A
You're listening to the CyberWire Network, powered by N2K.
B
Hello everyone, and welcome to the Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
Maria is on vacation this week, so joining us is our friend of the show, Michelle Kellerman. Michelle.
A
Welcome, gentlemen.
C
That's a little presumptuous.
B
Okay. I think that's giving us a little more credit than we deserve, perhaps, but.
A
All right, Joe's got a tie on. It felt right.
B
That's true. Joe does have a tie on today. I don't know, he's got to be up here in court or something.
C
Yeah, I got a court date later.
B
We've got some good stories to share this week, but first let's get into some follow-up. And I guess before we get into the real relevant stuff, Joe, how are the chickapoos doing? Chickens. The chickens.
C
The chickens are doing very well.
B
I.
C
We moved the coop and the run last weekend.
B
Okay.
C
Which was no small feat, because this thing is heavy, but my brother gave me a couple of dollies so we could just put the two-by-fours on the dollies and roll it across the lawn. Okay, that worked really well. But now the chickens are out in the sun, so I've got to find a way to make the roof opaque. I've already put the roof on, mind you, and the first, first thing I
B
did was. What is the roof made of? It's not opaque, it's a clear plastic. Okay.
C
So I feel like you should have
A
seen that one coming.
C
Should have. You're probably right. But. So my first solution is, well, just get some black spray paint that sticks to plastic and start spray painting it. Start spray painting it. There, I can talk. I'm a podcaster. And my wife called on the way over here to the podcast and she's like, this is not acceptable. The sun is going right through the piece you've painted. We're going to have to get new roofing material. And I'm like, that is no small cost nor task. So I'll keep you updated on how this pans out.
B
I wonder if you could get some of, like, what are those adhesive, like, shelf liners you put in something? Something opaque but sticky. Maybe you could put that on there. Maybe, maybe not terribly expensive.
C
That's a good idea, dude.
A
I'm certain there is some redneck engineering. There is actually a subreddit called Redneck Engineering. You may find your solution there.
C
I'm going to check that out right now.
A
So serious.
B
Michelle, you have something you wanted to highlight this week?
A
Yes, I mentioned it a couple weeks ago when I was guest hosting. And we are still doing a Blood Cancer United fundraiser. So I am about one of the way through a 10-week campaign supporting Blood Cancer United, previously the Leukemia and Lymphoma Society. My best friend, her daughter had infant leukemia, and she is in remission and doing great, but they are all very involved in the cancer community, and this is just a way I want to support her for the Visionary of the Year for Boston for Blood Cancer United.
B
All right, very nice. We will have a link to that in the show notes, so please do check that out. I actually have a little bit of relevant follow-up this week. I know, how dare I? But I was at a play earlier this week with some friends, and before the play was getting started, we were sitting in our seats and I was bringing my friend up to date on work things, and he was asking about this show and I was telling him about some of the different scams we cover. And I mentioned romance scams. And at intermission I was out in the lobby and a gentleman came up to me and he said, I heard, I'm sorry, I couldn't help but hear you speaking to your friend about scams. And he said, my mother got scammed. He said, in fact, she's in the middle of one right now. This is the second one. She's already lost about $20,000.
C
Yikes.
B
And he said there doesn't seem to be anything we can do to convince her that it's not real. He said he even had a friend of the family who is in law enforcement come and speak to her and she just refuses to believe that it's a scam.
A
That's tragic.
B
It is, yeah. So I guess the lesson here is try to spread the word and get ahead of these things. We talk about inoculation. If you can warn people about these things before they happen, it's a lot easier to convince someone not to be scammed than to get them out of the scam while they're in the middle of it and while they're believing it.
C
Yeah. And the inoculation part is no small feature of this. If you can make them aware of what happens and what the pattern is. You know, the love bombing, then the sudden, but you've never met this person. Then there's some sudden crisis and they need money. That should at least map to something you've already heard of.
B
Right? Right.
C
And if you've, if you've done that groundwork beforehand, you're in a lot better of a position, I think. I don't know if there's been any research on whether or not that's helpful.
A
I think the big part of it is going to be doing it before they're in that position. Because if you're doing it while they're in it, then it feels like you're telling the person that they are, why would they be romantically inclined in any way? And then you're defending that. It's not about the behavior. It's about, you know, making them feel like it's not you. It has nothing to do with you being undesirable, or wherever we're gonna find our insecurities. This is just the fact pattern prior. Doing it in the moment is infinitely harder.
B
Yeah. And you don't have any sunk cost fallacy going on here as well. Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with Ringfencing. Configurations verified with ThreatLocker DAC, so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com N2K. All right, well, that is our follow-up for this week. Let's get to our stories here. I'm going to start things off. And this is actually from a group called Picus Security, who's new to me, but they shared some information here, some advice. They call it the SLAM method. Slam? This is the SLAM method for phishing awareness.
C
Oh, SLAM method for phishing awareness. And this is not a scam.
B
This is a slam. It's a slam to prevent scam.
C
I see that.
A
It's like Dr. Seuss is knocking on the door.
B
That's right. That's right. Do I like this slam that scams? No, I do not like the slam that scams.
C
Especially that one from Sami.
B
So the SLAM method stands for.
C
It's an acronym.
B
It is indeed. It stands for sender, links, attachments and message. So, sender verification. They talk about how you can verify it and why it's crucial. They say look at the full email address, not just the display name. So in your email account, very often, like if I get an email from you, Joe, it says Joe Carrigan. It doesn't say. Right. Supercoolguymail.com.
C
yes.
A
Supercoolguy onemail.com.
B
Right. Right, guys, Super Cool Guy was already taken.
C
Right.
B
They say look for lookalike and homoglyph domains. So that means using characters that look like English characters but are actually characters from other languages, like Cyrillic or Greek or Latin characters. Those sorts of things. Yeah. They say look at domain age and reputation. Obviously, this is probably not something you're gonna do routinely, checking your email, but
C
I'll tell you, there are corporate things that will. I'll say that my employer has something that will not let you go to a recently registered webpage. And I know that, following up on our things, Joe hates me purchasing the domain back, because I wanted to go to it and see what it looked like. And it was like, oh, no, this has been registered in the last. And I was like, oh, okay.
A
Yeah. I couldn't follow any Artemis stuff while I was on my work computer, because a lot of the stuff popped up for the Artemis mission. So it was that newly registered domain, despite being either government or something. So I had to look at it on my phone, which I hate on principle. Yeah, it's not a little computer activity. It's a big computer activity.
C
You know, we're going off the rails here, but we do that every show.
B
We do it best.
C
Yeah. I hate looking at websites on my phone. It is the worst.
A
Yeah, it's a big computer activity.
B
Yeah, yeah, yeah. But, you know, more and more, that's going to be less and less, right?
C
Yep.
B
Because as the kids grow more comfortable with their mobile devices and wonder why anybody would ever use a desktop computer.
C
Yeah. I got mocked in one of my classes because I had a desktop computer.
B
Really?
C
Laptop. Yeah. So they still make those. I'm like, what are you talking about? This is the best thing you can do.
B
Oh, my. All right, so the L in SLAM is the links. Links within the email.
A
Email.
B
And they outline here how to reveal the real URL behind a click. So, as we've talked about here many times, if you have a link in an email and it says it's going to take you to Things Joe Hates, you can click on that, but you don't know what the actual URL is behind that link. So you can examine that link: you can right-click the link and examine what the URL actually is. Or in a lot of browsers, I guess you can hover over it, and there'll be a display somewhere in your interface that'll show you what the actual destination is.
C
Right. Again, phone problem. This is harder to do on a phone.
B
Yeah, absolutely. I'm told you can do it, but I can never remember how.
C
Yeah, I don't know how, because there's
B
really no hover-over on the phone.
C
Right, Right.
A
Yeah, I think it's like press and hold, but probably.
B
But who's going to risk that?
C
Yeah.
B
Oh, we're old. The A in SLAM is attachments: how to identify dangerous files before you open them. The legitimacy of the attachment is important. Is this something that you'd normally receive? They point out that threat actors frequently disguise material as routine business documents, like invoices or resumes or something from HR, meeting notes, those kinds of things. And also they point out the urgency. You must open this now. Again, something comes from HR or your boss: I need you to take care of this right now, or payment overdue, your action is required.
C
Yeah, I mean, that's a telltale, telltale sign of any of these scams is the artificial time horizon, the time constraint. So, yeah, look out for that.
A
I will take Maria's place as your annual reminder. If you get one of those for your taxes, now that tax season is done, and they say you actually missed some, you owe more, the IRS will mail you something about it. They will not text you about it. They will not email you about it. They will send you an official document, and you'll know for real, as best as you can, that it is an IRS document.
B
Right. Well, and the opposite of the urgency is the incentive, where they say, here's a reward or benefit. If you do this, we're going to give you a gift card, or you've won a contest or something like that. Or maybe from HR, it'll say, congratulations on your raise. You know, click here to find out what your new salary is, or something like that. And then the M in SLAM is for message, and they talk about how to spot suspicious or inconsistent content. This is just basically looking at the body of the message itself: the tone or the phrasing, spelling or grammatical errors, which, of course, are becoming fewer and farther between thanks to our AI overlords.
C
I, for one, welcome our new AI overlords.
B
You know, I was interviewing a security researcher yesterday who is very, very deep into AI stuff, and he mentioned that he's always very polite to the AI agents. He's like, just in case. He's like, you know, I realize it's probably being silly, and it can't hurt. And when they do come to take over, maybe they'll kill me last, right?
A
Nah, take me out first. I'm not navigating that. I'm not.
B
Right.
A
Where will you be if a nuke goes off at the center? They're not doing that.
B
You want to be vaporized?
A
I get irritated when I have to park too far from the door. I'm not built for these things. I know who I am.
C
I am looking forward to post-nuclear-holocaust survival and seeing how long that will last. It's kind of like a game. I'm going to gamify it.
A
I like my water filtered and ice cold. I'm not doing that well.
C
I can find a way to filter it. And never mind.
B
Requests that feel out of context, inconsistencies between the message and the role. Like, they point out HR sending financial documents or IT sending payment reminders. If the ask doesn't match the person who's asking it. And then a manipulative tone, which touches on the urgency thing. If they're using any kind of pressure or fear, unexpected benefits, anything that feels
A
off, pause. Because nothing that's critical is going to be sent in an email that could risk getting filtered out. They are not gonna send you stuff that you could potentially miss. If it's time critical, they will pick up the phone and call you.
B
Right, Right. Even better. They'll come and knock on your door.
A
Yeah. They will come and knock on your door.
B
Yeah. So I kind of like this. We'll have a link to it in the show notes, but I think SLAM is pretty easy to remember. And again, it's sender, links, attachments, message. I don't know that everybody's going to memorize that, but I think this is a decent one to send around to your colleagues, to your friends, that sort of thing, to help guide them through and remind them what some of the things are to look for. So thanks to the friends at Picus Security for publishing this. I kind of like it. All right, Michelle, you're up. What do you got for us this week?
A
So I'm actually going to do something a little bit different this week. I'm not doing one particular story. Mine is an amalgamation of stories that I think are the early warning signs of a turn of the tide when it comes to scamming. So to start this off, I'm going to set the stage in, I believe, the early 2010s. Do you guys remember when it was pretty standard that if you were using a standard credit card, your mag stripe would get stolen? There were skimmers everywhere and such. Yeah. And then those EMV chips came out. The stuff that's on your card that you now insert instead of swiping.
B
Right.
A
And when those came out, all of a sudden they exploded and they were everywhere. There was massive adoption. That adoption of those EMV chips was not because they were more secure and everybody just wanted to be more secure.
C
Right.
A
Nobody does that out of the goodness of their heart.
C
Yeah, we talked about this a lot.
A
Yeah. And it wasn't even dictated by the banks either. The credit card companies, Mastercard, Visa, Discover, American Express, changed their liability structure: if you do not adopt this technology, whoever is least compliant with the EMV chip will be responsible for paying out frauds from mag stripe steals. So instead of the credit card companies, American Express, being FDIC insured, you know, they have insurance for credit card purchases that are fraudulent so that the end user doesn't end up having to pay it, they decided they're not going to foot the bill if a business in their store doesn't have these EMV chip readers. If you're not going to be compliant with this more secure technology, you have to foot the bill. We're not going to do that anymore. That's how those chips ended up with such widespread adoption.
B
Right. That's interesting.
C
They also carved out an exception for gas stations. They gave them more time, because there was so much infrastructure that did not have the EMV chip readers in it.
A
And changing stuff out in pumps is so much more intensive than, like, in a store or something. Right.
C
And a lot of times the individual store doesn't actually own the pumps. It's owned by the fuel company like Shell or Sunoco or something.
A
So that was the mechanism for enforcement for EMV chips back in the day. So now I want to bring this back to scamming. Reading these different stories that I'm going to go through kind of got my Spidey senses tingling. So as we all know, a whole part of the reason that this podcast exists is because Facebook makes money off of fraudulent advertising. That's where a ton of these frauds happen. And an investigation from Reuters at the end of 2025 talked about China specifically. China does not allow their citizens to use Facebook, but they do allow Chinese companies to advertise on Facebook. And out of $18 billion in annual advertising sales for Meta from China alone, more than a tenth of their global revenue, about 20% of that money, about $3 billion, was coming from ads for scams, illegal gambling, and other banned content. And it was known to Meta at the time. So we know that Facebook is aware that their ads are fraudulent and they just let them go anyway, because they make a ton of money off of them.
C
Yeah, right.
A
Which is a huge part of the problem.
C
We're sorry, but there's a profit to be had.
A
Exactly. So fast forward to now. This week, I saw two different articles that got me curious. One was titled "Banks cannot save the UK financial system from fraud alone," talking about how the controls that the banking system in the UK has put in place as technical controls only do so much. And so banks in the UK are starting to seek accountability that extends upstream to telecom and social media companies too. Fraud has gotten so rampant that the UK banks are saying, we are not going to foot the bill for you guys either doing nothing or actually encouraging it, because you are making money off of it. And it is not going to be squarely our responsibility anymore. Fair enough. It's not solely their fault, so they should not be responsible for footing the entire bill for this. And then fast forward to this week with all the Mythos stuff coming out, all of the disclosures, seeing all of the potential issues that could come, or the goodness of identifying these vulnerabilities and being able to patch them.
B
Well, let's pause there, Michelle. Just for folks who might not be up on that, can you describe for us what exactly Mythos is and why it matters?
A
Yeah. So Mythos is a new AI model made by Anthropic. Anthropic is one of the leaders in AI development, and they started testing this particular model to identify vulnerabilities in code, in software. That's a good use for AI in general. With the volume of code that is out there, humans cannot possibly identify all the vulnerabilities. This particular model, Mythos, is excellent at it, to the point where actually the wolfSSL vulnerability that got a 10 out of 10 for the CVE came from an Anthropic researcher working on this Mythos AI model. So we were already seeing how well it can identify all of these vulnerabilities. And I thought that it was interesting that when that came out, the first official administration action was Secretary Bessent, the Treasury Secretary, calling a meeting with all the bank CEOs to talk about what they are going to do about this. How are they going to secure banks? How are they going to secure banking infrastructure? Because at the end of the day, the banks are the ones who foot the bill for a lot of this. People unfortunately have to stomach some losses, but banks do as well. So I thought that it was interesting that they didn't call DHS, they didn't call cybersecurity firms, they called banks. And it got me thinking, yeah, when banks want something done, it gets done. It has to, by the nature of how the world works.
C
So my solution is, to the banks, you're going to start using this Anthropic Mythos model. Start looking at your software, use this model, go find the vulnerabilities and fix them. That's the first thing that should be on every single CEO's and CISO's mind, but it probably isn't.
B
Well, I think the problem here is that Mythos is able to find things so quickly and find so many things that they're already talking about there being a huge backlog of things that it's found.
A
For the next year, probably, we're gonna be seeing all of the technical debt from "we'll just put it out in beta and we'll fix it later" that we have gotten way too comfortable dealing with.
B
Yeah.
A
And so I think that we're gonna see so much. But the thing that I was realizing with all these seemingly disparate things that are all happening at the same time is, I think we might be entering a time where banks are going to start pushing liability onto all of the infrastructure that is either enabling or allowing scams to go unchecked. Because it is now really hurting bottom lines. When we were talking a couple weeks ago, bank mortgage fraud accounts for 40% of losses on mortgages. You can't ignore it anymore. And I think that banks are gonna start forcing the issue, as opposed to just, oh, it sucks for the little guy. Banks now have a problem, and when they want something fixed, it gets fixed, 'cause they're footing a lot of the bill.
B
When you say pushing it to other organizations, who would they push it to?
A
Telecoms, social media. The same way that the credit card companies put liability, they changed their liability structure to whoever is least compliant with the EMV chips. That's who pays when there is fraud.
B
Right. So I guess what we're talking about here is faulty software, if you're a third-party provider to a bank. And I suppose this is maybe the shape of things to come: in every contract, on the one hand, the people who are buying software are going to try to have it in the contract that the person providing the software will be liable for any errors in the software. But the people selling the software are gonna try to have it in the contract that they're not liable for anything.
A
Or Facebook is gonna get some legal heat for liability from fraud stemming from fraudulent advertisers on Facebook. They just got hit a couple weeks ago with their first product liability suit. They were found guilty of putting a faulty product on the market, which is just their social media.
B
Yeah.
A
So they are already facing some introductory product liability suits. And I know that there are more coming, and I think that Facebook could catch some of the heat for just allowing these fraudulent advertisements to go unchecked that lead to the fraud down the road.
B
Yeah. It's interesting. What this makes me think of is this whole notion of "enough is enough." At what point do the banks. I guess it takes someone with the influence of the banks to be able to say, okay, we've had it. There are going to be changes here.
C
Listen up, Mark.
B
Well, yeah, but also, listen up, Congress. We're tired of footing the bill for this, and our insurance companies are tired of footing the bill for this, and so we need some changes here. And maybe that's what it takes to tighten some of these things down. But.
A
And we've seen that before. Gonna bring up the caveat punchline of the Video Privacy Act, for when members of Congress were getting their video rental history back in the '80s.
C
Right, right.
A
Advertised. And then all of a sudden, there was a privacy act around, what? Video. Like, your video rental history is private.
B
Yeah. Yeah.
C
They did the same thing with selling and buying browser histories, but I don't think that had much of an impact.
B
Yeah. Also, the books you borrowed from the library were fair game for a while, and I don't believe they are anymore.
C
Yeah. I know that in Howard County, Dave, where you live, the library does not keep your history of book checkouts.
B
Really?
C
They just don't have a record of it.
A
Why do you know that?
C
Because I asked.
A
Okay.
C
Why do you think I know?
B
Well, how do they know if you've returned a book or not?
C
Well, obviously, they have a system to know that you have a book out. So, I mean, while you have a book out, they know that you have the book, but once you return that book and they check it in, they delete it.
B
Good, good, good on them.
C
Yeah.
A
It's so refreshing that for once something I do is not being sold to a data broker.
B
That's right.
A
How cute. I love that.
B
That's right. That's right. What does this say about libraries? Is it, like, the one place left in our daily lives where there's no expectation of commerce?
C
Right.
B
You can just go and do what you need to do and not spend any money.
C
Yeah.
B
How quaint.
C
I should check and see if Carroll County has the same thing, because now I'm a Carroll County library patron. I still have my Howard County card from when I lived here.
B
Yeah.
A
So, yeah, I think we're getting to that "enough is enough." And I think it's just reached a volume of how many millions and billions of dollars are just stolen all over the world, where now we can't keep stomaching it. We're starting to see that with cyber insurance policies: they can't keep taking the losses if these companies are not gonna do a certain amount of cybersecurity to prevent these things. We're seeing just a critical mass of volume that's not supported anymore.
B
Yeah, no. I saw recently that the feds are exploring the idea. They're open for comments about the possibility of a federal backstop for cybersecurity, much the same way that they provide flood insurance.
A
So I think we're starting to reach critical mass where it's not just "oh, that sucks, be careful" as the official guidance anymore.
C
Yeah, yeah.
A
Which makes me. I hate that it took this long, but it's nice to be starting to see at least whispers of it.
B
Yeah. I guess my hope is that it doesn't ultimately land on the consumer, because so often that's what happens.
C
Yeah, yeah. That's what I think is going to happen ultimately, you know. And maybe that results in some kind of consumer-level class action.
B
Yeah.
C
Or class action against some of these big media or big social media providers that make billions of dollars off of fraudulent advertising. Billions. Billions of dollars.
A
Billions from one country.
C
Right. Yeah. And that's just one country's fraudulent advertising.
A
And that's only what they could identify as fraud. Like, I remember when all the information about the Facebook advertising space after Brexit was shown, that was heavily handled by Facebook advertising. It's impossible to fully get all the way into the details of how many ads are fraudulent, who is paying for these ads. It is incredibly difficult to do.
C
Yeah. So this just becomes a money laundering problem.
B
Can I just. You got a minute for me to rant about Facebook?
A
Go for it, dude.
B
I'm a certified hater. So just yesterday I was doing what I do, minding my business, right?
A
Scrolling through Facebook, that is objectively minding other people's business. But.
B
Well, that's true.
A
That is textbook minding others' business.
C
She's got you.
B
All right, I stand corrected. Thanks, Michelle. Gotcha, Dave. Yeah. Okay. Next week Michelle won't be with us. Someone else will be. I don't know who yet, but it won't be her.
A
Just be knocking on the window. Just sad.
C
That's right, knock on me.
B
She'll be inside practicing her violin. So I'm scrolling along and I see an ad come by, and it's from the Petersen Automotive Museum, which is a well-known museum in California, and they have one of the greatest collections of cars in the world. And I've watched some of their programming on YouTube. I wouldn't say I'm a car guy in that I have desires to collect cars or anything. Just an admirer. Yeah, I like cars and I'm interested in cars and I like keeping up with technology and so on and so forth. Anyway, I made the mistake of pausing while this ad was going by to look at the picture of the 1970-whatever, like, Porsche Carrera Turbo that they're giving away. They're auctioning off. They're raffling off, I guess is the way to say it. Yes, I paused to just admire this lovely car and whatever. And then I go scrolling. Every single ad from that point on was a car raffle.
C
That's amazing.
B
From all over the place. Like, every kind of vehicle you could imagine. Like, I don't need an industrial work truck, but I could win one in a raffle. I mean, it's so aggressive and so fast. There's just no subtlety, there's no nuance. And I just hate it. I just hate it.
A
I had the same thought. Like, I put my phone down for a hot second just to go do something. And then I picked it back up and it was on a dumb ad. And I was like, ugh, I'm gonna see that for the next two weeks. So irritated. I was pretty irritated. Like, it hadn't even happened yet. But I knew by looking at it, I was like, I'm gonna see that every day for the next two weeks.
C
I have a great story about this.
B
We'll be the judge of that.
C
Last week I was doing some thinking about what I'm doing with my degree. I'm going to UMBC, and I'm getting a Master of Science in Data Science. And I was deciding whether or not I wanted to continue on with this degree and finish it up, I only have four classes left after this semester, or if I just wanted to take the certificate and move on to something else.
B
College boy, right? Yeah.
C
I've been in college most of my life.
B
Dave.
A
Same.
C
Yeah.
A
I have a greater percentage probably just by age.
C
We'll do the math. We'll follow up with that next week. So I was on my regular. I have a Google account for my UMBC account, and then I have a Google account that's just my personal one that I use.
B
Yeah.
C
And I had both of them open, and I was doing some searching through the UMBC stuff for the program and looking at classes. And on my way home from a class last night at UMBC, I have YouTube up and I'm listening to something on YouTube, and it stops in the middle and pitches me an ad for the very program in which I am currently enrolled and almost finished with.
B
There you go.
C
And I get a sense of satisfaction from that. And this happens all the time. When I buy something on Amazon, I start getting ads for the thing I just bought, and I'm like, yeah, that's right. Waste your money. Burn that money in the fire. In the fire of futility.
B
Okay, so. Yep, I see.
C
That's the satisfaction.
B
Yeah, I get that, too. The last time I bought a car, after I bought the car, I was getting all these ads for the car I just bought.
C
Right.
B
I don't need two of them.
C
Just be glad you didn't stop for a second to look at the bikini ad, Dave. Then when your wife sees you looking at nothing but bikini ads for the next two weeks, you're starting a fight, right?
A
If I've got nothing to do that day, you don't either.
C
Right? What you have to do is fight with Michelle.
B
Yeah.
C
Oh, boy.
B
Yeah. All right, you know what? This is a good time for us to take a break.
C
Yep.
B
We're gonna take a quick break here to hear from our sponsor. We'll be right back after this message. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com N2K today. And we are back. Joe, what do you got for us this week?
C
My story comes from the LA Times, and the reporter is Sierra Morgan. And it's a story of these two cousins, Shrey Goel of Calabasas and his cousin Janique Raheja of Denver. They both have admitted to federal crimes tied to a nationwide rental scheme that has been pretty big. So this scheme relied on deceptive listings, including double bookings and last minute cancellations. And this is all according to federal prosecutors. The short term rental strategy was first launched back in 2013. So they've been doing this for 10 years.
B
Okay.
C
And it involved an online business to list properties on digital platforms. So which platforms? Of course, the big ones, Airbnb and Vrbo and other platforms as well.
B
Right.
C
But. But the two were allegedly using a mix of properties they owned and others they had rented or leased on the platform, and they were listing the same property multiple times with varying prices on multiple platforms. Okay, So I go out and I, I secure an actual house, and then
B
I say, so you're the scammer.
C
I'm the scammer. Right, I'm the scammer. I'm. I'm Joe the scammer. And I'm going to go out and I'm going to try to. To list a house. So I put an ad on Vrbo, and I. Or a listing on Vrbo and I put a listing on Airbnb. The Vrbo listing is $200 a night. The Airbnb listing is $150 a night. Michelle, she gets the. She says, I'll take the Vrbo listing for $200 a night. Dave, you take the Airbnb listing, and when the night comes for you to check in, I cancel Dave's reservation.
B
Oh. See, I was thinking it's like a Meet Cute.
C
Right?
A
That's worse. That's worse.
B
Thanks, Michelle.
C
Right. Overbooking.
A
So my initial thought listening to this is, how is this different than how many other conglomerates are doing business? How is this any different than airlines overbooking on purpose, than dynamic pricing because of the person or the platform? I get it. Because it's illegal. Because these two just dudes are doing it or whatever.
C
Right? That's a good question.
A
It's not any. This all sounds like what's being done at a massive scale by all these mega corporations.
C
I know that airlines have. Have obligations to pay you when they. When they bump you or overbook you.
A
They did. I think that that was overturned with this administration. Was it one of those FAA.
C
Oh, one of those FAA regulations. Okay. Because that's just a regulation. It's not a law. The. In. So in terms of. In terms of that. I. I don't know. That's a good question.
B
Yeah.
A
This all sounds like how business is done now.
B
Well, continue with the scam, so.
C
Oh, okay. So that was one of the things they'd do. They'd either cancel it and say, I'm sorry, Dave, there's plumbing problems at the house. You can't rent it. Or we got some kind of mechanical issues. Or I would say, hey, Dave, here's your new address. This is where you're going. And it would just be some alternate rental house, maybe like a trailer parked somewhere. Okay, congratulations. Thank you very much.
A
Is it still a meet cute, Dave?
B
No, not so much. You lost me.
C
So one rental platform eventually did ban them due to customer complaints, but that didn't bother these guys. They just used fake accounts to maintain their operations. And according to their plea agreement, they also took measures to minimize negative feedback, such as reposting property listings under new identities and putting in fake reviews. So they were doing that as well. From October of 2017 to November of 2019, they used these fake names and identities. And then they started up a couple of LLCs, which I don't know why they did that, other than maybe they just wanted to spin these up and throw them away. But, you know, one of them was called Abbott Pacific LLC, and the other one was called Jet Set Work LLC. Cool names, by the way. Properties included listings from Southern California and also cities like Chicago, Dallas, and Denver and Nashville. So if you're going to go check out Graceland, baby, maybe you're going to get scammed by these cousins.
B
What was ultimately the scam here? Did anybody get a place to stay?
C
Some people did. Okay, some people did, but other people did not.
B
Okay, right.
C
So what they were doing was they were maximizing the amount of money they could get. And there's a little twist here that's coming up that is going to be disgusting. But I love Airbnb's quote here, because actually the LA Times reached out to Airbnb and Airbnb said: Airbnb is built on trust and bad actors have no place in our community. We supported the U.S. Attorney's Office and the FBI throughout their investigation to help ensure those responsible are held accountable, and we are thankful for their work. We have taken multiple steps to strengthen our defenses and help make rare issues like this even rarer.
B
Okay.
C
You know, which is very corporate-ese, right? Like, hey, this is a rare thing. Don't worry about it. We're working to make it better. Okay, maybe you are. Just once I'd like to hear a corporate spokesperson say, it's too bad the U.S. Constitution prohibits cruel and unusual punishment. You know, these people are reprehensible and should be punished to the fullest extent of the law.
B
And then some.
C
Yeah, and then some.
B
Okay.
C
Vrbo did not immediately respond for comment. So maybe that's what we'll say the Vrbo people said. No, we can't. We can't say that. Prosecutors alleged the scheme was large scale, that they, they did this more than 10,000 times, and their revenue was $8.5 million over these 10 years, which is a lot of money. Now, that means that some people were inconvenienced and all kinds of other stuff. But the indictment also alleges that the defendants engaged in discriminatory practices based on racial biases. They were targeting. They would cancel the reservations of people they perceived to be Black and disproportionately targeted them with cancellations. Neither defendant, in their plea deal, would agree that it was a large scale operation or that they practiced this discrimination. But the prosecutors did allege that.
B
Okay.
C
And that's the really icky part. According to the plea agreement, Goel pleaded guilty to wire fraud and he faces up to 20 years in the federal pen. And Raheja pleaded guilty to obstruction of justice because while he was being investigated back in 2023, he made false statements to federal agents, including denying that the overbooking practices were intentional. He faces a mere ten years in the federal pen.
A
That's what I was thinking. Those plea deals are wildly different.
C
Well, they're different crimes. So lying to an investigator will only get you 10 years, but wire fraud will get you 20. I guess. But they have not been sentenced yet. That happens in August and September, plus
A
probably restitution for the wire fraud. Potentially, yeah.
B
I don't know.
C
That's a good question. I'd have to look at the indictment. I just read the story. Or look at the plea agreement, rather.
B
Yeah. Do you guys make much use of these sorts of things? These Airbnbs and Vrbos?
A
I used to be a big fan of them back when they were actually worth it. When you. They cost less than a hotel room and you could have a bunch of people in one location, that was great. But now it's. They cost more than a hotel room. You get no service and you have to clean up after yourself on top of paying them a cleaning fee.
B
Yeah.
A
And they want you to strip the bed and take out the garbage and all this stuff. And it's like, I can do that at home.
C
Right.
A
For free.
B
I don't need to travel.
A
Yeah. At least at a hotel now you get service and then you don't have to worry about all the ickiness that happens in Airbnbs and creepy hosts and stuff.
C
I still check for the ickiness.
A
Yeah, you always got to. So, no, I have said goodbye to Airbnbs a long time ago, which is disappointing because it was a good idea.
C
Yeah. If they offered a. If they offered a reasonable value proposition, I might be willing to do to. To do all the service work, you know, like that gets done at a hotel. But if it's more expensive than a hotel, I'm gonna have to do some math on that. Like how many people are staying there, how many hotel rooms we need to get. You know what? You know, if, like, if seven of us are going down to Texas, maybe I'll get one, maybe I'll get an Airbnb. But you know, if I go down to Texas, I got a place to stay.
A
Yeah. They. And the economics are just not sustainable anymore because a bunch of people started buying up Airbnbs and renting out and stuff, and now it's. I have seen stuff on social media and in the news of Airbnb rentals and such are just staying vacant because there are just too many Airbnbs or they are too expensive. There's no need for it.
B
Yeah.
C
It's like multi level marketing. If you didn't get in early, you're not making the money.
A
Yeah.
B
Yeah. And we have a serious shortage of housing stock in our nation, so that helps. Makes that worse.
C
Yeah. Well, maybe this will make it better when people stop making money with Airbnb and they just have to liquidate the house.
A
That's what I'm hoping.
C
They'll sell it to somebody who will learn.
B
All right. We will have a link to that story in the show notes. Joe, Michelle, it is time for our catch of the day,
C
Dave. Our catch of the day comes from the r/scambait subreddit. The title on this one is, who wants to help me with this one? And it's a very short. It looks like a text message coming. Oh, today it's 19:34, which is 7:34.
B
Wow.
C
Yeah.
B
Good thing you're here.
A
Joe, quick math.
C
Yep.
B
It goes like this. It says, hi, Bob, it's me.
A
Is he sick?
B
I'm just trying again as I'm not sure my messages have been getting through. My phone screen's cracked, so I'm using a spare at the moment. I tried my SIM in it, but there's no signal because it's locked. Can you save this number and let me know when you see this?
C
So many questions. How are you sending this message if the phone screen is locked? That's my first question.
B
Well, it says he's using a spare.
C
A spare, okay.
A
Yeah, because his regular phone is cracked.
B
So that explains why it's coming from an unknown number. Ah, right. My phone's broken, so I'm using a spare. Tried using his SIM, but can't do that because the SIM is somehow locked. The nuance here that I think is interesting is they say, can you save this number?
C
Because if you save the number, they can call you.
B
It's not unknown anymore. Right, right. So they're trying to get them, like, I'm guessing. I mean, he says, hi, Mum, so hi, Mum, it's me. Doesn't say who it is.
C
Right.
A
But you're only one. Only a handful of people, most are calling you Mom. I think the "I have so many questions" I think is exactly the point. Nobody in general, most people do not know SIM architecture and how phones work and how phone numbers are assigned. Not enough people know that to be able to identify a specific. Like, that's not how that works.
B
Right, Right.
A
So like, there even, like, I've done some learning about it and even still I couldn't be like, that's actually not how that works, with certainty. It's like, huh, that's weird. But, you know, I don't know how that stuff works. Okay.
B
Right. It's plausible.
A
Yeah, it's just vague enough.
C
And so what's your first response to this text?
B
Well, let me go in a different direction and just say, I can imagine. I will answer your question, Joe, but my first response is I'm trying to imagine my mother answering this question. If this came to her right. Her first question probably would have been, is this Dave. Right. So now she's given away the name.
C
Yep.
B
And so the scammer's gonna say, yes, it's me, Dave, and I'm in trouble and I need help and. And off we go. Right. How would I answer this? Yeah, well, if I wouldn't.
C
Oh, you wouldn't? No, I would say, is this Tommy? And when he comes back, yeah, this is Tommy. Tommy. You got the wrong number, man. That's good, because I don't have any kids named Tommy.
B
That's good. Yeah, I like that. That's a good one. Yeah. And I guess this is. I was talking to somebody just a couple weeks ago about this. It was a person who has grandchildren and they were telling me that their entire family has a code word.
C
Right.
B
And this is a great example of why that would be a good thing to have.
C
We have that too.
B
What's the code word? And if they don't know it, tough. Right. And if it's a family member and they can't remember it, then nice knowing you.
C
Right. We'll start making arrangements.
A
Yeah, it's just interesting being like, just. It's not as overt. It's like subtly just a bit confusing. But not confusing enough to like set off alarm bells.
B
Right, right.
A
I don't like this one because of that.
B
Intentionally vague.
A
Yeah, it's effective and I don't like that.
C
Oh yeah, I'm rereading this again. And the SIM is locked. I'm sorry.
A
Yeah, it's totally mis. Yeah, I don't like that. I like when they're bad at what they do.
C
So when I got my new phone, which is a Google Pixel 10, which is still just a big box of tears and disappointment, okay. For some reason Google cannot make a Bluetooth interface to save their lives.
B
Okay.
C
And this one exhibits the exact same problems that every other Google Pixel I've ever had. I'm just complaining. But anyway, I did not have to set up a. Use a SIM. I had an old SIM from my previous Pixel.
A
Yeah, they have virtual SIMs now and they had.
C
Yeah, they said, we don't need that. We're going to create a virtual SIM from your old one using your mobile provider. Give us the number on it or something. And. And I had to do that and it created a virtual SIM.
A
Yeah, this is what I mean. None of us know, like, enough detail to be like, that's not technically how that works.
C
Right.
A
You gotta be a real specific person.
C
I have never been really into the mobile technology. Just never. It never interested me. So I never learned about it.
B
Yeah. All right. Well, that is our catch of the day. And of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans2k.com. Most environments trust too much and attackers know it. ThreatLocker enforces default deny at execution, blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo@threatlocker.com N2K. And that is our show, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Michelle Kellerman.
B
Thanks for listening.
This episode dives into the ever-evolving world of online scams, deception, and social engineering in cybersecurity. Dave Bittner and Joe Kerrigan are joined by guest co-host Michelle Kellerman, discussing the "SLAM" method for phishing awareness, the shifting landscape of scam liability, and a deep-dive story about a large-scale rental scam. The panel brings humor, personal stories, and expert insight into how the threat of fraud is pushing banks, social media companies, and consumers to adapt.
On scam inoculation:
Dave Bittner ([04:22]):
“It's a lot easier to convince someone not to be scammed than to get them out of the scam while they're in the middle of it.”
On the SLAM approach to phishing:
Joe Kerrigan ([07:33]):
“Look at the full email address, not just the display name.”
Relating liability to change:
Michelle Kellerman ([15:54]):
“Whoever is least compliant with the EMV chip will be responsible for paying out frauds from magstripe steals. ... That's how those chips ended up becoming so widespread adoption.”
On Meta’s responsibility:
Michelle Kellerman ([18:11]):
“We know that Facebook is aware that their ads are fraudulent and they just let them go anyway because they make a ton of money off of them.”
On possible future shifts in liability:
Michelle Kellerman ([23:29]):
“Facebook could catch some of the heat for just allowing these fraudulent advertisements to go unchecked that lead to the fraud down the road.”
On shifting scam losses:
Dave Bittner ([24:04]):
“At what point do the banks... be able to say, okay, we've had it. There are going to be changes here.”
This episode is rich in practical tips (especially the SLAM method), reveals how fraud economics are forcing regulatory and tech industry changes, and highlights the power shift: when banks lose enough money, platforms that tolerate scams may finally face accountability.
The trio’s informality, humor, and breadth of experience keep the tone conversational and engaging even when covering dense topics.
For more details and resources, check show notes for referenced articles and SLAM documentation.