We can use this camera as one of our nodes and use it to help flood somebody with denial of service attacks.
A
Yes, that's right.
B
Just because you don't see anything doesn't mean it's not happening.
A
Yeah. I feel like there was some common advice for some time that if you notice degradation in your home network performance, maybe something amiss was happening. I don't know if that really applies as much anymore, or if at all, to your point. Are there signs that your devices have been pwned? I don't know anymore. I'm not saying that facetiously. I genuinely don't know if that's true anymore.
B
Well, there's so much overhead now. There's so much spare bandwidth and spare processor power, and things don't lug down the way they used to, you know, noticeably. Yeah.
A
I maintain that there has got to be some kind of a growing market for people like me who want dumb devices. I know everything wants to be connected, but I really want dumb devices for a lot of stuff. I don't want my dishwasher to be hooked up to the Internet. I just don't.
C
Yeah, well, appliances. I think it's happening. I was talking about this with my office mate, Michelle. We mentioned her last week, but she was saying that she's seeing more and more of these appliances that are not connected to the Internet. Nobody wants that.
B
Yeah.
C
So the market forces are trending. I want, like, mechanical appliances. Right.
A
Amen to that. Yes.
B
You want gears and solenoids, right?
C
Yeah, that's what I want. I want my washing machine to have a timer, gears, solenoids that you can.
A
Replace and fix yourself when they need replacing, or get someone in to do it. Yes, I agree with you completely. Yep, sure, I'm with you.
B
All right. We will have a link to that story in the show notes. My story this week comes from a researcher who found that his AWS account had been hacked. AWS, of course, is Amazon Web Services. That's Amazon's cloud service. People buy time and space on those kinds of services. So this is a researcher who goes by the name Zvi Zvi. He actually is a cloud architect and a former vulnerability hunter. So this is somebody who knows a thing or two about all of this computer stuff, but also security. But he got hit. And he shared his story as to what happened and how he figured it out and ultimately what he did about it. He was doing some work, minding his own business, when suddenly his email inbox, as he put it, explodes. Just hundreds of spam messages, random signups, and newsletters. Noise just coming into his email account. And he sees this, and he thinks, well, that's odd. Buried in the noise is an email from AWS about his account. That seems routine to him. He's actually working on a personal project in AWS, so it seems routine. A little later, another AWS email lands in his inbox telling him that something is pending. He hasn't changed anything. So that gets his attention. He says that's kind of his "oh" moment. So he jumps into his account and he checks the activity logs, and he spots some actions taken by a user that he never created. So now he knows somebody's inside. So he jumps into defensive mode, right? He says his first priority is to stop the bleeding. So he resets his password, keeps his multi-factor on. Now, he already had multi-factor on, and they were in.
C
Yeah. How'd they get in?
B
We'll get to that, Joe.
C
Okay?
B
And he deletes several fake users and their access keys. He checks his AWS bill. Now, AWS is metered. You know, kind of like your electric bill or your water bill. The more you use, the more you pay.
C
But it goes up really fast.
A
Yes.
B
And that's what happens to this person. His costs have spiked. Somebody launched some powerful servers in a region that he doesn't normally use. So he shuts all those down. He removes the attacker's email settings so they can't send messages that look like they're coming from his domain. He actually calls AWS on the phone. Imagine that. And they flip his account to an under-attack mode that blocks any risky changes. Basically gives everybody time to clean things up. So then he starts looking through his logs to try to figure out what happened. And what he finds is the intruder used an access key that was tied to his account, created these backdoor users, spun up the servers, and tried to set up his domains to send phishing emails. And that initial spam flood was a smokescreen to hide the real alerts, so the real alerts from Amazon would be buried in this pile of spam. Hmm.
C
Wow.
B
So how'd they get in? He says this is the painful part. While he was building his own personal website, he accidentally left an access key in some code that ended up exposed.
C
Ah, okay.
B
So all the bad guys had to do was scan the web. They found this key, and they walked right in. He says, who were they? It's hard to say. He says the behavior points to money motives rather than espionage or spies or anything like that. The trail led to a particular hosting provider, but that's as far as he can prove. So he rotated his keys, all of them. He checked all his users, tightened his alerts, paused his site, and he moved his secrets into a proper vault. He said, no more keys in code ever. And the lessons that he learned: he said, trust your gut. Contain first and investigate second, because time matters when you're doing these sorts of things. That AWS clock is ticking. Right. And they're going to be trying to send spam emails out using your account. He said, also, don't rely on chatbots to bless a security alert. At one point in this thing, he had asked ChatGPT about a security alert and said, is this routine? And ChatGPT said, yes, that's a routine security alert. Turns out it wasn't. He said, logs and notifications are your friends. So he says the big takeaway here is that security isn't a feature you tack on later. It is a habit. He said, if it can happen to someone who does this for a living, it can happen to anyone. So quite a story here. I'm curious, what do you guys think of this?
C
Well, we were talking about this, I think, last week. I did listen to the show, of course, this morning. So we talk about how we've gotten got before through social engineering attacks. And this guy, I get exactly what he was doing. He was. He was trying to quickly develop a webpage and then forgot about a credential that he left.
B
Yeah. So he put the credential in for his convenience while he was testing. Probably developing.
C
Yeah. And then deployed that out to the web and somebody found it. And finding it is trivial. You just match a regular expression and say, hey, I pull down all this web, find all the Amazon keys in here. You can actually write a Python script. It'll spit that out pretty quickly.
B
Okay.
C
Yeah.
B
So it doesn't take a whole lot of sophistication.
C
No, it does not.
B
To take advantage of this simple mistake that this person made. Admittedly. Yeah. Any thoughts, Maria?
A
No, nothing really to add there, honestly.
B
Okay, very good. Yeah, it's fine. All right, well, we will have a link to his story in the show. Notes. There's a lot more technical details in there. If you're the kind of person who likes to dig into the tech, this is a good one for that.
C
But unlike Joe, Dave will not be diving that deep.
B
We will spare you on the show, but it's there if you want it. So go for it. All right, I tell you what, let's take a quick break to hear from our show sponsor. We will be right back after this message. And now back to our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are allowlisting, Ring Fencing and network control. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans. And we are back. Joe, you're up. What you got?
C
My story comes. Actually, it's not a story. It's a consumer protection data spotlight from the Federal Trade Commission: False Alarm, Real Scam. How scammers are stealing older adults' life savings. And this thing starts off by talking about how older people are more likely to lose more money than younger people. But younger people also get scammed. One of the things I like about this article is it has three lies. Three lies that will be told to you to get you to. These lies will short circuit your thinking. They will focus your attention on what the attacker says. And what they are is lie number one: someone is using your accounts. It says this lie might start with someone pretending to be your bank flagging some so called suspicious activity or pretending to be Amazon with a message about an unauthorized purchase. I got one of these from Amazon, allegedly from Amazon, one time. Guy's like, did you authorize this purchase? I'm like, I just want to know what happens next in this scam. And the guy just started swearing at me. I'm like, I don't think you're actually for Amazon.
A
What if you say yes though? Yeah. Oh, I totally bought that. Right.
C
I got one of these yesterday and I should have said, oh yeah, yeah, yeah, that's me. I did that. Yeah. Because, oh, something that's happened to me recently is I've moved my, what was my old house phone from Comcast to my mobile provider as an app number. So now I get my old house number directly at my cell phone because I don't have a house phone anymore.
B
Right.
C
So, but I want to keep, I want to keep the number because there's, that's the only number some people have for me.
B
Yeah.
C
Even though I haven't been able to answer that number in over, over a year.
B
Yeah.
C
But it's still a good number. But somebody called, knew my name and started talking to me about some wireless service, I think. Anyway, I'm going to be having some fun with the people who call me there. Lie number two that they tell you: your information is being used to commit crimes. This will be a lie that allegedly comes from some government agent or officer warning your Social Security number is linked to some crimes like drug smuggling or money laundering or even the dreaded CSAM.
B
Right.
C
You know, once you hear that, you're like, oh, I don't want anything to do with this. Your first reaction when anybody says this is, I want to talk to my lawyer. You don't have to talk to anybody from law enforcement without talking to your lawyer first. And if you can't afford a lawyer and you're being charged with crimes, one will be provided for you by the state. So don't talk to anybody claiming to be from law enforcement, even if they are and they're accusing you of crimes. Law enforcement doesn't work this way, by the way. Law enforcement actually does real investigations and usually they'll show up at your house if they have questions. They don't just call you on the phone. Lie number three is there's a security problem with your computer. This is often like the on screen security alerts from Apple or Microsoft and you need to call this number. They have some statistics in here about combined losses, and these are reported combined losses from, like, 2024. And they have stats going all the way back to 2022. But in 2024, combined losses under 10 grand were $41 million. Combined losses between 10 grand and 100 grand were $214 million. And combined losses over $100,000 were $445 million. And that's just reported losses. So these scammers are making billions. I guarantee it.
B
Yeah.
A
Wow.
C
So they have three things you can do. Don't move money to protect it. That's always a lie. Don't worry, I'm going to keep your money safe. That's always a lie, too. Hang up and verify. So in other words, somebody calls you from some bank or some law enforcement agency, you hang up. And then block unwanted calls. And this is another thing I learned recently with my mobile provider: with all my lines, I have this spam option to block unwanted spam calls. And it's something I have to switch on, which I wonder why I have to do that, but I do.
A
Why is that on? On by default, right?
B
Yeah, yeah, I use that as well. And it's definitely a lifestyle upgrade.
C
Yeah, it is.
B
Like, the phone doesn't even ring, Right.
C
Cause nobody calls anymore. You get a text, right?
B
That's true.
C
Hey, you busy? Can I talk to you? That's the only time I call anybody in my family, right. I text him first. Hey, can I give you a call right now?
B
That's true. I think that's the way.
C
Yeah.
B
All right, well, very good. We'll have a link to that from the FTC in our show notes. Joe, Maria, it is time to move on to our catch of the day.
C
Dave. Our catch of the day comes from the scambait subreddit trying to scam the scammer. It's called.
B
Yes. So, Maria, I'm asking for your help here. Oh, yeah, you will. Yeah. You will be the person leading this off the gray text, if you will. In this text exchange, I will be in the blue. And we will take this as far as we can before we realize it's probably in our best interest to stop.
A
Geez. Oh, goodness. Okay. All right. Hello. I hope you are doing well. I'm delighted to connect with you. Sarah Sutton from Indeed Job center has notified me that you are interested in a flexible remote opportunity. Is that right?
B
Who do I have the pleasure of speaking with?
A
My name is Alice. I work for Datastax as an instructor. Nice to meet you.
B
Nice. Alice is a sexy name.
A
May I know your name?
B
Petey Wheatstraw.
A
And in reply to Alice is a sexy name. I say thank you for your compliment. Smiley face.
B
People call me the devil's son in law on account my ex father in law was a serial killer.
C
Lol.
B
It's true. What kind of jobs.
A
Anyway? I like your honesty and openness.
B
This is a picture of me. You got a pic.
C
The picture is just almost like a mug shot.
B
Yeah, mugshot. If you saw this person coming down the street, you'd cross the street right on the street.
A
It's a very dimly lit mugshot too. It's like a mugshot in an abandoned mental hospital.
B
There you go.
A
This is a remote position with flexible working hours. You'll be required to work for just 30 minutes to one hour per day. And you can choose any time that suits you. Within business hours from 10am to 11pm Eastern Standard Time EST. There are no regional restrictions, so you can work from anywhere in the world. You may use a smartphone, a laptop, iPad or PC, whichever device you prefer to complete your daily tasks.
B
Nice. You got a pic.
A
And now there is a. I am sending a random photo of some lady in a bathroom. Closed. I should mention she's.
B
She's fully clothed.
A
She's fully clothed.
B
She looks professional. I would say attractive. Yes. Yes. And then he sends a reply of Jim Carrey as the mask with his jaw on the table like the old Warner Brothers wolf. You know where he.
C
Yes, the wolf whistle attack surgery.
A
Yeah. If it's convenient for you, I'll explain the job role and salary structure. Do you have any free time right now?
B
Not at the moment. I'm kicking my girlfriend out of our house. She got mad that I cheated on her. Can you believe the audacity? Sure it was with her 20 year old daughter, but that's no excuse for getting mad.
A
I'm sorry to hear from you. I hope it's going well for you.
B
It will be once she's out of here. You got a man?
A
I am a divorced woman. Since my divorce, I have devoted my time to my son. So I have been single for a long time.
B
Sweet.
A
Are you really interested in remote work for extra income? Please confirm with me.
B
I'm interested in you and the job.
A
Lol. Smiley smiley face, winky winky, smiley face. Many, many emojis.
B
I like you.
A
So shall I explain the job details and salary structure for you?
B
Yes.
A
So I will explain your work role first.
B
All right. You know what?
A
This is going on.
C
My goodness, this goes on for. I thought it was going to be like, for like maybe 15, for like four slides. It's like 15, 20 of them.
B
This person really keeps them going. Eventually goes into the fact that he uses AI images to create ladies, that he's actually catfishing people. At one point he references Hot for Teacher from Van Halen. I mean, just, you know, the whole thing. But basically the point here is that this person is wasting a spammer's time.
C
Yes.
B
Which we don't recommend because these guys.
C
Are good at their job.
B
There's a good chance that they're better at this than you are.
A
Right.
B
But at the same time, it's fun to see when somebody is actually capable of holding their attention, wasting their time, and keeping them away from the rest of us. Well done. Yeah. Nice. We'll have a link. Sweet. We will have a link. You know who I was thinking of the whole time I was doing that voice? I was thinking of Carla's ex husband on Cheers, Nick Tortelli.
C
Oh, yeah.
B
Oh, wow.
C
I remember that guy.
B
Right. I'm trying to think of, like, the most disgusting person, and I don't know why he popped up. Anyway, we'll have a link to that in the show notes. And again, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans2k.com. Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com. And that is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Episode: Seniors in Scam Crosshairs
Date: November 6, 2025
Theme:
This episode centers on the risks, tactics, and stories surrounding cybercrime, especially as it targets senior citizens. The hosts dissect the newest trends in deception, influence, and social engineering, drawing from the latest cybersecurity reports, scam case studies, and government advisories. By exploring both technical details and relatable anecdotes, the episode delivers practical guidance for listeners of all ages to recognize and resist scams.
Timestamps: [00:46]-[03:07]
Robinhood's New Banner:
The hosts discuss a LinkedIn post highlighting Robinhood’s new interface improvement: when users open the app during a phone call, a banner warns, "We're not calling you. If the caller says they're from Robinhood, they're not. Hang up."
Myanmar Scam Centers Shutdown:
Myanmar authorities are demolishing buildings used as scam centers, ensuring people are evacuated first and repatriated.
Timestamps: [04:02]-[09:01]
CAC vs. “Cac” Debate:
A listener challenges Joe’s pronunciation of CAC (Common Access Card), sparking a lighthearted debate.
Chickens and Pup Cups:
Listener Shannon shares a story about a chicken getting a “pup cup” at a drive-thru coffee spot—leading to humorous musings about pet ownership and animal behavior.
Timestamps: [10:02]-[23:33]
Host: Maria
Smart Homes Under Attack:
Device Types and Vulnerabilities:
Severity and Attack Methods:
Industrial IoT and Emerging Threats:
Protective Guidance:
Notable Quotes:
Timestamps: [28:58]-[35:09]
Host: Dave
Researcher’s Experience:
A seasoned cloud architect details how his AWS account was compromised despite using multi-factor authentication, due to inadvertently exposing an access key in publicly accessible code.
Key Lessons Learned:
- Trust your gut. Contain first and investigate second, because the attacker's clock is ticking and the account will be used to send spam.
- Don't rely on a chatbot to bless a security alert: ChatGPT called the alert routine, and it wasn't.
- Logs and notifications are your friends; the initial spam flood was a smokescreen to bury the real AWS alerts.
- Rotate every key, review every user, tighten alerts, and move secrets into a proper vault. No keys in code, ever.
- Security isn't a feature you tack on later; it is a habit.
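As an added example (not the researcher's code and not from the episode), here is the kind of check the hosts describe: a scanner that matches AWS credential patterns in source text before it is pushed, so a forgotten key is caught before someone else's regular expression finds it. The patterns are assumptions drawn from the public format of AWS keys (access key IDs are 20 characters beginning with AKIA or ASIA; secret keys are 40 base64-like characters next to a variable named "secret"), the sample config file is constructed, and the key values in it are the placeholders AWS uses in its own documentation, not live credentials.

```python
"""Find AWS credentials that have leaked into source text.

Added example, not the researcher's code. Assumptions (not stated on the
page): AWS access key IDs are 20 characters starting with AKIA (long-term)
or ASIA (temporary); secret access keys are 40 base64-like characters and
normally sit beside a variable whose name contains "secret".
"""
import math
import re

# 20-character access key ID, not embedded in a longer uppercase token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")

# A 40-character base64-like value assigned to something named *secret*.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[\w\s]*?[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Real secrets are high-entropy; repeated filler such as "xxxx..." is not.
MIN_SECRET_ENTROPY = 3.5  # bits per character, a heuristic threshold


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(text: str) -> list:
    """Return one dict per suspected credential: line number, kind and value."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append({"line": lineno, "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Skip obvious placeholders so the hook does not cry wolf.
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                hits.append({"line": lineno, "kind": "secret_access_key", "value": candidate})
    return hits


def redact(value: str) -> str:
    """Keep just enough of a value to identify it in a report without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def safe_to_publish(text: str) -> bool:
    """The pre-commit decision: True only if nothing credential-shaped was found."""
    return not find_aws_credentials(text)


# Constructed sample: a config file of the kind that ends up in a public repo.
# The key values are the placeholders AWS uses in its own documentation.
CONSTRUCTED_SOURCE = "\n".join([
    "// constructed config.js",
    'const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";',
    'const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY";',
    'const placeholder_secret = "' + "x" * 40 + '";',  # low entropy, ignored
    'const commitHash = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b";',  # not a key
])

if __name__ == "__main__":
    for hit in find_aws_credentials(CONSTRUCTED_SOURCE):
        print(f"line {hit['line']}: {hit['kind']} {redact(hit['value'])}")
    print("safe to publish:", safe_to_publish(CONSTRUCTED_SOURCE))
```

Run it over staged files from a pre-commit hook and fail the commit when `safe_to_publish` is false. The entropy filter and the "secret" keyword are heuristics: they cut noise from placeholders and hashes, but a key assigned to an oddly named variable can slip past, so a scan like this complements, rather than replaces, keeping secrets in a vault and out of the repository altogether.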
Timestamps: [36:56]-[41:37]
Host: Joe
Focus:
FTC’s “False Alarm, Real Scam – How Scammers Are Stealing Older Adults’ Life Savings.”
Older adults lose the most in financial terms per scam, but all ages are victims.
Three Common Lies from Scammers:
- "Someone is using your accounts": a caller pretending to be your bank flagging suspicious activity, or Amazon reporting an unauthorized purchase.
- "Your information is being used to commit crimes": a fake government agent or officer claims your Social Security number is tied to drug smuggling, money laundering or CSAM.
- "There's a security problem with your computer": on-screen alerts posing as Apple or Microsoft that tell you to call a number.
Statistics (2024, Reported Losses):
- Under $10,000: $41 million
- $10,000 to $100,000: $214 million
- Over $100,000: $445 million
Prevention Tips:
- Don't move money to "protect" it. That is always a lie.
- Hang up and verify.
- Block unwanted calls with your carrier's spam-blocking option, which may not be switched on by default.
Quote:
Timestamps: [41:54]-[46:52]
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:05 | Maria | “Love it. Direct to the point.” (On Robinhood’s banner) |
| 05:28 | Joe | “Four out of five people called it cac. One person said CAC card.” |
| 11:16 | Maria | “Connected households like mine are under constant attack. Hooray.” |
| 15:54 | Maria | “99.4% of IoT exploits target already known and fixed CVEs, not weak passwords.” |
| 22:58 | Maria | “My smart TV does not know the Internet exists and it never will. So it's a pretty dumb tv.” |
| 26:29 | Dave | “Just because your device is working the way it should, it doesn't mean it hasn't been compromised.” |
| 33:00 | Dave | “Security isn't a feature you tack on later. It is a habit… If it can happen to someone who does this for a living, it can happen to anyone.” |
| 39:18 | Joe | “Law enforcement doesn't work this way… they usually show up at your house.” |
| 41:13 | Joe | “Hang up and verify.” |
| 41:22 | Dave / Joe | “The phone doesn't even ring… Nobody calls anymore, you get a text!” |
| 46:22 | Dave | “We don’t recommend wasting scammers' time—these guys are good at their jobs!” |
For further resources, see the show notes for links to discussed articles, reports, and the scambait Reddit thread.