Hacking Humans – “Social Engineering Served Sunny-Side Up”
Podcast by N2K Networks
Episode Date: August 28, 2025
Host(s): Dave Bittner (B), Joe Kerrigan (C), Maria Varmazes (A)
Overview
This episode explores the latest in social engineering, deception, and influence in the world of cybercrime. The hosts break down recent listener mail about online scams, reveal new twists in phishing and data breach tactics, and discuss the interplay between privacy, social posting, and AI. The tone is candid, playful, and insightful, making complex topics accessible for security professionals and everyday listeners alike.
Key Discussion Points & Insights
1. Listener Follow-Ups: Social Engineering & Subscription Scams
(Starts ~03:43)
- Eggs & Hobbies Lighthearted Interlude: The show begins with a humorous follow-up referencing an Onion article about backyard chickens, setting a friendly, relatable tone about knowing yourself and hobbies that “feed you back.”
- Subscription Scam Tactics:
  - A listener from Belgium describes encountering scams offering high-value products at “employee discounts,” morphing into small-fee subscription traps. The scam uses Facebook ads and collects both personal info and recurring payments.
  - Quote: “By agreeing to pay the small fee, people are also unknowingly signing up for a recurring subscription of 60 to €80 per week. While the fine print might technically disclose this, it's highly unethical and designed to trick victims.” —Listener Peter, email read at [05:23].
- Discussion & Advice:
  - These “win a prize” scams are cross-border and recurring; the business model is to capture a victim for a billing cycle or two.
  - Lessons: be wary of “small fee” wins, check what you are actually subscribing to, and watch for unusual payment mechanisms such as recurring debit card charges.
2. Feature Story 1: Celebrity Podcast Scams
(Starts ~08:55)
- Scam Mechanism Explained:
  - Attackers impersonate managers of a “celebrity podcast,” offering business professionals $2,000 to guest star.
  - After praise and flattery, victims are required to do a “technical check” that involves installing remote access software under the guise of exclusive recording software.
  - Quote: "Most of the dedicated podcast recording platforms ... they're all browser based now ... [the scammers] get you to install something on your machine, and then they steal ... your social media logins ... other accounts, credentials, things like that, which is kind of a twist on the classic tech support scam.” —Dave Bittner [12:32].
- Heightened Threat: Instead of technical novices, these attacks target high-value business leaders.
  - Quote: "This is more like almost like a spear phishing attack of the tech support scam.” —Joe Kerrigan [13:15].
- Advice Recap:
  - Be skeptical of generic email offers.
  - Check sender addresses—legitimate podcasts rarely use free Gmail accounts.
  - Never allow strangers remote access to your device; don’t install unexpected software.
  - Podcast guest invitations should not require technical setup beyond browser-based recording.
3. Feature Story 2: Workday Social Engineering Breach
(Starts ~15:01)
- Background:
  - Workday, a leading HR and financial management SaaS provider, fell victim to a social engineering attack targeting a third-party CRM.
  - Attackers impersonated HR/IT staff via phone or SMS, tricking employees into granting access to malicious OAuth apps, which exposed business contact data—names, emails, phone numbers—but not customer or tenant data.
  - Quote: "Workday became the target of a coordinated social engineering attack ... impersonating internal HR IT personnel. These attackers tricked employees ... allowing them to infiltrate and get access to this CRM, which they did via malicious OAuth applications.” —Joe Kerrigan [17:29].
- Expert Takeaways:
  - OAuth Risks: eliminate OAuth blind spots, enforce strict whitelisting for third-party integrations, and regularly review existing connections.
  - Phishing-Resistant MFA: adopt hardware tokens over one-time codes or mobile push, which are more susceptible to “MFA fatigue” and social attacks.
  - Quote: "User enrollment in execution of malware is very effective. ... I think we really need to move beyond these other methods of multi-factoring. Just go with these hardware based certificate multi-factor authentications." —Joe Kerrigan [20:29].
  - Google’s adoption of hardware keys led to a dramatic reduction in incidents.
- User Realities:
  - Hardware tokens can be frustrating (misplaced keys, added friction), but the trade-off is worth the security gain.
  - Passkeys may become the future middle ground.
4. Feature Story 3: URL Obfuscation & Smishing Tactics
(Starts ~26:26)
- Maria’s Real-World Spam Example:
  - She received a fake FedEx delivery SMS whose link was formatted as “fedex.com@spamurl”: the text before the “@” is the URL's userinfo field (a legacy user:password@host convention from early HTTP/FTP), so the familiar name is displayed while the browser actually connects to the host after the “@”.
  - Quote: “I have not seen a spam URL actually try to obscure itself within the legitimate one like that using the symbol.” —Maria [26:49].
- Technical Explanation:
  - The “@” in URLs comes from legacy protocols that allowed username:password@domain access; here it is misused so the eye reads the trusted name while the real destination follows the “@”.
  - Quote: “You're looking at the username portion of the URL, which is generally disregarded. ... It's just a zombie part of the protocol." —Dave Bittner [28:59].
- Advice:
  - Don’t follow links from unexpected delivery texts.
  - Copying, pasting, or replying to such instructions can expose you to credential theft.
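The userinfo trick discussed above, as an added example (not from the episode or its hosts): it splits a link the way a browser does, shows which host is really contacted, and flags links whose userinfo looks like a brand domain. The sample URLs are constructed and “spamurl.example” is a placeholder.

```python
"""Detect "trusted-name@real-host" decoys in URLs (added example, not from the show)."""
from urllib.parse import urlsplit

# Constructed samples of the smishing pattern: the text before "@" is the
# legacy userinfo (user:password) field, not the host name.
SAMPLES = [
    "https://fedex.com@spamurl.example/track?id=123",    # decoy name before "@"
    "http://fedex.com:tracking@spamurl.example/",        # decoy with a fake "password"
    "https://www.fedex.com/track?id=123",                # ordinary link, no userinfo
]


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to (userinfo and port removed)."""
    return (urlsplit(url).hostname or "").lower()


def userinfo(url: str) -> str:
    """Return the userinfo portion of the authority (everything before the last '@')."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[0] if "@" in netloc else ""


def looks_like_host(info: str) -> bool:
    """Heuristic: the user part of userinfo is shaped like a domain name, e.g. fedex.com."""
    name = info.split(":", 1)[0]
    return "." in name and name.replace(".", "").replace("-", "").isalnum()


def is_userinfo_decoy(url: str) -> bool:
    """True when the userinfo resembles a domain and differs from the real host."""
    info = userinfo(url)
    return looks_like_host(info) and info.split(":", 1)[0].lower() != real_host(url)


def triage(urls):
    """Map each URL to (real host, flagged?) for a report or log enrichment."""
    return {u: (real_host(u), is_userinfo_decoy(u)) for u in urls}


if __name__ == "__main__":
    for url, (host, flagged) in triage(SAMPLES).items():
        print(f"{'DECOY' if flagged else 'ok   '} {url} -> connects to {host}")
```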
5. Back-to-School Photo Privacy & Sharenting
(Starts ~30:04)
- Rising Trend:
  - Parents share school photos with giant chalkboards listing sensitive info (name, age, school, teacher, interests).
  - Trend to “cover” faces with emoji stickers for privacy, among celebrities and parents alike.
- Expert Perspective (Lisa Ventura):
  - The real privacy risk isn't AI “peeling off” stickers, but the metadata and context these posts provide.
  - Quote: “The main issue isn’t the threat of peeling away the emoji. But the fact that most parents aren’t just posting one carefully emoji protected photo, they’re sharing multiple images over time. And the combined data from all those posts creates a much bigger privacy concern than any single image.” —Lisa Ventura, as read by Maria [32:12].
- Host Discussion—Diverse Views:
  - Joe: Agrees that metadata and background info (house number, school, geotags) pose bigger risks than faces.
  - Maria: Advocates for strong privacy; doesn't post her child online, prefers old-school photo sharing, and highlights concern over AI scraping and third-party data use.
  - Dave: Skeptical about the practical risk, noting that the fear may be overblown; believes the benefit of sharing outweighs unlikely threats for most families.
  - Quote: “Do any of us believe that Facebook doesn't know what our kids look like?” —Dave Bittner [40:41].
- Nuance:
  - Risk models depend on personal and family situation (e.g., custody disputes, known threats).
  - Even if facial privacy isn’t a concern, other info in photos (location, teams, interests) can accumulate into unintended risks.
6. Catch of the Day: YouTube Optimization Scam
(Starts ~42:10)
- Scam Details:
  - Text invites the recipient to become a YouTube Optimization Specialist — high pay, no experience, “your resume has been recommended by multiple online recruitment platforms.”
  - Probable intent: trick the victim into unpaid click-farm “training” or further phishing attempts.
  - Quote: "The longer you work, the welfare policies you will enjoy." —Scam text [43:38].
- Insights:
  - Too-good-to-be-true job offers are perennial digital scam vectors.
  - Scams use increasingly “official” sounding copy to bait engagement.
  - Quote: “You go out and watch these videos... they get you to do that for free because you never get the money.” —Joe [44:47].
- Hosts Compare Notes:
  - Classic internet stories about scammers not even checking the content producers they approach show how indiscriminately these schemes are run.
Notable Quotes & Moments
- Dave Bittner [12:32]: "They get you to install something on your machine, and then they steal ... your social media logins ... other accounts, credentials, things like that, which is kind of a twist on the classic tech support scam.”
- Maria Varmazes, reading Lisa Ventura [32:12]: “The main issue isn’t the threat of peeling away the emoji. But the fact that most parents aren’t just posting one carefully emoji protected photo, they’re sharing multiple images over time. And the combined data from all those posts creates a much bigger privacy concern than any single image.”
- Joe Kerrigan [20:29]: "I think we really need to move beyond these other methods of multi-factoring. Just go with these hardware based certificate multi-factor authentications."
- Dave Bittner [40:41]: “Do any of us believe that Facebook doesn't know what our kids look like?”
Important Timestamps
- 03:43 – Listener Peter describes the subscription scam and new payment angles.
- 08:55 – Celebrity podcast scam breakdown.
- 15:01 – Workday breach: how social engineering leads to organization-wide risk.
- 26:26 – Real-world spam text: legacy protocol tricks in phishy URLs.
- 30:04 – Privacy, school photos, and “sharenting” culture debated.
- 42:10 – Catch of the Day: job scam revealed and dissected.
Summary Table
| Time  | Topic                                              |
|-------|----------------------------------------------------|
| 03:43 | Listener Follow-up on Subscription Scam            |
| 08:55 | Celebrity Podcast Scams                            |
| 15:01 | Workday Social Engineering Breach                  |
| 26:26 | Smishing Attack Using "@" in URLs                  |
| 30:04 | Sharenting & Privacy (School Photos, Emojis, AI)   |
| 42:10 | Catch of the Day: YouTube Optimization Job Scam    |
Conclusion
The episode blends topical cyber threats with practical advice and nuanced personal stories, covering both the technical and social dimensions of modern cybercrime and online privacy. The hosts emphasize vigilance against evolving scams, advocate for privacy-by-design (both in tech and life), and encourage critical thinking—always with a dose of humor and humanity. Listeners are left with actionable guidance and a deeper appreciation of the subtle ways digital manipulation can enter our lives.
